0001423
ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version
International Organization for Standardization
International or National Standard
For Purchase
ISO 22301- Societal Security - Business Continuity Management Systems - Requirements
ISO 22301: Societal Security - Business Continuity Management Systems - Requirements
2012-06-15
The document as a whole was last reviewed and released on 2016-10-18T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure that the mapping is of the highest quality. Further information about the process we use to map Authority Documents, and about how to become involved in that process, is available from the UCF.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version, tagged with its primary and secondary nouns and primary and secondary verbs, in a four-column table. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version are based upon terms found within the Authority Document’s defined terms section (which most legal documents have) or its glossary, and, for the most part, upon terms tagged within each mandate. The terms with links are the standardized versions of the terms.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Establish Roles | Preventive | |
Manage supply chain audits. CC ID 01203 | Audits and Risk Management | Preventive | |
Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 | Audits and Risk Management | Preventive | |
Rotate auditors, as necessary. CC ID 15589 | Audits and Risk Management | Preventive | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 | Establish Roles | Preventive | |
Assign the Board of Directors to address audit findings. CC ID 12396 | Human Resources Management | Corrective | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Establish Roles | Preventive | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Establish Roles | Preventive | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 | Testing | Detective | |
Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Establish Roles | Preventive | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Establish Roles | Preventive | |
Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Establish Roles | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Establish Roles | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and Risk Management | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Establish/Maintain Documentation | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Establish/Maintain Documentation | Preventive | |
Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Establish/Maintain Documentation | Preventive | |
Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Establish/Maintain Documentation | Preventive | |
Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Establish/Maintain Documentation | Preventive | |
Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Establish/Maintain Documentation | Preventive | |
Review the external audit scope, as necessary. CC ID 01202 | Audits and Risk Management | Preventive | |
Review the external audit assertion for accuracy. CC ID 06977 | Testing | Detective | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 | Testing | Detective | |
Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and Risk Management | Detective | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Establish/Maintain Documentation | Preventive | |
Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Establish/Maintain Documentation | Preventive | |
Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Establish/Maintain Documentation | Preventive | |
Review the external auditor's qualifications. CC ID 01197 | Audits and Risk Management | Preventive | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and Risk Management | Preventive | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Establish/Maintain Documentation | Preventive | |
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Establish/Maintain Documentation | Preventive | |
Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Behavior | Preventive | |
Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Behavior | Preventive | |
Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Establish/Maintain Documentation | Preventive | |
Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Establish/Maintain Documentation | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Establish Roles | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and Risk Management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and Risk Management | Detective | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Behavior | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 | Establish/Maintain Documentation | Preventive | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and Risk Management | Preventive | |
Establish and maintain audit terms. CC ID 13880 | Establish/Maintain Documentation | Preventive | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Process or Activity | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Establish/Maintain Documentation | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Establish/Maintain Documentation | Preventive | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and Risk Management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and Risk Management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and Risk Management | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and Risk Management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and Risk Management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and Risk Management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and Risk Management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Establish/Maintain Documentation | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Establish/Maintain Documentation | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Establish/Maintain Documentation | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and Risk Management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Establish/Maintain Documentation | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Establish/Maintain Documentation | Preventive | |
Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Establish/Maintain Documentation | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Establish/Maintain Documentation | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Establish/Maintain Documentation | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Establish/Maintain Documentation | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Establish/Maintain Documentation | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Establish/Maintain Documentation | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Establish/Maintain Documentation | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Establish/Maintain Documentation | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Establish/Maintain Documentation | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Establish/Maintain Documentation | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Establish/Maintain Documentation | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Establish/Maintain Documentation | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Establish/Maintain Documentation | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Establish/Maintain Documentation | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Establish/Maintain Documentation | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Establish/Maintain Documentation | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Establish/Maintain Documentation | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Establish/Maintain Documentation | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Establish/Maintain Documentation | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and Risk Management | Detective | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Establish/Maintain Documentation | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Establish/Maintain Documentation | Preventive | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and Risk Management | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Business Processes | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and Risk Management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and Risk Management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2 The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Establish/Maintain Documentation | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Investigate | Preventive | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Establish/Maintain Documentation | Preventive | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Establish/Maintain Documentation | Preventive | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Establish/Maintain Documentation | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and Risk Management | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Establish/Maintain Documentation | Preventive | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and Risk Management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Establish/Maintain Documentation | Preventive | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Establish/Maintain Documentation | Preventive | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Establish/Maintain Documentation | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and Risk Management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Establish/Maintain Documentation | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Establish/Maintain Documentation | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Establish/Maintain Documentation | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Establish/Maintain Documentation | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Establish/Maintain Documentation | Preventive | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Establish/Maintain Documentation | Preventive | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Establish/Maintain Documentation | Preventive | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Establish/Maintain Documentation | Preventive | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Establish/Maintain Documentation | Preventive | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Establish/Maintain Documentation | Preventive | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Establish/Maintain Documentation | Preventive | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Establish/Maintain Documentation | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Establish/Maintain Documentation | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Establish/Maintain Documentation | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Establish/Maintain Documentation | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Establish/Maintain Documentation | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Establish/Maintain Documentation | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Establish/Maintain Documentation | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Establish/Maintain Documentation | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Establish/Maintain Documentation | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Establish/Maintain Documentation | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Establish/Maintain Documentation | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Establish/Maintain Documentation | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Establish/Maintain Documentation | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Establish/Maintain Documentation | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Establish/Maintain Documentation | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Establish/Maintain Documentation | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Establish/Maintain Documentation | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Establish/Maintain Documentation | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Establish/Maintain Documentation | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Communicate | Preventive | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Establish/Maintain Documentation | Preventive | |
Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Establish/Maintain Documentation | Preventive | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 | Establish/Maintain Documentation | Preventive | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Establish/Maintain Documentation | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Establish/Maintain Documentation | Corrective | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Communicate | Preventive | |
Include materiality levels in the audit terms. CC ID 01238 | Establish/Maintain Documentation | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Establish/Maintain Documentation | Preventive | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Establish/Maintain Documentation | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Business Processes | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and Risk Management | Detective | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Business Processes | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Behavior | Preventive | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and Risk Management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system conforms to the organization’s own requirements for its BCMS, § 9.2 ¶ 1 a) 1) The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system conforms to the requirements of this International Standard, and § 9.2 ¶ 1 a) 2) The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system is effectively implemented and maintained. § 9.2 ¶ 1 b)] | Audits and Risk Management | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Actionable Reports or Measurements | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Establish/Maintain Documentation | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Establish/Maintain Documentation | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Establish/Maintain Documentation | Preventive | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Records Management | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 | Audits and Risk Management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
Audit information systems, as necessary. CC ID 13010 | Investigate | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Testing | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Testing | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
Edit the audit assertion for accuracy. CC ID 07030 | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Testing | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and Risk Management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Testing | Detective | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Establish/Maintain Documentation | Preventive | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3 The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Testing | Preventive | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and Risk Management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and Risk Management | Preventive | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and Risk Management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Communicate | Preventive | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Testing | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
Conduct interviews, as necessary. CC ID 07188 | Testing | Detective | |
Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Behavior | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
Establish and maintain work papers, as necessary. CC ID 13891 | Establish/Maintain Documentation | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Establish/Maintain Documentation | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and Risk Management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Establish/Maintain Documentation | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Establish/Maintain Documentation | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Establish/Maintain Documentation | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Establish/Maintain Documentation | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and Risk Management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and Risk Management | Preventive | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Testing | Detective | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Establish/Maintain Documentation | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Establish/Maintain Documentation | Preventive | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Testing | Detective | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Monitor and Evaluate Occurrences | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Establish Roles | Preventive | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Business Processes | Preventive | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Monitor and Evaluate Occurrences | Preventive | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Business Processes | Preventive | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Process or Activity | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Establish/Maintain Documentation | Preventive | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 | Audits and Risk Management | Preventive | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Investigate | Detective | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Business Processes | Preventive | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and Risk Management | Corrective | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and Risk Management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Establish/Maintain Documentation | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Establish/Maintain Documentation | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Establish/Maintain Documentation | Detective | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and Risk Management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 | Establish/Maintain Documentation | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Establish/Maintain Documentation | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Human Resources Management | Detective | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Establish/Maintain Documentation | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Establish/Maintain Documentation | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Establish/Maintain Documentation | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Establish/Maintain Documentation | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Establish/Maintain Documentation | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Establish/Maintain Documentation | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Establish/Maintain Documentation | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Establish/Maintain Documentation | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Establish/Maintain Documentation | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Establish/Maintain Documentation | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 | Actionable Reports or Measurements | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 | Actionable Reports or Measurements | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Actionable Reports or Measurements | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Establish/Maintain Documentation | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Establish/Maintain Documentation | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Establish/Maintain Documentation | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Establish/Maintain Documentation | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Actionable Reports or Measurements | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Establish/Maintain Documentation | Preventive | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Establish/Maintain Documentation | Preventive | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Establish/Maintain Documentation | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Establish/Maintain Documentation | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Establish/Maintain Documentation | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Establish/Maintain Documentation | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Establish/Maintain Documentation | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Establish/Maintain Documentation | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Establish/Maintain Documentation | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Establish/Maintain Documentation | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Establish/Maintain Documentation | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Establish/Maintain Documentation | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Establish/Maintain Documentation | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Establish/Maintain Documentation | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Establish/Maintain Documentation | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Establish/Maintain Documentation | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and Risk Management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Establish/Maintain Documentation | Preventive | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Establish/Maintain Documentation | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and Risk Management | Detective | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Establish/Maintain Documentation | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Establish/Maintain Documentation | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Establish/Maintain Documentation | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Establish/Maintain Documentation | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Establish/Maintain Documentation | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Establish/Maintain Documentation | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Establish/Maintain Documentation | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and Risk Management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Establish/Maintain Documentation | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Establish/Maintain Documentation | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Actionable Reports or Measurements | Preventive | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Establish/Maintain Documentation | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Establish/Maintain Documentation | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Establish/Maintain Documentation | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Establish/Maintain Documentation | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and Risk Management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Establish/Maintain Documentation | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and Risk Management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and Risk Management | Detective | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Establish/Maintain Documentation | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and Risk Management | Detective | |
Review past audit reports. CC ID 01155 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2 The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Establish/Maintain Documentation | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Establish/Maintain Documentation | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Establish/Maintain Documentation | Detective | |
Resolve disputes before creating the audit summary. CC ID 08964 | Behavior | Preventive | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Establish/Maintain Documentation | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Establish/Maintain Documentation | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Establish/Maintain Documentation | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Establish/Maintain Documentation | Corrective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Investigate | Detective | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Process or Activity | Detective | |
Include an audit opinion in the audit report. CC ID 07017 | Establish/Maintain Documentation | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Establish/Maintain Documentation | Preventive | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Establish/Maintain Documentation | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Establish/Maintain Documentation | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Establish/Maintain Documentation | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Business Processes | Corrective | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Establish/Maintain Documentation | Preventive | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Establish/Maintain Documentation | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Establish/Maintain Documentation | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Establish/Maintain Documentation | Preventive | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Establish/Maintain Documentation | Preventive | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Establish/Maintain Documentation | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Establish/Maintain Documentation | Preventive | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Establish/Maintain Documentation | Preventive | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Establish/Maintain Documentation | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Establish/Maintain Documentation | Corrective | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Actionable Reports or Measurements | Preventive | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Establish/Maintain Documentation | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Human Resources Management | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Log Management | Detective | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Behavior | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Establish/Maintain Documentation | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Establish/Maintain Documentation | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 [The business impact analysis shall include the following: assessing the impacts over time of not performing these activities; § 8.2.2 ¶ 2 b) When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by reviewing the nonconformity, § 10.1 ¶ 1 c) 1)] | Establish/Maintain Documentation | Detective | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Business Processes | Preventive | |
Submit an audit report that is complete. CC ID 01145 | Testing | Detective | |
Accept the audit report. CC ID 07025 | Establish/Maintain Documentation | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Establish/Maintain Documentation | Corrective | |
Assign responsibility for remediation actions. CC ID 13622 | Human Resources Management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Actionable Reports or Measurements | Corrective | |
Review management's response to issues raised in past audit reports. CC ID 01149 [The management review shall include consideration of the status of actions from previous management reviews, § 9.3 ¶ 2 a) The management review shall include consideration of information on the business continuity performance, including trends in nonconformities and corrective actions, § 9.3 ¶ 2 c) 1)] | Audits and Risk Management | Detective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Testing | Detective | |
Evaluate the competency of auditors. CC ID 15253 | Human Resources Management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and Risk Management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Testing | Detective | |
Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 [The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that specifies the requirements for this information to be kept up-to-date and confidential. § 8.2.1 ¶ 1 e)] | Establish/Maintain Documentation | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and Risk Management | Detective | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Establish Roles | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and Risk Management | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Establish/Maintain Documentation | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [{external factor} In establishing the context, the organization shall define the external and internal factors that create the uncertainty that gives rise to risk, § 4.1 ¶ 4 2) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Business Processes | Preventive | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Business Processes | Preventive | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Business Processes | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Establish/Maintain Documentation | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Establish/Maintain Documentation | Preventive | |
Use the risk taxonomy when managing risk. CC ID 12280 | Behavior | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization. § 8.2.3 ¶ 1 {formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d) {risk management procedures} The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by establishing criteria for the processes, § 8.1 ¶ 1 a) The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that § 8.2.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 [{formal process} {legal requirements} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that takes into account legal and other requirements to which the organization subscribes, § 8.2.1 ¶ 1 b)] | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Establish/Maintain Documentation | Preventive | |
Document cybersecurity risks. CC ID 12281 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Establish/Maintain Documentation | Preventive | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and Risk Management | Preventive | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Establish/Maintain Documentation | Preventive | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, § 8.2.1 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [The organization shall evaluate which disruption related risks require treatment, and § 8.2.3 ¶ 2 c) {formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that includes systematic analysis, prioritization of risk treatments, and their related costs, § 8.2.1 ¶ 1 c) {actions to address risks and opportunities} The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by implementing control of the processes in accordance with the criteria, and § 8.1 ¶ 1 b) {changes to security requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to risk reduction and security requirements, § 9.3 ¶ 4 d) 2)] | Establish/Maintain Documentation | Preventive | |
Document organizational risk criteria. CC ID 12277 | Establish/Maintain Documentation | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Technical Security | Preventive | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Investigate | Detective | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and Risk Management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and Risk Management | Preventive | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Establish/Maintain Documentation | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and Risk Management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and Risk Management | Preventive | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Establish/Maintain Documentation | Preventive | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Establish/Maintain Documentation | Preventive | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, § 8.2.1 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Establish/Maintain Documentation | Preventive | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Establish/Maintain Documentation | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and Risk Management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Communicate | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that includes systematic analysis, prioritization of risk treatments, and their related costs, § 8.2.1 ¶ 1 c)] | Testing | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Establish/Maintain Documentation | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 [{formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d)] | Establish/Maintain Documentation | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and Risk Management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Establish/Maintain Documentation | Detective | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and Risk Management | Preventive | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [{update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)] | Establish/Maintain Documentation | Detective | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and Risk Management | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Communicate | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Business Processes | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3] | Behavior | Preventive | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Investigate | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [{formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d) The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. § 8.2.2 ¶ 1 {outputs from the risk assessment} Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment. § 8.3.1 ¶ 1 The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that specifies the requirements for this information to be kept up-to-date and confidential. § 8.2.1 ¶ 1 e) The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that § 8.2.1 ¶ 1] | Audits and Risk Management | Detective | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Establish/Maintain Documentation | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Establish/Maintain Documentation | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Establish/Maintain Documentation | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Establish/Maintain Documentation | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Establish/Maintain Documentation | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 [The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. § 8.2.2 ¶ 1 The business impact analysis shall include the following: identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties. § 8.2.2 ¶ 2 d) The response structure shall identify impact thresholds that justify initiation of formal response, § 8.4.2 ¶ 2 a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Communicate | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 [The organization shall identify and document the following: the organization’s risk appetite. § 4.1 ¶ 3 c)] | Establish/Maintain Documentation | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Business Processes | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Business Processes | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [The organization shall systematically analyse risk, § 8.2.3 ¶ 2 b)] | Audits and Risk Management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and Risk Management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [The business impact analysis shall include the following: identifying activities that support the provision of products and services; § 8.2.2 ¶ 2 a) The organization shall identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, § 8.2.3 ¶ 2 a)] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [The organization shall identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, § 8.2.3 ¶ 2 a)] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and Risk Management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Actionable Reports or Measurements | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and Risk Management | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [The organization shall identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite. § 8.2.3 ¶ 2 d) The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite. § 8.3.3 ¶ 2 In establishing the context, the organization shall set risk criteria taking into account the risk appetite, and § 4.1 ¶ 4 3) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to levels of risk and/or criteria for accepting risks, § 9.3 ¶ 4 d) 6)] | Establish/Maintain Documentation | Preventive | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Investigate | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite. § 8.3.3 ¶ 2 For identified risks requiring treatment, the organization shall consider proactive measures that reduce the likelihood of disruption, § 8.3.3 ¶ 1 a) For identified risks requiring treatment, the organization shall consider proactive measures that shorten the period of disruption, and § 8.3.3 ¶ 1 b) For identified risks requiring treatment, the organization shall consider proactive measures that limit the impact of disruption on the organization’s key products and services. § 8.3.3 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Behavior | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [{update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)] | Establish/Maintain Documentation | Detective | |
Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [The organization shall identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite. § 8.2.3 ¶ 2 d) {outputs from the risk assessment} Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment. § 8.3.1 ¶ 1] | Audits and Risk Management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Process or Activity | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Process or Activity | Detective | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and Risk Management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, § 8.2.1 ¶ 1 a)] | Testing | Detective | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [{actions to address these risks and opportunities} The organization shall plan how to integrate and implement the actions into its BCMS processes (see 8.1), § 6.1 ¶ 2 b) 1)] | Establish/Maintain Documentation | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and Risk Management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and Risk Management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Establish/Maintain Documentation | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Establish/Maintain Documentation | Corrective | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the risk treatment plan. CC ID 11981 | Establish/Maintain Documentation | Preventive | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Establish/Maintain Documentation | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Establish/Maintain Documentation | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Establish/Maintain Documentation | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Establish/Maintain Documentation | Preventive | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Establish/Maintain Documentation | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Communicate | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and Risk Management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [When nonconformity occurs, the organization shall implement any action needed, § 10.1 ¶ 1 d)] | Establish/Maintain Documentation | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The organization shall plan actions to address these risks and opportunities, § 6.1 ¶ 2 a)] | Establish/Maintain Documentation | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 | Establish/Maintain Documentation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. § 5.4 ¶ 1] | Establish Roles | Preventive | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Establish Roles | Preventive | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources Management | Preventive | |
Define the scope for the security operations center. CC ID 15713 | Establish/Maintain Documentation | Preventive | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources Management | Preventive | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Behavior | Preventive | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources Management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [Top management shall assign the responsibility and authority for reporting on the performance of the BCMS to top management. § 5.4 ¶ 2 b)] | Establish Roles | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources Management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Establish/Maintain Documentation | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources Management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Establish/Maintain Documentation | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Establish/Maintain Documentation | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources Management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Establish Roles | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources Management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources Management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources Management | Corrective | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources Management | Preventive | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources Management | Preventive | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Establish/Maintain Documentation | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources Management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources Management | Preventive | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources Management | Preventive | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Establish Roles | Preventive | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources Management | Preventive | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Establish Roles | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources Management | Preventive | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Establish Roles | Preventive | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Establish Roles | Preventive | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources Management | Preventive | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Establish Roles | Preventive | |
Define and assign the security staff roles and responsibilities. CC ID 11750 | Establish/Maintain Documentation | Preventive | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources Management | Preventive | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Establish Roles | Preventive | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Establish Roles | Preventive | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Establish Roles | Preventive | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Establish Roles | Preventive | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Establish/Maintain Documentation | Preventive | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Establish Roles | Preventive | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources Management | Preventive | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources Management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources Management | Preventive | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources Management | Preventive | |
Assign a contact person to all business units. CC ID 07144 | Establish Roles | Preventive | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Business Processes | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources Management | Preventive | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources Management | Preventive | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources Management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The organization shall ensure that these persons are competent on the basis of appropriate education, training, and experience, § 7.2 ¶ 1 b)] | Testing | Detective | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources Management | Detective | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Establish Roles | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources Management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources Management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Establish/Maintain Documentation | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources Management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources Management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources Management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Establish/Maintain Documentation | Detective | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Establish Roles | Preventive | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [Persons doing work under the organization’s control shall be aware of their own role during disruptive incidents. § 7.3 ¶ 1 d)] | Establish Roles | Detective | |
Evaluate the staffing requirements regularly. CC ID 00775 [The organization shall determine the necessary competence of person(s) doing work under its control that affects its performance, § 7.2 ¶ 1 a)] | Business Processes | Detective | |
Train all personnel and third parties, as necessary. CC ID 00785 [The organization shall where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and § 7.2 ¶ 1 c)] | Behavior | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Business Processes | Preventive | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources Management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Establish/Maintain Documentation | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Establish/Maintain Documentation | Preventive | |
Submit applications for professional certification. CC ID 16192 | Training | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 | Behavior | Preventive | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Behavior | Preventive | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Behavior | Preventive | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Behavior | Preventive | |
Document all training in a training record. CC ID 01423 [The organization shall retain appropriate documented information as evidence of competence. § 7.2 ¶ 1 d)] | Establish/Maintain Documentation | Detective | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Behavior | Preventive | |
Conduct tests and evaluate training. CC ID 06672 [The organization shall where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and § 7.2 ¶ 1 c)] | Testing | Detective | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources Management | Preventive | |
Review the current published guidance and awareness and training programs. CC ID 01245 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Training | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Training | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Training | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Training | Detective | |
Develop or acquire content to update the training plans. CC ID 12867 | Training | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Training | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Establish/Maintain Documentation | Preventive | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources Management | Preventive | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Training | Preventive | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources Management | Preventive | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Training | Preventive | |
Include risk management in the training plan, as necessary. CC ID 13040 | Training | Preventive | |
Conduct Archives and Records Management training. CC ID 00975 | Behavior | Preventive | |
Conduct personal data processing training. CC ID 13757 | Training | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Training | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Establish/Maintain Documentation | Preventive | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Establish/Maintain Documentation | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Establish/Maintain Documentation | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Establish/Maintain Documentation | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources Management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Establish/Maintain Documentation | Preventive | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Establish/Maintain Documentation | Preventive | |
Conduct secure coding and development training for developers. CC ID 06822 | Behavior | Corrective | |
Conduct tampering prevention training. CC ID 11875 | Training | Preventive | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Training | Preventive | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Training | Preventive | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Training | Preventive | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Training | Preventive | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Training | Preventive | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Training | Preventive | |
Conduct crime prevention training. CC ID 06350 | Behavior | Preventive | |
Analyze and evaluate training records to improve the training program. CC ID 06380 | Monitor and Evaluate Occurrences | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
Establish, implement, and maintain communication protocols. CC ID 12245 [{internal communications protocol} The procedures shall establish an appropriate internal and external communications protocol, § 8.4.1 ¶ 3 a) The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 {procedures for receiving, documenting and responding to communication from interested parties} The organization shall establish, implement and maintain procedures for internal communication within the organization and receiving, documenting and responding to communication from interested parties, § 8.4.3 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Establish/Maintain Documentation | Preventive | |
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Process or Activity | Detective | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Establish/Maintain Documentation | Preventive | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Communicate | Preventive | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Communicate | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Process or Activity | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Communicate | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Communicate | Preventive | |
Route notifications, as necessary. CC ID 12832 | Process or Activity | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Process or Activity | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Business Processes | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Process or Activity | Preventive | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Actionable Reports or Measurements | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Communicate | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Process or Activity | Preventive | |
Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Process or Activity | Preventive | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [In establishing the context, the organization shall articulate its objectives, including those concerned with business continuity, § 4.1 ¶ 4 1) Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization. § 6.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Process or Activity | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 | Process or Activity | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Process or Activity | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Business Processes | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Business Processes | Preventive | |
Prioritize organizational objectives. CC ID 09960 | Business Processes | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Business Processes | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Communicate | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Establish/Maintain Documentation | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Establish/Maintain Documentation | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Establish/Maintain Documentation | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Establish/Maintain Documentation | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Establish/Maintain Documentation | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Establish/Maintain Documentation | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Establish/Maintain Documentation | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Establish/Maintain Documentation | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Communicate | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Communicate | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Establish/Maintain Documentation | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Business Processes | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Process or Activity | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Process or Activity | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Business Processes | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 [{legal requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to legal and regulatory requirements, § 9.3 ¶ 4 d) 4)] | Monitor and Evaluate Occurrences | Detective | |
Monitor for new Information Security solutions. CC ID 07078 | Monitor and Evaluate Occurrences | Detective | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 {national risk advisory system} The organization shall establish, implement and maintain procedures for receiving, documenting and responding to any national or regional risk advisory system or equivalent, § 8.4.3 ¶ 1 d)] | Technical Security | Detective | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Communicate | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Communicate | Corrective | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: § 9.3 ¶ 4 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Establish/Maintain Documentation | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Establish/Maintain Documentation | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Establish/Maintain Documentation | Preventive | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Communicate | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Communicate | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Establish/Maintain Documentation | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Establish/Maintain Documentation | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 | Business Processes | Detective | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Testing | Detective | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 | Establish/Maintain Documentation | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Communicate | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Communicate | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Establish/Maintain Documentation | Preventive | |
Correct errors and deficiencies in a timely manner. CC ID 13501 | Business Processes | Corrective | |
Include records management in the quality management system. CC ID 15055 | Establish/Maintain Documentation | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Establish/Maintain Documentation | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Establish/Maintain Documentation | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Establish/Maintain Documentation | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Establish/Maintain Documentation | Preventive | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Systems Design, Build, and Implementation | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Establish/Maintain Documentation | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Establish/Maintain Documentation | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Establish/Maintain Documentation | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Establish/Maintain Documentation | Preventive | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Business Processes | Detective | |
Include program testing standards in the Quality Management program. CC ID 01017 | Establish/Maintain Documentation | Preventive | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Business Processes | Detective | |
Include system testing standards in the Quality Management program. CC ID 01018 | Establish/Maintain Documentation | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 [{legal requirements} {regulatory requirements} {new legal, regulatory and other requirements} The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties. § 4.2.2 ¶ 3 {identified and controlled} Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled. § 7.5.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Establish/Maintain Documentation | Detective | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [The organization’s BCMS shall include - documented information required by this International Standard, and - documented information determined by the organization as being necessary for the effectiveness of the BCMS. § 7.5.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Communicate | Preventive | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Establish/Maintain Documentation | Preventive | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Establish/Maintain Documentation | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Establish/Maintain Documentation | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Establish/Maintain Documentation | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Establish/Maintain Documentation | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Establish/Maintain Documentation | Detective | |
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Establish Roles | Preventive | |
Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 [Top management shall assign the responsibility and authority for ensuring that the management system conforms to the requirements of this International Standard, and § 5.4 ¶ 2 a)] | Establish Roles | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Behavior | Preventive | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 [{legal requirements} {regulatory requirements} {new legal, regulatory and other requirements} The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties. § 4.2.2 ¶ 3] | Behavior | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 | Establish/Maintain Documentation | Preventive | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Establish/Maintain Documentation | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 [The business continuity objectives shall be consistent with the business continuity policy, § 6.2 ¶ 2 a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [Persons doing work under the organization’s control shall be aware of their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity management performance, § 7.3 ¶ 1 b)] | Business Processes | Preventive | |
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 | Behavior | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [{what needs to be measured} The organization shall determine what needs to be monitored and measured, § 9.1.1 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 | Monitor and Evaluate Occurrences | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitor and Evaluate Occurrences | Detective | |
Implement a fraud detection system. CC ID 13081 | Business Processes | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
Monitor for new vulnerabilities. CC ID 06843 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Testing | Preventive | |
Test compliance controls for proper functionality. CC ID 00660 | Testing | Detective | |
Establish, implement, and maintain a system security plan. CC ID 01922 | Testing | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
Create specific test plans to test each system component. CC ID 00661 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
Adhere to the system security plan. CC ID 11640 | Testing | Detective | |
Review the test plans for each system component. CC ID 00662 | Establish/Maintain Documentation | Preventive | |
Validate all testing assumptions in the test plans. CC ID 00663 | Testing | Detective | |
Document validated testing processes in the testing procedures. CC ID 06200 | Establish/Maintain Documentation | Preventive | |
Require testing procedures to be complete. CC ID 00664 | Testing | Detective | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Establish/Maintain Documentation | Preventive | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Testing | Preventive | |
Implement automated audit tools. CC ID 04882 | Acquisition/Sale of Assets or Services | Preventive | |
Assign senior management to approve test plans. CC ID 13071 | Human Resources Management | Preventive | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Testing | Detective | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{legal requirements} {business continuity objectives} The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives; and § 9.1.2 c) The organization shall determine when the monitoring and measuring shall be performed, and § 9.1.1 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Actionable Reports or Measurements | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Actionable Reports or Measurements | Detective | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Business Processes | Preventive | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Audits and Risk Management | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitor and Evaluate Occurrences | Detective | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [When nonconformity occurs, the organization shall identify the nonconformity, § 10.1 ¶ 1 a) The organization shall retain documented information as evidence of - the nature of the nonconformities and any subsequent actions taken, and - the results of any corrective action. § 10.1 ¶ 3 {do not occur} When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by evaluating the need for corrective action to ensure that nonconformities do not recur or occur elsewhere, § 10.1 ¶ 1 c) 4 The management review shall include consideration of information on the business continuity performance, including trends in nonconformities and corrective actions, § 9.3 ¶ 2 c) 1)] | Establish/Maintain Documentation | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
Determine the causes of compliance violations. CC ID 12401 [When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining the causes of the nonconformity, and § 10.1 ¶ 1 c) 2 {does not occur} When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by § 10.1 ¶ 1 c)] | Investigate | Corrective | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 [When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining if similar nonconformities exist, or could potentially occur, § 10.1 ¶ 1 c) 3] | Investigate | Detective | |
Correct compliance violations. CC ID 13515 | Process or Activity | Corrective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 [When nonconformity occurs, the organization shall review the effectiveness of any corrective action taken, § 10.1 ¶ 1 e) When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by reviewing the effectiveness of any corrective action taken and § 10.1 ¶ 1 c) 6] | Investigate | Detective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [When nonconformity occurs, the organization shall react to the nonconformity, and, as applicable, § 10.1 ¶ 1 b) {adverse results} Additionally, the organization shall — take action when necessary to address adverse trends or results before a nonconformity occurs, and — retain relevant documented information as evidence of the results. § 9.1.1 ¶ 4 {nonconformity} take action to control and correct it, and § 10.1 ¶ 1 b) 1) When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining and implementing corrective action needed, § 10.1 ¶ 1 c) 5] | Behavior | Corrective | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 [Corrective actions shall be appropriate to the effects of the nonconformities encountered. § 10.1 ¶ 2 When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining and implementing corrective action needed, § 10.1 ¶ 1 c) 5] | Human Resources Management | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Establish/Maintain Documentation | Preventive | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Actionable Reports or Measurements | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 The organization shall determine when the results from monitoring and measurement shall be analysed and evaluated. § 9.1.1 ¶ 1 d) The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5 The management review shall include consideration of information on the business continuity performance, including trends in monitoring and measurement evaluation results, and § 9.3 ¶ 2 c) 2)] | Establish/Maintain Documentation | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Actionable Reports or Measurements | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Actionable Reports or Measurements | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Actionable Reports or Measurements | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Establish/Maintain Documentation | Preventive | |
Convert data into standard units before reporting metrics. CC ID 15507 | Process or Activity | Corrective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: how the effectiveness of controls are measured. § 9.3 ¶ 4 e)] | Establish/Maintain Documentation | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Actionable Reports or Measurements | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Actionable Reports or Measurements | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Actionable Reports or Measurements | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Actionable Reports or Measurements | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Actionable Reports or Measurements | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Actionable Reports or Measurements | Detective | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Actionable Reports or Measurements | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Business Processes | Preventive | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Actionable Reports or Measurements | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Actionable Reports or Measurements | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Business Processes | Preventive | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Business Processes | Preventive | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Business Processes | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Actionable Reports or Measurements | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Business Processes | Preventive | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Actionable Reports or Measurements | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Business Processes | Preventive | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Log Management | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Log Management | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Log Management | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Log Management | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Business Processes | Preventive | |
Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before being granted network access. CC ID 02106 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Actionable Reports or Measurements | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Business Processes | Preventive | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Business Processes | Preventive | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Actionable Reports or Measurements | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Actionable Reports or Measurements | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Business Processes | Preventive | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Technical Security | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Actionable Reports or Measurements | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Business Processes | Preventive | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Actionable Reports or Measurements | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Actionable Reports or Measurements | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Business Processes | Preventive | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Actionable Reports or Measurements | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Actionable Reports or Measurements | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Business Processes | Preventive | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Actionable Reports or Measurements | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Actionable Reports or Measurements | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Actionable Reports or Measurements | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Actionable Reports or Measurements | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Actionable Reports or Measurements | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Actionable Reports or Measurements | Detective | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Establish/Maintain Documentation | Preventive | |
Deploy log normalization tools, as necessary. CC ID 12141 | Technical Security | Preventive | |
Restrict access to logs to authorized individuals. CC ID 01342 | Log Management | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Technical Security | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Log Management | Preventive | |
Back up audit trails according to backup procedures. CC ID 11642 | Systems Continuity | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Log Management | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Log Management | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Log Management | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Log Management | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 | Log Management | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Log Management | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Log Management | Preventive | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Configuration | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Log Management | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 | Monitor and Evaluate Occurrences | Detective | |
Include monitoring in the corrective action plan. CC ID 11645 [The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Monitor and Evaluate Occurrences | Detective | |
Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis. CC ID 12330 [The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4] | Monitor and Evaluate Occurrences | Preventive | |
Protect against misusing automated audit tools. CC ID 04547 | Technical Security | Preventive | |
Evaluate the measurement process used for metrics. CC ID 06920 [{what needs to be measured} The organization shall determine what needs to be monitored and measured, § 9.1.1 ¶ 1 a) The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5] | Testing | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 [Top management shall establish a business continuity policy that is appropriate to the purpose of the organization, § 5.3 ¶ 1 a) Top management shall establish a business continuity policy that provides a framework for setting business continuity objectives, § 5.3 ¶ 1 b) {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of this International Standard. § 4.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish and maintain the scope of the continuity framework. CC ID 11908 [The organization shall determine the boundaries and applicability of the BCMS to establish its scope. § 4.3.1 ¶ 1 The organization shall define the scope of the BCMS in terms of and appropriate to the size, nature and complexity of the organization. § 4.3.2 ¶ 1 e) {external issues} The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS. § 4.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Systems Continuity | Detective | |
Include network security in the scope of the continuity framework. CC ID 16327 | Establish/Maintain Documentation | Preventive | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 [When defining the scope, the organization shall document and explain exclusions; any such exclusions shall not affect the organization’s ability and responsibility to provide continuity of business and operations that meet the BCMS requirements, as determined by business impact analysis or risk assessment and applicable legal or regulatory requirements. § 4.3.2 ¶ 2 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: variations to the scope of the BCMS; § 9.3 ¶ 4 a)] | Establish/Maintain Documentation | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Records Management | Preventive | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 [The organization shall identify products and services and all related activities within the scope of the BCMS, § 4.3.2 ¶ 1 c) The business continuity objectives shall take account of the minimum level of products and services that is acceptable to the organization to achieve its objectives, § 6.2 ¶ 2 b)] | Establish/Maintain Documentation | Preventive | |
Include business units in the scope of the continuity framework. CC ID 11898 [The organization shall identify and document the following: links between the business continuity policy and the organization’s objectives and other policies, including its overall risk management strategy; and § 4.1 ¶ 3 b) The organization shall establish the parts of the organization to be included in the BCMS, § 4.3.2 ¶ 1 a) {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Establish/Maintain Documentation | Preventive | |
Include information security continuity in the scope of the continuity framework. CC ID 12009 [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Systems Continuity | Preventive | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Systems Continuity | Preventive | |
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 [{internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including with whom to communicate. § 7.4 ¶ 1 c) The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 [The organization shall ensure that these applicable legal, regulatory and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its BCMS. § 4.2.2 ¶ 2 When establishing its BCMS, the organization shall determine the requirements of these interested parties § 4.2.1 ¶ 1 b) The business continuity objectives shall take into account applicable requirements, and § 6.2 ¶ 2 d) {legal requirements} The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of relevant interested parties. § 4.2.2 ¶ 1 Top management shall establish a business continuity policy that includes a commitment to satisfy applicable requirements, § 5.3 ¶ 1 c) The organization shall determine an appropriate business continuity strategy for mitigating, responding to and managing impacts. § 8.3.1 ¶ 2 c) {internal obligations} The organization shall establish BCMS requirements, considering the organization's mission, goals, internal and external obligations, and legal and regulatory responsibilities, § 4.3.2 ¶ 1 b) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Establish/Maintain Documentation | Preventive | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Establish/Maintain Documentation | Preventive | |
Include Quality Management in the continuity framework. CC ID 12239 [Top management shall establish a business continuity policy that includes a commitment to continual improvement of the BCMS. § 5.3 ¶ 1 d)] | Establish/Maintain Documentation | Preventive | |
Establish and maintain a system continuity plan philosophy. CC ID 00734 [The procedures shall be developed based on stated assumptions and an analysis of interdependencies, and § 8.4.1 ¶ 3 e)] | Establish/Maintain Documentation | Preventive | |
Define the executive vision of the continuity planning process. CC ID 01243 | Establish/Maintain Documentation | Preventive | |
Include a pandemic plan in the continuity plan. CC ID 06800 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [{BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Establish Roles | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [{processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)] | Systems Continuity | Preventive | |
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 [The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident. § 8.4.5 ¶ 1 The business continuity plans shall collectively contain a process for standing down once the incident is over. § 8.4.4 ¶ 2 g)] | Establish/Maintain Documentation | Preventive | |
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Systems Continuity | Corrective | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Communicate | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 | Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS. § 10.2 ¶ 1 {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 The procedures shall focus on the impact of events that could potentially disrupt operations, § 8.4.1 ¶ 3 d) The procedures shall be developed based on stated assumptions and an analysis of interdependencies, and § 8.4.1 ¶ 3 e) The organization shall conduct exercises and tests that are reviewed within the context of promoting continual improvement, and § 8.5 ¶ 2 f) When nonconformity occurs, the organization shall make changes to the business continuity management system, if necessary. § 10.1 ¶ 1 f) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3 {business continuity procedure} The organization shall conduct evaluations at planned intervals and when significant changes occur. § 9.1.2 d) The organization shall evaluate the BCMS performance and the effectiveness of the BCMS. § 9.1.1 ¶ 3 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: § 9.3 ¶ 4 {periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b) {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3 The management review shall include consideration of information on the business continuity performance, including trends in audit results, § 9.3 ¶ 2 c) 3) Top management shall review the organization’s BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1 {update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c) {outputs of the management review} modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to § 9.3 ¶ 4 d)] | Establish/Maintain Documentation | Preventive | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Establish/Maintain Documentation | Preventive | |
Report changes in the continuity plan to senior management. CC ID 12757 | Communicate | Corrective | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [The response structure shall activate an appropriate business continuity response, § 8.4.2 ¶ 2 c) The business continuity plans shall collectively contain a process for activating the response, § 8.4.4 ¶ 2 b) {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3 {processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)] | Systems Continuity | Corrective | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Communicate | Preventive | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Systems Continuity | Preventive | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Systems Continuity | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS. § 7.1 ¶ 1] | Human Resources Management | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Establish/Maintain Documentation | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Establish/Maintain Documentation | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Human Resources Management | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Systems Continuity | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Configuration | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Behavior | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Establish/Maintain Documentation | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Systems Continuity | Corrective | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Establish/Maintain Documentation | Preventive | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 The organization shall - communicate the results of management review to relevant interested parties, and - take appropriate action relating to those results. § 9.3 ¶ 6 When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by making changes to the BCMS, if necessary. § 10.1 ¶ 1 c) 7 [post-incident review results] When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results. § 9.1.2 ¶ 1 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: improvement of the effectiveness of the BCMS; § 9.3 ¶ 4 b) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Technical Security | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Process or Activity | Preventive | |
Monitor and evaluate business continuity management system performance. CC ID 12410 [The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Monitor and Evaluate Occurrences | Detective | |
Record business continuity management system performance for posterity. CC ID 12411 [The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5] | Monitor and Evaluate Occurrences | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Process or Activity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Establish/Maintain Documentation | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Establish/Maintain Documentation | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Establish/Maintain Documentation | Preventive | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Establish Roles | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Communicate | Preventive | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Establish/Maintain Documentation | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Configuration | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Configuration | Preventive | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Acquisition/Sale of Assets or Services | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [In establishing the context, the organization shall define the purpose of the BCMS. § 4.1 ¶ 4 4) The scope shall be available as documented information. § 4.3.1 ¶ 3 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Establish/Maintain Documentation | Preventive | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Systems Continuity | Preventive | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Testing | Detective | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 [The response structure shall assess the nature and extent of a disruptive incident and its potential impact, § 8.4.2 ¶ 2 b) [post-incident review results] When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results. § 9.1.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Communicate | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Establish/Maintain Documentation | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
Test the recovery plan, as necessary. CC ID 13290 | Testing | Detective | |
Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Communicate | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [The business continuity procedures shall be effective in minimizing consequences through implementation of appropriate mitigation strategies. § 8.4.1 ¶ 3 f)] | Establish Roles | Preventive | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [The organization shall determine an appropriate business continuity strategy for stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources, and § 8.3.1 ¶ 2 b) The business continuity plans shall collectively contain how the organization will continue or recover its prioritized activities within predetermined timeframes, § 8.4.4 ¶ 2 e)] | Establish/Maintain Documentation | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Communicate | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Systems Continuity | Preventive | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Systems Continuity | Preventive | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Systems Continuity | Preventive | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Systems Continuity | Corrective | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [The organization shall determine an appropriate business continuity strategy for protecting prioritized activities, § 8.3.1 ¶ 2 a) The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to prevention of further loss or unavailability of prioritized activities; § 8.4.4 ¶ 2 c) 3)] | Establish/Maintain Documentation | Detective | |
Review and prioritize the importance of each business unit. CC ID 01165 | Systems Continuity | Preventive | |
Review and prioritize the importance of each business process. CC ID 11689 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Document the mean time to failure for system components. CC ID 10684 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1] | Systems Continuity | Preventive | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 [The business continuity objectives shall be monitored and updated as appropriate. § 6.2 ¶ 2 e)] | Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [The business impact analysis shall include the following: setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and § 8.2.2 ¶ 2 c) The determination of strategy shall include approving prioritized time frames for the resumption of activities. § 8.3.1 ¶ 3 {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 {incident response procedure} The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. § 8.4.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Process or Activity | Corrective | |
Include the protection of personnel in the continuity plan. CC ID 06378 [The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to the welfare of individuals, § 8.4.4 ¶ 2 c) 1)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical personnel list. CC ID 00739 [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Establish/Maintain Documentation | Detective | |
Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Human Resources Management | Preventive | |
Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [When establishing its BCMS, the organization shall determine the interested parties that are relevant to the BCMS, and § 4.2.1 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Behavior | Preventive | |
Establish, implement, and maintain a critical resource list. CC ID 00740 [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to resource needs, § 9.3 ¶ 4 d) 7] | Establish/Maintain Documentation | Detective | |
Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 [The response structure shall have resources available to support the processes and procedures to manage a disruptive incident in order to minimize impact, and § 8.4.2 ¶ 2 e)] | Establish/Maintain Documentation | Preventive | |
Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 [{procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Physical and Environmental Protection | Corrective | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 The organization shall establish, implement and maintain procedures for assuring availability of the means of communication during a disruptive incident, § 8.4.3 ¶ 1 e) {significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3 The business continuity plans shall collectively contain details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties and emergency contacts, § 8.4.4 ¶ 2 d) {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 [The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 The organization shall establish, implement and maintain procedures for facilitating structured communication with emergency responders, § 8.4.3 ¶ 1 f) {procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)] | Establish/Maintain Documentation | Preventive | |
Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Systems Continuity | Preventive | |
Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Establish/Maintain Documentation | Preventive | |
Log important conversations conducted during emergencies with third parties. CC ID 12763 | Log Management | Preventive | |
Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Communicate | Preventive | |
Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Communicate | Corrective | |
Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1] | Testing | Detective | |
Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 | Acquisition/Sale of Assets or Services | Preventive | |
Minimize system continuity requirements. CC ID 00753 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization. § 6.2 ¶ 1 {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including on what it will communicate, § 7.4 ¶ 1 a) {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including when to communicate, § 7.4 ¶ 1 b) The organization shall - communicate the results of management review to relevant interested parties, and - take appropriate action relating to those results. § 9.3 ¶ 6 {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including § 7.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 | Establish/Maintain Documentation | Preventive | |
Train personnel on the continuity plan. CC ID 00759 [The organization shall conduct exercises and tests that taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties, § 8.5 ¶ 2 c)] | Behavior | Preventive | |
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 | Behavior | Preventive | |
Incorporate simulated events into the continuity plan training. CC ID 01402 | Behavior | Preventive | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Training | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Training | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Training | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Training | Preventive | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Testing | Preventive | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 [The organization shall conduct exercises and tests that are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates. § 8.5 ¶ 2 g)] | Establish/Maintain Documentation | Preventive | |
Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuity test plan. CC ID 14876 | Establish/Maintain Documentation | Preventive | |
Include test scripts in the continuity test plan. CC ID 14875 | Establish/Maintain Documentation | Preventive | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Establish/Maintain Documentation | Preventive | |
Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Establish/Maintain Documentation | Preventive | |
Include contact information in the continuity test plan. CC ID 14399 | Establish/Maintain Documentation | Preventive | |
Include testing all system components in the continuity test plan. CC ID 13508 | Establish/Maintain Documentation | Preventive | |
Include test scenarios in the continuity test plan. CC ID 13506 | Establish/Maintain Documentation | Preventive | |
Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 | Establish/Maintain Documentation | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives. § 8.5 ¶ 1 The organization shall conduct exercises and tests that are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates. § 8.5 ¶ 2 g) The business continuity objectives shall be measurable, § 6.2 ¶ 2 c) The organization shall conduct exercises and tests that produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements, § 8.5 ¶ 2 e) The organization shall conduct exercises and tests that are consistent with the scope and objectives of the BCMS, § 8.5 ¶ 2 a) {business continuity capabilities} The organization shall conduct evaluations of its business continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness; § 9.1.2 a) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3 {communication procedures} The communication and warning procedures shall be regularly exercised. § 8.4.3 ¶ 2 {periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)] | Testing | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Testing | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Testing | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Testing | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Testing | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Testing | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [The organization shall conduct exercises and tests that are based on appropriate scenarios that are well planned with clearly defined aims and objectives, § 8.5 ¶ 2 b) The organization shall conduct exercises and tests that minimize the risk of disruption of operations, § 8.5 ¶ 2 d)] | Testing | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Testing | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Testing | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 | Testing | Detective | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Establish/Maintain Documentation | Preventive | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [The organization shall conduct exercises and tests that taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties, § 8.5 ¶ 2 c)] | Testing | Preventive | |
Review all third party's continuity plan test results. CC ID 01365 [The organization shall conduct evaluations of the business continuity capabilities of suppliers. § 8.3.1 ¶ 4] | Testing | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Testing | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [The organization shall conduct exercises and tests that produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements, § 8.5 ¶ 2 e) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Actionable Reports or Measurements | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Systems Continuity | Preventive | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Testing | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Testing | Detective | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 [Persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS. § 5.1 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3] | Business Processes | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Establish/Maintain Documentation | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 [The organization shall determine the resource requirements to implement the selected strategies. The types of resources considered shall include but not be limited to § 8.3.2 ¶ 1 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Business Processes | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Establish Roles | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [The management review shall include consideration of opportunities for continual improvement. § 9.3 ¶ 2 d) {changes to operational processes} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to operational conditions and processes, § 9.3 ¶ 4 d) 3)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Persons doing work under the organization’s control shall be aware of the business continuity policy, § 7.3 ¶ 1 a)] | Communicate | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Establish/Maintain Documentation | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Establish/Maintain Documentation | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [Persons doing work under the organization’s control shall be aware of the implications of not conforming with the BCMS requirements, and § 7.3 ¶ 1 c) When nonconformity occurs, the organization shall deal with the consequences. § 10.1 ¶ 1 b) 2] | Process or Activity | Corrective | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 [The organization shall establish, implement and maintain procedures for detecting an incident, § 8.4.3 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive | |
Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)] | Establish/Maintain Documentation | Preventive | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 | Monitor and Evaluate Occurrences | Corrective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
Identify root causes of incidents that force system changes. CC ID 13482 | Investigate | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 | Monitor and Evaluate Occurrences | Detective | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 [{procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)] | Establish/Maintain Documentation | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Behavior | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Process or Activity | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 | Process or Activity | Corrective | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
Refrain from accessing compromised systems. CC ID 01752 | Technical Security | Corrective | |
Isolate compromised systems from the network. CC ID 01753 | Technical Security | Corrective | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Log Management | Corrective | |
Change authenticators after a security incident has been detected. CC ID 06789 | Technical Security | Corrective | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Investigate | Detective | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Establish/Maintain Documentation | Preventive | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Establish/Maintain Documentation | Detective | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Establish/Maintain Documentation | Detective | |
Assess all incidents to determine what information was accessed. CC ID 01226 | Testing | Corrective | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Monitor and Evaluate Occurrences | Corrective | |
Analyze the incident response process following an incident response. CC ID 13179 | Investigate | Detective | |
Share incident information with interested personnel and affected parties. CC ID 01212 [The response structure shall communicate with interested parties and authorities, as well as the media. § 8.4.2 ¶ 2 f) {procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)] | Data and Information Management | Corrective | |
Share data loss event information with the media. CC ID 01759 [The response structure shall communicate with interested parties and authorities, as well as the media. § 8.4.2 ¶ 2 f) The business continuity plans shall collectively contain details of the organization’s media response following an incident, including a communications strategy, § 8.4.4 ¶ 2 f) 1) The business continuity plans shall collectively contain details of the organization’s media response following an incident, including preferred interface with the media, § 8.4.4 ¶ 2 f) 2) The business continuity plans shall collectively contain details of the organization’s media response following an incident, including guideline or template for drafting a statement for the media, and § 8.4.4 ¶ 2 f) 3) The business continuity plans shall collectively contain details of the organization's media response following an incident, including § 8.4.4 ¶ 2 f)] | Behavior | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
Remediate security violations according to organizational standards. CC ID 12338 | Business Processes | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Behavior | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
Include information required by law in incident response notifications. CC ID 00802 | Establish/Maintain Documentation | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Establish/Maintain Documentation | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Establish/Maintain Documentation | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
Include response times in the containment strategy. CC ID 13485 | Establish/Maintain Documentation | Preventive | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 [The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis. § 8.4.1 ¶ 1] | Establish/Maintain Documentation | Corrective | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Technical Security | Corrective | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Business Processes | Corrective | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Establish/Maintain Documentation | Preventive | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Human Resources Management | Corrective | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Establish/Maintain Documentation | Preventive | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Monitor and Evaluate Occurrences | Detective | |
Re-image compromised systems with secure builds. CC ID 12086 | Technical Security | Corrective | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Establish/Maintain Documentation | Preventive | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Monitor and Evaluate Occurrences | Preventive | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Investigate | Preventive | |
Update the incident response procedures using the lessons learned. CC ID 01233 [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b) {update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)] | Establish/Maintain Documentation | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [The organization shall establish, implement and maintain procedures for regular monitoring of an incident, § 8.4.3 ¶ 1 b)] | Establish/Maintain Documentation | Preventive | |
Include incident response procedures in the Incident Management program. CC ID 01218 [The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to § 8.4.4 ¶ 2 c) The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to strategic, tactical and operational options for responding to the disruption, and § 8.4.4 ¶ 2 c) 2)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 | Records Management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 | Establish/Maintain Documentation | Preventive | |
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)] | Log Management | Corrective | |
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a) The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)] | Log Management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a) {incident response procedure} The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. § 8.4.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Create an incident response report following an incident response. CC ID 12700 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions taken in the incident response report. CC ID 16810 | Establish/Maintain Documentation | Preventive | |
Include the persons responsible for the incident in the incident response report. CC ID 16808 | Establish/Maintain Documentation | Preventive | |
Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Establish/Maintain Documentation | Preventive | |
Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Establish/Maintain Documentation | Preventive | |
Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Establish/Maintain Documentation | Preventive | |
Include investments associated with the incident in the incident response report. CC ID 12726 | Establish/Maintain Documentation | Preventive | |
Include costs associated with the incident in the incident response report. CC ID 12725 | Establish/Maintain Documentation | Preventive | |
Include losses due to the incident in the incident response report. CC ID 12724 | Establish/Maintain Documentation | Preventive | |
Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Establish/Maintain Documentation | Preventive | |
Include foregone revenue from the incident in the incident response report. CC ID 12723 | Establish/Maintain Documentation | Preventive | |
Include the magnitude of the incident in the incident response report. CC ID 12722 | Establish/Maintain Documentation | Preventive | |
Include implications of the incident in the incident response report. CC ID 12721 | Establish/Maintain Documentation | Preventive | |
Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Establish/Maintain Documentation | Preventive | |
Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Establish/Maintain Documentation | Preventive | |
Include information on all affected assets in the incident response report. CC ID 12718 | Establish/Maintain Documentation | Preventive | |
Include the scope of the incident in the incident response report. CC ID 12717 | Establish/Maintain Documentation | Preventive | |
Include the duration of the incident in the incident response report. CC ID 12716 | Establish/Maintain Documentation | Preventive | |
Include the extent of the incident in the incident response report. CC ID 12715 | Establish/Maintain Documentation | Preventive | |
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 | Establish/Maintain Documentation | Preventive | |
Include the reasons the incident occurred in the incident response report. CC ID 12711 | Establish/Maintain Documentation | Preventive | |
Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Establish/Maintain Documentation | Preventive | |
Include lessons learned from the incident in the incident response report. CC ID 12713 | Establish/Maintain Documentation | Preventive | |
Include where the incident occurred in the incident response report. CC ID 12710 | Establish/Maintain Documentation | Preventive | |
Include when the incident occurred in the incident response report. CC ID 12709 | Establish/Maintain Documentation | Preventive | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 | Establish/Maintain Documentation | Preventive | |
Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Establish/Maintain Documentation | Preventive | |
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Establish/Maintain Documentation | Preventive | |
Include an executive summary of the incident in the incident response report. CC ID 12702 | Establish/Maintain Documentation | Preventive | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 | Establish/Maintain Documentation | Preventive | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Communicate | Preventive | |
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 | Acquisition/Sale of Assets or Services | Preventive | |
Define target resolution times for incident response in the Incident Response program. CC ID 13072 | Establish/Maintain Documentation | Preventive | |
Analyze and respond to security alerts. CC ID 12504 | Business Processes | Detective | |
Mitigate reported incidents. CC ID 12973 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 | Establish/Maintain Documentation | Preventive | |
Include addressing external communications in the incident response plan. CC ID 13351 | Establish/Maintain Documentation | Preventive | |
Include addressing internal communications in the incident response plan. CC ID 13350 | Establish/Maintain Documentation | Preventive | |
Include change control procedures in the incident response plan. CC ID 15479 | Establish/Maintain Documentation | Preventive | |
Include addressing information sharing in the incident response plan. CC ID 13349 | Establish/Maintain Documentation | Preventive | |
Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Establish/Maintain Documentation | Preventive | |
Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Establish/Maintain Documentation | Preventive | |
Include the management support needed for incident response in the incident response plan. CC ID 14300 | Establish/Maintain Documentation | Preventive | |
Include root cause analysis in the incident response plan. CC ID 16423 | Establish/Maintain Documentation | Preventive | |
Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Establish/Maintain Documentation | Preventive | |
Include the resources needed for incident response in the incident response plan. CC ID 14292 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 | Communicate | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 [The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident. § 8.4.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [The business continuity plans shall collectively contain defined roles and responsibilities for people and teams having authority during and following an incident, § 8.4.4 ¶ 2 a) The business continuity plans shall collectively contain defined roles and responsibilities for people and teams having authority during and following an incident, § 8.4.4 ¶ 2 a) {incident response procedure} The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. § 8.4.4 ¶ 1] | Establish Roles | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Establish Roles | Preventive | |
Open a priority incident request after a security breach is detected. CC ID 04838 | Testing | Corrective | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Testing | Corrective | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Communicate | Corrective | |
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Establish Roles | Preventive | |
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Establish Roles | Preventive | |
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Establish Roles | Preventive | |
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Establish Roles | Preventive | |
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Establish Roles | Preventive | |
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Establish Roles | Preventive | |
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Establish Roles | Preventive | |
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 [The business continuity plans shall collectively contain details of the organization’s media response following an incident, including appropriate spokespeople; § 8.4.4 ¶ 2 f) 4] | Establish Roles | Preventive | |
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Establish Roles | Preventive | |
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Human Resources Management | Preventive | |
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Investigate | Detective | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Establish/Maintain Documentation | Preventive | |
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Communicate | Preventive | |
Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 | Establish/Maintain Documentation | Preventive | |
Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a) The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a) The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a) The organization shall take into account interested parties’ needs and interests, such as customers, investors, shareholders, the supply chain, public and/or community input and needs, expectations and interests (as appropriate), and § 4.3.2 ¶ 1 d) The organization shall take into account interested parties’ needs and interests, such as customers, investors, shareholders, the supply chain, public and/or community input and needs, expectations and interests (as appropriate), and § 4.3.2 ¶ 1 d)] | Establish/Maintain Documentation | Preventive | |
Include identifying remediation actions in the incident response plan. CC ID 13354 | Establish/Maintain Documentation | Preventive | |
Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 | Establish/Maintain Documentation | Preventive | |
Include coverage of all system components in the Incident Response program. CC ID 11955 | Establish/Maintain Documentation | Preventive | |
Prepare for incident response notifications. CC ID 00584 | Establish/Maintain Documentation | Preventive | |
Include incident response team services in the Incident Response program. CC ID 11766 [The business continuity plans shall collectively contain defined roles and responsibilities for people and teams having authority during and following an incident, § 8.4.4 ¶ 2 a) The business continuity plans shall collectively contain defined roles and responsibilities for people and teams having authority during and following an incident, § 8.4.4 ¶ 2 a)] | Establish/Maintain Documentation | Preventive | |
Include the incident response training program in the Incident Response program. CC ID 06750 | Establish/Maintain Documentation | Preventive | |
Incorporate simulated events into the incident response training program. CC ID 06751 | Behavior | Preventive | |
Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 | Behavior | Preventive | |
Conduct incident response training. CC ID 11889 | Training | Preventive | |
Establish, implement, and maintain an incident response policy. CC ID 14024 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the incident response policy. CC ID 14108 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the incident response policy. CC ID 14107 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the incident response policy. CC ID 14106 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the incident response policy. CC ID 14105 | Establish/Maintain Documentation | Preventive | |
Include the scope in the incident response policy. CC ID 14104 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the incident response policy. CC ID 14101 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 | Communicate | Preventive | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident. § 8.4.1 ¶ 2 The procedures shall be specific regarding the immediate steps that are to be taken during a disruption, § 8.4.1 ¶ 3 b) The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident. § 8.4.2 ¶ 1 {processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Establish/Maintain Documentation | Detective | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Establish/Maintain Documentation | Preventive | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 [{internal conditions} The procedures shall be flexible to respond to unanticipated threats and changing internal and external conditions, § 8.4.1 ¶ 3 c)] | Establish/Maintain Documentation | Preventive | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Technical Security | Corrective | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Technical Security | Corrective | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Technical Security | Corrective | |
Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 | Behavior | Preventive | |
Include business continuity procedures in the Incident Response program. CC ID 06433 [The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis. § 8.4.1 ¶ 1 {internal conditions} The procedures shall be flexible to respond to unanticipated threats and changing internal and external conditions, § 8.4.1 ¶ 3 c)] | Establish/Maintain Documentation | Preventive | |
Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 | Establish/Maintain Documentation | Preventive | |
Include consumer protection procedures in the Incident Response program. CC ID 12755 | Systems Continuity | Preventive | |
Include the reimbursement of customers for financial losses due to incidents in the Incident Response program. CC ID 12756 | Business Processes | Preventive | |
Establish trust between the incident response team and the end user community during an incident. CC ID 01217 | Testing | Detective | |
Include business recovery procedures in the Incident Response program. CC ID 11774 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Establish/Maintain Documentation | Preventive | |
Retain collected evidence for potential future legal actions. CC ID 01235 | Records Management | Preventive | |
Protect devices containing digital forensic evidence during transport. CC ID 08687 | Investigate | Detective | |
Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 | Investigate | Detective | |
Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 | Establish/Maintain Documentation | Detective | |
Define the business scenarios that require digital forensic evidence. CC ID 08653 | Establish/Maintain Documentation | Preventive | |
Define the circumstances for collecting digital forensic evidence. CC ID 08657 | Establish/Maintain Documentation | Preventive | |
Conduct forensic investigations in the event of a security compromise. CC ID 11951 | Investigate | Corrective | |
Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 | Communicate | Detective | |
Identify potential sources of digital forensic evidence. CC ID 08651 | Investigate | Preventive | |
Document the legal requirements for evidence collection. CC ID 08654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 | Records Management | Preventive | |
Prepare digital forensic equipment. CC ID 08688 | Investigate | Detective | |
Use digital forensic equipment suitable to the circumstances. CC ID 08690 | Investigate | Detective | |
Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 | Investigate | Detective | |
Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 | Establish/Maintain Documentation | Detective | |
Test the operation of the digital forensic equipment prior to use. CC ID 08694 | Testing | Detective | |
Maintain digital forensic equipment for proper performance. CC ID 08689 | Investigate | Detective | |
Collect evidence from the incident scene. CC ID 02236 | Business Processes | Corrective | |
Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 | Establish/Maintain Documentation | Detective | |
Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 | Establish/Maintain Documentation | Detective | |
Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 | Establish/Maintain Documentation | Detective | |
Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 | Establish/Maintain Documentation | Detective | |
Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 | Establish/Maintain Documentation | Detective | |
Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 | Investigate | Detective | |
Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 | Investigate | Detective | |
Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 | Investigate | Detective | |
Secure devices containing digital forensic evidence. CC ID 08681 | Investigate | Detective | |
Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 | Investigate | Detective | |
Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 | Investigate | Detective | |
Create a system image of the device before collecting digital forensic evidence. CC ID 08673 | Investigate | Detective | |
Shut down stand alone devices containing digital forensic evidence. CC ID 08682 | Investigate | Detective | |
Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 | Investigate | Detective | |
Place evidence tape over devices containing digital forensic evidence. CC ID 08683 | Investigate | Detective | |
Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 [{processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)] | Actionable Reports or Measurements | Preventive | |
Test the incident response procedures. CC ID 01216 | Testing | Detective | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a performance management standard. CC ID 01615 [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 | Business Processes | Preventive | |
Use proactive performance management. CC ID 00937 | Business Processes | Detective | |
Utilize resource availability management controls. CC ID 00940 | Business Processes | Detective | |
Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 | Establish/Maintain Documentation | Preventive | |
Follow the maintenance schedule. CC ID 11791 | Maintenance | Preventive | |
Establish, implement, and maintain rate limiting filters. CC ID 06883 | Business Processes | Preventive | |
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 [{methods for measurement} {methods for analysis} {methods for evaluation} The organization shall determine the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results, § 9.1.1 ¶ 1 b) {methods for measurement} {methods for analysis} {methods for evaluation} The organization shall determine the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results, § 9.1.1 ¶ 1 b) {methods for measurement} {methods for analysis} {methods for evaluation} The organization shall determine the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results, § 9.1.1 ¶ 1 b) {methods for measurement} {methods for analysis} {methods for evaluation} The organization shall determine the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results, § 9.1.1 ¶ 1 b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cost management procedures. CC ID 00873 [{funding requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to funding and budget requirements; and § 9.3 ¶ 4 d) 8)] | Business Processes | Detective | |
Update the business cases for cost management procedures, as necessary. CC ID 13642 | Business Processes | Preventive | |
Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 | Investigate | Detective | |
Identify deviations in cost management procedures. CC ID 13640 | Investigate | Detective | |
Identify and allocate departmental costs. CC ID 00871 | Business Processes | Detective | |
Prepare an Information Technology budget, as necessary. CC ID 00872 [{funding requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to funding and budget requirements; and § 9.3 ¶ 4 d) 8)] | Establish/Maintain Documentation | Detective | |
Review and approve the Information Technology budget. CC ID 13644 | Business Processes | Corrective | |
Update the Information Technology budget, as necessary. CC ID 13643 | Business Processes | Corrective | |
Establish, implement, and maintain a change control program. CC ID 00886 [{business requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to business and operational requirements, § 9.3 ¶ 4 d) 1) {changes to security requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to risk reduction and security requirements, § 9.3 ¶ 4 d) 2) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include version control in the change control program. CC ID 13119 | Establish/Maintain Documentation | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Establish/Maintain Documentation | Preventive | |
Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Maintenance | Preventive | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Technical Security | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Establish/Maintain Documentation | Preventive | |
Approve back-out plans, as necessary. CC ID 13627 | Establish/Maintain Documentation | Corrective | |
Manage change requests. CC ID 00887 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2 The management review shall include consideration of changes in external and internal issues that are relevant to the business continuity management system, § 9.3 ¶ 2 b)] | Business Processes | Preventive | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 | Establish/Maintain Documentation | Preventive | |
Document all change requests in change request forms. CC ID 06794 | Establish/Maintain Documentation | Preventive | |
Test proposed changes prior to their approval. CC ID 00548 | Testing | Detective | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Business Processes | Detective | |
Approve tested change requests. CC ID 11783 | Data and Information Management | Preventive | |
Validate the system before implementing approved changes. CC ID 01510 | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Behavior | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Establish/Maintain Documentation | Preventive | |
Perform emergency changes, as necessary. CC ID 12707 | Process or Activity | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Process or Activity | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments prior to approving change requests. CC ID 00888 | Testing | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Process or Activity | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Investigate | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Investigate | Detective | |
Implement changes according to the change control program. CC ID 11776 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Business Processes | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Process or Activity | Preventive | |
Document the sources of all software updates. CC ID 13316 | Establish/Maintain Documentation | Preventive | |
Implement patch management software, as necessary. CC ID 12094 | Technical Security | Preventive | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Technical Security | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch log. CC ID 01642 | Establish/Maintain Documentation | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Technical Security | Detective | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Testing | Detective | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Business Processes | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Configuration | Corrective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Testing | Detective | |
Patch software. CC ID 11825 | Technical Security | Corrective | |
Patch the operating system, as necessary. CC ID 11824 | Technical Security | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Configuration | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Configuration | Corrective | |
Update computer firmware, as necessary. CC ID 11755 | Configuration | Corrective | |
Review changes to computer firmware. CC ID 12226 | Testing | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Testing | Detective | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Configuration | Corrective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Technical Security | Detective | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Behavior | Preventive | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Data and Information Management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Business Processes | Corrective | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Establish/Maintain Documentation | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Testing | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Testing | Detective | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Establish/Maintain Documentation | Corrective | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Configuration | Detective | |
Document approved configuration deviations. CC ID 08711 | Establish/Maintain Documentation | Corrective | |
Document the organization's local environments. CC ID 06726 [When determining this scope, the organization shall consider — the external and internal issues referred to in 4.1, and — the requirements referred to in 4.2. § 4.3.1 ¶ 2 When planning for the BCMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to - ensure the management system can achieve its intended outcome(s), - prevent, or reduce, undesired effects, - achieve continual improvement. § 6.1 ¶ 1 evaluate the effectiveness of these actions (see 9.1). § 6.1 ¶ 2 b) 2) To achieve its business continuity objectives, the organization shall determine — who will be responsible, — what will be done, — what resources will be required, — when it will be completed, and — how the results will be evaluated. § 6.2 ¶ 4 These issues shall be taken into account when establishing, implementing and maintaining the organization's BCMS. § 4.1 ¶ 2 buildings, work environment and associated utilities, § 8.3.2 ¶ 1 c) facilities, equipment and consumables, § 8.3.2 ¶ 1 d) information and communication technology (ICT) systems, § 8.3.2 ¶ 1 e) transportation, § 8.3.2 ¶ 1 f) people, § 8.3.2 ¶ 1 a) information and data, § 8.3.2 ¶ 1 b) finance, and § 8.3.2 ¶ 1 g) partners and suppliers. § 8.3.2 ¶ 1 h)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain local environment security profiles. CC ID 07037 | Establish/Maintain Documentation | Preventive | |
Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Establish/Maintain Documentation | Preventive | |
Include security requirements in the local environment security profile. CC ID 15717 | Establish/Maintain Documentation | Preventive | |
Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Establish/Maintain Documentation | Preventive | |
Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Establish/Maintain Documentation | Preventive | |
Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Establish/Maintain Documentation | Preventive | |
Include facility information for the local environment in the local environment security profile. CC ID 07042 | Establish/Maintain Documentation | Preventive | |
Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Communicate | Preventive | |
Update the local environment security profile, as necessary. CC ID 07043 | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an environmental control program. CC ID 00724 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain environmental control procedures. CC ID 12246 [{internal conditions} The procedures shall be flexible to respond to unanticipated threats and changing internal and external conditions, § 8.4.1 ¶ 3 c)] | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain form disposition procedures. CC ID 06394 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a record classification scheme. CC ID 00914 | Establish/Maintain Documentation | Preventive | |
Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662 [When creating and updating documented information, the organization shall ensure appropriate identification and description, § 7.5.2 ¶ 1 a)] | Records Management | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Establish/Maintain Documentation | Detective | |
Select the appropriate format for archived data and records. CC ID 06320 [{appropriate media} When creating and updating documented information, the organization shall ensure appropriate format and media, and review and approval for suitability and adequacy. § 7.5.2 ¶ 1 b)] | Data and Information Management | Preventive | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Process or Activity | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [The organization shall retain documented information on the business continuity policy. § 5.3 ¶ 3 The organization shall retain documented information on the business continuity objectives. § 6.2 ¶ 3 The organization shall retain appropriate documented information as evidence of the results. § 9.1.1 ¶ 2 {actions to address risks and opportunities} The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 1 c) {adverse results} Additionally, the organization shall — take action when necessary to address adverse trends or results before a nonconformity occurs, and — retain relevant documented information as evidence of the results. § 9.1.1 ¶ 4 The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 5 The organization shall retain documented information as evidence of - the nature of the nonconformities and any subsequent actions taken, and - the results of any corrective action. § 10.1 ¶ 3] | Records Management | Preventive | |
Define each system's disposition requirements for records and logs. CC ID 11651 | Process or Activity | Preventive | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Manage the disposition status for all records. CC ID 00972 | Records Management | Preventive | |
Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 | Data and Information Management | Preventive | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records Management | Preventive | |
Place printed records awaiting destruction into secure containers. CC ID 12464 | Physical and Environmental Protection | Preventive | |
Destroy printed records so they cannot be reconstructed. CC ID 11779 | Physical and Environmental Protection | Preventive | |
Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Data and Information Management | Preventive | |
Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Establish/Maintain Documentation | Preventive | |
Maintain disposal records or redeployment records. CC ID 01644 | Establish/Maintain Documentation | Preventive | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 [Documented information required by the BCMS and by this International Standard shall be controlled to ensure it is adequately protected. § 7.5.3 ¶ 1 b)] | Records Management | Preventive | |
Capture the records required by organizational compliance requirements. CC ID 00912 [Documented information required by the BCMS and by this International Standard shall be controlled to ensure it is available and suitable for use, where and when it is needed, § 7.5.3 ¶ 1 a)] | Records Management | Detective | |
Establish, implement, and maintain authorization records. CC ID 14367 | Establish/Maintain Documentation | Preventive | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Establish/Maintain Documentation | Preventive | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Establish/Maintain Documentation | Preventive | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Establish/Maintain Documentation | Preventive | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Data and Information Management | Detective | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Data and Information Management | Preventive | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Data and Information Management | Preventive | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records Management | Preventive | |
Display required information automatically in electronic health records. CC ID 14442 | Process or Activity | Preventive | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Establish/Maintain Documentation | Preventive | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Actionable Reports or Measurements | Preventive | |
Create export summaries, as necessary. CC ID 14446 | Process or Activity | Preventive | |
Import data files into a patient's electronic health record. CC ID 14448 | Data and Information Management | Preventive | |
Export requested sections of the electronic health record. CC ID 14447 | Data and Information Management | Preventive | |
Identify patient-specific education resources. CC ID 14439 | Process or Activity | Detective | |
Establish and maintain an implantable device list. CC ID 14444 | Records Management | Preventive | |
Display the implantable device list to authorized users. CC ID 14445 | Data and Information Management | Preventive | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Business Processes | Preventive | |
Include attributes in the decision support intervention. CC ID 16766 | Data and Information Management | Preventive | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records Management | Preventive | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records Management | Preventive | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records Management | Preventive | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records Management | Preventive | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records Management | Preventive | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Log Management | Preventive | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Log Management | Preventive | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Establish/Maintain Documentation | Preventive | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Log Management | Preventive | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Log Management | Preventive | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Log Management | Preventive | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Log Management | Preventive | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Log Management | Preventive | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Log Management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Log Management | Preventive | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Log Management | Preventive | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Log Management | Preventive | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Log Management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Log Management | Preventive | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Log Management | Preventive | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Log Management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records Management | Preventive | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Log Management | Preventive | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Log Management | Preventive | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Log Management | Preventive | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Log Management | Preventive | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records Management | Preventive | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Log Management | Preventive | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Log Management | Preventive | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Log Management | Preventive | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Data and Information Management | Detective | |
Include record integrity techniques in the records management procedures. CC ID 06418 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records Management | Preventive | |
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Establish/Maintain Documentation | Preventive | |
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Business Processes | Preventive | |
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Business Processes | Preventive | |
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 | Business Processes | Preventive | |
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Business Processes | Preventive | |
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records Management | Preventive | |
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Business Processes | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Establish/Maintain Documentation | Preventive | |
Label restricted storage media appropriately. CC ID 00966 | Data and Information Management | Preventive | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records Management | Detective | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Establish/Maintain Documentation | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Establish/Maintain Documentation | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Data and Information Management | Preventive | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Technical Security | Preventive | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Establish/Maintain Documentation | Preventive | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Establish/Maintain Documentation | Preventive | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Establish/Maintain Documentation | Preventive | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Establish/Maintain Documentation | Preventive | |
Establish and maintain access controls for all records. CC ID 00371 [When establishing control of documented information, the organization shall ensure that there is adequate protection for the documented information. § 7.5.3 ¶ 4 For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records Management | Preventive | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Data and Information Management | Preventive | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Technical Security | Preventive | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records Management | Preventive | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records Management | Preventive | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records Management | Preventive | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Technical Security | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records Management | Preventive | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Testing | Detective | |
Provide encryption for different types of electronic storage media. CC ID 00945 | Technical Security | Preventive | |
Implement electronic storage media integrity controls. CC ID 00946 | Configuration | Preventive | |
Automate electronic storage media integrity check controls. CC ID 00948 | Configuration | Preventive | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Configuration | Preventive | |
Provide audit trails for all pertinent records. CC ID 00372 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 | Log Management | Preventive | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Establish/Maintain Documentation | Preventive | |
Include the date and time in the removable storage media log. CC ID 12318 | Establish/Maintain Documentation | Preventive | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Establish/Maintain Documentation | Preventive | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Establish/Maintain Documentation | Preventive | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Establish/Maintain Documentation | Preventive | |
Include the sender's name in the removable storage media log. CC ID 12752 | Establish/Maintain Documentation | Preventive | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Establish/Maintain Documentation | Preventive | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Process or Activity | Preventive | |
Identify electronic storage media that require downgrading. CC ID 10620 | Process or Activity | Detective | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Process or Activity | Corrective | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Establish/Maintain Documentation | Preventive | |
Test the storage media downgrade for correct performance. CC ID 10623 | Testing | Detective | |
Establish, implement, and maintain document retention procedures. CC ID 11660 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an e-discovery program. CC ID 00976 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a document retrieval system to use during e-discovery. CC ID 00985 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain e-discovery collection and production procedures. CC ID 00986 | Establish/Maintain Documentation | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Control | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [The organization shall ensure that outsourced processes are controlled. § 8.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 | Establish/Maintain Documentation | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
Terminate supplier relationships, as necessary. CC ID 13489 | Business Processes | Corrective | |
Document and maintain supply chain processes. CC ID 08816 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an exit plan. CC ID 15492 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Establish/Maintain Documentation | Preventive | |
Test the exit plan, as necessary. CC ID 15495 | Testing | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 | Establish/Maintain Documentation | Preventive | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Systems Continuity | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Establish/Maintain Documentation | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Establish/Maintain Documentation | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Establish/Maintain Documentation | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Establish/Maintain Documentation | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Establish/Maintain Documentation | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Establish/Maintain Documentation | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Establish/Maintain Documentation | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Business Processes | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Establish/Maintain Documentation | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Establish/Maintain Documentation | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Establish/Maintain Documentation | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Establish/Maintain Documentation | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Establish/Maintain Documentation | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Establish/Maintain Documentation | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 | Establish/Maintain Documentation | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Establish/Maintain Documentation | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Establish/Maintain Documentation | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Establish/Maintain Documentation | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Establish/Maintain Documentation | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Establish/Maintain Documentation | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Establish/Maintain Documentation | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Establish/Maintain Documentation | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Establish/Maintain Documentation | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Establish/Maintain Documentation | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Establish/Maintain Documentation | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 | Establish/Maintain Documentation | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Establish/Maintain Documentation | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Establish/Maintain Documentation | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 | Establish/Maintain Documentation | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 | Establish/Maintain Documentation | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Establish/Maintain Documentation | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Establish/Maintain Documentation | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Establish/Maintain Documentation | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Establish/Maintain Documentation | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Testing | Detective | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Establish/Maintain Documentation | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Testing | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Testing | Detective | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
Establish the third party's service continuity. CC ID 00797 | Testing | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Data and Information Management | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective | |
Include disclosure requirements in third party contracts. CC ID 08825 | Business Processes | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Establish/Maintain Documentation | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Establish/Maintain Documentation | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 | Establish/Maintain Documentation | Detective | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Establish/Maintain Documentation | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Establish/Maintain Documentation | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Establish/Maintain Documentation | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Communicate | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Establish/Maintain Documentation | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Establish/Maintain Documentation | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Establish/Maintain Documentation | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Establish/Maintain Documentation | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Establish/Maintain Documentation | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Establish/Maintain Documentation | Preventive | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Business Processes | Preventive | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Establish/Maintain Documentation | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Establish/Maintain Documentation | Preventive | |
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Establish/Maintain Documentation | Preventive | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Process or Activity | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Establish/Maintain Documentation | Detective | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Establish Roles | Preventive | |
Approve all Service Level Agreements. CC ID 00843 [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to contractual obligations, § 9.3 ¶ 4 d) 5)] | Establish/Maintain Documentation | Detective | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Business Processes | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Establish/Maintain Documentation | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Business Processes | Corrective | |
Categorize all suppliers in the supply chain management program. CC ID 00792 | Establish/Maintain Documentation | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Testing | Detective | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 [The business impact analysis shall include the following: identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties. § 8.2.2 ¶ 2 d)] | Business Processes | Preventive | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Establish/Maintain Documentation | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Establish/Maintain Documentation | Preventive | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Business Processes | Preventive | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Establish/Maintain Documentation | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Establish/Maintain Documentation | Preventive | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Establish/Maintain Documentation | Preventive | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Business Processes | Preventive | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Human Resources Management | Preventive | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 | Establish/Maintain Documentation | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Establish/Maintain Documentation | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 | Establish/Maintain Documentation | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Establish/Maintain Documentation | Preventive | |
Include a clear management process in the supply chain management policy. CC ID 08810 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Establish/Maintain Documentation | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Communicate | Preventive | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 | Establish/Maintain Documentation | Preventive | |
Support third parties in building their capabilities. CC ID 08814 | Business Processes | Preventive | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Business Processes | Preventive | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Business Processes | Preventive | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 | Business Processes | Preventive | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Establish/Maintain Documentation | Preventive | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Establish/Maintain Documentation | Preventive | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Establish/Maintain Documentation | Preventive | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Establish/Maintain Documentation | Preventive | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Establish/Maintain Documentation | Preventive | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Data and Information Management | Preventive | |
Establish and maintain a conflict materials report. CC ID 08823 | Establish/Maintain Documentation | Preventive | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Establish/Maintain Documentation | Preventive | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Establish/Maintain Documentation | Preventive | |
Identify supply sources for secondary materials. CC ID 08822 | Business Processes | Preventive | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Business Processes | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Business Processes | Detective | |
Review third parties' backup policies. CC ID 13043 | Systems Continuity | Detective | |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Preventive | |
Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 | Operational and Systems Continuity | Preventive | |
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 | Operational management | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Preventive | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Detective | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Monitoring and measurement | Detective | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Detective | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Detective | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Detective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Detective | |
Report on the percentage of individuals who have access to security software and are trained, authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Detective | |
Report on the percentage of individuals who are able to assign security privileges and are trained, authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Detective | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Detective | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Detective | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Detective | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Detective | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Detective | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Detective | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Detective | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Monitoring and measurement | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Detective | |
Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 | Monitoring and measurement | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Detective | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Detective | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Detective | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Detective | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Preventive | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Preventive | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Corrective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [The organization shall conduct exercises and tests that produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements, § 8.5 ¶ 2 e) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Operational and Systems Continuity | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
Mitigate reported incidents. CC ID 12973 | Operational management | Preventive | |
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)] | Operational management | Preventive | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Preventive | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Preventive | |
Manage supply chain audits. CC ID 01203 | Audits and risk management | Preventive | |
Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Preventive | |
Rotate auditors, as necessary. CC ID 15589 | Audits and risk management | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and risk management | Preventive | |
Review the external audit scope, as necessary. CC ID 01202 | Audits and risk management | Preventive | |
Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and risk management | Detective | |
Review the external auditor's qualifications. CC ID 01197 | Audits and risk management | Preventive | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and risk management | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Detective | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Preventive | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Detective | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Preventive | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Preventive | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and risk management | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Detective | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system conforms to the organization’s own requirements for its BCMS, § 9.2 ¶ 1 a) 1) The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system conforms to the requirements of this International Standard, and § 9.2 ¶ 1 a) 2) The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system is effectively implemented and maintained. § 9.2 ¶ 1 b)] | Audits and risk management | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Preventive | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Preventive | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Detective | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 | Audits and risk management | Preventive | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Corrective | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Detective | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Detective | |
Review management's response to issues raised in past audit reports. CC ID 01149 [The management review shall include consideration of the status of actions from previous management reviews, § 9.3 ¶ 2 a) The management review shall include consideration of information on the business continuity performance, including trends in nonconformities and corrective actions, § 9.3 ¶ 2 c) 1)] | Audits and risk management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Detective | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [{external factor} In establishing the context, the organization shall define the external and internal factors that create the uncertainty that gives rise to risk, § 4.1 ¶ 4 2) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3] | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Preventive | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Preventive | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Preventive | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [{formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d) The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. § 8.2.2 ¶ 1 {outputs from the risk assessment} Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment. § 8.3.1 ¶ 1 The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that specifies the requirements for this information to be kept up-to-date and confidential. § 8.2.1 ¶ 1 e) The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that § 8.2.1 ¶ 1] | Audits and risk management | Detective | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [The organization shall systematically analyse risk, § 8.2.3 ¶ 2 b)] | Audits and risk management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [The business impact analysis shall include the following: identifying activities that support the provision of products and services; § 8.2.2 ¶ 2 a) The organization shall identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, § 8.2.3 ¶ 2 a)] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [The organization shall identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, § 8.2.3 ¶ 2 a)] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [The organization shall identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite. § 8.2.3 ¶ 2 d) {outputs from the risk assessment} Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment. § 8.3.1 ¶ 1] | Audits and risk management | Preventive | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Preventive | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Preventive | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Preventive | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Leadership and high level objectives | Preventive | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 [{legal requirements} {regulatory requirements} {new legal, regulatory and other requirements} The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties. § 4.2.2 ¶ 3] | Leadership and high level objectives | Preventive | |
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 | Leadership and high level objectives | Preventive | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [When nonconformity occurs, the organization shall react to the nonconformity, and, as applicable, § 10.1 ¶ 1 b) {adverse results} Additionally, the organization shall — take action when necessary to address adverse trends or results before a nonconformity occurs, and — retain relevant documented information as evidence of the results. § 9.1.1 ¶ 4 {nonconformity} take action to control and correct it, and § 10.1 ¶ 1 b) 1) When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining and implementing corrective action needed, § 10.1 ¶ 1 c) 5] | Monitoring and measurement | Corrective | |
Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Audits and risk management | Preventive | |
Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Audits and risk management | Preventive | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Detective | |
Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Preventive | |
Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3] | Audits and risk management | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Preventive | |
Train personnel on the continuity plan. CC ID 00759 [The organization shall conduct exercises and tests that taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties, § 8.5 ¶ 2 c)] | Operational and Systems Continuity | Preventive | |
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 | Operational and Systems Continuity | Preventive | |
Incorporate simulated events into the continuity plan training. CC ID 01402 | Operational and Systems Continuity | Preventive | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Human Resources management | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 [The organization shall where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and § 7.2 ¶ 1 c)] | Human Resources management | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 | Human Resources management | Preventive | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Human Resources management | Preventive | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Human Resources management | Preventive | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Preventive | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Preventive | |
Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Preventive | |
Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Corrective | |
Conduct crime prevention training. CC ID 06350 | Human Resources management | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Corrective | |
Share data loss event information with the media. CC ID 01759 [The response structure shall communicate with interested parties and authorities, as well as the media. § 8.4.2 ¶ 2 f) The business continuity plans shall collectively contain details of the organization’s media response following an incident, including a communications strategy, § 8.4.4 ¶ 2 f) 1) The business continuity plans shall collectively contain details of the organization’s media response following an incident, including preferred interface with the media, § 8.4.4 ¶ 2 f) 2) The business continuity plans shall collectively contain details of the organization’s media response following an incident, including guideline or template for drafting a statement for the media, and § 8.4.4 ¶ 2 f) 3) The business continuity plans shall collectively contain details of the organization's media response following an incident, including § 8.4.4 ¶ 2 f)] | Operational management | Corrective | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
Incorporate simulated events into the incident response training program. CC ID 06751 | Operational management | Preventive | |
Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 | Operational management | Preventive | |
Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 | Operational management | Preventive | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Preventive | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Leadership and high level objectives | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Leadership and high level objectives | Preventive | |
Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 | Leadership and high level objectives | Detective | |
Correct errors and deficiencies in a timely manner. CC ID 13501 | Leadership and high level objectives | Corrective | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Detective | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [Persons doing work under the organization’s control shall be aware of their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity management performance, § 7.3 ¶ 1 b)] | Leadership and high level objectives | Preventive | |
Implement a fraud detection system. CC ID 13081 | Monitoring and measurement | Preventive | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Preventive | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Preventive | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Audits and risk management | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Corrective | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Preventive | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Preventive | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Preventive | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Audits and risk management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Audits and risk management | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Preventive | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Human Resources management | Preventive | |
Evaluate the staffing requirements regularly. CC ID 00775 [The organization shall determine the necessary competence of person(s) doing work under its control that affects its performance, § 7.2 ¶ 1 a)] | Human Resources management | Detective | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 [Persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS. § 5.1 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3] | Operational management | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 [The organization shall determine the resource requirements to implement the selected strategies. The types of resources considered shall include but not be limited to § 8.3.2 ¶ 1 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Preventive | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Corrective | |
Analyze and respond to security alerts. CC ID 12504 | Operational management | Detective | |
Include the reimbursement of customers for financial losses due to incidents in the Incident Response program. CC ID 12756 | Operational management | Preventive | |
Collect evidence from the incident scene. CC ID 02236 | Operational management | Corrective | |
Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 | Operational management | Preventive | |
Use proactive performance management. CC ID 00937 | Operational management | Detective | |
Utilize resource availability management controls. CC ID 00940 | Operational management | Detective | |
Establish, implement, and maintain rate limiting filters. CC ID 06883 | Operational management | Preventive | |
Establish, implement, and maintain cost management procedures. CC ID 00873 [{funding requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to funding and budget requirements; and § 9.3 ¶ 4 d) 8)] | Operational management | Detective | |
Update the business cases for cost management procedures, as necessary. CC ID 13642 | Operational management | Preventive | |
Identify and allocate departmental costs. CC ID 00871 | Operational management | Detective | |
Review and approve the Information Technology budget. CC ID 13644 | Operational management | Corrective | |
Update the Information Technology budget, as necessary. CC ID 13643 | Operational management | Corrective | |
Manage change requests. CC ID 00887 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2 The management review shall include consideration of changes in external and internal issues that are relevant to the business continuity management system, § 9.3 ¶ 2 b)] | Operational management | Preventive | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Operational management | Detective | |
Implement changes according to the change control program. CC ID 11776 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Operational management | Preventive | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Operational management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Operational management | Corrective | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Preventive | |
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Records management | Preventive | |
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Records management | Preventive | |
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 | Records management | Preventive | |
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Records management | Preventive | |
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Records management | Preventive | |
Terminate supplier relationships, as necessary. CC ID 13489 | Third Party and supply chain oversight | Corrective | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Third Party and supply chain oversight | Preventive | |
Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Preventive | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Third Party and supply chain oversight | Preventive | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Third Party and supply chain oversight | Corrective | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 [The business impact analysis shall include the following: identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties. § 8.2.2 ¶ 2 d)] | Third Party and supply chain oversight | Preventive | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Preventive | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Third Party and supply chain oversight | Preventive | |
Support third parties in building their capabilities. CC ID 08814 | Third Party and supply chain oversight | Preventive | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Third Party and supply chain oversight | Preventive | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Third Party and supply chain oversight | Preventive | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 | Third Party and supply chain oversight | Preventive | |
Identify supply sources for secondary materials. CC ID 08822 | Third Party and supply chain oversight | Preventive | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Third Party and supply chain oversight | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Leadership and high level objectives | Preventive | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Corrective | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Preventive | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Preventive | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Preventive | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Preventive | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Operational and Systems Continuity | Preventive | |
Report changes in the continuity plan to senior management. CC ID 12757 | Operational and Systems Continuity | Corrective | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Preventive | |
Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Operational and Systems Continuity | Preventive | |
Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Operational and Systems Continuity | Corrective | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Persons doing work under the organization’s control shall be aware of the business continuity policy, § 7.3 ¶ 1 a)] | Operational management | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Operational management | Preventive | |
Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 | Operational management | Preventive | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Operational management | Corrective | |
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Operational management | Preventive | |
Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 | Operational management | Preventive | |
Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 | Operational management | Detective | |
Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Operational management | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Corrective | |
Update computer firmware, as necessary. CC ID 11755 | Operational management | Corrective | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Operational management | Corrective | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Detective | |
Implement electronic storage media integrity controls. CC ID 00946 | Records management | Preventive | |
Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Preventive | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 [The response structure shall communicate with interested parties and authorities, as well as the media. § 8.4.2 ¶ 2 f) {procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)] | Operational management | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Corrective | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
Approve tested change requests. CC ID 11783 | Operational management | Preventive | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Operational management | Preventive | |
Select the appropriate format for archived data and records. CC ID 06320 [{appropriate media} When creating and updating documented information, the organization shall ensure appropriate format and media, and review and approval for suitability and adequacy. § 7.5.2 ¶ 1 b)] | Records management | Preventive | |
Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 | Records management | Preventive | |
Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Records management | Preventive | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Detective | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Preventive | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Preventive | |
Import data files into a patient's electronic health record. CC ID 14448 | Records management | Preventive | |
Export requested sections of the electronic health record. CC ID 14447 | Records management | Preventive | |
Display the implantable device list to authorized users. CC ID 14445 | Records management | Preventive | |
Include attributes in the decision support intervention. CC ID 16766 | Records management | Preventive | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Detective | |
Label restricted storage media appropriately. CC ID 00966 | Records management | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Preventive | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Preventive | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Detective | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Preventive | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 [Top management shall assign the responsibility and authority for ensuring that the management system conforms to the requirements of this International Standard, and § 5.4 ¶ 2 a)] | Leadership and high level objectives | Preventive | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization's activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Preventive | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 | Audits and risk management | Preventive | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Preventive | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Preventive | |
Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Audits and risk management | Preventive | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Audits and risk management | Preventive | |
Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Audits and risk management | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Audits and risk management | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Preventive | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Audits and risk management | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [{BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [The business continuity procedures shall be effective in minimizing consequences through implementation of appropriate mitigation strategies. § 8.4.1 ¶ 3 f)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. § 5.4 ¶ 1] | Human Resources management | Preventive | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Human Resources management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [Top management shall assign the responsibility and authority for reporting on the performance of the BCMS to top management. § 5.4 ¶ 2 b)] | Human Resources management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Preventive | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Human Resources management | Preventive | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Human Resources management | Preventive | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Human Resources management | Preventive | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Human Resources management | Preventive | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Human Resources management | Preventive | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Human Resources management | Preventive | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Human Resources management | Preventive | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Human Resources management | Preventive | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Human Resources management | Preventive | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Human Resources management | Preventive | |
Assign a contact person to all business units. CC ID 07144 | Human Resources management | Preventive | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Preventive | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [Persons doing work under the organization’s control shall be aware of their own role during disruptive incidents. § 7.3 ¶ 1 d)] | Human Resources management | Detective | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [The business continuity plans shall collectively contain defined roles and responsibilities for people and teams having authority during and following an incident, § 8.4.4 ¶ 2 a) {incident response procedure} The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. § 8.4.4 ¶ 1] | Operational management | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Preventive | |
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Operational management | Preventive | |
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Operational management | Preventive | |
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Operational management | Preventive | |
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Operational management | Preventive | |
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Operational management | Preventive | |
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Operational management | Preventive | |
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Operational management | Preventive | |
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 [The business continuity plans shall collectively contain details of the organization’s media response following an incident, including appropriate spokespeople; § 8.4.4 ¶ 2 f) 4] | Operational management | Preventive | |
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Operational management | Preventive | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain communication protocols. CC ID 12245 [{internal communications protocol} The procedures shall establish an appropriate internal and external communications protocol, § 8.4.1 ¶ 3 a) The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 {procedures for receiving, documenting and responding to communication from interested parties} The organization shall establish, implement and maintain procedures for internal communication within the organization and receiving, documenting and responding to communication from interested parties, § 8.4.3 ¶ 1 c)] | Leadership and high level objectives | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Leadership and high level objectives | Preventive | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Preventive | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Leadership and high level objectives | Preventive | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [In establishing the context, the organization shall articulate its objectives, including those concerned with business continuity, § 4.1 ¶ 4 1) Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization. § 6.2 ¶ 1] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: § 9.3 ¶ 4 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS' performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Leadership and high level objectives | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Preventive | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 | Leadership and high level objectives | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Preventive | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Leadership and high level objectives | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Preventive | |
Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Preventive | |
Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 [{legal requirements} {regulatory requirements} {new legal, regulatory and other requirements} The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties. § 4.2.2 ¶ 3 {identified and controlled} Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled. § 7.5.3 ¶ 3] | Leadership and high level objectives | Preventive | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Detective | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [The organization's BCMS shall include - documented information required by this International Standard, and - documented information determined by the organization as being necessary for the effectiveness of the BCMS. § 7.5.1 ¶ 1] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Preventive | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Detective | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 | Leadership and high level objectives | Preventive | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Leadership and high level objectives | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Leadership and high level objectives | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 [The business continuity objectives shall be consistent with the business continuity policy, § 6.2 ¶ 2 a)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [{what needs to be measured} The organization shall determine what needs to be monitored and measured, § 9.1.1 ¶ 1 a)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Monitoring and measurement | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Preventive | |
Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Preventive | |
Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Preventive | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{legal requirements} {business continuity objectives} The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives; and § 9.1.2 c) The organization shall determine when the monitoring and measuring shall be performed, and § 9.1.1 ¶ 1 c)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Preventive | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [When nonconformity occurs, the organization shall identify the nonconformity, § 10.1 ¶ 1 a) The organization shall retain documented information as evidence of - the nature of the nonconformities and any subsequent actions taken, and - the results of any corrective action. § 10.1 ¶ 3 {do not occur} When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by evaluating the need for corrective action to ensure that nonconformities do not recur or occur elsewhere, § 10.1 ¶ 1 c) 4 The management review shall include consideration of information on the business continuity performance, including trends in nonconformities and corrective actions, § 9.3 ¶ 2 c) 1)] | Monitoring and measurement | Preventive | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 The organization shall determine when the results from monitoring and measurement shall be analysed and evaluated. § 9.1.1 ¶ 1 d) The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5 The management review shall include consideration of information on the business continuity performance, including trends in monitoring and measurement evaluation results, and § 9.3 ¶ 2 c) 2)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: how the effectiveness of controls are measured. § 9.3 ¶ 4 e)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Preventive | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Preventive | |
Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Audits and risk management | Preventive | |
Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Audits and risk management | Preventive | |
Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Audits and risk management | Preventive | |
Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Audits and risk management | Preventive | |
Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Audits and risk management | Preventive | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Preventive | |
Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Audits and risk management | Preventive | |
Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Audits and risk management | Preventive | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Audits and risk management | Preventive | |
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Audits and risk management | Preventive | |
Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Audits and risk management | Preventive | |
Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Audits and risk management | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Preventive | |
Establish and maintain audit terms. CC ID 13880 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Preventive | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 | Audits and risk management | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Preventive | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2 The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Audits and risk management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Audits and risk management | Preventive | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Preventive | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Preventive | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Preventive | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Preventive | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Preventive | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Preventive | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Preventive | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Preventive | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Preventive | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Preventive | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Preventive | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Preventive | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Preventive | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Preventive | |
Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Preventive | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 | Audits and risk management | Preventive | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Preventive | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Corrective | |
Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Audits and risk management | Preventive | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Preventive | |
Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Preventive | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Preventive | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Preventive | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Audits and risk management | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Detective | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Preventive | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Preventive | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Preventive | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Preventive | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Preventive | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Preventive | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Preventive | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Detective | |
Review past audit reports. CC ID 01155 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2 The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Detective | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Corrective | |
Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Preventive | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Preventive | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Preventive | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Preventive | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Preventive | |
Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 | Audits and risk management | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Preventive | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Preventive | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Audits and risk management | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 [The business impact analysis shall include the following: assessing the impacts over time of not performing these activities; § 8.2.2 ¶ 2 b) When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by reviewing the nonconformity, § 10.1 ¶ 1 c) 1)] | Audits and risk management | Detective | |
Accept the audit report. CC ID 07025 | Audits and risk management | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Audits and risk management | Corrective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Audits and risk management | Preventive | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 [The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that specifies the requirements for this information to be kept up-to-date and confidential. § 8.2.1 ¶ 1 e)] | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Audits and risk management | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Audits and risk management | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization. § 8.2.3 ¶ 1 {formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d) {risk management procedures} The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by establishing criteria for the processes, § 8.1 ¶ 1 a) The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that § 8.2.1 ¶ 1] | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 [{formal process} {legal requirements} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that takes into account legal and other requirements to which the organization subscribes, § 8.2.1 ¶ 1 b)] | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Preventive | |
Document cybersecurity risks. CC ID 12281 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Preventive | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Preventive | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [The organization shall evaluate which disruption related risks require treatment, and § 8.2.3 ¶ 2 c) {formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that includes systematic analysis, prioritization of risk treatments, and their related costs, § 8.2.1 ¶ 1 c) {actions to address risks and opportunities} The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by implementing control of the processes in accordance with the criteria, and § 8.1 ¶ 1 b) {changes to security requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to risk reduction and security requirements, § 9.3 ¶ 4 d) 2)] | Audits and risk management | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, § 8.2.1 ¶ 1 a)] | Audits and risk management | Preventive | |
Document organizational risk criteria. CC ID 12277 | Audits and risk management | Preventive | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Preventive | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Preventive | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Audits and risk management | Preventive | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, § 8.2.1 ¶ 1 a)] | Audits and risk management | Preventive | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Audits and risk management | Preventive | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Audits and risk management | Preventive | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Audits and risk management | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 [{formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d)] | Audits and risk management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Detective | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [{update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)] | Audits and risk management | Detective | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 [The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. § 8.2.2 ¶ 1 The business impact analysis shall include the following: identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties. § 8.2.2 ¶ 2 d) The response structure shall identify impact thresholds that justify initiation of formal response, § 8.4.2 ¶ 2 a)] | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 [The organization shall identify and document the following: the organization’s risk appetite. § 4.1 ¶ 3 c)] | Audits and risk management | Preventive | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [The organization shall identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite. § 8.2.3 ¶ 2 d) The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite. § 8.3.3 ¶ 2 In establishing the context, the organization shall set risk criteria taking into account the risk appetite, and § 4.1 ¶ 4 3) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to levels of risk and/or criteria for accepting risks, § 9.3 ¶ 4 d) 6)] | Audits and risk management | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite. § 8.3.3 ¶ 2 For identified risks requiring treatment, the organization shall consider proactive measures that reduce the likelihood of disruption, § 8.3.3 ¶ 1 a) For identified risks requiring treatment, the organization shall consider proactive measures that shorten the period of disruption, and § 8.3.3 ¶ 1 b) For identified risks requiring treatment, the organization shall consider proactive measures that limit the impact of disruption on the organization’s key products and services. § 8.3.3 ¶ 1 c)] | Audits and risk management | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [{update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)] | Audits and risk management | Detective | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [{actions to address these risks and opportunities} The organization shall plan how to integrate and implement the actions into its BCMS processes (see 8.1), § 6.1 ¶ 2 b) 1)] | Audits and risk management | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Audits and risk management | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Audits and risk management | Corrective | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Preventive | |
Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Preventive | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Preventive | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [When nonconformity occurs, the organization shall implement any action needed, § 10.1 ¶ 1 d)] | Audits and risk management | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The organization shall plan actions to address these risks and opportunities, § 6.1 ¶ 2 a)] | Audits and risk management | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Preventive | |
Establish, implement, and maintain environmental control procedures. CC ID 12246 [{internal conditions} The procedures shall be flexible to respond to unanticipated threats and changing internal and external conditions, § 8.4.1 ¶ 3 c)] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 [Top management shall establish a business continuity policy that is appropriate to the purpose of the organization, § 5.3 ¶ 1 a) Top management shall establish a business continuity policy that provides a framework for setting business continuity objectives, § 5.3 ¶ 1 b) {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of this International Standard. § 4.4 ¶ 1] | Operational and Systems Continuity | Preventive | |
Establish and maintain the scope of the continuity framework. CC ID 11908 [The organization shall determine the boundaries and applicability of the BCMS to establish its scope. § 4.3.1 ¶ 1 The organization shall define the scope of the BCMS in terms of and appropriate to the size, nature and complexity of the organization. § 4.3.2 ¶ 1 e) {external issues} The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS. § 4.1 ¶ 1] | Operational and Systems Continuity | Preventive | |
Include network security in the scope of the continuity framework. CC ID 16327 | Operational and Systems Continuity | Preventive | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 [When defining the scope, the organization shall document and explain exclusions; any such exclusions shall not affect the organization’s ability and responsibility to provide continuity of business and operations that meet the BCMS requirements, as determined by business impact analysis or risk assessment and applicable legal or regulatory requirements. § 4.3.2 ¶ 2 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: variations to the scope of the BCMS; § 9.3 ¶ 4 a)] | Operational and Systems Continuity | Preventive | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 [The organization shall identify products and services and all related activities within the scope of the BCMS, § 4.3.2 ¶ 1 c) The business continuity objectives shall take account of the minimum level of products and services that is acceptable to the organization to achieve its objectives, § 6.2 ¶ 2 b)] | Operational and Systems Continuity | Preventive | |
Include business units in the scope of the continuity framework. CC ID 11898 [The organization shall identify and document the following: links between the business continuity policy and the organization’s objectives and other policies, including its overall risk management strategy; and § 4.1 ¶ 3 b) The organization shall establish the parts of the organization to be included in the BCMS, § 4.3.2 ¶ 1 a) {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Preventive | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Operational and Systems Continuity | Preventive | |
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 [{internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including with whom to communicate. § 7.4 ¶ 1 c) The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2] | Operational and Systems Continuity | Preventive | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 [The organization shall ensure that these applicable legal, regulatory and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its BCMS. § 4.2.2 ¶ 2 When establishing its BCMS, the organization shall determine the requirements of these interested parties § 4.2.1 ¶ 1 b) The business continuity objectives shall take into account applicable requirements, and § 6.2 ¶ 2 d) {legal requirements} The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of relevant interested parties. § 4.2.2 ¶ 1 Top management shall establish a business continuity policy that includes a commitment to satisfy applicable requirements, § 5.3 ¶ 1 c) The organization shall determine an appropriate business continuity strategy for mitigating, responding to and managing impacts. § 8.3.1 ¶ 2 c) {internal obligations} The organization shall establish BCMS requirements, considering the organization's mission, goals, internal and external obligations, and legal and regulatory responsibilities, § 4.3.2 ¶ 1 b) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Operational and Systems Continuity | Preventive | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Operational and Systems Continuity | Preventive | |
Include Quality Management in the continuity framework. CC ID 12239 [Top management shall establish a business continuity policy that includes a commitment to continual improvement of the BCMS. § 5.3 ¶ 1 d)] | Operational and Systems Continuity | Preventive | |
Establish and maintain a system continuity plan philosophy. CC ID 00734 [The procedures shall be developed based on stated assumptions and an analysis of interdependencies, and § 8.4.1 ¶ 3 e)] | Operational and Systems Continuity | Preventive | |
Define the executive vision of the continuity planning process. CC ID 01243 | Operational and Systems Continuity | Preventive | |
Include a pandemic plan in the continuity plan. CC ID 06800 | Operational and Systems Continuity | Preventive | |
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 [The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident. § 8.4.5 ¶ 1 The business continuity plans shall collectively contain a process for standing down once the incident is over. § 8.4.4 ¶ 2 g)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS. § 10.2 ¶ 1 {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 The procedures shall focus on the impact of events that could potentially disrupt operations, § 8.4.1 ¶ 3 d) The procedures shall be developed based on stated assumptions and an analysis of interdependencies, and § 8.4.1 ¶ 3 e) The organization shall conduct exercises and tests that are reviewed within the context of promoting continual improvement, and § 8.5 ¶ 2 f) When nonconformity occurs, the organization shall make changes to the business continuity management system, if necessary. § 10.1 ¶ 1 f) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3 {business continuity procedure} The organization shall conduct evaluations at planned intervals and when significant changes occur. § 9.1.2 d) The organization shall evaluate the BCMS performance and the effectiveness of the BCMS. § 9.1.1 ¶ 3 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: § 9.3 ¶ 4 {periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b) {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3 The management review shall include consideration of information on the business continuity performance, including trends in audit results, § 9.3 ¶ 2 c) 3) Top management shall review the organization’s BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1 {update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c) {outputs of the management review} modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to § 9.3 ¶ 4 d)] | Operational and Systems Continuity | Preventive | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Preventive | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Preventive | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 The organization shall - communicate the results of management review to relevant interested parties, and - take appropriate action relating to those results. § 9.3 ¶ 6 When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by making changes to the BCMS, if necessary. § 10.1 ¶ 1 c) 7 [post-incident review results] When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results. § 9.1.2 ¶ 1 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: improvement of the effectiveness of the BCMS; § 9.3 ¶ 4 b) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Operational and Systems Continuity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Operational and Systems Continuity | Preventive | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Corrective | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [In establishing the context, the organization shall define the purpose of the BCMS. § 4.1 ¶ 4 4) The scope shall be available as documented information. § 4.3.1 ¶ 3 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Preventive | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 [The response structure shall assess the nature and extent of a disruptive incident and its potential impact, § 8.4.2 ¶ 2 b) [post-incident review results] When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results. § 9.1.2 ¶ 1] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Operational and Systems Continuity | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Preventive | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Detective | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [The organization shall determine an appropriate business continuity strategy for stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources, and § 8.3.1 ¶ 2 b) The business continuity plans shall collectively contain how the organization will continue or recover its prioritized activities within predetermined timeframes, § 8.4.4 ¶ 2 e)] | Operational and Systems Continuity | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [The organization shall determine an appropriate business continuity strategy for protecting prioritized activities, § 8.3.1 ¶ 2 a) The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to prevention of further loss or unavailability of prioritized activities; § 8.4.4 ¶ 2 c) 3)] | Operational and Systems Continuity | Detective | |
Review and prioritize the importance of each business process. CC ID 11689 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [The business impact analysis shall include the following: setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and § 8.2.2 ¶ 2 c) The determination of strategy shall include approving prioritized time frames for the resumption of activities. § 8.3.1 ¶ 3 {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 {incident response procedure} The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. § 8.4.4 ¶ 1] | Operational and Systems Continuity | Preventive | |
Include the protection of personnel in the continuity plan. CC ID 06378 [The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to the welfare of individuals, § 8.4.4 ¶ 2 c) 1)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a critical personnel list. CC ID 00739 [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Detective | |
Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [When establishing its BCMS, the organization shall determine the interested parties that are relevant to the BCMS, and § 4.2.1 ¶ 1 a)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a critical resource list. CC ID 00740 [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to resource needs, § 9.3 ¶ 4 d) 7] | Operational and Systems Continuity | Detective | |
Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Operational and Systems Continuity | Preventive | |
Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 [The response structure shall have resources available to support the processes and procedures to manage a disruptive incident in order to minimize impact, and § 8.4.2 ¶ 2 e)] | Operational and Systems Continuity | Preventive | |
Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 [{procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Operational and Systems Continuity | Preventive | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 The organization shall establish, implement and maintain procedures for assuring availability of the means of communication during a disruptive incident, § 8.4.3 ¶ 1 e) {significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3 The business continuity plans shall collectively contain details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties and emergency contacts, § 8.4.4 ¶ 2 d) {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Preventive | |
Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 [The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 The organization shall establish, implement and maintain procedures for facilitating structured communication with emergency responders, § 8.4.3 ¶ 1 f) {procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)] | Operational and Systems Continuity | Preventive | |
Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Operational and Systems Continuity | Preventive | |
Minimize system continuity requirements. CC ID 00753 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization. § 6.2 ¶ 1 {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including on what it will communicate, § 7.4 ¶ 1 a) {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including when to communicate, § 7.4 ¶ 1 b) The organization shall - communicate the results of management review to relevant interested parties, and - take appropriate action relating to those results. § 9.3 ¶ 6 {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including § 7.4 ¶ 1] | Operational and Systems Continuity | Preventive | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 [The organization shall conduct exercises and tests that are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates. § 8.5 ¶ 2 g)] | Operational and Systems Continuity | Preventive | |
Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Operational and Systems Continuity | Preventive | |
Include recovery procedures in the continuity test plan. CC ID 14876 | Operational and Systems Continuity | Preventive | |
Include test scripts in the continuity test plan. CC ID 14875 | Operational and Systems Continuity | Preventive | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Operational and Systems Continuity | Preventive | |
Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Operational and Systems Continuity | Preventive | |
Include contact information in the continuity test plan. CC ID 14399 | Operational and Systems Continuity | Preventive | |
Include testing all system components in the continuity test plan. CC ID 13508 | Operational and Systems Continuity | Preventive | |
Include test scenarios in the continuity test plan. CC ID 13506 | Operational and Systems Continuity | Preventive | |
Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 | Operational and Systems Continuity | Preventive | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Preventive | |
Define the scope for the security operations center. CC ID 15713 | Human Resources management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Preventive | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Human Resources management | Preventive | |
Define and assign the security staff roles and responsibilities. CC ID 11750 | Human Resources management | Preventive | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Detective | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Preventive | |
Document all training in a training record. CC ID 01423 [The organization shall retain appropriate documented information as evidence of competence. § 7.2 ¶ 1 d)] | Human Resources management | Detective | |
Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Preventive | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Preventive | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Preventive | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [The management review shall include consideration of opportunities for continual improvement. § 9.3 ¶ 2 d) {changes to operational processes} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to operational conditions and processes, § 9.3 ¶ 4 d) 3)] | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Operational management | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 [The organization shall establish, implement and maintain procedures for detecting an incident, § 8.4.3 ¶ 1 a)] | Operational management | Preventive | |
Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)] | Operational management | Preventive | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 [{procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)] | Operational management | Detective | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Preventive | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Detective | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Detective | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Preventive | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Corrective | |
Include information required by law in incident response notifications. CC ID 00802 | Operational management | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
Include contact information in incident response notifications. CC ID 04739 | Operational management | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Preventive | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Preventive | |
Include response times in the containment strategy. CC ID 13485 | Operational management | Preventive | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 [The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis. § 8.4.1 ¶ 1] | Operational management | Corrective | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Preventive | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Preventive | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Preventive | |
Update the incident response procedures using the lessons learned. CC ID 01233 [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b) {update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)] | Operational management | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [The organization shall establish, implement and maintain procedures for regular monitoring of an incident, § 8.4.3 ¶ 1 b)] | Operational management | Preventive | |
Include incident response procedures in the Incident Management program. CC ID 01218 [The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to § 8.4.4 ¶ 2 c) The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to strategic, tactical and operational options for responding to the disruption, and § 8.4.4 ¶ 2 c) 2)] | Operational management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a) {incident response procedure} The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. § 8.4.4 ¶ 1] | Operational management | Preventive | |
Create an incident response report following an incident response. CC ID 12700 | Operational management | Preventive | |
Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Preventive | |
Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Preventive | |
Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Preventive | |
Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Operational management | Preventive | |
Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Operational management | Preventive | |
Include investments associated with the incident in the incident response report. CC ID 12726 | Operational management | Preventive | |
Include costs associated with the incident in the incident response report. CC ID 12725 | Operational management | Preventive | |
Include losses due to the incident in the incident response report. CC ID 12724 | Operational management | Preventive | |
Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Operational management | Preventive | |
Include foregone revenue from the incident in the incident response report. CC ID 12723 | Operational management | Preventive | |
Include the magnitude of the incident in the incident response report. CC ID 12722 | Operational management | Preventive | |
Include implications of the incident in the incident response report. CC ID 12721 | Operational management | Preventive | |
Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Operational management | Preventive | |
Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Operational management | Preventive | |
Include information on all affected assets in the incident response report. CC ID 12718 | Operational management | Preventive | |
Include the scope of the incident in the incident response report. CC ID 12717 | Operational management | Preventive | |
Include the duration of the incident in the incident response report. CC ID 12716 | Operational management | Preventive | |
Include the extent of the incident in the incident response report. CC ID 12715 | Operational management | Preventive | |
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 | Operational management | Preventive | |
Include the reasons the incident occurred in the incident response report. CC ID 12711 | Operational management | Preventive | |
Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Operational management | Preventive | |
Include lessons learned from the incident in the incident response report. CC ID 12713 | Operational management | Preventive | |
Include where the incident occurred in the incident response report. CC ID 12710 | Operational management | Preventive | |
Include when the incident occurred in the incident response report. CC ID 12709 | Operational management | Preventive | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 | Operational management | Preventive | |
Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Operational management | Preventive | |
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Operational management | Preventive | |
Include an executive summary of the incident in the incident response report. CC ID 12702 | Operational management | Preventive | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 | Operational management | Preventive | |
Define target resolution times for incident response in the Incident Response program. CC ID 13072 | Operational management | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 | Operational management | Preventive | |
Include addressing external communications in the incident response plan. CC ID 13351 | Operational management | Preventive | |
Include addressing internal communications in the incident response plan. CC ID 13350 | Operational management | Preventive | |
Include change control procedures in the incident response plan. CC ID 15479 | Operational management | Preventive | |
Include addressing information sharing in the incident response plan. CC ID 13349 | Operational management | Preventive | |
Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Operational management | Preventive | |
Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Operational management | Preventive | |
Include the management support needed for incident response in the incident response plan. CC ID 14300 | Operational management | Preventive | |
Include root cause analysis in the incident response plan. CC ID 16423 | Operational management | Preventive | |
Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Operational management | Preventive | |
Include the resources needed for incident response in the incident response plan. CC ID 14292 | Operational management | Preventive | |
Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Operational management | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 [The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident. § 8.4.2 ¶ 1] | Operational management | Preventive | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Operational management | Preventive | |
Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 | Operational management | Preventive | |
Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a) The organization shall take into account interested parties’ needs and interests, such as customers, investors, shareholders, the supply chain, public and/or community input and needs, expectations and interests (as appropriate), and § 4.3.2 ¶ 1 d)] | Operational management | Preventive | |
Include identifying remediation actions in the incident response plan. CC ID 13354 | Operational management | Preventive | |
Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 | Operational management | Preventive | |
Include coverage of all system components in the Incident Response program. CC ID 11955 | Operational management | Preventive | |
Prepare for incident response notifications. CC ID 00584 | Operational management | Preventive | |
Include incident response team services in the Incident Response program. CC ID 11766 [The business continuity plans shall collectively contain defined roles and responsibilities for people and teams having authority during and following an incident, § 8.4.4 ¶ 2 a)] | Operational management | Preventive | |
Include the incident response training program in the Incident Response program. CC ID 06750 | Operational management | Preventive | |
Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Preventive | |
Include compliance requirements in the incident response policy. CC ID 14108 | Operational management | Preventive | |
Include coordination amongst entities in the incident response policy. CC ID 14107 | Operational management | Preventive | |
Include management commitment in the incident response policy. CC ID 14106 | Operational management | Preventive | |
Include roles and responsibilities in the incident response policy. CC ID 14105 | Operational management | Preventive | |
Include the scope in the incident response policy. CC ID 14104 | Operational management | Preventive | |
Include the purpose in the incident response policy. CC ID 14101 | Operational management | Preventive | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident. § 8.4.1 ¶ 2 The procedures shall be specific regarding the immediate steps that are to be taken during a disruption, § 8.4.1 ¶ 3 b) The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident. § 8.4.2 ¶ 1 {processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Operational management | Detective | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Preventive | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 [{internal conditions} The procedures shall be flexible to respond to unanticipated threats and changing internal and external conditions, § 8.4.1 ¶ 3 c)] | Operational management | Preventive | |
Include business continuity procedures in the Incident Response program. CC ID 06433 [The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis. § 8.4.1 ¶ 1 {internal conditions} The procedures shall be flexible to respond to unanticipated threats and changing internal and external conditions, § 8.4.1 ¶ 3 c)] | Operational management | Preventive | |
Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 | Operational management | Preventive | |
Include business recovery procedures in the Incident Response program. CC ID 11774 | Operational management | Preventive | |
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Operational management | Preventive | |
Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 | Operational management | Detective | |
Define the business scenarios that require digital forensic evidence. CC ID 08653 | Operational management | Preventive | |
Define the circumstances for collecting digital forensic evidence. CC ID 08657 | Operational management | Preventive | |
Document the legal requirements for evidence collection. CC ID 08654 | Operational management | Preventive | |
Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 | Operational management | Preventive | |
Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Preventive | |
Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 | Operational management | Detective | |
Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 | Operational management | Detective | |
Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 | Operational management | Detective | |
Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 | Operational management | Detective | |
Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 | Operational management | Detective | |
Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 | Operational management | Detective | |
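The chain-of-custody and evidence-integrity controls above (CC ID 08686 and the forensic investigation report items) say what must be recorded but not how to make the record itself tamper-evident. The following is an added example, not text from ISO 22301 or the UCF mapping: a hash-chained custody log in Python in which every hand-off records the SHA-256 of the evidence image and the hash of the previous entry, so that an altered entry, a skipped custodian, or a modified image is detected on verification. The class and function names (`CustodyLog`, `record_event`, `verify`, `build_example_log`) and the byte string standing in for a disk image are constructed for this illustration.

```python
"""Hash-chained chain-of-custody log for digital forensic evidence.

Added illustration only; not part of ISO 22301 or the UCF mapping. All names
are hypothetical and the evidence image is a constructed byte string.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str          # ISO 8601, written by the custodian performing the action
    evidence_id: str        # label on the evidence bag / device
    action: str             # collected | transferred | imaged | analysed | returned
    from_custodian: str
    to_custodian: str
    evidence_sha256: str    # digest of the evidence image at the time of the action
    prev_hash: str          # entry_hash of the previous entry ("" for the first)
    entry_hash: str = ""    # filled in by CustodyLog.record_event

    def compute_hash(self) -> str:
        # Canonical JSON of every field except entry_hash, so that editing any
        # recorded field afterwards changes the digest and breaks the chain.
        fields = asdict(self)
        fields.pop("entry_hash")
        blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
        return sha256_hex(blob)


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record_event(self, timestamp: str, evidence_id: str, action: str,
                     from_custodian: str, to_custodian: str,
                     evidence_bytes: bytes) -> CustodyEntry:
        prev_hash = self.entries[-1].entry_hash if self.entries else ""
        entry = CustodyEntry(
            seq=len(self.entries), timestamp=timestamp, evidence_id=evidence_id,
            action=action, from_custodian=from_custodian, to_custodian=to_custodian,
            evidence_sha256=sha256_hex(evidence_bytes), prev_hash=prev_hash,
        )
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, current_evidence: bytes) -> Optional[str]:
        """Return None if log and evidence are intact, otherwise the first problem found."""
        if not self.entries:
            return "empty log"
        prev_hash = ""
        recorded_digest = None
        for i, e in enumerate(self.entries):
            if e.seq != i:
                return f"entry {i}: sequence gap"
            if e.prev_hash != prev_hash:
                return f"entry {i}: broken link to previous entry"
            if e.entry_hash != e.compute_hash():
                return f"entry {i}: entry contents altered"
            if i > 0 and e.from_custodian != self.entries[i - 1].to_custodian:
                return f"entry {i}: custodian hand-off gap"
            if recorded_digest is not None and e.evidence_sha256 != recorded_digest:
                return f"entry {i}: evidence digest changed between custodians"
            recorded_digest = e.evidence_sha256
            prev_hash = e.entry_hash
        if sha256_hex(current_evidence) != recorded_digest:
            return "evidence image no longer matches the recorded digest"
        return None


def build_example_log() -> Tuple[CustodyLog, bytes]:
    # Constructed stand-in for a forensic disk image.
    image = b"\x00" * 512 + b"NTFS    " + b"\x00" * 1024
    log = CustodyLog()
    log.record_event("2024-03-01T09:15:00Z", "EV-0001", "collected", "scene", "a.analyst", image)
    log.record_event("2024-03-01T11:40:00Z", "EV-0001", "transferred", "a.analyst", "evidence.locker", image)
    log.record_event("2024-03-02T08:05:00Z", "EV-0001", "imaged", "evidence.locker", "b.examiner", image)
    return log, image


if __name__ == "__main__":
    log, image = build_example_log()
    print("intact:", log.verify(image))                 # None
    print("modified image:", log.verify(image + b"\x01"))
    log.entries[1].to_custodian = "mallory"            # tamper with the record
    print("altered entry:", log.verify(image))
```

Two design points worth noting: the evidence digest is recomputed from the actual image at every hand-off, so a substituted image surfaces at the first custodian who re-hashes it; and the entry hash covers the previous entry's hash, so deleting or rewriting an intermediate record cannot be done without rewriting every later one. For a real investigation the log itself should be signed or written to append-only storage so that a wholesale regeneration of the chain is also detectable.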
Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 [{processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)] | Operational management | Preventive | |
Establish, implement, and maintain a performance management standard. CC ID 01615 [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)] | Operational management | Preventive | |
Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 | Operational management | Preventive | |
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 | Operational management | Preventive | |
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 [{methods for measurement} {methods for analysis} {methods for evaluation} The organization shall determine the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results, § 9.1.1 ¶ 1 b)] | Operational management | Preventive | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Operational management | Preventive | |
Prepare an Information Technology budget, as necessary. CC ID 00872 [{funding requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to funding and budget requirements; and § 9.3 ¶ 4 d) 8)] | Operational management | Detective | |
Establish, implement, and maintain a change control program. CC ID 00886 [{business requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to business and operational requirements, § 9.3 ¶ 4 d) 1) {changes to security requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to risk reduction and security requirements, § 9.3 ¶ 4 d) 2) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Operational management | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Operational management | Preventive | |
Include version control in the change control program. CC ID 13119 | Operational management | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Operational management | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Operational management | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Operational management | Preventive | |
Approve back-out plans, as necessary. CC ID 13627 | Operational management | Corrective | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Operational management | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 | Operational management | Preventive | |
Document all change requests in change request forms. CC ID 06794 | Operational management | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Operational management | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Operational management | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Operational management | Preventive | |
Document the sources of all software updates. CC ID 13316 | Operational management | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Preventive | |
Establish, implement, and maintain a patch log. CC ID 01642 | Operational management | Preventive | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Preventive | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Detective | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Operational management | Corrective | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Operational management | Preventive | |
Document approved configuration deviations. CC ID 08711 | Operational management | Corrective | |
Document the organization's local environments. CC ID 06726 [When determining this scope, the organization shall consider — the external and internal issues referred to in 4.1, and — the requirements referred to in 4.2. § 4.3.1 ¶ 2 When planning for the BCMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to - ensure the management system can achieve its intended outcome(s), - prevent, or reduce, undesired effects, - achieve continual improvement. § 6.1 ¶ 1 evaluate the effectiveness of these actions (see 9.1). § 6.1 ¶ 2 b) 2) To achieve its business continuity objectives, the organization shall determine — who will be responsible, — what will be done, — what resources will be required, — when it will be completed, and — how the results will be evaluated. § 6.2 ¶ 4 These issues shall be taken into account when establishing, implementing and maintaining the organization's BCMS. § 4.1 ¶ 2 buildings, work environment and associated utilities, § 8.3.2 ¶ 1 c) facilities, equipment and consumables, § 8.3.2 ¶ 1 d) information and communication technology (ICT) systems, § 8.3.2 ¶ 1 e) transportation, § 8.3.2 ¶ 1 f) people, § 8.3.2 ¶ 1 a) information and data, § 8.3.2 ¶ 1 b) finance, and § 8.3.2 ¶ 1 g) partners and suppliers. § 8.3.2 ¶ 1 h)] | Operational management | Preventive | |
Establish, implement, and maintain local environment security profiles. CC ID 07037 | Operational management | Preventive | |
Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Operational management | Preventive | |
Include security requirements in the local environment security profile. CC ID 15717 | Operational management | Preventive | |
Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Operational management | Preventive | |
Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Operational management | Preventive | |
Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Operational management | Preventive | |
Include facility information for the local environment in the local environment security profile. CC ID 07042 | Operational management | Preventive | |
Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Operational management | Preventive | |
Update the local environment security profile, as necessary. CC ID 07043 | Operational management | Preventive | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 | Records management | Detective | |
Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Preventive | |
Establish, implement, and maintain form disposition procedures. CC ID 06394 | Records management | Preventive | |
Establish, implement, and maintain a record classification scheme. CC ID 00914 | Records management | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Detective | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Preventive | |
Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Records management | Preventive | |
Maintain disposal records or redeployment records. CC ID 01644 | Records management | Preventive | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Preventive | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Preventive | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Preventive | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Preventive | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Preventive | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Preventive | |
Include record integrity techniques in the records management procedures. CC ID 06418 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Preventive | |
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Records management | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Preventive | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Preventive | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Preventive | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Preventive | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Preventive | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Preventive | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Preventive | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Preventive | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Preventive | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Preventive | |
Provide audit trails for all pertinent records. CC ID 00372 | Records management | Detective | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Preventive | |
Include the date and time in the removable storage media log. CC ID 12318 | Records management | Preventive | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Preventive | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Preventive | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Preventive | |
Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Preventive | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Preventive | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Preventive | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Preventive | |
Establish, implement, and maintain document retention procedures. CC ID 11660 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Preventive | |
Establish, implement, and maintain an e-discovery program. CC ID 00976 | Records management | Preventive | |
Establish, implement, and maintain e-discovery collection and production procedures. CC ID 00986 | Records management | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [The organization shall ensure that outsourced processes are controlled. § 8.1 ¶ 3] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 | Third Party and supply chain oversight | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Preventive | |
Document and maintain supply chain processes. CC ID 08816 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain an exit plan. CC ID 15492 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 | Third Party and supply chain oversight | Preventive | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Preventive | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 | Third Party and supply chain oversight | Detective | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Third Party and supply chain oversight | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Third Party and supply chain oversight | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Preventive | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Third Party and supply chain oversight | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Third Party and supply chain oversight | Preventive | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Third Party and supply chain oversight | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Third Party and supply chain oversight | Detective | |
Approve all Service Level Agreements. CC ID 00843 [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to contractual obligations, § 9.3 ¶ 4 d) 5)] | Third Party and supply chain oversight | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Detective | |
Categorize all suppliers in the supply chain management program. CC ID 00792 | Third Party and supply chain oversight | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Preventive | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Third Party and supply chain oversight | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Preventive | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Third Party and supply chain oversight | Preventive | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 | Third Party and supply chain oversight | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 | Third Party and supply chain oversight | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Preventive | |
Include a clear management process in the supply chain management policy. CC ID 08810 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Third Party and supply chain oversight | Preventive | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Third Party and supply chain oversight | Preventive | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Third Party and supply chain oversight | Preventive | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Third Party and supply chain oversight | Preventive | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Third Party and supply chain oversight | Preventive | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Third Party and supply chain oversight | Preventive | |
Establish and maintain a conflict materials report. CC ID 08823 | Third Party and supply chain oversight | Preventive | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Third Party and supply chain oversight | Preventive | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Third Party and supply chain oversight | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Preventive | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 [Corrective actions shall be appropriate to the effects of the nonconformities encountered. § 10.1 ¶ 2 When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining and implementing corrective action needed, § 10.1 ¶ 1 c) 5] | Monitoring and measurement | Preventive | |
Assign the Board of Directors to address audit findings. CC ID 12396 | Audits and risk management | Corrective | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Detective | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Preventive | |
Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Preventive | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Detective | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Detective | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS. § 7.1 ¶ 1] | Operational and Systems Continuity | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources management | Preventive | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources management | Preventive | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources management | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Corrective | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Preventive | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources management | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources management | Preventive | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources management | Preventive | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources management | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources management | Preventive | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources management | Preventive | |
Define and assign the authorized representatives' roles and responsibilities. CC ID 15033 | Human Resources management | Preventive | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources management | Preventive | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources management | Preventive | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources management | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Preventive | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Preventive | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources management | Preventive | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Detective | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Preventive | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources management | Preventive | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Preventive | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources management | Preventive | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Preventive | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Corrective | |
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Operational management | Preventive | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Determine the causes of compliance violations. CC ID 12401 [When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining the causes of the nonconformity, and § 10.1 ¶ 1 c) 2 {does not occur} When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by § 10.1 ¶ 1 c)] | Monitoring and measurement | Corrective | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 [When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining if similar nonconformities exist, or could potentially occur, § 10.1 ¶ 1 c) 3] | Monitoring and measurement | Detective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 [When nonconformity occurs, the organization shall review the effectiveness of any corrective action taken, § 10.1 ¶ 1 e) When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by reviewing the effectiveness of any corrective action taken and § 10.1 ¶ 1 c) 6] | Monitoring and measurement | Detective | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Detective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Detective | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Detective | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Detective | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Detective | |
Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Detective | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Preventive | |
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Operational management | Detective | |
Protect devices containing digital forensic evidence during transport. CC ID 08687 | Operational management | Detective | |
Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 | Operational management | Detective | |
Conduct forensic investigations in the event of a security compromise. CC ID 11951 | Operational management | Corrective | |
Identify potential sources of digital forensic evidence. CC ID 08651 | Operational management | Preventive | |
Prepare digital forensic equipment. CC ID 08688 | Operational management | Detective | |
Use digital forensic equipment suitable to the circumstances. CC ID 08690 | Operational management | Detective | |
Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 | Operational management | Detective | |
Maintain digital forensic equipment for proper performance. CC ID 08689 | Operational management | Detective | |
Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 | Operational management | Detective | |
Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 | Operational management | Detective | |
Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 | Operational management | Detective | |
Secure devices containing digital forensic evidence. CC ID 08681 | Operational management | Detective | |
Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 | Operational management | Detective | |
Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 | Operational management | Detective | |
Create a system image of the device before collecting digital forensic evidence. CC ID 08673 | Operational management | Detective | |
Shut down stand-alone devices containing digital forensic evidence. CC ID 08682 | Operational management | Detective | |
Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 | Operational management | Detective | |
Place evidence tape over devices containing digital forensic evidence. CC ID 08683 | Operational management | Detective | |
Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 | Operational management | Detective | |
Identify deviations in cost management procedures. CC ID 13640 | Operational management | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Detective | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Detective | |
Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Audits and risk management | Detective | |
Log important conversations conducted during emergencies with third parties. CC ID 12763 | Operational and Systems Continuity | Preventive | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective | |
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)] | Operational management | Corrective | |
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)] | Operational management | Preventive | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Preventive | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Preventive | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Preventive | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Preventive | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Preventive | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Preventive | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Preventive | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Preventive | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Preventive | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Preventive | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Preventive | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Preventive | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Preventive | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Preventive | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Preventive | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Preventive | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Preventive | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Preventive | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Preventive | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Preventive | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 | Records management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Follow the maintenance schedule. CC ID 11791 | Operational management | Preventive | |
Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 [{legal requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to legal and regulatory requirements, § 9.3 ¶ 4 d) 4)] | Leadership and high level objectives | Detective | |
Monitor for new Information Security solutions. CC ID 07078 | Leadership and high level objectives | Detective | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 | Monitoring and measurement | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Detective | |
Monitor for new vulnerabilities. CC ID 06843 | Monitoring and measurement | Preventive | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitoring and measurement | Detective | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Detective | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 | Monitoring and measurement | Detective | |
Include monitoring in the corrective action plan. CC ID 11645 [The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Monitoring and measurement | Detective | |
Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis. CC ID 12330 [The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4] | Monitoring and measurement | Preventive | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Preventive | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Preventive | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 | Operational and Systems Continuity | Detective | |
Monitor and evaluate business continuity management system performance. CC ID 12410 [The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Operational and Systems Continuity | Detective | |
Record business continuity management system performance for posterity. CC ID 12411 [The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5] | Operational and Systems Continuity | Preventive | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Detective | |
Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Detective | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Corrective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Operational management | Corrective | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Corrective | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Detective | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Preventive | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an environmental control program. CC ID 00724 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Operational and Systems Continuity | Corrective | |
Place printed records awaiting destruction into secure containers. CC ID 12464 | Records management | Preventive | |
Destroy printed records so they cannot be reconstructed. CC ID 11779 | Records management | Preventive | |
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Preventive | |
Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Leadership and high level objectives | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Corrective | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Corrective | |
Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Corrective | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Detective | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Detective | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Preventive | |
Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Operational and Systems Continuity | Corrective | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [Persons doing work under the organization’s control shall be aware of the implications of not conforming with the BCMS requirements, and § 7.3 ¶ 1 c) When nonconformity occurs, the organization shall deal with the consequences. § 10.1 ¶ 1 b) 2] | Operational management | Corrective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 | Operational management | Corrective | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Detective | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Preventive | |
Determine how long to keep records and logs before disposing of them. CC ID 11661 | Records management | Preventive | |
Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Preventive | |
Display required information automatically in electronic health records. CC ID 14442 | Records management | Preventive | |
Create export summaries, as necessary. CC ID 14446 | Records management | Preventive | |
Identify patient-specific education resources. CC ID 14439 | Records management | Detective | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Preventive | |
Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Detective | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Corrective | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Preventive | |
Retain collected evidence for potential future legal actions. CC ID 01235 | Operational management | Preventive | |
Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 | Operational management | Preventive | |
Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662 [When creating and updating documented information, the organization shall ensure appropriate identification and description, § 7.5.2 ¶ 1 a)] | Records management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [The organization shall retain documented information on the business continuity policy. § 5.3 ¶ 3 The organization shall retain documented information on the business continuity objectives. § 6.2 ¶ 3 The organization shall retain appropriate documented information as evidence of the results. § 9.1.1 ¶ 2 {actions to address risks and opportunities} The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 1 c) {adverse results} Additionally, the organization shall — take action when necessary to address adverse trends or results before a nonconformity occurs, and — retain relevant documented information as evidence of the results. § 9.1.1 ¶ 4 The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 5 The organization shall retain documented information as evidence of - the nature of the nonconformities and any subsequent actions taken, and - the results of any corrective action. § 10.1 ¶ 3] | Records management | Preventive | |
Manage the disposition status for all records. CC ID 00972 | Records management | Preventive | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records management | Preventive | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 [Documented information required by the BCMS and by this International Standard shall be controlled to ensure it is adequately protected. § 7.5.3 ¶ 1 b)] | Records management | Preventive | |
Capture the records required by organizational compliance requirements. CC ID 00912 [Documented information required by the BCMS and by this International Standard shall be controlled to ensure it is available and suitable for use, where and when it is needed, § 7.5.3 ¶ 1 a)] | Records management | Detective | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Preventive | |
Establish and maintain an implantable device list. CC ID 14444 | Records management | Preventive | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Preventive | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Preventive | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Preventive | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Preventive | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Preventive | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Preventive | |
Note the location of the original in electronic records converted from printed records. CC ID 11809 | Records management | Preventive | |
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records management | Preventive | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Detective | |
Establish and maintain access controls for all records. CC ID 00371 [When establishing control of documented information, the organization shall ensure that there is adequate protection for the documented information. § 7.5.3 ¶ 4 For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Preventive | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records management | Preventive | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Preventive | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Preventive | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Operational and Systems Continuity | Detective | |
Include information security continuity in the scope of the continuity framework. CC ID 12009 [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Preventive | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [{processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)] | Operational and Systems Continuity | Preventive | |
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Operational and Systems Continuity | Corrective | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 | Operational and Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Operational and Systems Continuity | Preventive | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [The response structure shall activate an appropriate business continuity response, § 8.4.2 ¶ 2 c) The business continuity plans shall collectively contain a process for activating the response, § 8.4.4 ¶ 2 b) {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3 {processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)] | Operational and Systems Continuity | Corrective | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Preventive | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Corrective | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Preventive | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Corrective | |
Review and prioritize the importance of each business unit. CC ID 01165 | Operational and Systems Continuity | Preventive | |
Document the mean time to failure for system components. CC ID 10684 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 [The business continuity objectives shall be monitored and updated as appropriate. § 6.2 ¶ 2 e)] | Operational and Systems Continuity | Preventive | |
Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Operational and Systems Continuity | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Preventive | |
Include consumer protection procedures in the Incident Response program. CC ID 12755 | Operational management | Preventive | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Third Party and supply chain oversight | Preventive | |
Review third parties' backup policies. CC ID 13043 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Leadership and high level objectives | Preventive | |
Validate the system before implementing approved changes. CC ID 01510 | Operational management | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Preventive | |
Establish, implement, and maintain a document retrieval system to use during e-discovery. CC ID 00985 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Preventive | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 {national risk advisory system} The organization shall establish, implement and maintain procedures for receiving, documenting and responding to any national or regional risk advisory system or equivalent, § 8.4.3 ¶ 1 d)] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Detective | |
Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Preventive | |
Protect against misusing automated audit tools. CC ID 04547 | Monitoring and measurement | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Preventive | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
Categorize the incident following an incident response. CC ID 13208 | Operational management | Preventive | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
Refrain from accessing compromised systems. CC ID 01752 | Operational management | Corrective | |
Isolate compromised systems from the network. CC ID 01753 | Operational management | Corrective | |
Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Corrective | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Corrective | |
Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Corrective | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Corrective | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Corrective | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Corrective | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Operational management | Preventive | |
Implement patch management software, as necessary. CC ID 12094 | Operational management | Preventive | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Operational management | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Detective | |
Patch software. CC ID 11825 | Operational management | Corrective | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Corrective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Operational management | Detective | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Preventive | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Preventive | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Preventive | |
Provide encryption for different types of electronic storage media. CC ID 00945 | Records management | Preventive |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Monitoring and measurement | Preventive | |
Test compliance controls for proper functionality. CC ID 00660 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a system security plan. CC ID 01922 | Monitoring and measurement | Preventive | |
Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Detective | |
Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Detective | |
Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Detective | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Preventive | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Monitoring and measurement | Detective | |
Evaluate the measurement process used for metrics. CC ID 06920 [{what needs to be measured} The organization shall determine what needs to be monitored and measured, § 9.1.1 ¶ 1 a) The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5] | Monitoring and measurement | Detective | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 | Audits and risk management | Detective | |
Review the external audit assertion for accuracy. CC ID 06977 | Audits and risk management | Detective | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 | Audits and risk management | Detective | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Detective | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Detective | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3 The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Preventive | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Preventive | |
Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Detective | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Detective | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Detective | |
Submit an audit report that is complete. CC ID 01145 | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Audits and risk management | Detective | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Audits and risk management | Detective | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that includes systematic analysis, prioritization of risk treatments, and their related costs, § 8.2.1 ¶ 1 c)] | Audits and risk management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, § 8.2.1 ¶ 1 a)] | Audits and risk management | Detective | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Detective | |
Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Detective | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Detective | |
Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1] | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives. § 8.5 ¶ 1 The organization shall conduct exercises and tests that are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates. § 8.5 ¶ 2 g) The business continuity objectives shall be measurable, § 6.2 ¶ 2 c) The organization shall conduct exercises and tests that produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements, § 8.5 ¶ 2 e) The organization shall conduct exercises and tests that are consistent with the scope and objectives of the BCMS, § 8.5 ¶ 2 a) {business continuity capabilities} The organization shall conduct evaluations of its business continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness; § 9.1.2 a) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3 {communication procedures} The communication and warning procedures shall be regularly exercised. § 8.4.3 ¶ 2 {periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)] | Operational and Systems Continuity | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Operational and Systems Continuity | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Operational and Systems Continuity | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Operational and Systems Continuity | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [The organization shall conduct exercises and tests that are based on appropriate scenarios that are well planned with clearly defined aims and objectives, § 8.5 ¶ 2 b) The organization shall conduct exercises and tests that minimize the risk of disruption of operations, § 8.5 ¶ 2 d)] | Operational and Systems Continuity | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Detective | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [The organization shall conduct exercises and tests that taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties, § 8.5 ¶ 2 c)] | Operational and Systems Continuity | Preventive | |
Review all third party's continuity plan test results. CC ID 01365 [The organization shall conduct evaluations of the business continuity capabilities of suppliers. § 8.3.1 ¶ 4] | Operational and Systems Continuity | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Detective | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Operational and Systems Continuity | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Operational and Systems Continuity | Detective | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The organization shall ensure that these persons are competent on the basis of appropriate education, training, and experience, § 7.2 ¶ 1 b)] | Human Resources management | Detective | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
Conduct tests and evaluate training. CC ID 06672 [The organization shall where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and § 7.2 ¶ 1 c)] | Human Resources management | Detective | |
Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Corrective | |
Open a priority incident request after a security breach is detected. CC ID 04838 | Operational management | Corrective | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Operational management | Corrective | |
Establish trust between the incident response team and the end user community during an incident. CC ID 01217 | Operational management | Detective | |
Test the operation of the digital forensic equipment prior to use. CC ID 08694 | Operational management | Detective | |
Test the incident response procedures. CC ID 01216 | Operational management | Detective | |
Test proposed changes prior to their approval. CC ID 00548 | Operational management | Detective | |
Perform risk assessments prior to approving change requests. CC ID 00888 | Operational management | Preventive | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Operational management | Detective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Detective | |
Review changes to computer firmware. CC ID 12226 | Operational management | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Operational management | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Operational management | Detective | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Detective | |
Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Detective | |
Test the exit plan, as necessary. CC ID 15495 | Third Party and supply chain oversight | Preventive | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Detective | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Detective | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Detective | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Third Party and supply chain oversight | Detective |
Include cross-team coordination in continuity plan training. CC ID 16235 | Operational and Systems Continuity | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Operational and Systems Continuity | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Operational and Systems Continuity | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Operational and Systems Continuity | Preventive | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Detective | |
Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Preventive | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Preventive | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Preventive | |
Include risk management in the training plan, as necessary. CC ID 13040 | Human Resources management | Preventive | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Preventive | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Human Resources management | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
Conduct tampering prevention training. CC ID 11875 | Human Resources management | Preventive | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Preventive | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Preventive | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Preventive | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Preventive | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Preventive | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Preventive | |
Conduct incident response training. CC ID 11889 | Operational management | Preventive | |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | TYPE | |
---|---|---|---|
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Communicate | |
Correct errors and deficiencies in a timely manner. CC ID 13501 | Leadership and high level objectives | Business Processes | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Establish/Maintain Documentation | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Process or Activity | |
Determine the causes of compliance violations. CC ID 12401 [When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining the causes of the nonconformity, and § 10.1 ¶ 1 c) 2 {does not occur} When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by § 10.1 ¶ 1 c)] | Monitoring and measurement | Investigate | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Process or Activity | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [When nonconformity occurs, the organization shall react to the nonconformity, and, as applicable, § 10.1 ¶ 1 b) {adverse results} Additionally, the organization shall — take action when necessary to address adverse trends or results before a nonconformity occurs, and — retain relevant documented information as evidence of the results. § 9.1.1 ¶ 4 {nonconformity} take action to control and correct it, and § 10.1 ¶ 1 b) 1) {nonconformity} take action to control and correct it, and § 10.1 ¶ 1 b) 1) When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining and implementing corrective action needed, § 10.1 ¶ 1 c) 5] | Monitoring and measurement | Behavior | |
Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Process or Activity | |
Assign the Board of Directors to address audit findings. CC ID 12396 | Audits and risk management | Human Resources Management | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Establish/Maintain Documentation | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Audits and Risk Management | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Establish/Maintain Documentation | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Business Processes | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Establish/Maintain Documentation | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4 The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Actionable Reports or Measurements | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Acquisition/Sale of Assets or Services | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Audits and risk management | Establish/Maintain Documentation | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The organization shall plan actions to address these risks and opportunities, § 6.1 ¶ 2 a)] | Audits and risk management | Establish/Maintain Documentation | |
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Operational and Systems Continuity | Systems Continuity | |
Report changes in the continuity plan to senior management. CC ID 12757 | Operational and Systems Continuity | Communicate | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [The response structure shall activate an appropriate business continuity response, § 8.4.2 ¶ 2 c) The business continuity plans shall collectively contain a process for activating the response, § 8.4.4 ¶ 2 b) {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3 {processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)] | Operational and Systems Continuity | Systems Continuity | |
Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Systems Continuity | |
Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Operational and Systems Continuity | Process or Activity | |
Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Operational and Systems Continuity | Physical and Environmental Protection | |
Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Operational and Systems Continuity | Communicate | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Human Resources Management | |
Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Behavior | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [Persons doing work under the organization’s control shall be aware of the implications of not conforming with the BCMS requirements, and § 7.3 ¶ 1 c) When nonconformity occurs, the organization shall deal with the consequences. § 10.1 ¶ 1 b) 2] | Operational management | Process or Activity | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Monitor and Evaluate Occurrences | |
Escalate incidents, as necessary. CC ID 14861 | Operational management | Monitor and Evaluate Occurrences | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Behavior | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Process or Activity | |
Contain the incident to prevent further loss. CC ID 01751 | Operational management | Process or Activity | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
Refrain from accessing compromised systems. CC ID 01752 | Operational management | Technical Security | |
Isolate compromised systems from the network. CC ID 01753 | Operational management | Technical Security | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Log Management | |
Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Technical Security | |
Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Testing | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Monitor and Evaluate Occurrences | |
Share incident information with interested personnel and affected parties. CC ID 01212 [The response structure shall communicate with interested parties and authorities, as well as the media. § 8.4.2 ¶ 2 f) The response structure shall communicate with interested parties and authorities, as well as the media. § 8.4.2 ¶ 2 f) {procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)] | Operational management | Data and Information Management | |
Share data loss event information with the media. CC ID 01759 [The response structure shall communicate with interested parties and authorities, as well as the media. § 8.4.2 ¶ 2 f) The business continuity plans shall collectively contain details of the organization’s media response following an incident, including a communications strategy, § 8.4.4 ¶ 2 f) 1) The business continuity plans shall collectively contain details of the organization’s media response following an incident, including preferred interface with the media, § 8.4.4 ¶ 2 f) 2) The business continuity plans shall collectively contain details of the organization’s media response following an incident, including guideline or template for drafting a statement for the media, and § 8.4.4 ¶ 2 f) 3) The business continuity plans shall collectively contain details of the organization's media response following an incident, including § 8.4.4 ¶ 2 f)] | Operational management | Behavior | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Data and Information Management | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Behavior | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Behavior | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Establish/Maintain Documentation | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Behavior | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Behavior | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Behavior | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Behavior | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 [The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis. § 8.4.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Technical Security | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Business Processes | |
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Human Resources Management | |
Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Technical Security | |
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)] | Operational management | Log Management | |
Open a priority incident request after a security breach is detected. CC ID 04838 | Operational management | Testing | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Operational management | Testing | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Operational management | Communicate | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Technical Security | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Technical Security | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Technical Security | |
Conduct forensic investigations in the event of a security compromise. CC ID 11951 | Operational management | Investigate | |
Collect evidence from the incident scene. CC ID 02236 | Operational management | Business Processes | |
Review and approve the Information Technology budget. CC ID 13644 | Operational management | Business Processes | |
Update the Information Technology budget, as necessary. CC ID 13643 | Operational management | Business Processes | |
Approve back-out plans, as necessary. CC ID 13627 | Operational management | Establish/Maintain Documentation | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Configuration | |
Patch software. CC ID 11825 | Operational management | Technical Security | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Technical Security | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Configuration | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Configuration | |
Update computer firmware, as necessary. CC ID 11755 | Operational management | Configuration | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Operational management | Configuration | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Operational management | Business Processes | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Operational management | Establish/Maintain Documentation | |
Document approved configuration deviations. CC ID 08711 | Operational management | Establish/Maintain Documentation | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Process or Activity | |
Terminate supplier relationships, as necessary. CC ID 13489 | Third Party and supply chain oversight | Business Processes | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Third Party and supply chain oversight | Business Processes | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | TYPE | |
---|---|---|---|
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Process or Activity | |
Monitor regulatory trends to maintain compliance. CC ID 00604 [{legal requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to legal and regulatory requirements, § 9.3 ¶ 4 d) 4)] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Monitor for new Information Security solutions. CC ID 07078 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 {national risk advisory system} The organization shall establish, implement and maintain procedures for receiving, documenting and responding to any national or regional risk advisory system or equivalent, § 8.4.3 ¶ 1 d) {national risk advisory system} The organization shall establish, implement and maintain procedures for receiving, documenting and responding to any national or regional risk advisory system or equivalent, § 8.4.3 ¶ 1 d) {national risk advisory system} The organization shall establish, implement and maintain procedures for receiving, documenting and responding to any national or regional risk advisory system or equivalent, § 8.4.3 ¶ 1 d)] | Leadership and high level objectives | Technical Security | |
Enforce a continuous Quality Control system. CC ID 01005 | Leadership and high level objectives | Business Processes | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Leadership and high level objectives | Testing | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Business Processes | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Business Processes | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Establish/Maintain Documentation | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Test compliance controls for proper functionality. CC ID 00660 | Monitoring and measurement | Testing | |
Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Testing | |
Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Testing | |
Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Testing | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Monitoring and measurement | Testing | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Actionable Reports or Measurements | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Business Processes | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 [When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining if similar nonconformities exist, or could potentially occur, § 10.1 ¶ 1 c) 3] | Monitoring and measurement | Investigate | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 [When nonconformity occurs, the organization shall review the effectiveness of any corrective action taken, § 10.1 ¶ 1 e) When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by reviewing the effectiveness of any corrective action taken and § 10.1 ¶ 1 c) 6] | Monitoring and measurement | Investigate | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals who have access to security software and are trained, authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals who are able to assign security privileges and are trained, authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Log Management | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Log Management | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Log Management | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before network access is granted. CC ID 02106 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Technical Security | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Include monitoring in the corrective action plan. CC ID 11645 [The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Evaluate the measurement process used for metrics. CC ID 06920 [{what needs to be measured} The organization shall determine what needs to be monitored and measured, § 9.1.1 ¶ 1 a) The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5] | Monitoring and measurement | Testing | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 | Audits and risk management | Testing | |
Review the external audit assertion for accuracy. CC ID 06977 | Audits and risk management | Testing | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 | Audits and risk management | Testing | |
Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and risk management | Audits and Risk Management | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Audits and Risk Management | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Audits and Risk Management | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Audits and Risk Management | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
Refrain from examining forecasts and projections that do not disclose their assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Investigate | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
Determine the accuracy of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Testing | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Testing | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Testing | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Testing | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Audits and Risk Management | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Audits and Risk Management | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Testing | |
Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Testing | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Behavior | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Audits and Risk Management | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Testing | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Testing | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Audits and Risk Management | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Investigate | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Establish/Maintain Documentation | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Human Resources Management | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Audits and Risk Management | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Audits and Risk Management | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Establish/Maintain Documentation | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Audits and Risk Management | |
Review past audit reports. CC ID 01155 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2 The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Establish/Maintain Documentation | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Establish/Maintain Documentation | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Investigate | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Process or Activity | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Audits and risk management | Log Management | |
Review the issues of non-compliance from past audit reports. CC ID 01148 [The business impact analysis shall include the following: assessing the impacts over time of not performing these activities; § 8.2.2 ¶ 2 b) When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by reviewing the nonconformity, § 10.1 ¶ 1 c) 1)] | Audits and risk management | Establish/Maintain Documentation | |
Submit an audit report that is complete. CC ID 01145 | Audits and risk management | Testing | |
Review management's response to issues raised in past audit reports. CC ID 01149 [The management review shall include consideration of the status of actions from previous management reviews, § 9.3 ¶ 2 a) The management review shall include consideration of information on the business continuity performance, including trends in nonconformities and corrective actions, § 9.3 ¶ 2 c) 1)] | Audits and risk management | Audits and Risk Management | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Audits and risk management | Testing | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Human Resources Management | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Audits and risk management | Testing | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Audits and Risk Management | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Audits and Risk Management | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Audits and Risk Management | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Human Resources Management | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Investigate | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Establish/Maintain Documentation | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [{update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)] | Audits and risk management | Establish/Maintain Documentation | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Investigate | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [{formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d) The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. § 8.2.2 ¶ 1 {outputs from the risk assessment} Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment. § 8.3.1 ¶ 1 The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that specifies the requirements for this information to be kept up-to-date and confidential. § 8.2.1 ¶ 1 e) The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that § 8.2.1 ¶ 1] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [The business impact analysis shall include the following: identifying activities that support the provision of products and services; § 8.2.2 ¶ 2 a) The organization shall identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, § 8.2.3 ¶ 2 a)] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [The organization shall identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, § 8.2.3 ¶ 2 a)] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Audits and Risk Management | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Actionable Reports or Measurements | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Audits and Risk Management | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [{update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)] | Audits and risk management | Establish/Maintain Documentation | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Process or Activity | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Process or Activity | |
Determine the effectiveness of risk control measures. CC ID 06601 [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, § 8.2.1 ¶ 1 a)] | Audits and risk management | Testing | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Operational and Systems Continuity | Systems Continuity | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 | Operational and Systems Continuity | Systems Continuity | |
Monitor and evaluate business continuity management system performance. CC ID 12410 [The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Testing | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Testing | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Testing | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Define and prioritize critical business functions. CC ID 00736 [The organization shall determine an appropriate business continuity strategy for protecting prioritized activities, § 8.3.1 ¶ 2 a) The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to prevention of further loss or unavailability of prioritized activities; § 8.4.4 ¶ 2 c) 3)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a critical personnel list. CC ID 00739 [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a critical resource list. CC ID 00740 [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to resource needs, § 9.3 ¶ 4 d) 7)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1] | Operational and Systems Continuity | Testing | |
Test the continuity plan, as necessary. CC ID 00755 [The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives. § 8.5 ¶ 1 The organization shall conduct exercises and tests that are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates. § 8.5 ¶ 2 g) The business continuity objectives shall be measurable, § 6.2 ¶ 2 c) The organization shall conduct exercises and tests that produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements, § 8.5 ¶ 2 e) The organization shall conduct exercises and tests that are consistent with the scope and objectives of the BCMS, § 8.5 ¶ 2 a) {business continuity capabilities} The organization shall conduct evaluations of its business continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness; § 9.1.2 a) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3 {communication procedures} The communication and warning procedures shall be regularly exercised. § 8.4.3 ¶ 2 {periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)] | Operational and Systems Continuity | Testing | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Testing | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [The organization shall conduct exercises and tests that are based on appropriate scenarios that are well planned with clearly defined aims and objectives, § 8.5 ¶ 2 b) The organization shall conduct exercises and tests that minimize the risk of disruption of operations, § 8.5 ¶ 2 d)] | Operational and Systems Continuity | Testing | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Testing | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Testing | |
Review all third parties' continuity plan test results. CC ID 01365 [The organization shall conduct evaluations of the business continuity capabilities of suppliers. § 8.3.1 ¶ 4] | Operational and Systems Continuity | Testing | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Testing | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Operational and Systems Continuity | Testing | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Operational and Systems Continuity | Testing | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The organization shall ensure that these persons are competent on the basis of appropriate education, training, and experience, § 7.2 ¶ 1 b)] | Human Resources management | Testing | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Human Resources Management | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Human Resources Management | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Establish/Maintain Documentation | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Human Resources Management | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Establish/Maintain Documentation | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [Persons doing work under the organization’s control shall be aware of their own role during disruptive incidents. § 7.3 ¶ 1 d)] | Human Resources management | Establish Roles | |
Evaluate the staffing requirements regularly. CC ID 00775 [The organization shall determine the necessary competence of person(s) doing work under its control that affects its performance, § 7.2 ¶ 1 a)] | Human Resources management | Business Processes | |
Document all training in a training record. CC ID 01423 [The organization shall retain appropriate documented information as evidence of competence. § 7.2 ¶ 1 d)] | Human Resources management | Establish/Maintain Documentation | |
Conduct tests and evaluate training. CC ID 06672 [The organization shall where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and § 7.2 ¶ 1 c)] | Human Resources management | Testing | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Training | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Training | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Monitor and Evaluate Occurrences | |
Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Monitor and Evaluate Occurrences | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Monitor and Evaluate Occurrences | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Monitor and Evaluate Occurrences | |
Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Investigate | |
Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Monitor and Evaluate Occurrences | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 [{procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)] | Operational management | Establish/Maintain Documentation | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Investigate | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Establish/Maintain Documentation | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Establish/Maintain Documentation | |
Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Investigate | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Behavior | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
Include information required by law in incident response notifications. CC ID 00802 | Operational management | Establish/Maintain Documentation | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Monitor and Evaluate Occurrences | |
Analyze and respond to security alerts. CC ID 12504 | Operational management | Business Processes | |
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Operational management | Investigate | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident. § 8.4.1 ¶ 2 The procedures shall be specific regarding the immediate steps that are to be taken during a disruption, § 8.4.1 ¶ 3 b) The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident. § 8.4.2 ¶ 1 {processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Establish trust between the incident response team and the end user community during an incident. CC ID 01217 | Operational management | Testing | |
Protect devices containing digital forensic evidence during transport. CC ID 08687 | Operational management | Investigate | |
Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 | Operational management | Investigate | |
Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 | Operational management | Establish/Maintain Documentation | |
Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 | Operational management | Communicate | |
Prepare digital forensic equipment. CC ID 08688 | Operational management | Investigate | |
Use digital forensic equipment suitable to the circumstances. CC ID 08690 | Operational management | Investigate | |
Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 | Operational management | Investigate | |
Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 | Operational management | Establish/Maintain Documentation | |
Test the operation of the digital forensic equipment prior to use. CC ID 08694 | Operational management | Testing | |
Maintain digital forensic equipment for proper performance. CC ID 08689 | Operational management | Investigate | |
Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 | Operational management | Establish/Maintain Documentation | |
Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 | Operational management | Establish/Maintain Documentation | |
Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 | Operational management | Establish/Maintain Documentation | |
Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 | Operational management | Establish/Maintain Documentation | |
Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 | Operational management | Establish/Maintain Documentation | |
Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 | Operational management | Investigate | |
Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 | Operational management | Investigate | |
Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 | Operational management | Investigate | |
Secure devices containing digital forensic evidence. CC ID 08681 | Operational management | Investigate | |
Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 | Operational management | Investigate | |
Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 | Operational management | Investigate | |
Create a system image of the device before collecting digital forensic evidence. CC ID 08673 | Operational management | Investigate | |
Shut down stand-alone devices containing digital forensic evidence. CC ID 08682 | Operational management | Investigate | |
Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 | Operational management | Investigate | |
Place evidence tape over devices containing digital forensic evidence. CC ID 08683 | Operational management | Investigate | |
Test the incident response procedures. CC ID 01216 | Operational management | Testing | |
Use proactive performance management. CC ID 00937 | Operational management | Business Processes | |
Utilize resource availability management controls. CC ID 00940 | Operational management | Business Processes | |
Establish, implement, and maintain cost management procedures. CC ID 00873 [{funding requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to funding and budget requirements; and § 9.3 ¶ 4 d) 8)] | Operational management | Business Processes | |
Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 | Operational management | Investigate | |
Identify deviations in cost management procedures. CC ID 13640 | Operational management | Investigate | |
Identify and allocate departmental costs. CC ID 00871 | Operational management | Business Processes | |
Prepare an Information Technology budget, as necessary. CC ID 00872 [{funding requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to funding and budget requirements; and § 9.3 ¶ 4 d) 8)] | Operational management | Establish/Maintain Documentation | |
Test proposed changes prior to their approval. CC ID 00548 | Operational management | Testing | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Operational management | Business Processes | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Process or Activity | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Investigate | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Investigate | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Technical Security | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Operational management | Testing | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Testing | |
Review changes to computer firmware. CC ID 12226 | Operational management | Testing | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Testing | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Operational management | Technical Security | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Establish/Maintain Documentation | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Operational management | Testing | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Operational management | Testing | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Configuration | |
Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 | Records management | Establish/Maintain Documentation | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Establish/Maintain Documentation | |
Capture the records required by organizational compliance requirements. CC ID 00912 [Documented information required by the BCMS and by this International Standard shall be controlled to ensure it is available and suitable for use, where and when it is needed, § 7.5.3 ¶ 1 a)] | Records management | Records Management | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Data and Information Management | |
Identify patient-specific education resources. CC ID 14439 | Records management | Process or Activity | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Data and Information Management | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Records Management | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Monitor and Evaluate Occurrences | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Testing | |
Provide audit trails for all pertinent records. CC ID 00372 | Records management | Establish/Maintain Documentation | |
Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Process or Activity | |
Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Testing | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Testing | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Testing | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Testing | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Testing | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Data and Information Management | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Testing | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Approve all Service Level Agreements. CC ID 00843 [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to contractual obligations, § 9.3 ¶ 4 d) 5)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Business Processes | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Third Party and supply chain oversight | Testing | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 | Third Party and supply chain oversight | Audits and Risk Management | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Third Party and supply chain oversight | Business Processes | |
Review third parties' backup policies. CC ID 13043 | Third Party and supply chain oversight | Systems Continuity | |
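The digital forensic evidence controls above (CC IDs 08671, 08692, 08684, 08673) describe an acquisition that must not alter the compromised system, must capture volatile state before shutdown, and must image the device before evidence is collected from it. What the table does not show is the check that makes such an image defensible: the source is hashed as it is read, the written image is re-hashed from disk, and the two digests must agree before the acquisition is recorded. The following script is an added example and is not part of ISO 22301 or the UCF report. A constructed temporary file stands in for the evidence device, the write blocker is assumed to be hardware or a read-only mount (the script only ever opens the source read-only), and `EXAMINER` and `VOLATILE_SAMPLE` are placeholders for what a responder would actually record.

```python
"""Forensic acquisition with integrity verification.

Added example, not part of ISO 22301 or the UCF report. A constructed temp
file stands in for the evidence device; the write blocker itself is assumed
to be hardware or a read-only mount, so this code only ever opens the source
read-only and never writes to it. EXAMINER and VOLATILE_SAMPLE are
placeholders for what the responder actually records."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte devices
EXAMINER = "examiner-placeholder"  # assumption: whoever signs the manifest

# Constructed stand-in for volatile state captured before shutdown (CC ID 08684)
VOLATILE_SAMPLE = {
    "captured_before_shutdown": True,
    "logged_in_users": ["svc-backup"],
    "listening_ports": [22, 443],
}


def sha256_file(path: str) -> str:
    """Hash a file in chunks; used to re-read the image from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image: str, volatile: dict) -> dict:
    """Stream `source` into `image`, hashing the source as it is read, then
    re-hash the written image and refuse to return a manifest unless both
    digests match (a bad copy must never be logged as good)."""
    started = datetime.now(timezone.utc).isoformat()
    h_src = hashlib.sha256()
    total = 0
    fd = os.open(source, os.O_RDONLY)  # read-only: evidence is never opened for writing
    with os.fdopen(fd, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_src.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image is on stable storage before it is hashed
    source_hash = h_src.hexdigest()
    image_hash = sha256_file(image)
    if image_hash != source_hash:
        raise RuntimeError(f"image {image} does not match source {source}: "
                           f"{image_hash} != {source_hash}")
    return {
        "source": source,
        "image": image,
        "bytes": total,
        "sha256": source_hash,
        "write_blocked": True,  # assumption: enforced outside this script
        "volatile_capture": volatile,
        "examiner": EXAMINER,
        "acquired_at": started,
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(image: str, manifest: dict) -> bool:
    """Re-verification before analysis or hand-off: any change to the image
    after acquisition shows up as a digest mismatch."""
    return sha256_file(image) == manifest["sha256"]


def acquire_sample(data: bytes) -> dict:
    """Run a full acquisition over constructed device contents, then show that
    a single flipped byte in the image is caught by re-verification."""
    if not data:
        raise ValueError("constructed device contents must not be empty")
    with tempfile.TemporaryDirectory() as d:
        dev, img = os.path.join(d, "sdb"), os.path.join(d, "sdb.dd")
        with open(dev, "wb") as f:
            f.write(data)
        manifest = acquire_image(dev, img, VOLATILE_SAMPLE)
        intact = verify_image(img, manifest)
        with open(img, "r+b") as f:  # simulate tampering with the image copy
            f.write(bytes([data[0] ^ 0xFF]))
        return {"manifest": manifest, "intact": intact,
                "tampered_intact": verify_image(img, manifest)}


if __name__ == "__main__":
    result = acquire_sample(bytes(range(256)) * 4096)  # 1 MiB constructed device
    print(json.dumps(result["manifest"], indent=2))
    print("intact:", result["intact"], "after tampering:", result["tampered_intact"])
```

The manifest is the part of the forensic investigation report that the later controls (external connections, media, system components) attach to; in practice it is written alongside the image, hashed itself, and signed by the examiner, and the same `verify_image` check is repeated every time the image changes hands.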
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain communication protocols. CC ID 12245 [{internal communications protocol} The procedures shall establish an appropriate internal and external communications protocol, § 8.4.1 ¶ 3 a) The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 {procedures for receiving, documenting and responding to communication from interested parties} The organization shall establish, implement and maintain procedures for internal communication within the organization and receiving, documenting and responding to communication from interested parties, § 8.4.3 ¶ 1 c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Communicate | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Process or Activity | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Process or Activity | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Communicate | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Communicate | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Process or Activity | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Communicate | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Communicate | |
Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Process or Activity | |
Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Process or Activity | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Business Processes | |
Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Process or Activity | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Actionable Reports or Measurements | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Communicate | |
Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Process or Activity | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [In establishing the context, the organization shall articulate its objectives, including those concerned with business continuity, § 4.1 ¶ 4 1) Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization. § 6.2 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Process or Activity | |
Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Process or Activity | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Leadership and high level objectives | Process or Activity | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Leadership and high level objectives | Business Processes | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Leadership and high level objectives | Business Processes | |
Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Business Processes | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Communicate | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Communicate | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Leadership and high level objectives | Communicate | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Business Processes | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Process or Activity | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Process or Activity | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Business Processes | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: § 9.3 ¶ 4 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Establish/Maintain Documentation | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Communicate | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Communicate | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 | Leadership and high level objectives | Establish/Maintain Documentation | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Communicate | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Communicate | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Authority Document list. CC ID 07113 [{legal requirements} {regulatory requirements} {new legal, regulatory and other requirements} The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties. § 4.2.2 ¶ 3 [identified and controlled] Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled. § 7.5.3 ¶ 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [The organization’s BCMS shall include - documented information required by this International Standard, and - documented information determined by the organization as being necessary for the effectiveness of the BCMS. § 7.5.1 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Communicate | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Establish/Maintain Documentation | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Establish/Maintain Documentation | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Establish Roles | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 [Top management shall assign the responsibility and authority for ensuring that the management system conforms to the requirements of this International Standard, and § 5.4 ¶ 2 a)] | Leadership and high level objectives | Establish Roles | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Leadership and high level objectives | Behavior | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 [{legal requirements} {regulatory requirements} {new legal, regulatory and other requirements} The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties. § 4.2.2 ¶ 3] | Leadership and high level objectives | Behavior | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Align business continuity objectives with the business continuity policy. CC ID 12408 [The business continuity objectives shall be consistent with the business continuity policy, § 6.2 ¶ 2 a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [Persons doing work under the organization’s control shall be aware of their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity management performance, § 7.3 ¶ 1 b)] | Leadership and high level objectives | Business Processes | |
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 | Leadership and high level objectives | Behavior | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [{what needs to be measured} The organization shall determine what needs to be monitored and measured, § 9.1.1 ¶ 1 a)] | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Implement a fraud detection system. CC ID 13081 | Monitoring and measurement | Business Processes | |
Monitor for new vulnerabilities. CC ID 06843 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Monitoring and measurement | Testing | |
Establish, implement, and maintain a system security plan. CC ID 01922 | Monitoring and measurement | Testing | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation | |
Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Establish/Maintain Documentation | |
Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Establish/Maintain Documentation | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Establish/Maintain Documentation | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Testing | |
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{legal requirements} {business continuity objectives} The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives; and § 9.1.2 c) The organization shall determine when the monitoring and measuring shall be performed, and § 9.1.1 ¶ 1 c)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Establish/Maintain Documentation | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Business Processes | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Audits and Risk Management | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [When nonconformity occurs, the organization shall identify the nonconformity, § 10.1 ¶ 1 a) The organization shall retain documented information as evidence of - the nature of the nonconformities and any subsequent actions taken, and - the results of any corrective action. § 10.1 ¶ 3 {do not occur} When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by evaluating the need for corrective action to ensure that nonconformities do not recur or occur elsewhere, § 10.1 ¶ 1 c) 4 The management review shall include consideration of information on the business continuity performance, including trends in nonconformities and corrective actions, § 9.3 ¶ 2 c) 1)] | Monitoring and measurement | Establish/Maintain Documentation | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Establish/Maintain Documentation | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 [Corrective actions shall be appropriate to the effects of the nonconformities encountered. § 10.1 ¶ 2 When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining and implementing corrective action needed, § 10.1 ¶ 1 c) 5] | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 The organization shall determine when the results from monitoring and measurement shall be analysed and evaluated. § 9.1.1 ¶ 1 d) The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5 The management review shall include consideration of information on the business continuity performance, including trends in monitoring and measurement evaluation results, and § 9.3 ¶ 2 c) 2)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: how the effectiveness of controls are measured. § 9.3 ¶ 4 e)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Business Processes | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Establish/Maintain Documentation | |
Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Technical Security | |
Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Log Management | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Technical Security | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Log Management | |
Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Systems Continuity | |
Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Log Management | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Log Management | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Log Management | |
Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Log Management | |
Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Log Management | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Log Management | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Configuration | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Audits and Risk Management | |
Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis. CC ID 12330 [The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Protect against misusing automated audit tools. CC ID 04547 | Monitoring and measurement | Technical Security | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Establish Roles | |
Manage supply chain audits. CC ID 01203 | Audits and risk management | Audits and Risk Management | |
Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Audits and Risk Management | |
Rotate auditors, as necessary. CC ID 15589 | Audits and risk management | Audits and Risk Management | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 | Audits and risk management | Establish Roles | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Establish Roles | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Establish Roles | |
Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Audits and risk management | Establish Roles | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Audits and risk management | Establish Roles | |
Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Audits and risk management | Establish Roles | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Establish Roles | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and risk management | Audits and Risk Management | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Establish/Maintain Documentation | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Establish/Maintain Documentation | |
Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Audits and risk management | Establish/Maintain Documentation | |
Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Audits and risk management | Establish/Maintain Documentation | |
Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Audits and risk management | Establish/Maintain Documentation | |
Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Audits and risk management | Establish/Maintain Documentation | |
Review the external audit scope, as necessary. CC ID 01202 | Audits and risk management | Audits and Risk Management | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Establish/Maintain Documentation | |
Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Audits and risk management | Establish/Maintain Documentation | |
Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Audits and risk management | Establish/Maintain Documentation | |
Review the external auditor's qualifications. CC ID 01197 | Audits and risk management | Audits and Risk Management | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and risk management | Audits and Risk Management | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Audits and risk management | Establish/Maintain Documentation | |
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Audits and risk management | Establish/Maintain Documentation | |
Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Audits and risk management | Behavior | |
Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Audits and risk management | Behavior | |
Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Audits and risk management | Establish/Maintain Documentation | |
Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit program. CC ID 00684 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Establish/Maintain Documentation | |
Assign the audit to impartial auditors. CC ID 07118 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Audits and risk management | Establish Roles | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Audits and Risk Management | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Audits and risk management | Behavior | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Establish/Maintain Documentation | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit terms. CC ID 13880 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Process or Activity | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Audits and Risk Management | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Audits and Risk Management | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Audits and Risk Management | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Audits and Risk Management | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Audits and Risk Management | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Audits and Risk Management | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Establish/Maintain Documentation | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Establish/Maintain Documentation | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Audits and Risk Management | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Establish/Maintain Documentation | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 | Audits and risk management | Establish/Maintain Documentation | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Establish/Maintain Documentation | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Establish/Maintain Documentation | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Establish/Maintain Documentation | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Establish/Maintain Documentation | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Establish/Maintain Documentation | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Establish/Maintain Documentation | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Establish/Maintain Documentation | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Establish/Maintain Documentation | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Establish/Maintain Documentation | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Establish/Maintain Documentation | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Audits and Risk Management | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Business Processes | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Audits and Risk Management | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2 The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Audits and risk management | Establish/Maintain Documentation | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit program. CC ID 07103 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Investigate | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Establish/Maintain Documentation | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Establish/Maintain Documentation | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Establish/Maintain Documentation | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Audits and Risk Management | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Audits and Risk Management | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Establish/Maintain Documentation | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Establish/Maintain Documentation | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Audits and Risk Management | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Establish/Maintain Documentation | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Establish/Maintain Documentation | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Establish/Maintain Documentation | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Establish/Maintain Documentation | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Establish/Maintain Documentation | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Establish/Maintain Documentation | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Establish/Maintain Documentation | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Establish/Maintain Documentation | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Communicate | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Establish/Maintain Documentation | |
Include how access to in scope systems, personnel, and in scope records is provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 | Audits and risk management | Establish/Maintain Documentation | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Establish/Maintain Documentation | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Communicate | |
Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Establish/Maintain Documentation | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Audits and risk management | Establish/Maintain Documentation | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Establish/Maintain Documentation | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Behavior | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Audits and Risk Management | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 [The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system conforms to the organization’s own requirements for its BCMS, § 9.2 ¶ 1 a) 1) The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system conforms to the requirements of this International Standard, and § 9.2 ¶ 1 a) 2) The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system is effectively implemented and maintained. § 9.2 ¶ 1 b)] | Audits and risk management | Audits and Risk Management | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Actionable Reports or Measurements | |
Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Establish/Maintain Documentation | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Establish/Maintain Documentation | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Establish/Maintain Documentation | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Records Management | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Audits and Risk Management | |
Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Establish/Maintain Documentation | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Establish/Maintain Documentation | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Establish/Maintain Documentation | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3 The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Testing | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Audits and Risk Management | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Audits and Risk Management | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Communicate | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Testing | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Establish/Maintain Documentation | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Audits and Risk Management | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Establish/Maintain Documentation | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Establish/Maintain Documentation | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Establish/Maintain Documentation | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Establish/Maintain Documentation | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Audits and Risk Management | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Establish/Maintain Documentation | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Monitor and Evaluate Occurrences | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Establish Roles | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Business Processes | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Monitor and Evaluate Occurrences | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Business Processes | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Process or Activity | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Establish/Maintain Documentation | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 | Audits and risk management | Audits and Risk Management | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Audits and risk management | Business Processes | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Audits and Risk Management | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Establish/Maintain Documentation | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain organizational audit reports. CC ID 06731 [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Audits and Risk Management | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Establish/Maintain Documentation | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Establish/Maintain Documentation | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Establish/Maintain Documentation | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Establish/Maintain Documentation | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Establish/Maintain Documentation | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Establish/Maintain Documentation | |
Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Actionable Reports or Measurements | |
Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Actionable Reports or Measurements | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Actionable Reports or Measurements | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Establish/Maintain Documentation | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Establish/Maintain Documentation | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Actionable Reports or Measurements | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Establish/Maintain Documentation | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Establish/Maintain Documentation | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Establish/Maintain Documentation | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Establish/Maintain Documentation | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Establish/Maintain Documentation | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Establish/Maintain Documentation | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Audits and Risk Management | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Establish/Maintain Documentation | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Establish/Maintain Documentation | |
Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Establish/Maintain Documentation | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Establish/Maintain Documentation | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Establish/Maintain Documentation | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Audits and Risk Management | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Establish/Maintain Documentation | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Actionable Reports or Measurements | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion regarding the accuracy of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Establish/Maintain Documentation | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Establish/Maintain Documentation | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Audits and Risk Management | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Audits and Risk Management | |
Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Behavior | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Establish/Maintain Documentation | |
Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Establish/Maintain Documentation | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Establish/Maintain Documentation | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Establish/Maintain Documentation | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Establish/Maintain Documentation | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Establish/Maintain Documentation | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Audits and risk management | Establish/Maintain Documentation | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Establish/Maintain Documentation | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Establish/Maintain Documentation | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Actionable Reports or Measurements | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Audits and risk management | Establish/Maintain Documentation | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Communicate | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Communicate | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Behavior | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Establish/Maintain Documentation | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Business Processes | |
Accept the audit report. CC ID 07025 | Audits and risk management | Establish/Maintain Documentation | |
Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Human Resources Management | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Establish/Maintain Documentation | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Communicate | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 [The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that specifies the requirements for this information to be kept up-to-date and confidential. § 8.2.1 ¶ 1 e)] | Audits and risk management | Establish/Maintain Documentation | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Audits and risk management | Establish Roles | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Audits and Risk Management | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Audits and risk management | Establish/Maintain Documentation | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [{external factor} In establishing the context, the organization shall define the external and internal factors that create the uncertainty that gives rise to risk, § 4.1 ¶ 4 2) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Business Processes | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Business Processes | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Audits and risk management | Business Processes | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Establish/Maintain Documentation | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Establish/Maintain Documentation | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Establish/Maintain Documentation | |
Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Behavior | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization. § 8.2.3 ¶ 1 {formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d) {risk management procedures} The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by establishing criteria for the processes, § 8.1 ¶ 1 a) The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that § 8.2.1 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 [{formal process} {legal requirements} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that takes into account legal and other requirements to which the organization subscribes, § 8.2.1 ¶ 1 b)] | Audits and risk management | Establish/Maintain Documentation | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security | |
Document cybersecurity risks. CC ID 12281 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Audits and risk management | Establish/Maintain Documentation | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Audits and Risk Management | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [The organization shall evaluate which disruption related risks require treatment, and § 8.2.3 ¶ 2 c) {formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that includes systematic analysis, prioritization of risk treatments, and their related costs, § 8.2.1 ¶ 1 c) {actions to address risks and opportunities} The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by implementing control of the processes in accordance with the criteria, and § 8.1 ¶ 1 b) {changes to security requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to risk reduction and security requirements, § 9.3 ¶ 4 d) 2)] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, § 8.2.1 ¶ 1 a)] | Audits and risk management | Establish/Maintain Documentation | |
Document organizational risk criteria. CC ID 12277 | Audits and risk management | Establish/Maintain Documentation | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Technical Security | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Audits and Risk Management | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Audits and Risk Management | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Establish/Maintain Documentation | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Audits and Risk Management | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Audits and Risk Management | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Establish/Maintain Documentation | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Audits and risk management | Establish/Maintain Documentation | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, § 8.2.1 ¶ 1 a)] | Audits and risk management | Establish/Maintain Documentation | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Audits and risk management | Establish/Maintain Documentation | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Audits and risk management | Establish/Maintain Documentation | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Establish/Maintain Documentation | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Audits and Risk Management | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Communicate | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Audits and risk management | Establish/Maintain Documentation | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that includes systematic analysis, prioritization of risk treatments, and their related costs, § 8.2.1 ¶ 1 c)] | Audits and risk management | Testing | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Establish/Maintain Documentation | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 [{formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d)] | Audits and risk management | Establish/Maintain Documentation | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Audits and Risk Management | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Audits and Risk Management | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Audits and Risk Management | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Communicate | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Audits and risk management | Business Processes | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3] | Audits and risk management | Behavior | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Audits and Risk Management | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Establish/Maintain Documentation | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Establish/Maintain Documentation | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Establish/Maintain Documentation | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Establish/Maintain Documentation | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Establish/Maintain Documentation | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 [The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. § 8.2.2 ¶ 1 The business impact analysis shall include the following: identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties. § 8.2.2 ¶ 2 d) The response structure shall identify impact thresholds that justify initiation of formal response, § 8.4.2 ¶ 2 a)] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Establish/Maintain Documentation | |
Document organizational risk tolerance in a risk register. CC ID 09961 [The organization shall identify and document the following: the organization’s risk appetite. § 4.1 ¶ 3 c)] | Audits and risk management | Establish/Maintain Documentation | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Business Processes | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Business Processes | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [The organization shall systematically analyse risk, § 8.2.3 ¶ 2 b)] | Audits and risk management | Audits and Risk Management | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Audits and Risk Management | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Audits and Risk Management | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [The organization shall identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite. § 8.2.3 ¶ 2 d) The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite. § 8.3.3 ¶ 2 In establishing the context, the organization shall set risk criteria taking into account the risk appetite, and § 4.1 ¶ 4 3) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to levels of risk and/or criteria for accepting risks, § 9.3 ¶ 4 d) 6)] | Audits and risk management | Establish/Maintain Documentation | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Investigate | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite. § 8.3.3 ¶ 2 For identified risks requiring treatment, the organization shall consider proactive measures that reduce the likelihood of disruption, § 8.3.3 ¶ 1 a) For identified risks requiring treatment, the organization shall consider proactive measures that shorten the period of disruption, and § 8.3.3 ¶ 1 b) For identified risks requiring treatment, the organization shall consider proactive measures that limit the impact of disruption on the organization’s key products and services. § 8.3.3 ¶ 1 c)] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Behavior | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Establish/Maintain Documentation | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [The organization shall identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite. § 8.2.3 ¶ 2 d) {outputs from the risk assessment} Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment. § 8.3.1 ¶ 1] | Audits and risk management | Audits and Risk Management | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Audits and Risk Management | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [{actions to address these risks and opportunities} The organization shall plan how to integrate and implement the actions into its BCMS processes (see 8.1), § 6.1 ¶ 2 b) 1)] | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Establish/Maintain Documentation | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Audits and Risk Management | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Audits and Risk Management | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Audits and Risk Management | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Audits and risk management | Establish/Maintain Documentation | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Establish/Maintain Documentation | |
Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Establish/Maintain Documentation | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Establish/Maintain Documentation | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Establish/Maintain Documentation | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Establish/Maintain Documentation | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Communicate | |
Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Audits and Risk Management | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [When nonconformity occurs, the organization shall implement any action needed, § 10.1 ¶ 1 d)] | Audits and risk management | Establish/Maintain Documentation | |
Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an environmental control program. CC ID 00724 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain environmental control procedures. CC ID 12246 [{internal conditions} The procedures shall be flexible to respond to unanticipated threats and changing internal and external conditions, § 8.4.1 ¶ 3 c)] | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a continuity framework. CC ID 00732 [Top management shall establish a business continuity policy that is appropriate to the purpose of the organization, § 5.3 ¶ 1 a) Top management shall establish a business continuity policy that provides a framework for setting business continuity objectives, § 5.3 ¶ 1 b) {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of this International Standard. § 4.4 ¶ 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish and maintain the scope of the continuity framework. CC ID 11908 [The organization shall determine the boundaries and applicability of the BCMS to establish its scope. § 4.3.1 ¶ 1 The organization shall define the scope of the BCMS in terms of and appropriate to the size, nature and complexity of the organization. § 4.3.2 ¶ 1 e) {external issues} The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS. § 4.1 ¶ 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include network security in the scope of the continuity framework. CC ID 16327 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 [When defining the scope, the organization shall document and explain exclusions; any such exclusions shall not affect the organization’s ability and responsibility to provide continuity of business and operations that meet the BCMS requirements, as determined by business impact analysis or risk assessment and applicable legal or regulatory requirements. § 4.3.2 ¶ 2 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: variations to the scope of the BCMS; § 9.3 ¶ 4 a)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Records Management | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 [The organization shall identify products and services and all related activities within the scope of the BCMS, § 4.3.2 ¶ 1 c) The business continuity objectives shall take account of the minimum level of products and services that is acceptable to the organization to achieve its objectives, § 6.2 ¶ 2 b)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include business units in the scope of the continuity framework. CC ID 11898 [The organization shall identify and document the following: links between the business continuity policy and the organization’s objectives and other policies, including its overall risk management strategy; and § 4.1 ¶ 3 b) The organization shall establish the parts of the organization to be included in the BCMS, § 4.3.2 ¶ 1 a) {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include information security continuity in the scope of the continuity framework. CC ID 12009 [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Systems Continuity | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Operational and Systems Continuity | Systems Continuity | |
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 [{internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including with whom to communicate. § 7.4 ¶ 1 c) The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 [The organization shall ensure that these applicable legal, regulatory and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its BCMS. § 4.2.2 ¶ 2 When establishing its BCMS, the organization shall determine the requirements of these interested parties § 4.2.1 ¶ 1 b) The business continuity objectives shall take into account applicable requirements, and § 6.2 ¶ 2 d) {legal requirements} The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of relevant interested parties. § 4.2.2 ¶ 1 Top management shall establish a business continuity policy that includes a commitment to satisfy applicable requirements, § 5.3 ¶ 1 c) The organization shall determine an appropriate business continuity strategy for mitigating, responding to and managing impacts. § 8.3.1 ¶ 2 c) {internal obligations} The organization shall establish BCMS requirements, considering the organization's mission, goals, internal and external obligations, and legal and regulatory responsibilities, § 4.3.2 ¶ 1 b) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include Quality Management in the continuity framework. CC ID 12239 [Top management shall establish a business continuity policy that includes a commitment to continual improvement of the BCMS. § 5.3 ¶ 1 d)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish and maintain a system continuity plan philosophy. CC ID 00734 [The procedures shall be developed based on stated assumptions and an analysis of interdependencies, and § 8.4.1 ¶ 3 e)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Define the executive vision of the continuity planning process. CC ID 01243 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include a pandemic plan in the continuity plan. CC ID 06800 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [{BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Establish Roles | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [{processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)] | Operational and Systems Continuity | Systems Continuity | |
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 [The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident. § 8.4.5 ¶ 1 The business continuity plans shall collectively contain a process for standing down once the incident is over. § 8.4.4 ¶ 2 g)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Operational and Systems Continuity | Communicate | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS. § 10.2 ¶ 1 {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 The procedures shall focus on the impact of events that could potentially disrupt operations, § 8.4.1 ¶ 3 d) The procedures shall be developed based on stated assumptions and an analysis of interdependencies, and § 8.4.1 ¶ 3 e) The organization shall conduct exercises and tests that are reviewed within the context of promoting continual improvement, and § 8.5 ¶ 2 f) When nonconformity occurs, the organization shall make changes to the business continuity management system, if necessary. § 10.1 ¶ 1 f) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3 {business continuity procedure} The organization shall conduct evaluations at planned intervals and when significant changes occur. § 9.1.2 d) The organization shall evaluate the BCMS performance and the effectiveness of the BCMS. § 9.1.1 ¶ 3 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: § 9.3 ¶ 4 {periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b) {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3 The management review shall include consideration of information on the business continuity performance, including trends in audit results, § 9.3 ¶ 2 c) 3) Top management shall review the organization’s BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1 {update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c) {outputs of the management review} modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to § 9.3 ¶ 4 d)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Communicate | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Systems Continuity | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Systems Continuity | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS. § 7.1 ¶ 1] | Operational and Systems Continuity | Human Resources Management | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Human Resources Management | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Systems Continuity | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Configuration | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Behavior | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Technical Security | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 The organization shall - communicate the results of management review to relevant interested parties, and - take appropriate action relating to those results. § 9.3 ¶ 6 When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by making changes to the BCMS, if necessary. § 10.1 ¶ 1 c) 7 [post-incident review results] When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results. § 9.1.2 ¶ 1 The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: improvement of the effectiveness of the BCMS; § 9.3 ¶ 4 b) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Process or Activity | |
Record business continuity management system performance for posterity. CC ID 12411 [The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5] | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Process or Activity | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Establish Roles | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Communicate | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Configuration | |
Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Configuration | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [In establishing the context, the organization shall define the purpose of the BCMS. § 4.1 ¶ 4 4) The scope shall be available as documented information. § 4.3.1 ¶ 3 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Systems Continuity | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 [The response structure shall assess the nature and extent of a disruptive incident and its potential impact, § 8.4.2 ¶ 2 b) The response structure shall assess the nature and extent of a disruptive incident and its potential impact, § 8.4.2 ¶ 2 b) The response structure shall assess the nature and extent of a disruptive incident and its potential impact, § 8.4.2 ¶ 2 b) [post-incident review results] When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results. § 9.1.2 ¶ 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Communicate | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Communicate | |
Include restoration procedures in the continuity plan. CC ID 01169 [The business continuity procedures shall be effective in minimizing consequences through implementation of appropriate mitigation strategies. § 8.4.1 ¶ 3 f)] | Operational and Systems Continuity | Establish Roles | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [The organization shall determine an appropriate business continuity strategy for stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources, and § 8.3.1 ¶ 2 b) The business continuity plans shall collectively contain how the organization will continue or recover its prioritized activities within predetermined timeframes, § 8.4.4 ¶ 2 e)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Communicate | |
Disseminate and communicate business functions across multiple facilities using geographic separation. CC ID 10662 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Review and prioritize the importance of each business unit. CC ID 01165 | Operational and Systems Continuity | Systems Continuity | |
Review and prioritize the importance of each business process. CC ID 11689 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Document the mean time to failure for system components. CC ID 10684 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1] | Operational and Systems Continuity | Systems Continuity | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Audits and Risk Management | |
Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 [The business continuity objectives shall be monitored and updated as appropriate. § 6.2 ¶ 2 e)] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [The business impact analysis shall include the following: setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and § 8.2.2 ¶ 2 c) The determination of strategy shall include approving prioritized time frames for the resumption of activities. § 8.3.1 ¶ 3 {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2 {incident response procedure} The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. § 8.4.4 ¶ 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the protection of personnel in the continuity plan. CC ID 06378 [The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to the welfare of individuals, § 8.4.4 ¶ 2 c) 1)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Operational and Systems Continuity | Human Resources Management | |
Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [When establishing its BCMS, the organization shall determine the interested parties that are relevant to the BCMS, and § 4.2.1 ¶ 1 a)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Behavior | |
Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 [The response structure shall have resources available to support the processes and procedures to manage a disruptive incident in order to minimize impact, and § 8.4.2 ¶ 2 e)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 [{procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 The organization shall establish, implement and maintain procedures for assuring availability of the means of communication during a disruptive incident, § 8.4.3 ¶ 1 e) {significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3 The business continuity plans shall collectively contain details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties and emergency contacts, § 8.4.4 ¶ 2 d) {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 [The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2 The organization shall establish, implement and maintain procedures for facilitating structured communication with emergency responders, § 8.4.3 ¶ 1 f) {procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Operational and Systems Continuity | Systems Continuity | |
Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Log important conversations conducted during emergencies with third parties. CC ID 12763 | Operational and Systems Continuity | Log Management | |
Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Operational and Systems Continuity | Communicate | |
Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
Minimize system continuity requirements. CC ID 00753 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2 Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization. § 6.2 ¶ 1 {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including on what it will communicate, § 7.4 ¶ 1 a) {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including on what it will communicate, § 7.4 ¶ 1 a) {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including when to communicate, § 7.4 ¶ 1 b) {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including when to communicate, § 7.4 ¶ 1 b) The organization shall - communicate the results of management review to relevant interested parties, and - take appropriate action relating to those results. § 9.3 ¶ 6 {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including § 7.4 ¶ 1 {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including § 7.4 ¶ 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Train personnel on the continuity plan. CC ID 00759 [The organization shall conduct exercises and tests that taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties, § 8.5 ¶ 2 c)] | Operational and Systems Continuity | Behavior | |
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 | Operational and Systems Continuity | Behavior | |
Incorporate simulated events into the continuity plan training. CC ID 01402 | Operational and Systems Continuity | Behavior | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Operational and Systems Continuity | Training | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Operational and Systems Continuity | Training | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Operational and Systems Continuity | Training | |
Include personal protection in continuity plan training. CC ID 14394 | Operational and Systems Continuity | Training | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Testing | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 [The organization shall conduct exercises and tests that are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates. § 8.5 ¶ 2 g) The organization shall conduct exercises and tests that are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates. § 8.5 ¶ 2 g)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include recovery procedures in the continuity test plan. CC ID 14876 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test scripts in the continuity test plan. CC ID 14875 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include contact information in the continuity test plan. CC ID 14399 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include testing all system components in the continuity test plan. CC ID 13508 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test scenarios in the continuity test plan. CC ID 13506 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Operational and Systems Continuity | Testing | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Testing | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Operational and Systems Continuity | Testing | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Operational and Systems Continuity | Testing | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Testing | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [The organization shall conduct exercises and tests that taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties, § 8.5 ¶ 2 c)] | Operational and Systems Continuity | Testing | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [The organization shall conduct exercises and tests that produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements, § 8.5 ¶ 2 e) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3 {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Operational and Systems Continuity | Actionable Reports or Measurements | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. § 5.4 ¶ 1] | Human Resources management | Establish Roles | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Human Resources management | Establish Roles | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources management | Human Resources Management | |
Define the scope for the security operations center. CC ID 15713 | Human Resources management | Establish/Maintain Documentation | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources management | Human Resources Management | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Human Resources management | Behavior | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources management | Human Resources Management | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [Top management shall assign the responsibility and authority for reporting on the performance of the BCMS to top management. § 5.4 ¶ 2 b)] | Human Resources management | Establish Roles | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Human Resources Management | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Establish/Maintain Documentation | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Human Resources Management | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Human Resources Management | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Human Resources Management | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Human Resources Management | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Human Resources management | Establish/Maintain Documentation | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources management | Human Resources Management | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources management | Human Resources Management | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources management | Human Resources Management | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Human Resources management | Establish Roles | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources management | Human Resources Management | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Human Resources management | Establish Roles | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources management | Human Resources Management | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Human Resources management | Establish Roles | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Human Resources management | Establish Roles | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources management | Human Resources Management | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Human Resources management | Establish Roles | |
Define and assign the security staff roles and responsibilities. CC ID 11750 | Human Resources management | Establish/Maintain Documentation | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources management | Human Resources Management | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Human Resources management | Establish Roles | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Human Resources management | Establish Roles | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Human Resources management | Establish Roles | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Human Resources management | Establish Roles | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Human Resources management | Establish/Maintain Documentation | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Human Resources management | Establish Roles | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources management | Human Resources Management | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources management | Human Resources Management | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources management | Human Resources Management | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources management | Human Resources Management | |
Assign a contact person to all business units. CC ID 07144 | Human Resources management | Establish Roles | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Human Resources management | Business Processes | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Human Resources Management | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Human Resources Management | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Establish Roles | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Human Resources Management | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Establish/Maintain Documentation | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Human Resources Management | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Human Resources Management | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Establish Roles | |
Train all personnel and third parties, as necessary. CC ID 00785 [The organization shall where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and § 7.2 ¶ 1 c)] | Human Resources management | Behavior | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Business Processes | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources management | Human Resources Management | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Establish/Maintain Documentation | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Establish/Maintain Documentation | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Training | |
Retrain all personnel, as necessary. CC ID 01362 | Human Resources management | Behavior | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Human Resources management | Behavior | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Human Resources management | Behavior | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Behavior | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Behavior | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Human Resources Management | |
Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Training | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Training | |
Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Training | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Training | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Establish/Maintain Documentation | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources management | Human Resources Management | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Training | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Human Resources Management | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Training | |
Include risk management in the training plan, as necessary. CC ID 13040 | Human Resources management | Training | |
Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Behavior | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Training | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Training | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Human Resources management | Training | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Establish/Maintain Documentation | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Establish/Maintain Documentation | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Establish/Maintain Documentation | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Training | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Establish/Maintain Documentation | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Human Resources Management | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Establish/Maintain Documentation | |
Conduct tampering prevention training. CC ID 11875 | Human Resources management | Training | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Training | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Training | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Training | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Training | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Training | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Training | |
Conduct crime prevention training. CC ID 06350 | Human Resources management | Behavior | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 [Persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS. § 5.1 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1 Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3] | Operational management | Business Processes | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Establish/Maintain Documentation | |
Assign resources to implement the internal control framework. CC ID 00816 [The organization shall determine the resource requirements to implement the selected strategies. The types of resources considered shall include but not be limited to § 8.3.2 ¶ 1 {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3] | Operational management | Business Processes | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Establish Roles | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [The management review shall include consideration of opportunities for continual improvement. § 9.3 ¶ 2 d) {changes to operational processes} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to operational conditions and processes, § 9.3 ¶ 4 d) 3)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Persons doing work under the organization’s control shall be aware of the business continuity policy, § 7.3 ¶ 1 a)] | Operational management | Communicate | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Establish/Maintain Documentation | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Include detection procedures in the Incident Management program. CC ID 00588 [The organization shall establish, implement and maintain procedures for detecting an incident, § 8.4.3 ¶ 1 a)] | Operational management | Establish/Maintain Documentation | |
Categorize the incident following an incident response. CC ID 13208 | Operational management | Technical Security | |
Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)] | Operational management | Establish/Maintain Documentation | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Establish/Maintain Documentation | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Business Processes | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Establish/Maintain Documentation | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Establish/Maintain Documentation | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Establish/Maintain Documentation | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
Include contact information in incident response notifications. CC ID 04739 | Operational management | Establish/Maintain Documentation | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Establish/Maintain Documentation | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Behavior | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Establish/Maintain Documentation | |
Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Establish/Maintain Documentation | |
Include response times in the containment strategy. CC ID 13485 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Establish/Maintain Documentation | |
Include a description of the data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Establish/Maintain Documentation | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Establish/Maintain Documentation | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Monitor and Evaluate Occurrences | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Investigate | |
Update the incident response procedures using the lessons learned. CC ID 01233 [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b) {update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)] | Operational management | Establish/Maintain Documentation | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [The organization shall establish, implement and maintain procedures for regular monitoring of an incident, § 8.4.3 ¶ 1 b)] | Operational management | Establish/Maintain Documentation | |
Include incident response procedures in the Incident Management program. CC ID 01218 [The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to § 8.4.4 ¶ 2 c) The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to strategic, tactical and operational options for responding to the disruption, and § 8.4.4 ¶ 2 c) 2)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Records Management | |
Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Establish/Maintain Documentation | |
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)] | Operational management | Log Management | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a) {incident response procedure} The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. § 8.4.4 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Create an incident response report following an incident response. CC ID 12700 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Establish/Maintain Documentation | |
Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Establish/Maintain Documentation | |
Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Establish/Maintain Documentation | |
Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Operational management | Establish/Maintain Documentation | |
Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Operational management | Establish/Maintain Documentation | |
Include investments associated with the incident in the incident response report. CC ID 12726 | Operational management | Establish/Maintain Documentation | |
Include costs associated with the incident in the incident response report. CC ID 12725 | Operational management | Establish/Maintain Documentation | |
Include losses due to the incident in the incident response report. CC ID 12724 | Operational management | Establish/Maintain Documentation | |
Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Operational management | Establish/Maintain Documentation | |
Include foregone revenue from the incident in the incident response report. CC ID 12723 | Operational management | Establish/Maintain Documentation | |
Include the magnitude of the incident in the incident response report. CC ID 12722 | Operational management | Establish/Maintain Documentation | |
Include implications of the incident in the incident response report. CC ID 12721 | Operational management | Establish/Maintain Documentation | |
Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Operational management | Establish/Maintain Documentation | |
Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Operational management | Establish/Maintain Documentation | |
Include information on all affected assets in the incident response report. CC ID 12718 | Operational management | Establish/Maintain Documentation | |
Include the scope of the incident in the incident response report. CC ID 12717 | Operational management | Establish/Maintain Documentation | |
Include the duration of the incident in the incident response report. CC ID 12716 | Operational management | Establish/Maintain Documentation | |
Include the extent of the incident in the incident response report. CC ID 12715 | Operational management | Establish/Maintain Documentation | |
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 | Operational management | Establish/Maintain Documentation | |
Include the reasons the incident occurred in the incident response report. CC ID 12711 | Operational management | Establish/Maintain Documentation | |
Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Operational management | Establish/Maintain Documentation | |
Include lessons learned from the incident in the incident response report. CC ID 12713 | Operational management | Establish/Maintain Documentation | |
Include where the incident occurred in the incident response report. CC ID 12710 | Operational management | Establish/Maintain Documentation | |
Include when the incident occurred in the incident response report. CC ID 12709 | Operational management | Establish/Maintain Documentation | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 | Operational management | Establish/Maintain Documentation | |
Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Operational management | Establish/Maintain Documentation | |
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Operational management | Establish/Maintain Documentation | |
Include an executive summary of the incident in the incident response report. CC ID 12702 | Operational management | Establish/Maintain Documentation | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 | Operational management | Establish/Maintain Documentation | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Operational management | Communicate | |
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 | Operational management | Acquisition/Sale of Assets or Services | |
Define target resolution times for incident response in the Incident Response program. CC ID 13072 | Operational management | Establish/Maintain Documentation | |
Mitigate reported incidents. CC ID 12973 | Operational management | Actionable Reports or Measurements | |
Establish, implement, and maintain an incident response plan. CC ID 12056 | Operational management | Establish/Maintain Documentation | |
Include addressing external communications in the incident response plan. CC ID 13351 | Operational management | Establish/Maintain Documentation | |
Include addressing internal communications in the incident response plan. CC ID 13350 | Operational management | Establish/Maintain Documentation | |
Include change control procedures in the incident response plan. CC ID 15479 | Operational management | Establish/Maintain Documentation | |
Include addressing information sharing in the incident response plan. CC ID 13349 | Operational management | Establish/Maintain Documentation | |
Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Operational management | Establish/Maintain Documentation | |
Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Operational management | Establish/Maintain Documentation | |
Include the management support needed for incident response in the incident response plan. CC ID 14300 | Operational management | Establish/Maintain Documentation | |
Include root cause analysis in the incident response plan. CC ID 16423 | Operational management | Establish/Maintain Documentation | |
Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Operational management | Establish/Maintain Documentation | |
Include the resources needed for incident response in the incident response plan. CC ID 14292 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 | Operational management | Communicate | |
Include incident response team structures in the Incident Response program. CC ID 01237 [The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident. § 8.4.2 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [The business continuity plans shall collectively contain defined roles and responsibilities for people and teams having authority during and following an incident, § 8.4.4 ¶ 2 a) {incident response procedure} The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. § 8.4.4 ¶ 1] | Operational management | Establish Roles | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Establish Roles | |
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Operational management | Establish Roles | |
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Operational management | Establish Roles | |
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Operational management | Establish Roles | |
Include the roles and responsibilities of the incident response point of contact for the credit card payment system in the Incident Response program. CC ID 01881 | Operational management | Establish Roles | |
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Operational management | Establish Roles | |
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Operational management | Establish Roles | |
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Operational management | Establish Roles | |
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 [The business continuity plans shall collectively contain details of the organization’s media response following an incident, including appropriate spokespeople; § 8.4.4 ¶ 2 f) 4)] | Operational management | Establish Roles | |
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Operational management | Establish Roles | |
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Operational management | Human Resources Management | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Operational management | Establish/Maintain Documentation | |
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Operational management | Communicate | |
Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 | Operational management | Establish/Maintain Documentation | |
Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a) The organization shall take into account interested parties’ needs and interests, such as customers, investors, shareholders, the supply chain, public and/or community input and needs, expectations and interests (as appropriate), and § 4.3.2 ¶ 1 d)] | Operational management | Establish/Maintain Documentation | |
Include identifying remediation actions in the incident response plan. CC ID 13354 | Operational management | Establish/Maintain Documentation | |
Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 | Operational management | Establish/Maintain Documentation | |
Include coverage of all system components in the Incident Response program. CC ID 11955 | Operational management | Establish/Maintain Documentation | |
Prepare for incident response notifications. CC ID 00584 | Operational management | Establish/Maintain Documentation | |
Include incident response team services in the Incident Response program. CC ID 11766 [The business continuity plans shall collectively contain defined roles and responsibilities for people and teams having authority during and following an incident, § 8.4.4 ¶ 2 a)] | Operational management | Establish/Maintain Documentation | |
Include the incident response training program in the Incident Response program. CC ID 06750 | Operational management | Establish/Maintain Documentation | |
Incorporate simulated events into the incident response training program. CC ID 06751 | Operational management | Behavior | |
Incorporate tested, realistic exercises into the incident response training program. CC ID 06753 | Operational management | Behavior | |
Conduct incident response training. CC ID 11889 | Operational management | Training | |
Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Establish/Maintain Documentation | |
Include compliance requirements in the incident response policy. CC ID 14108 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the incident response policy. CC ID 14107 | Operational management | Establish/Maintain Documentation | |
Include management commitment in the incident response policy. CC ID 14106 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the incident response policy. CC ID 14105 | Operational management | Establish/Maintain Documentation | |
Include the scope in the incident response policy. CC ID 14104 | Operational management | Establish/Maintain Documentation | |
Include the purpose in the incident response policy. CC ID 14101 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 | Operational management | Communicate | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Establish/Maintain Documentation | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 [{internal conditions} The procedures shall be flexible to respond to unanticipated threats and changing internal and external conditions, § 8.4.1 ¶ 3 c)] | Operational management | Establish/Maintain Documentation | |
Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 | Operational management | Behavior | |
Include business continuity procedures in the Incident Response program. CC ID 06433 [The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis. § 8.4.1 ¶ 1 {internal conditions} The procedures shall be flexible to respond to unanticipated threats and changing internal and external conditions, § 8.4.1 ¶ 3 c)] | Operational management | Establish/Maintain Documentation | |
Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 | Operational management | Establish/Maintain Documentation | |
Include consumer protection procedures in the Incident Response program. CC ID 12755 | Operational management | Systems Continuity | |
Include the reimbursement of customers for financial losses due to incidents in the Incident Response program. CC ID 12756 | Operational management | Business Processes | |
Include business recovery procedures in the Incident Response program. CC ID 11774 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Operational management | Establish/Maintain Documentation | |
Retain collected evidence for potential future legal actions. CC ID 01235 | Operational management | Records Management | |
Define the business scenarios that require digital forensic evidence. CC ID 08653 | Operational management | Establish/Maintain Documentation | |
Define the circumstances for collecting digital forensic evidence. CC ID 08657 | Operational management | Establish/Maintain Documentation | |
Identify potential sources of digital forensic evidence. CC ID 08651 | Operational management | Investigate | |
Document the legal requirements for evidence collection. CC ID 08654 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 | Operational management | Records Management | |
Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 [{processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)] | Operational management | Actionable Reports or Measurements | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Actionable Reports or Measurements | |
Establish, implement, and maintain a performance management standard. CC ID 01615 [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 | Operational management | Business Processes | |
Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 | Operational management | Establish/Maintain Documentation | |
Follow the maintenance schedule. CC ID 11791 | Operational management | Maintenance | |
Establish, implement, and maintain rate limiting filters. CC ID 06883 | Operational management | Business Processes | |
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 [{methods for measurement} {methods for analysis} {methods for evaluation} The organization shall determine the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results, § 9.1.1 ¶ 1 b)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Operational management | Establish/Maintain Documentation | |
Update the business cases for cost management procedures, as necessary. CC ID 13642 | Operational management | Business Processes | |
Establish, implement, and maintain a change control program. CC ID 00886 [{business requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to business and operational requirements, § 9.3 ¶ 4 d) 1) {changes to security requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to risk reduction and security requirements, § 9.3 ¶ 4 d) 2) {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Include version control in the change control program. CC ID 13119 | Operational management | Establish/Maintain Documentation | |
Include service design and transition in the change control program. CC ID 13920 | Operational management | Establish/Maintain Documentation | |
Separate the production environment from the development environment or test environment for the change control process. CC ID 11864 | Operational management | Maintenance | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Operational management | Technical Security | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Operational management | Establish/Maintain Documentation | |
Manage change requests. CC ID 00887 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2 The management review shall include consideration of changes in external and internal issues that are relevant to the business continuity management system, § 9.3 ¶ 2 b)] | Operational management | Business Processes | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a change request approver list. CC ID 06795 | Operational management | Establish/Maintain Documentation | |
Document all change requests in change request forms. CC ID 06794 | Operational management | Establish/Maintain Documentation | |
Approve tested change requests. CC ID 11783 | Operational management | Data and Information Management | |
Validate the system before implementing approved changes. CC ID 01510 | Operational management | Systems Design, Build, and Implementation | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Behavior | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Operational management | Establish/Maintain Documentation | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Process or Activity | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Process or Activity | |
Log emergency changes after they have been performed. CC ID 12733 | Operational management | Establish/Maintain Documentation | |
Perform risk assessments prior to approving change requests. CC ID 00888 | Operational management | Testing | |
Implement changes according to the change control program. CC ID 11776 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Operational management | Business Processes | |
Provide audit trails for all approved changes. CC ID 13120 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Process or Activity | |
Document the sources of all software updates. CC ID 13316 | Operational management | Establish/Maintain Documentation | |
Implement patch management software, as necessary. CC ID 12094 | Operational management | Technical Security | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Operational management | Technical Security | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch log. CC ID 01642 | Operational management | Establish/Maintain Documentation | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Operational management | Business Processes | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Systems Design, Build, and Implementation | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Behavior | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Operational management | Data and Information Management | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Operational management | Establish/Maintain Documentation | |
Document the organization's local environments. CC ID 06726 [When determining this scope, the organization shall consider — the external and internal issues referred to in 4.1, and — the requirements referred to in 4.2. § 4.3.1 ¶ 2 When planning for the BCMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to - ensure the management system can achieve its intended outcome(s), - prevent, or reduce, undesired effects, - achieve continual improvement. § 6.1 ¶ 1 evaluate the effectiveness of these actions (see 9.1). § 6.1 ¶ 2 b) 2) To achieve its business continuity objectives, the organization shall determine — who will be responsible, — what will be done, — what resources will be required, — when it will be completed, and — how the results will be evaluated. § 6.2 ¶ 4 These issues shall be taken into account when establishing, implementing and maintaining the organization's BCMS. § 4.1 ¶ 2 buildings, work environment and associated utilities, § 8.3.2 ¶ 1 c) facilities, equipment and consumables, § 8.3.2 ¶ 1 d) information and communication technology (ICT) systems, § 8.3.2 ¶ 1 e) transportation, § 8.3.2 ¶ 1 f) people, § 8.3.2 ¶ 1 a) information and data, § 8.3.2 ¶ 1 b) finance, and § 8.3.2 ¶ 1 g) partners and suppliers. § 8.3.2 ¶ 1 h)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain local environment security profiles. CC ID 07037 | Operational management | Establish/Maintain Documentation | |
Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Operational management | Establish/Maintain Documentation | |
Include security requirements in the local environment security profile. CC ID 15717 | Operational management | Establish/Maintain Documentation | |
Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Operational management | Establish/Maintain Documentation | |
Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Operational management | Establish/Maintain Documentation | |
Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Operational management | Establish/Maintain Documentation | |
Include facility information for the local environment in the local environment security profile. CC ID 07042 | Operational management | Establish/Maintain Documentation | |
Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Operational management | Communicate | |
Update the local environment security profile, as necessary. CC ID 07043 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain form disposition procedures. CC ID 06394 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a record classification scheme. CC ID 00914 | Records management | Establish/Maintain Documentation | |
Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662 [When creating and updating documented information, the organization shall ensure appropriate identification and description, § 7.5.2 ¶ 1 a)] | Records management | Records Management | |
Select the appropriate format for archived data and records. CC ID 06320 [{appropriate media} When creating and updating documented information, the organization shall ensure appropriate format and media, and review and approval for suitability and adequacy. § 7.5.2 ¶ 1 b)] | Records management | Data and Information Management | |
Determine how long to keep records and logs before disposing of them. CC ID 11661 | Records management | Process or Activity | |
Retain records in accordance with applicable requirements. CC ID 00968 [The organization shall retain documented information on the business continuity policy. § 5.3 ¶ 3 The organization shall retain documented information on the business continuity objectives. § 6.2 ¶ 3 The organization shall retain appropriate documented information as evidence of the results. § 9.1.1 ¶ 2 {actions to address risks and opportunities} The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 1 c) {adverse results} Additionally, the organization shall — take action when necessary to address adverse trends or results before a nonconformity occurs, and — retain relevant documented information as evidence of the results. § 9.1.1 ¶ 4 The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 5 The organization shall retain documented information as evidence of - the nature of the nonconformities and any subsequent actions taken, and - the results of any corrective action. § 10.1 ¶ 3] | Records management | Records Management | |
Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Process or Activity | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Establish/Maintain Documentation | |
Manage the disposition status for all records. CC ID 00972 | Records management | Records Management | |
Use a second person to confirm and sign off that manually deleted data was deleted. CC ID 12313 | Records management | Data and Information Management | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records management | Records Management | |
Place printed records awaiting destruction into secure containers. CC ID 12464 | Records management | Physical and Environmental Protection | |
Destroy printed records so they cannot be reconstructed. CC ID 11779 | Records management | Physical and Environmental Protection | |
Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Records management | Data and Information Management | |
Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Records management | Establish/Maintain Documentation | |
Maintain disposal records or redeployment records. CC ID 01644 | Records management | Establish/Maintain Documentation | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 [Documented information required by the BCMS and by this International Standard shall be controlled to ensure it is adequately protected. § 7.5.3 ¶ 1 b)] | Records management | Records Management | |
Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Establish/Maintain Documentation | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Establish/Maintain Documentation | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Establish/Maintain Documentation | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Data and Information Management | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Data and Information Management | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Records Management | |
Display required information automatically in electronic health records. CC ID 14442 | Records management | Process or Activity | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Establish/Maintain Documentation | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Actionable Reports or Measurements | |
Create export summaries, as necessary. CC ID 14446 | Records management | Process or Activity | |
Import data files into a patient's electronic health record. CC ID 14448 | Records management | Data and Information Management | |
Export requested sections of the electronic health record. CC ID 14447 | Records management | Data and Information Management | |
Establish and maintain an implantable device list. CC ID 14444 | Records management | Records Management | |
Display the implantable device list to authorized users. CC ID 14445 | Records management | Data and Information Management | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Business Processes | |
Include attributes in the decision support intervention. CC ID 16766 | Records management | Data and Information Management | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Records Management | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Records Management | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Records Management | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Records Management | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Records Management | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Log Management | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Log Management | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Establish/Maintain Documentation | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Log Management | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Log Management | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Log Management | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Log Management | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Log Management | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Log Management | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Log Management | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Log Management | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Log Management | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Log Management | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Log Management | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Log Management | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Log Management | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Records Management | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Log Management | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Log Management | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Log Management | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Log Management | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Records Management | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Log Management | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Log Management | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Log Management | |
Include record integrity techniques in the records management procedures. CC ID 06418 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Establish/Maintain Documentation | |
Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records management | Records Management | |
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Records management | Establish/Maintain Documentation | |
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Records management | Business Processes | |
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Records management | Business Processes | |
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 | Records management | Business Processes | |
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Records management | Business Processes | |
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records management | Records Management | |
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Records management | Business Processes | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Establish/Maintain Documentation | |
Label restricted storage media appropriately. CC ID 00966 | Records management | Data and Information Management | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Establish/Maintain Documentation | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Establish/Maintain Documentation | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Data and Information Management | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Technical Security | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Establish/Maintain Documentation | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Establish/Maintain Documentation | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Establish/Maintain Documentation | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Establish/Maintain Documentation | |
Establish and maintain access controls for all records. CC ID 00371 [When establishing control of documented information, the organization shall ensure that there is adequate protection for the documented information. § 7.5.3 ¶ 4 For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Records Management | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Data and Information Management | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Establish/Maintain Documentation | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Technical Security | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records management | Records Management | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Records Management | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Records Management | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Technical Security | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Records Management | |
Provide encryption for different types of electronic storage media. CC ID 00945 | Records management | Technical Security | |
Implement electronic storage media integrity controls. CC ID 00946 | Records management | Configuration | |
Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Configuration | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Configuration | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 | Records management | Log Management | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Establish/Maintain Documentation | |
Include the date and time in the removable storage media log. CC ID 12318 | Records management | Establish/Maintain Documentation | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Establish/Maintain Documentation | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Establish/Maintain Documentation | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Establish/Maintain Documentation | |
Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Establish/Maintain Documentation | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Establish/Maintain Documentation | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Process or Activity | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain document retention procedures. CC ID 11660 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain an e-discovery program. CC ID 00976 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a document retrieval system to use during e-discovery. CC ID 00985 [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2] | Records management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain e-discovery collection and production procedures. CC ID 00986 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [The organization shall ensure that outsourced processes are controlled. § 8.1 ¶ 3] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document and maintain supply chain processes. CC ID 08816 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain an exit plan. CC ID 15492 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Test the exit plan, as necessary. CC ID 15495 | Third Party and supply chain oversight | Testing | |
Include contingency plans in the third party management plan. CC ID 10030 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Third Party and supply chain oversight | Systems Continuity | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 | Third Party and supply chain oversight | Business Processes | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Business Processes | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Communicate | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Third Party and supply chain oversight | Business Processes | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Third Party and supply chain oversight | Physical and Environmental Protection | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Third Party and supply chain oversight | Process or Activity | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Establish Roles | |
Categorize all suppliers in the supply chain management program. CC ID 00792 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 [The business impact analysis shall include the following: identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties. § 8.2.2 ¶ 2 d)] | Third Party and supply chain oversight | Business Processes | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Business Processes | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Third Party and supply chain oversight | Business Processes | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Human Resources Management | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Select suppliers based on their qualifications. CC ID 00795 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a clear management process in the supply chain management policy. CC ID 08810 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Communicate | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Support third parties in building their capabilities. CC ID 08814 | Third Party and supply chain oversight | Business Processes | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Third Party and supply chain oversight | Business Processes | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Third Party and supply chain oversight | Business Processes | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Third Party and supply chain oversight | Data and Information Management | |
Establish and maintain a conflict materials report. CC ID 08823 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Identify supply sources for secondary materials. CC ID 08822 | Third Party and supply chain oversight | Business Processes | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Third Party and supply chain oversight | Business Processes | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes |