ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version



AD ID

0001423

AD STATUS

ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

For Purchase

SYNONYMS

ISO 22301- Societal Security - Business Continuity Management Systems - Requirements

ISO 22301: Societal Security - Business Continuity Management Systems - Requirements

EFFECTIVE

2012-06-15

ADDED

The document as a whole was last reviewed and released on 2016-10-18T00:00:00-0700.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2020 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, because those Citations and mandates are tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column shows the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone

186 Mandated Controls (bold) | 70 Implied Controls (italic) | 1422 Implementation Controls (regular)

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 1678 Total

Impact Zone: Audits and risk management (404 controls)

KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
Mandated - bold | Implied - italic | Implementation - regular
Each row below reads: Control | CC ID | TYPE | CLASS. Where a control is tagged to this Authority Document, the cited text and its section reference follow the row in brackets.

    Audits and risk management | CC ID 00677 | IT Impact Zone | IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. | CC ID 00678 | Establish Roles | Preventive
    [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3]
    Manage supply chain audits. | CC ID 01203 | Audits and Risk Management | Preventive
    Review the external auditors' involvement in assessing Information Technology controls. | CC ID 01204 | Audits and Risk Management | Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. | CC ID 00679 | Establish Roles | Preventive
    Assign the Board of Directors to address audit findings. | CC ID 12396 | Human Resources Management | Corrective
    Assign the internal Information Technology audit staff to be independent from the Information Technology group reporting to the Board of Directors. | CC ID 01184 | Establish Roles | Preventive
    Define and assign the internal audit manager's roles and responsibilities. | CC ID 00680 | Establish Roles | Preventive
    Report audit findings by the internal audit manager directly to senior management. | CC ID 01152 | Testing | Detective
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. | CC ID 01186 | Establish Roles | Preventive
    Define and assign the internal Information Technology audit staff's roles and responsibilities. | CC ID 00681 | Establish Roles | Preventive
    Assign the responsibility for operating an internal control system to the internal Information Technology audit staff. | CC ID 01187 | Establish Roles | Preventive
    Define and assign the external auditor's roles and responsibilities. | CC ID 00683 | Establish Roles | Preventive
    Engage auditors who have adequate knowledge of the subject matter. | CC ID 07102 | Audits and Risk Management | Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. | CC ID 01188 | Establish/Maintain Documentation | Preventive
    Review external auditor outsourcing contracts and engagement letters. | CC ID 01189 | Establish/Maintain Documentation | Preventive
    Include a change control clause in external auditor outsourcing contracts. | CC ID 01192 | Establish/Maintain Documentation | Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. | CC ID 01196 | Establish/Maintain Documentation | Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. | CC ID 01194 | Establish/Maintain Documentation | Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. | CC ID 01195 | Establish/Maintain Documentation | Preventive
    Include communication protocols in external auditor outsourcing contracts. | CC ID 01201 | Establish/Maintain Documentation | Preventive
    Review the external audit scope, as necessary. | CC ID 01202 | Audits and Risk Management | Preventive
    Review the external audit assertion for accuracy. | CC ID 06977 | Testing | Detective
    Review the risk assessments as compared to the in scope controls. | CC ID 06978 | Testing | Detective
    Include nondisclosure agreements in external auditor outsourcing contracts. | CC ID 10014 | Audits and Risk Management | Detective
    Include the scope and work to be performed in external auditor outsourcing contracts. | CC ID 01190 | Establish/Maintain Documentation | Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. | CC ID 01191 | Establish/Maintain Documentation | Preventive
    Include access to work papers in external auditor outsourcing contracts. | CC ID 01193 | Establish/Maintain Documentation | Preventive
    Review the external auditor's qualifications. | CC ID 01197 | Audits and Risk Management | Preventive
    Conduct a performance review of the external auditor's performance during the audit process. | CC ID 01198 | Audits and Risk Management | Preventive
    Review the adequacy of the external auditor's work papers and audit reports. | CC ID 01199 | Establish/Maintain Documentation | Preventive
    Review the conclusions of the external auditor's work papers and audit reports. | CC ID 01200 | Establish/Maintain Documentation | Preventive
    Question external auditors about how audits were conducted and what is in the audit reports. | CC ID 04587 | Behavior | Preventive
    Disseminate and communicate with the organization about any missing audit documentation. | CC ID 06992 | Behavior | Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. | CC ID 06993 | Establish/Maintain Documentation | Preventive
    Take appropriate action if missing audit documentation compromises the audit. | CC ID 06994 | Establish/Maintain Documentation | Preventive
    Establish and maintain an audit program. | CC ID 00684 | Establish/Maintain Documentation | Preventive
    [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2]
    Establish and maintain audit policies, as necessary. | CC ID 13166 | Establish/Maintain Documentation | Preventive
    Assign the audit to impartial auditors. | CC ID 07118 | Establish Roles | Preventive
    [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2]
    Exercise due professional care during the planning and performance of the audit. | CC ID 07119 | Behavior | Preventive
    [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2]
    Include provisions for legislative plurality and legislative domain in the audit program. | CC ID 06959 | Audits and Risk Management | Preventive
    [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3]
    Establish and maintain audit terms. | CC ID 13880 | Establish/Maintain Documentation | Preventive
    Refrain from approving changes to the audit terms absent reasonable justification. | CC ID 13973 | Process or Activity | Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. | CC ID 13883 | Establish/Maintain Documentation | Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. | CC ID 13882 | Establish/Maintain Documentation | Preventive
    Establish and maintain Agreed Upon Procedures that are in scope for the audit. | CC ID 13893 | Establish/Maintain Documentation | Preventive
    Include agreement to the audit scope and audit terms in the audit program. | CC ID 06965 | Establish/Maintain Documentation | Preventive
    [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2
    The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3]
    Establish and maintain a bespoke audit scope for each audit being performed. | CC ID 13077 | Establish/Maintain Documentation | Preventive
    Include audit subject matter in the audit program. | CC ID 07103 | Establish/Maintain Documentation | Preventive
    [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2]
    Examine the objectivity of the audit criteria in the audit program. | CC ID 07104 | Establish/Maintain Documentation | Preventive
    Examine the measurability of the audit criteria in the audit program. | CC ID 07105 | Establish/Maintain Documentation | Preventive
    Examine the completeness of the audit criteria in the audit program. | CC ID 07106 | Establish/Maintain Documentation | Preventive
    Examine the relevance of the audit criteria in the audit program. | CC ID 07107 | Establish/Maintain Documentation | Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. | CC ID 07116 | Establish/Maintain Documentation | Preventive
    Include the in scope material or in scope products in the audit program. | CC ID 08961 | Audits and Risk Management | Preventive
    Include the out of scope material or out of scope products in the audit program. | CC ID 08962 | Establish/Maintain Documentation | Preventive
    Provide a representation letter in support of the audit assertion. | CC ID 07158 | Establish/Maintain Documentation | Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. | CC ID 13942 | Establish/Maintain Documentation | Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. | CC ID 13934 | Establish/Maintain Documentation | Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. | CC ID 13884 | Establish/Maintain Documentation | Preventive
    Include a statement of responsibility for the subject matter in the representation letter. | CC ID 07159 | Establish/Maintain Documentation | Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. | CC ID 07160 | Establish/Maintain Documentation | Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. | CC ID 07161 | Establish/Maintain Documentation | Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. | CC ID 07162 | Establish/Maintain Documentation | Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. | CC ID 07163 | Establish/Maintain Documentation | Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. | CC ID 07164 | Establish/Maintain Documentation | Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. | CC ID 07165 | Establish/Maintain Documentation | Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. | CC ID 13899 | Establish/Maintain Documentation | Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. | CC ID 06967 | Establish/Maintain Documentation | Preventive
    Include any assumptions that are improbable in the audit assertion. | CC ID 13950 | Establish/Maintain Documentation | Preventive
    Include how the audit scope matches in scope controls in the audit assertion. | CC ID 06969 | Establish/Maintain Documentation | Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. | CC ID 07027 | Establish/Maintain Documentation | Preventive
    Include how the in scope system is designed and implemented in the audit assertion. | CC ID 06970 | Establish/Maintain Documentation | Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. | CC ID 13949 | Establish/Maintain Documentation | Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. | CC ID 07028 | Establish/Maintain Documentation | Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. | CC ID 06971 | Establish/Maintain Documentation | Preventive
    Include the in scope procedures in the audit assertion. | CC ID 06972 | Establish/Maintain Documentation | Preventive
    Include the in scope records produced in the audit assertion. | CC ID 06968 | Establish/Maintain Documentation | Preventive
    Include how in scope material events are monitored and logged in the audit assertion. | CC ID 06973 | Establish/Maintain Documentation | Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. | CC ID 06991 | Establish/Maintain Documentation | Preventive
    Include the in scope controls and compliance documents in the audit assertion. | CC ID 06974 | Establish/Maintain Documentation | Preventive
    Include the in scope risk assessment processes in the audit assertion. | CC ID 06975 | Establish/Maintain Documentation | Preventive
    [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3]
    Include in scope change controls in the audit assertion. | CC ID 06976 | Establish/Maintain Documentation | Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. | CC ID 06989 | Establish/Maintain Documentation | Preventive
    Include the scope for the desired level of assurance in the audit program. | CC ID 12793 | Communicate | Preventive
    Include conditions that might require modification of the audit program in the audit terms. | CC ID 07149 | Establish/Maintain Documentation | Preventive
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. | CC ID 06988 | Establish/Maintain Documentation | Preventive
    Include the criteria for determining the desired level of assurance in the audit program. | CC ID 12795 | Audits and Risk Management | Preventive
    Establish and maintain procedures for determining the desired level of assurance in the audit program. | CC ID 12794 | Establish/Maintain Documentation | Preventive
    Include the expectations for the audit report in the audit terms. | CC ID 07148 | Establish/Maintain Documentation | Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. | CC ID 13888 | Establish/Maintain Documentation | Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. | CC ID 13896 | Establish/Maintain Documentation | Corrective
    Include materiality levels in the audit terms. | CC ID 01238 | Establish/Maintain Documentation | Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. | CC ID 01239 | Establish/Maintain Documentation | Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. | CC ID 01240 | Establish/Maintain Documentation | Preventive
    Refrain from performing an attestation engagement under defined conditions. | CC ID 13952 | Audits and Risk Management | Detective
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. | CC ID 13954 | Behavior | Preventive
    Accept the attestation engagement when all preconditions are met. | CC ID 13933 | Business Processes | Preventive
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. | CC ID 13951 | Audits and Risk Management | Preventive
    Audit in scope audit items and compliance documents as defined in the audit scope. | CC ID 06730 | Audits and Risk Management | Preventive
    [The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system conforms to the organization’s own requirements for its BCMS, § 9.2 ¶ 1 a) 1)
    The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system conforms to the requirements of this International Standard, and § 9.2 ¶ 1 a) 2)
    The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system is effectively implemented and maintained. § 9.2 ¶ 1 b)]
    Identify hypothetical assumptions in forecasts and projections during an audit. | CC ID 13946 | Audits and Risk Management | Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. | CC ID 13932 | Audits and Risk Management | Detective
    Audit policies, standards, and procedures. | CC ID 12927 | Audits and Risk Management | Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. | CC ID 13011 | Investigate | Detective
    Audit information systems, as necessary. | CC ID 13010 | Investigate | Detective
    Audit the potential costs of compromise to information systems. | CC ID 13012 | Investigate | Detective
    Determine the accurateness of the audit assertion's in scope system description. | CC ID 06979 | Testing | Detective
    Determine if the in scope system has been implemented as described in the audit assertion. | CC ID 06983 | Testing | Detective
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. | CC ID 13977 | Process or Activity | Detective
    Edit the audit assertion for accuracy. | CC ID 07030 | Establish/Maintain Documentation | Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. | CC ID 06982 | Establish/Maintain Documentation | Preventive
    Determine if the audit assertion's in scope controls are reasonable. | CC ID 06980 | Testing | Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. | CC ID 13978 | Process or Activity | Detective
    Document test plans for auditing in scope controls. | CC ID 06985 | Testing | Detective
    Determine the implementation status of the audit assertion's in scope controls. | CC ID 06981 | Testing | Detective
    Determine the effectiveness of in scope controls. | CC ID 06984 | Testing | Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. | CC ID 12157 | Audits and Risk Management | Detective
    Review audit reports to determine the effectiveness of in scope controls. | CC ID 12156 | Audits and Risk Management | Detective
    Observe processes to determine the effectiveness of in scope controls. | CC ID 12155 | Audits and Risk Management | Detective
    Interview stakeholders to determine the effectiveness of in scope controls. | CC ID 12154 | Audits and Risk Management | Detective
    Review policies and procedures to determine the effectiveness of in scope controls. | CC ID 12144 | Audits and Risk Management | Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. | CC ID 06990 | Testing | Detective
    Include the process of using evidential matter to test in scope controls in the test plan. | CC ID 06996 | Establish/Maintain Documentation | Preventive
    Audit the in scope system according to the test plan using relevant evidence. | CC ID 07112 | Testing | Preventive
    [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3
    The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3]
    Implement procedures that collect sufficient audit evidence. | CC ID 07153 | Audits and Risk Management | Preventive
    Collect evidence about the in scope audit items of the audit assertion. | CC ID 07154 | Audits and Risk Management | Preventive
    Collect audit evidence sufficient to avoid misstatements. | CC ID 07155 | Audits and Risk Management | Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. | CC ID 07156 | Audits and Risk Management | Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. | CC ID 07157 | Audits and Risk Management | Preventive
    Conduct interviews of auditees, as necessary. | CC ID 07188 | Testing | Detective
    Explain the goals of the interview to the auditee. | CC ID 07189 | Behavior | Detective
    Withdraw from the audit, when defined conditions exist. | CC ID 13885 | Process or Activity | Corrective
    Establish and maintain work papers, as necessary. | CC ID 13891 | Establish/Maintain Documentation | Preventive
    Include justification for departing from mandatory requirements in the work papers. | CC ID 13935 | Establish/Maintain Documentation | Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. | CC ID 06998 | Establish/Maintain Documentation | Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. | CC ID 07190 | Establish/Maintain Documentation | Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. | CC ID 07026 | Establish/Maintain Documentation | Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Establish/Maintain Documentation Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and Risk Management Detective
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Establish/Maintain Documentation Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Establish/Maintain Documentation Preventive
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Testing Detective
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Testing Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Monitor and Evaluate Occurrences Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Establish Roles Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Business Processes Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Monitor and Evaluate Occurrences Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Business Processes Preventive
    Establish and maintain a Statement on the Level of Compliance. CC ID 12499 Establish/Maintain Documentation Preventive
    Review the Statement on the Level of Compliance. CC ID 12500 Business Processes Detective
    Approve the Statement on the Level of Compliance. CC ID 12501 Business Processes Preventive
    Include a Statement on the Level of Compliance in the tactical Information Technology plan. CC ID 06842 Actionable Reports or Measurements Preventive
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Process or Activity Preventive
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Establish/Maintain Documentation Preventive
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and Risk Management Preventive
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Business Processes Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and Risk Management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and Risk Management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Establish/Maintain Documentation Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Establish/Maintain Documentation Preventive
    Establish and maintain organizational audit reports. CC ID 06731
    [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2]
    Establish/Maintain Documentation Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Establish/Maintain Documentation Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Establish/Maintain Documentation Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Establish/Maintain Documentation Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Establish/Maintain Documentation Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Establish/Maintain Documentation Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Establish/Maintain Documentation Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Establish/Maintain Documentation Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Establish/Maintain Documentation Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Actionable Reports or Measurements Preventive
    Include the date of the audit in the audit report. CC ID 07024 Actionable Reports or Measurements Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Actionable Reports or Measurements Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Establish/Maintain Documentation Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Establish/Maintain Documentation Preventive
    Include the audit criteria in the audit report. CC ID 13945 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Establish/Maintain Documentation Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Establish/Maintain Documentation Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Actionable Reports or Measurements Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Establish/Maintain Documentation Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 Establish/Maintain Documentation Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Establish/Maintain Documentation Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Establish/Maintain Documentation Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Establish/Maintain Documentation Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Establish/Maintain Documentation Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Establish/Maintain Documentation Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Establish/Maintain Documentation Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Establish/Maintain Documentation Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Establish/Maintain Documentation Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Establish/Maintain Documentation Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Establish/Maintain Documentation Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Establish/Maintain Documentation Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Establish/Maintain Documentation Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Establish/Maintain Documentation Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Establish/Maintain Documentation Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Establish/Maintain Documentation Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Actionable Reports or Measurements Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Establish/Maintain Documentation Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Establish/Maintain Documentation Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Establish/Maintain Documentation Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Establish/Maintain Documentation Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Establish/Maintain Documentation Preventive
    Include the organization's description of the in scope system in the audit report. CC ID 11626 Audits and Risk Management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and Risk Management Detective
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Establish/Maintain Documentation Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and Risk Management Detective
    Review past audit reports. CC ID 01155
    [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2
    The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3]
    Establish/Maintain Documentation Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Establish/Maintain Documentation Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Behavior Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Establish/Maintain Documentation Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Establish/Maintain Documentation Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Establish/Maintain Documentation Preventive
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Process or Activity Detective
    Include an audit opinion in the audit report. CC ID 07017 Establish/Maintain Documentation Preventive
    Include qualified opinions in the audit report. CC ID 13928 Establish/Maintain Documentation Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Establish/Maintain Documentation Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Establish/Maintain Documentation Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Establish/Maintain Documentation Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Business Processes Corrective
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Actionable Reports or Measurements Preventive
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and Risk Management Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Establish/Maintain Documentation Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Establish/Maintain Documentation Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Establish/Maintain Documentation Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Records Management Preventive
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Establish/Maintain Documentation Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Establish/Maintain Documentation Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Establish/Maintain Documentation Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Establish/Maintain Documentation Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Establish/Maintain Documentation Preventive
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Establish/Maintain Documentation Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Establish/Maintain Documentation Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Establish/Maintain Documentation Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Establish/Maintain Documentation Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Establish/Maintain Documentation Corrective
    Disclose any audit irregularities in the audit report. CC ID 06995 Actionable Reports or Measurements Preventive
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Establish/Maintain Documentation Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653
    [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2]
    Log Management Detective
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Behavior Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Establish/Maintain Documentation Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Business Processes Preventive
    Submit an audit report that is complete. CC ID 01145 Testing Detective
    Accept the audit report. CC ID 07025 Establish/Maintain Documentation Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777
    [The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4
    {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Establish/Maintain Documentation Corrective
    Assign responsibility for remediation actions. CC ID 13622 Human Resources Management Preventive
    Review management's response to issues raised in past audit reports. CC ID 01149
    [The management review shall include consideration of the status of actions from previous management reviews, § 9.3 ¶ 2 a)
    The management review shall include consideration of information on the business continuity performance, including trends in nonconformities and corrective actions, § 9.3 ¶ 2 c) 1)]
    Audits and Risk Management Detective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963
    [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Testing Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and Risk Management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and Risk Management Preventive
    Establish, implement, and maintain the audit plan. CC ID 01156 Testing Detective
    Establish and maintain the audit schedule for the audit program. CC ID 13158
    [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish and maintain the risk assessment framework. CC ID 00685
    [The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that specifies the requirements for this information to be kept up-to-date and confidential. § 8.2.1 ¶ 1 e)]
    Establish/Maintain Documentation Preventive
    Review the risk assessment framework. CC ID 12813 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and Risk Management Detective
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 Establish Roles Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Establish/Maintain Documentation Preventive
    Address past security incidents in the risk assessment program. CC ID 12743 Audits and Risk Management Preventive
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Establish/Maintain Documentation Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Establish/Maintain Documentation Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [{external factor} In establishing the context, the organization shall define the external and internal factors that create the uncertainty that gives rise to risk, § 4.1 ¶ 4 2)
    Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3]
    Audits and Risk Management Preventive
    Establish and maintain a financial plan to support the risk management strategy. CC ID 12786 Establish/Maintain Documentation Preventive
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Business Processes Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Business Processes Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 Business Processes Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Establish/Maintain Documentation Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Establish/Maintain Documentation Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Establish/Maintain Documentation Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Establish/Maintain Documentation Preventive
    Include the description and purpose of personal data processing in the Data Protection Impact Assessment. CC ID 12673 Establish/Maintain Documentation Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Establish/Maintain Documentation Preventive
    Include security measures for protecting personal data in the Data Protection Impact Assessment. CC ID 12635 Establish/Maintain Documentation Preventive
    Review and update the data protection impact assessment, as necessary. CC ID 12665 Audits and Risk Management Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Behavior Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Establish/Maintain Documentation Preventive
    Review and update the risk assessment policy, as necessary. CC ID 14122 Establish/Maintain Documentation Corrective
    Include compliance requirements in the risk assessment policy. CC ID 14121 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Communicate Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446
    [The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization. § 8.2.3 ¶ 1
    {formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d)
    {risk management procedures} The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by establishing criteria for the processes, § 8.1 ¶ 1 a)
The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that: § 8.2.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Document cybersecurity risks. CC ID 12281 Establish/Maintain Documentation Preventive
    Engage third parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Establish and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and Risk Management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Establish/Maintain Documentation Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183
    [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, § 8.2.1 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277 Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities to the system in the threat and risk classification scheme. CC ID 00699 Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and Risk Management Preventive
    Include the risks to the organization's critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and Risk Management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Establish/Maintain Documentation Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Establish/Maintain Documentation Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462
    [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, § 8.2.1 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Establish/Maintain Documentation Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Establish/Maintain Documentation Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and Risk Management Preventive
    Review the risk assessment procedures, as necessary. CC ID 06460 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472
    [{formal process} {legal requirements} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that takes into account legal and other requirements to which the organization subscribes, § 8.2.1 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484
    [The organization shall evaluate which disruption related risks require treatment, and § 8.2.3 ¶ 2 c)
    {formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that includes systematic analysis, prioritization of risk treatments, and their related costs, § 8.2.1 ¶ 1 c)
    {actions to address risks and opportunities} The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by implementing control of the processes in accordance with the criteria, and § 8.1 ¶ 1 b)
    {changes to security requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to risk reduction and security requirements, § 9.3 ¶ 4 d) 2)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Communicate Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Establish/Maintain Documentation Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that includes systematic analysis, prioritization of risk treatments, and their related costs, § 8.2.1 ¶ 1 c)]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481
    [{formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d)]
    Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [{update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)]
    Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Business Processes Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718
[{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3]
    Behavior Preventive
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Investigate Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Conduct a Business Impact Analysis based on the risk assessment findings in the risk assessment report. CC ID 01147
    [{formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d)
    The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. § 8.2.2 ¶ 1
    {outputs from the risk assessment} Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment. § 8.3.1 ¶ 1
    The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that specifies the requirements for this information to be kept up-to-date and confidential. § 8.2.1 ¶ 1 e)
The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that: § 8.2.1 ¶ 1]
    Audits and Risk Management Detective
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Establish/Maintain Documentation Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Establish/Maintain Documentation Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Establish/Maintain Documentation Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Establish/Maintain Documentation Preventive
    Include pandemic risks in the business impact analysis, as necessary. CC ID 13219 Establish/Maintain Documentation Preventive
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172
    [The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. § 8.2.2 ¶ 1
    The business impact analysis shall include the following: identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties. § 8.2.2 ¶ 2 d)
    The response structure shall identify impact thresholds that justify initiation of formal response, § 8.4.2 ¶ 2 a)]
    Establish/Maintain Documentation Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961
[The organization shall identify and document the following: the organization’s risk appetite. § 4.1 ¶ 3 c)]
    Establish/Maintain Documentation Preventive
    Update the risk register, as necessary. CC ID 13047 Establish/Maintain Documentation Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Business Processes Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148
    [The business impact analysis shall include the following: assessing the impacts over time of not performing these activities; § 8.2.2 ¶ 2 b)
    When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by reviewing the nonconformity, § 10.1 ¶ 1 c) 1)]
    Establish/Maintain Documentation Detective
    Review the Business Impact Analysis, as necessary. CC ID 12774 Business Processes Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [The organization shall systematically analyse risk, § 8.2.3 ¶ 2 b)]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [The business impact analysis shall include the following: identifying activities that support the provision of products and services; § 8.2.2 ¶ 2 a)
    The organization shall identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, § 8.2.3 ¶ 2 a)]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [The organization shall identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, § 8.2.3 ¶ 2 a)]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [The organization shall identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite. § 8.2.3 ¶ 2 d)
    The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite. § 8.3.3 ¶ 2
    In establishing the context, the organization shall set risk criteria taking into account the risk appetite, and § 4.1 ¶ 4 3)
    Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3
    The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to levels of risk and/or criteria for accepting risks, § 9.3 ¶ 4 d) 6)]
    Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483
    [The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite. § 8.3.3 ¶ 2
    For identified risks requiring treatment, the organization shall consider proactive measures that reduce the likelihood of disruption, § 8.3.3 ¶ 1 a)
    For identified risks requiring treatment, the organization shall consider proactive measures that shorten the period of disruption, and § 8.3.3 ¶ 1 b)
    For identified risks requiring treatment, the organization shall consider proactive measures that limit the impact of disruption on the organization’s key products and services. § 8.3.3 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Behavior Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [{update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)]
    Establish/Maintain Documentation Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [The organization shall identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite. § 8.2.3 ¶ 2 d)
    {outputs from the risk assessment} Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment. § 8.3.1 ¶ 1]
    Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and Risk Management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601
    [{formal process} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident, § 8.2.1 ¶ 1 a)]
    Testing Detective
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and Risk Management Preventive
    Establish and maintain a risk treatment plan. CC ID 11983
    [{actions to address these risks and opportunities} The organization shall plan how to integrate and implement the actions into its BCMS processes (see 8.1), § 6.1 ¶ 2 b) 1)]
    Establish/Maintain Documentation Preventive
    Identify the planned actions and controls that address high risk. CC ID 12835 Audits and Risk Management Preventive
    Identify the current actions and controls that address high risk. CC ID 12834 Audits and Risk Management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Establish/Maintain Documentation Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Establish/Maintain Documentation Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Establish/Maintain Documentation Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Establish/Maintain Documentation Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Establish/Maintain Documentation Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Establish/Maintain Documentation Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Establish/Maintain Documentation Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Establish/Maintain Documentation Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Establish/Maintain Documentation Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and Risk Management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457
    [When nonconformity occurs, the organization shall implement any action needed, § 10.1 ¶ 1 d)]
    Establish/Maintain Documentation Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [The organization shall plan actions to address these risks and opportunities, § 6.1 ¶ 2 a)]
    Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485 Establish/Maintain Documentation Preventive
  • Human Resources management
KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
Mandated - bold; Implied - italic; Implementation - regular. Trailing columns on each control line: TYPE, CLASS
Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish and maintain high level operational roles and responsibilities. CC ID 00806
    [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. § 5.4 ¶ 1]
    Establish Roles Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 Establish Roles Preventive
    Designate an alternate for each organizational leader. CC ID 12053 Human Resources Management Preventive
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Behavior Preventive
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 Human Resources Management Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [Top management shall assign the responsibility and authority for reporting on the performance of the BCMS to top management. § 5.4 ¶ 2 b)]
    Establish Roles Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources Management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Establish Roles Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources Management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources Management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources Management Preventive
    Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 Establish Roles Preventive
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 Establish Roles Preventive
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810 Establish Roles Preventive
    Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 Establish Roles Preventive
    Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 Human Resources Management Preventive
    Define and assign roles and responsibilities for network management. CC ID 13128 Human Resources Management Preventive
    Define and assign the technology security leader's roles and responsibilities. CC ID 01897 Establish Roles Preventive
    Define and assign the security staff roles and responsibilities. CC ID 11750 Establish/Maintain Documentation Preventive
    Define and assign the property management leader's roles and responsibilities. CC ID 00669 Establish Roles Preventive
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 Establish Roles Preventive
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 Establish Roles Preventive
    Define and assign the Information Technology facility management personnel's roles and responsibilities. CC ID 06381 Establish Roles Preventive
    Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 Establish/Maintain Documentation Preventive
    Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 Establish Roles Preventive
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources Management Preventive
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources Management Preventive
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources Management Preventive
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources Management Preventive
    Assign a contact person to all business units. CC ID 07144 Establish Roles Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Business Processes Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources Management Preventive
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources Management Preventive
    Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 Human Resources Management Preventive
    Establish and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The organization shall ensure that these persons are competent on the basis of appropriate education, training, and experience, § 7.2 ¶ 1 b)]
    Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish and maintain personnel screening procedures. CC ID 11700 Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Update security clearances, as necessary. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
    Establish and maintain the Information Technology staff structure in line with the Strategic Information Technology Plan. CC ID 00764 Establish Roles Preventive
    Document and communicate role descriptions to all applicable personnel. CC ID 00776
    [Persons doing work under the organization’s control shall be aware of their own role during disruptive incidents. § 7.3 ¶ 1 d)]
    Establish Roles Detective
    Evaluate the Information Technology staffing requirements regularly. CC ID 00775
    [The organization shall determine the necessary competence of person(s) doing work under its control that affects its performance, § 7.2 ¶ 1 a)]
    Business Processes Detective
    Train all personnel and third parties, as necessary. CC ID 00785
    [The organization shall where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and § 7.2 ¶ 1 c)]
    Behavior Preventive
    Establish and maintain an education methodology. CC ID 06671 Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources Management Preventive
    Retrain all personnel, as necessary. CC ID 01362 Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423
    [The organization shall retain appropriate documented information as evidence of competence. § 7.2 ¶ 1 d)]
    Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672
    [The organization shall where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and § 7.2 ¶ 1 c)]
    Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Review the current published guidance and awareness and training programs. CC ID 01245 Establish/Maintain Documentation Preventive
    Establish and implement training plans. CC ID 00828 Establish/Maintain Documentation Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Training Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Training Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Training Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Training Detective
    Develop or acquire content to update the training plans. CC ID 12867 Training Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Establish/Maintain Documentation Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources Management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Training Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources Management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Training Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Training Preventive
    Conduct Archives and Records Management training. CC ID 00975 Behavior Preventive
    Conduct personal data processing training. CC ID 13757 Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Training Preventive
    Establish and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Establish/Maintain Documentation Preventive
    Review and update the security awareness and training procedures, as necessary. CC ID 14140 Establish/Maintain Documentation Corrective
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Communicate Preventive
    Review and update the security awareness and training policy, as necessary. CC ID 14050 Establish/Maintain Documentation Corrective
    Include management commitment in the security awareness and training policy. CC ID 14049 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate security awareness and the internal control framework to all interested personnel and affected parties. CC ID 00823 Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Conduct secure coding and development training for developers. CC ID 06822 Behavior Corrective
    Conduct tampering prevention training. CC ID 11875 Training Preventive
    Include the mandate to refrain from installing, refrain from replacing, refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Training Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Training Preventive
    Include how to report tampering in the tampering prevention training. CC ID 11879 Training Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Training Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Training Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Training Preventive
    Update training plans, as necessary. CC ID 12868 Training Preventive
    Conduct crime prevention training. CC ID 06350 Behavior Preventive
    Analyze and evaluate training records to improve the training program. CC ID 06380 Monitor and Evaluate Occurrences Detective
  • Leadership and high level objectives
    105
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Document organizational objectives. CC ID 09959
    [In establishing the context, the organization shall articulate its objectives, including those concerned with business continuity, § 4.1 ¶ 4 1)
    Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization. § 6.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Process or Activity Preventive
    Identify events that may affect organizational objectives. CC ID 12961 Process or Activity Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Process or Activity Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Business Processes Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Business Processes Preventive
    Prioritize organizational objectives. CC ID 09960 Business Processes Preventive
    Review and update organizational objectives, as necessary. CC ID 13494 Establish/Maintain Documentation Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Business Processes Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Establish/Maintain Documentation Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Establish/Maintain Documentation Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Establish/Maintain Documentation Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Establish/Maintain Documentation Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Establish/Maintain Documentation Preventive
    Disseminate and communicate organizational objectives to all interested personnel and affected parties. CC ID 13191 Communicate Preventive
    Document and communicate the linkage between organizational objectives, functions, activities and general controls. CC ID 12398 Establish/Maintain Documentation Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Business Processes Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Process or Activity Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Process or Activity Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Business Processes Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604
    [{legal requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to legal and regulatory requirements, § 9.3 ¶ 4 d) 4)]
    Monitor and Evaluate Occurrences Detective
    Monitor for new Information Security solutions. CC ID 07078 Monitor and Evaluate Occurrences Detective
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135
    [The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2
    {national risk advisory system} The organization shall establish, implement and maintain procedures for receiving, documenting and responding to any national or regional risk advisory system or equivalent, § 8.4.3 ¶ 1 d)]
    Technical Security Detective
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Communicate Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Establish, implement, and maintain a Quality Management framework. CC ID 07196
    [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Establish/Maintain Documentation Preventive
    Establish and maintain a Quality Management policy. CC ID 13694 Establish/Maintain Documentation Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Establish/Maintain Documentation Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Establish/Maintain Documentation Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Communicate Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders, as necessary. CC ID 13680 Communicate Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Establish/Maintain Documentation Preventive
    Establish and maintain an overall Quality Management standard. CC ID 01006 Establish/Maintain Documentation Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Establish/Maintain Documentation Preventive
    Implement the Quality Management program. CC ID 13696 Business Processes Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501 Business Processes Corrective
    Enforce a continuous Quality Control system. CC ID 01005 Business Processes Detective
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008
    [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Testing Detective
    Establish and maintain a Quality Management program. CC ID 07201 Establish/Maintain Documentation Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Establish/Maintain Documentation Preventive
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Systems Design, Build, and Implementation Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 Establish/Maintain Documentation Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Establish/Maintain Documentation Preventive
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Business Processes Detective
    Include program testing standards in the Quality Management program. CC ID 01017 Establish/Maintain Documentation Preventive
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Business Processes Detective
    Include system testing standards in the Quality Management program. CC ID 01018 Establish/Maintain Documentation Preventive
    Include a bug tracking system in the Quality Management program. CC ID 06824 Systems Design, Build, and Implementation Preventive
    Review the Quality Management framework, as necessary. CC ID 07198
    [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: § 9.3 ¶ 4
    {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Establish and maintain a list of compliance documents. CC ID 07113
    [{legal requirements} {regulatory requirements} {new legal, regulatory and other requirements} The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties. § 4.2.2 ¶ 3
    [identified and controlled] Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled. § 7.5.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Establish/Maintain Documentation Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [The organization’s BCMS shall include - documented information required by this International Standard, and - documented information determined by the organization as being necessary for the effectiveness of the BCMS. § 7.5.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Communicate Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Establish/Maintain Documentation Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Establish/Maintain Documentation Preventive
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Establish Roles Preventive
    Approve all compliance documents. CC ID 06286 Establish/Maintain Documentation Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284
    [Top management shall assign the responsibility and authority for ensuring that the management system conforms to the requirements of this International Standard, and § 5.4 ¶ 2 a)]
    Establish Roles Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Behavior Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283
    [{legal requirements} {regulatory requirements} {new legal, regulatory and other requirements} The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties. § 4.2.2 ¶ 3]
    Behavior Preventive
    Establish and maintain a strategic plan. CC ID 12784 Establish/Maintain Documentation Preventive
    Establish and maintain a decision management strategy. CC ID 06913 Establish/Maintain Documentation Preventive
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918
    [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish and maintain a high-level Strategic Information Technology Plan. CC ID 00628 Establish/Maintain Documentation Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496
    [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3]
    Establish/Maintain Documentation Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408
    [The business continuity objectives shall be consistent with the business continuity policy, § 6.2 ¶ 2 a)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492
    [Persons doing work under the organization’s control shall be aware of their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity management performance, § 7.3 ¶ 1 b)]
    Business Processes Preventive
    Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 Behavior Preventive
    Establish and maintain communication protocols. CC ID 12245
    [{internal communications protocol} The procedures shall establish an appropriate internal and external communications protocol, § 8.4.1 ¶ 3 a)
    The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2
    {procedures for receiving, documenting and responding to communication from interested parties} The organization shall establish, implement and maintain procedures for internal communication within the organization and receiving, documenting and responding to communication from interested parties, § 8.4.3 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 Establish/Maintain Documentation Preventive
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 Process or Activity Detective
    Include external requirements in the organization's communication protocol. CC ID 12418 Establish/Maintain Documentation Preventive
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Communicate Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 Establish/Maintain Documentation Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Communicate Preventive
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Process or Activity Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Communicate Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Communicate Preventive
    Route notifications, as necessary. CC ID 12832 Process or Activity Preventive
    Substantiate notifications, as necessary. CC ID 12831 Process or Activity Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Business Processes Preventive
    Prioritize notifications, as necessary. CC ID 12830 Process or Activity Preventive
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Actionable Reports or Measurements Preventive
    Disseminate and communicate internal controls with supply chain members, as necessary. CC ID 12416 Communicate Preventive
    Establish and maintain the organization's survey method. CC ID 12869 Process or Activity Preventive
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Process or Activity Preventive
    Establish and maintain warning procedures that follow the organization's communication protocol. CC ID 12407
    [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish and maintain alert procedures that follow the organization's communication protocol. CC ID 12406
    [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
  • Monitoring and measurement
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish and maintain a risk monitoring program. CC ID 00658
    [{what needs to be measured} The organization shall determine what needs to be monitored and measured, § 9.1.1 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Monitor the organization's exposure to threats, as necessary. CC ID 06494 Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitor and Evaluate Occurrences Detective
    Implement a fraud detection system. CC ID 13081 Business Processes Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Monitor for new vulnerabilities. CC ID 06843 Monitor and Evaluate Occurrences Preventive
    Establish and maintain an overall compliance testing strategy. CC ID 00659 Establish/Maintain Documentation Preventive
    Establish and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Testing Preventive
    Test compliance controls for proper functionality. CC ID 00660 Testing Detective
    Establish, implement, and maintain a system security plan. CC ID 01922 Testing Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Establish/Maintain Documentation Preventive
    Review and update the system security plan, as necessary. CC ID 14287 Establish/Maintain Documentation Corrective
    Include the results of the security categorization in the system security plan. CC ID 14281 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255 Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239 Establish/Maintain Documentation Preventive
    Create specific test plans to test each system component. CC ID 00661 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297 Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293 Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271 Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241 Business Processes Preventive
    Adhere to the system security plan. CC ID 11640 Testing Detective
    Review the test plans for each system component. CC ID 00662 Establish/Maintain Documentation Preventive
    Validate all testing assumptions in the test plans. CC ID 00663 Testing Detective
    Document validated testing processes in the testing procedures. CC ID 06200 Establish/Maintain Documentation Preventive
    Require testing procedures to be complete. CC ID 00664 Testing Detective
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Establish/Maintain Documentation Preventive
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Testing Preventive
    Implement automated audit tools. CC ID 04882 Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve test plans. CC ID 13071 Human Resources Management Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Testing Detective
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitor and Evaluate Occurrences Detective
    Establish and maintain a compliance monitoring policy. CC ID 00671
    [{legal requirements} {business continuity objectives} The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives; and § 9.1.2 c)
    The organization shall determine when the monitoring and measuring shall be performed, and § 9.1.1 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Establish and maintain an approach for compliance monitoring. CC ID 01653
    [The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5]
    Establish/Maintain Documentation Preventive
    Establish and maintain risk management metrics. CC ID 01656 Establish/Maintain Documentation Preventive
    Report on the percentage of key Information Technology assets for which an assurance strategy is implemented. CC ID 01657 Actionable Reports or Measurements Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Actionable Reports or Measurements Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Actionable Reports or Measurements Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Actionable Reports or Measurements Detective
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Business Processes Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Audits and Risk Management Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitor and Evaluate Occurrences Detective
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [When nonconformity occurs, the organization shall identify the nonconformity, § 10.1 ¶ 1 a)
    The organization shall retain documented information as evidence of - the nature of the nonconformities and any subsequent actions taken, and - the results of any corrective action. § 10.1 ¶ 3
    {do not occur} When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by evaluating the need for corrective action to ensure that nonconformities do not recur or occur elsewhere, § 10.1 ¶ 1 c) 4
    The management review shall include consideration of information on the business continuity performance, including trends in nonconformities and corrective actions, § 9.3 ¶ 2 c) 1)]
    Establish/Maintain Documentation Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Business Processes Detective
    Determine the causes of compliance violations. CC ID 12401
    [When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining the causes of the nonconformity, and § 10.1 ¶ 1 c) 2
    {does not occur} When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by § 10.1 ¶ 1 c)]
    Investigate Corrective
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Establish/Maintain Documentation Preventive
    Determine if multiple compliance violations of the same type could occur. CC ID 12402
    [When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining if similar nonconformities exist, or could potentially occur, § 10.1 ¶ 1 c) 3]
    Investigate Detective
    Correct compliance violations. CC ID 13515 Process or Activity Corrective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403
    [When nonconformity occurs, the organization shall review the effectiveness of any corrective action taken, § 10.1 ¶ 1 e)
    When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by reviewing the effectiveness of any corrective action taken and § 10.1 ¶ 1 c) 6]
    Investigate Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [When nonconformity occurs, the organization shall react to the nonconformity, and, as applicable, § 10.1 ¶ 1 b)
    {adverse results} Additionally, the organization shall — take action when necessary to address adverse trends or results before a nonconformity occurs, and — retain relevant documented information as evidence of the results. § 9.1.1 ¶ 4
    {nonconformity} take action to control and correct it, and § 10.1 ¶ 1 b) 1)
    When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining and implementing corrective action needed, § 10.1 ¶ 1 c) 5]
    Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404
    [Corrective actions shall be appropriate to the effects of the nonconformities encountered. § 10.1 ¶ 2
    When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining and implementing corrective action needed, § 10.1 ¶ 1 c) 5]
    Human Resources Management Preventive
    Establish and maintain compliance program metrics. CC ID 11625 Monitor and Evaluate Occurrences Preventive
    Establish and maintain a security program metrics program. CC ID 01660 Establish/Maintain Documentation Preventive
    Report on the policies and controls that have been implemented by management. CC ID 01670 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Establish/Maintain Documentation Preventive
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Actionable Reports or Measurements Detective
    Establish and maintain a key stakeholder metrics program. CC ID 01661 Establish/Maintain Documentation Preventive
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Actionable Reports or Measurements Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Establish/Maintain Documentation Preventive
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Actionable Reports or Measurements Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Actionable Reports or Measurements Preventive
    Establish and maintain a Business Continuity metrics program. CC ID 01663
    [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1
    The organization shall determine when the results from monitoring and measurement shall be analysed and evaluated. § 9.1.1 ¶ 1 d)
    The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5
    The management review shall include consideration of information on the business continuity performance, including trends in monitoring and measurement evaluation results, and § 9.3 ¶ 2 c) 2)]
    Establish/Maintain Documentation Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Actionable Reports or Measurements Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Actionable Reports or Measurements Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Actionable Reports or Measurements Detective
    Establish and maintain an audit metrics program. CC ID 01664 Establish/Maintain Documentation Preventive
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Actionable Reports or Measurements Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Actionable Reports or Measurements Detective
    Report on the percentage of audit findings that have been resolved. CC ID 01678 Actionable Reports or Measurements Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Actionable Reports or Measurements Detective
    Establish and maintain an Information Security metrics program. CC ID 01665 Establish/Maintain Documentation Preventive
    Establish and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish and maintain a metrics standard and template. CC ID 02157 Establish/Maintain Documentation Preventive
    Monitor compliance with the Quality Control system. CC ID 01023 Actionable Reports or Measurements Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Actionable Reports or Measurements Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666
    [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: how the effectiveness of controls are measured. § 9.3 ¶ 4 e)]
    Establish/Maintain Documentation Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Actionable Reports or Measurements Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Actionable Reports or Measurements Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Establish/Maintain Documentation Preventive
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Actionable Reports or Measurements Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 Actionable Reports or Measurements Detective
    Establish and maintain a role-based information access metrics program. CC ID 01668 Establish/Maintain Documentation Preventive
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Actionable Reports or Measurements Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Actionable Reports or Measurements Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Actionable Reports or Measurements Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Establish/Maintain Documentation Preventive
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Actionable Reports or Measurements Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Actionable Reports or Measurements Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Actionable Reports or Measurements Detective
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Establish/Maintain Documentation Preventive
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Actionable Reports or Measurements Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Business Processes Preventive
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Actionable Reports or Measurements Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Actionable Reports or Measurements Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Business Processes Preventive
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Actionable Reports or Measurements Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have been recertified after their security controls were updated following system development. CC ID 02142 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Actionable Reports or Measurements Detective
    Establish and maintain a physical environment metrics program. CC ID 02063 Business Processes Preventive
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Actionable Reports or Measurements Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Actionable Reports or Measurements Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Actionable Reports or Measurements Detective
    Establish and maintain a reporting methodology program. CC ID 02072 Business Processes Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Business Processes Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that perform password policy verification. CC ID 02086 Actionable Reports or Measurements Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Business Processes Preventive
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Actionable Reports or Measurements Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Actionable Reports or Measurements Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Actionable Reports or Measurements Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Actionable Reports or Measurements Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Actionable Reports or Measurements Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Actionable Reports or Measurements Detective
    Establish and maintain a Configuration Management metrics program. CC ID 02077 Business Processes Preventive
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Actionable Reports or Measurements Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Actionable Reports or Measurements Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Actionable Reports or Measurements Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Actionable Reports or Measurements Detective
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Actionable Reports or Measurements Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Actionable Reports or Measurements Detective
    Establish and maintain a Security Information and Event Management metrics program. CC ID 02078 Log Management Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Log Management Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Log Management Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Log Management Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Actionable Reports or Measurements Detective
    Establish and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Business Processes Preventive
    Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before being granted network access. CC ID 02106 Actionable Reports or Measurements Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Actionable Reports or Measurements Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Actionable Reports or Measurements Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Actionable Reports or Measurements Detective
    Establish and maintain a malicious code protection management metrics program. CC ID 02080 Business Processes Preventive
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Actionable Reports or Measurements Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Business Processes Preventive
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Actionable Reports or Measurements Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Actionable Reports or Measurements Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Actionable Reports or Measurements Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Actionable Reports or Measurements Detective
    Establish and maintain a network management and firewall management metrics program. CC ID 02082 Business Processes Preventive
    Establish and maintain a network activity baseline. CC ID 13188 Technical Security Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Actionable Reports or Measurements Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Business Processes Preventive
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Actionable Reports or Measurements Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Actionable Reports or Measurements Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Actionable Reports or Measurements Detective
    Establish and maintain a backup management and recovery management metrics program. CC ID 02084 Business Processes Preventive
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Actionable Reports or Measurements Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Actionable Reports or Measurements Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Actionable Reports or Measurements Detective
    Establish and maintain an incident management and vulnerability management metrics program. CC ID 02085 Business Processes Preventive
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Actionable Reports or Measurements Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Actionable Reports or Measurements Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Actionable Reports or Measurements Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Actionable Reports or Measurements Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Actionable Reports or Measurements Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Actionable Reports or Measurements Detective
    Establish and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Establish/Maintain Documentation Preventive
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Actionable Reports or Measurements Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Actionable Reports or Measurements Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Actionable Reports or Measurements Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Actionable Reports or Measurements Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Actionable Reports or Measurements Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Actionable Reports or Measurements Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Actionable Reports or Measurements Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Testing Preventive
    Establish and maintain a log management program. CC ID 00673 Establish/Maintain Documentation Preventive
    Deploy log normalization tools, as necessary. CC ID 12141 Technical Security Preventive
    Restrict access to logs to a need to know basis. CC ID 01342 Log Management Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Technical Security Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Log Management Preventive
    Back up audit trails according to backup procedures. CC ID 11642 Systems Continuity Preventive
    Back up logs according to backup procedures. CC ID 01344 Log Management Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Log Management Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Log Management Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Log Management Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Log Management Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Log Management Preventive
    Protect logs from unauthorized activity. CC ID 01345 Log Management Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Log Management Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Log Management Preventive
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Configuration Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Log Management Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Establish/Maintain Documentation Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Audits and Risk Management Preventive
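The four "Identify hosts" controls above (CC IDs 06314 through 06317) and the logging coverage metric earlier in this section (CC ID 02102) are easy to satisfy on paper and hard to keep true, because a host that once forwarded logs stays in the collector's source list after its agent breaks. The following coverage check is an added example, not text from ISO 22301 or from the Network Frontiers report; it assumes a host inventory exported from the asset register, a per-host "last event received" time from the system-level store (local syslog or journal) and from the infrastructure-level store (central log management or SIEM), and a policy, assumed here, that critical hosts must log at both levels. The host names, the criticality flags and the timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Host:
    name: str
    critical: bool  # assumed flag copied from the asset classification


# Constructed inventory; in practice this is exported from the CMDB/asset register.
INVENTORY = [
    Host("web01", critical=True),
    Host("db01", critical=True),
    Host("jump01", critical=True),
    Host("build01", critical=False),
    Host("kiosk01", critical=False),
    Host("lab07", critical=False),
]

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed "last event received" times per host, one map for the system-level
# store and one for the infrastructure-level store. A host absent from a map was
# never seen by that store at all.
SYSTEM_LEVEL_LAST_EVENT = {
    "web01": NOW - timedelta(minutes=3),
    "db01": NOW - timedelta(minutes=1),
    "jump01": NOW - timedelta(minutes=5),
    "build01": NOW - timedelta(hours=2),
    "kiosk01": NOW - timedelta(days=9),  # still listed, but the collector died
}
INFRA_LEVEL_LAST_EVENT = {
    "web01": NOW - timedelta(minutes=4),
    "db01": NOW - timedelta(minutes=2),
    "build01": NOW - timedelta(hours=2),
    "lab07": NOW - timedelta(minutes=10),  # forwards centrally, no local spool
}


def _live(last_event, name, now, max_silence):
    """True only if the store holds an event from `name` newer than `max_silence`.
    A listed-but-silent source counts as not logging; stale sources are the
    usual way coverage erodes without anyone noticing."""
    ts = last_event.get(name)
    return ts is not None and now - ts <= max_silence


def classify_logging(inventory, system_last, infra_last, now,
                     max_silence=timedelta(hours=24)):
    """Bucket every inventoried host by where its logs are actually landing.
    Returns a dict of sorted host-name lists: not_stored, system_only,
    infra_only, both, plus critical_needs_both for critical hosts that are
    missing at either level."""
    buckets = {"not_stored": [], "system_only": [], "infra_only": [],
               "both": [], "critical_needs_both": []}
    for host in inventory:
        sys_ok = _live(system_last, host.name, now, max_silence)
        inf_ok = _live(infra_last, host.name, now, max_silence)
        if sys_ok and inf_ok:
            buckets["both"].append(host.name)
        elif sys_ok:
            buckets["system_only"].append(host.name)
        elif inf_ok:
            buckets["infra_only"].append(host.name)
        else:
            buckets["not_stored"].append(host.name)
        # Assumed policy: critical assets must be retained at both levels.
        if host.critical and not (sys_ok and inf_ok):
            buckets["critical_needs_both"].append(host.name)
    return {k: sorted(v) for k, v in buckets.items()}


def pct_logging_implemented(inventory, system_last, infra_last, now,
                            max_silence=timedelta(hours=24)):
    """Metric for 'percentage of systems for which event logging has been
    implemented' (CC ID 02102): a host counts only if at least one store has a
    fresh event from it, so a dead agent lowers the number instead of hiding."""
    if not inventory:
        return 0.0
    covered = sum(
        1 for h in inventory
        if _live(system_last, h.name, now, max_silence)
        or _live(infra_last, h.name, now, max_silence)
    )
    return round(100.0 * covered / len(inventory), 1)


if __name__ == "__main__":
    report = classify_logging(INVENTORY, SYSTEM_LEVEL_LAST_EVENT,
                              INFRA_LEVEL_LAST_EVENT, NOW)
    for bucket, hosts in report.items():
        print(f"{bucket:>20}: {', '.join(hosts) or '-'}")
    print("logging implemented:",
          pct_logging_implemented(INVENTORY, SYSTEM_LEVEL_LAST_EVENT,
                                  INFRA_LEVEL_LAST_EVENT, NOW), "%")
```

The freshness window is the part worth arguing about with auditors: a 24-hour window catches a broken forwarder within a day, while a source list with no timestamp would report kiosk01 as covered nine days after its last event.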
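"Refrain from recording unnecessary restricted data in logs" (CC ID 06318 above) is usually enforced at the point of emission rather than by hoping developers remember. The filter below is an added example, not part of ISO 22301 or of the Network Frontiers report; it assumes the restricted data classes are payment card numbers, credentials passed as key=value pairs, and bearer tokens, and that the application logs through Python's standard logging module. The patterns and the sample messages are constructed for this example and would be tuned to the organization's own data classification.

```python
import logging
import re

# Constructed patterns for three restricted data classes; extend to match the
# organization's own classification (e.g. national ID formats).
_PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
_SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|token|secret|api[_-]?key)=([^&\s]+)")
_BEARER_RE = re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+")


def _luhn_ok(digits):
    """Luhn checksum, used so that long order or ticket numbers that merely look
    like card numbers are left readable."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _mask_pan(match):
    digits = re.sub(r"\D", "", match.group(0))
    if not _luhn_ok(digits):
        return match.group(0)  # not a card number; leave untouched
    # Keep BIN and last four, which is what support staff actually need.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(message):
    """Return `message` with credentials, bearer tokens and card numbers masked."""
    message = _SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", message)
    message = _BEARER_RE.sub("Bearer [REDACTED]", message)
    message = _PAN_RE.sub(_mask_pan, message)
    return message


class RedactingFilter(logging.Filter):
    """Scrubs the fully formatted message before any handler writes it, so the
    same rule applies to file, syslog and SIEM handlers alike."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def make_logger(name="app"):
    """Logger with the redacting filter attached at the logger level."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    if not any(isinstance(f, RedactingFilter) for f in logger.filters):
        logger.addFilter(RedactingFilter())
    return logger


if __name__ == "__main__":
    logging.basicConfig(format="%(levelname)s %(message)s")
    log = make_logger()
    # Constructed sample messages.
    log.info("login GET /auth?user=bob&password=hunter2&token=abc.def")
    log.info("Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig")
    log.info("charged card 4111 1111 1111 1111 for ticket 1234567890123456")
```

Attaching the filter to the logger rather than to one handler matters: a handler added later (a debug file handler, say) would otherwise bypass the scrub.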
    Include monitoring in the corrective action plan. CC ID 11645
    [The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4
    {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Monitor and Evaluate Occurrences Detective
    Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis. CC ID 12330
    [The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results. § 9.2 ¶ 4]
    Monitor and Evaluate Occurrences Preventive
    Protect against misusing automated audit tools. CC ID 04547 Technical Security Preventive
    Evaluate the measurement process used for metrics. CC ID 06920
    [{what needs to be measured} The organization shall determine what needs to be monitored and measured, § 9.1.1 ¶ 1 a)
    The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5]
    Testing Detective
  • Operational and Systems Continuity
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish and maintain a continuity framework. CC ID 00732
    [Top management shall establish a business continuity policy that is appropriate to the purpose of the organization, § 5.3 ¶ 1 a)
    Top management shall establish a business continuity policy that provides a framework for setting business continuity objectives, § 5.3 ¶ 1 b)
    {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2
    The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2
    The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of this International Standard. § 4.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish and maintain the scope of the continuity framework. CC ID 11908
    [The organization shall determine the boundaries and applicability of the BCMS to establish its scope. § 4.3.1 ¶ 1
    The organization shall define the scope of the BCMS in terms of and appropriate to the size, nature and complexity of the organization. § 4.3.2 ¶ 1 e)
    {external issues} The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS. § 4.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Identify all stakeholders critical to the continuity of operations. CC ID 12741 Systems Continuity Detective
    Explain any exclusions to the scope of the continuity framework. CC ID 12236
    [When defining the scope, the organization shall document and explain exclusions; any such exclusions shall not affect the organization’s ability and responsibility to provide continuity of business and operations that meet the BCMS requirements, as determined by business impact analysis or risk assessment and applicable legal or regulatory requirements. § 4.3.2 ¶ 2
    The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: variations to the scope of the BCMS; § 9.3 ¶ 4 a)]
    Establish/Maintain Documentation Preventive
    Refrain from including exclusions that could affect business continuity. CC ID 12740 Records Management Preventive
    Include the organization's business products and services in the scope of the continuity framework. CC ID 12235
    [The organization shall identify products and services and all related activities within the scope of the BCMS, § 4.3.2 ¶ 1 c)
    The business continuity objectives shall take account of the minimum level of products and services that is acceptable to the organization to achieve its objectives, § 6.2 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Include business units in the scope of the continuity framework. CC ID 11898
    [The organization shall identify and document the following: links between the business continuity policy and the organization’s objectives and other policies, including its overall risk management strategy; and § 4.1 ¶ 3 b)
    The organization shall establish the parts of the organization to be included in the BCMS, § 4.3.2 ¶ 1 a)
    {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include business functions in the scope of the continuity framework. CC ID 12699 Establish/Maintain Documentation Preventive
    Include information security continuity in the scope of the continuity framework. CC ID 12009
    [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3]
    Systems Continuity Preventive
    Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 Systems Continuity Preventive
    Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242
    [{internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including with whom to communicate. § 7.4 ¶ 1 c)
    The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2]
    Establish/Maintain Documentation Preventive
    Take into account external requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907
    [The organization shall ensure that these applicable legal, regulatory and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its BCMS. § 4.2.2 ¶ 2
    When establishing its BCMS, the organization shall determine the requirements of these interested parties § 4.2.1 ¶ 1 b)
    The business continuity objectives shall take into account applicable requirements, and § 6.2 ¶ 2 d)
    {legal requirements} The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of relevant interested parties. § 4.2.2 ¶ 1
    Top management shall establish a business continuity policy that includes a commitment to satisfy applicable requirements, § 5.3 ¶ 1 c)
    The organization shall determine an appropriate business continuity strategy for mitigating, responding to and managing impacts. § 8.3.1 ¶ 2 c)
    {internal obligations} The organization shall establish BCMS requirements, considering the organization's mission, goals, internal and external obligations, and legal and regulatory responsibilities, § 4.3.2 ¶ 1 b)
    {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include Quality Management in the continuity framework. CC ID 12239
    [Top management shall establish a business continuity policy that includes a commitment to continual improvement of the BCMS. § 5.3 ¶ 1 d)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a system continuity plan philosophy. CC ID 00734
    [The procedures shall be developed based on stated assumptions and an analysis of interdependencies, and § 8.4.1 ¶ 3 e)]
    Establish/Maintain Documentation Preventive
    Define the executive vision of the continuity planning process. CC ID 01243 Establish/Maintain Documentation Preventive
    Include a pandemic plan in the continuity plan. CC ID 06800 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733
    [{BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2
    {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3]
    Establish Roles Preventive
    Coordinate continuity planning with other business units responsible for related continuity plans. CC ID 01386
    [{processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)]
    Systems Continuity Preventive
    Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761
    [The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident. § 8.4.5 ¶ 1
    The business continuity plans shall collectively contain a process for standing down once the incident is over. § 8.4.4 ¶ 2 g)]
    Establish/Maintain Documentation Preventive
    Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 Systems Continuity Corrective
    Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 Monitor and Evaluate Occurrences Detective
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 Systems Continuity Detective
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS. § 10.2 ¶ 1
    {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2
    Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1
    The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2
    The procedures shall focus on the impact of events that could potentially disrupt operations, § 8.4.1 ¶ 3 d)
    The procedures shall be developed based on stated assumptions and an analysis of interdependencies, and § 8.4.1 ¶ 3 e)
    The organization shall conduct exercises and tests that are reviewed within the context of promoting continual improvement, and § 8.5 ¶ 2 f)
    When nonconformity occurs, the organization shall make changes to the business continuity management system, if necessary. § 10.1 ¶ 1 f)
    Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3
    {business continuity procedure} The organization shall conduct evaluations at planned intervals and when significant changes occur. § 9.1.2 d)
    The organization shall evaluate the BCMS performance and the effectiveness of the BCMS. § 9.1.1 ¶ 3
    The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: § 9.3 ¶ 4
    {periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)
    The management review shall include consideration of information on the business continuity performance, including trends in audit results, § 9.3 ¶ 2 c) 3)
    Top management shall review the organization’s BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1
    {update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)
    {outputs of the management review} modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to § 9.3 ¶ 4 d)]
    Establish/Maintain Documentation Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Communicate Corrective
    Identify all stakeholders in the continuity plan. CC ID 13256 Establish/Maintain Documentation Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Establish/Maintain Documentation Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Establish/Maintain Documentation Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189 Establish/Maintain Documentation Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037
    [The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2
    The organization shall - communicate the results of management review to relevant interested parties, and - take appropriate action relating to those results. § 9.3 ¶ 6
    When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by making changes to the BCMS, if necessary. § 10.1 ¶ 1 c) 7
    [post-incident review results] When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results. § 9.1.2 ¶ 1
    The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: improvement of the effectiveness of the BCMS; § 9.3 ¶ 4 b)
    {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Establish/Maintain Documentation Preventive
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Process or Activity Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Establish/Maintain Documentation Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Establish/Maintain Documentation Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Establish/Maintain Documentation Preventive
    Review and update the continuity procedures, as necessary. CC ID 14236 Establish/Maintain Documentation Corrective
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Establish/Maintain Documentation Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Configuration Preventive
    Install a generator sized to support the facility. CC ID 06709 Configuration Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Acquisition/Sale of Assets or Services Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371
    [In establishing the context, the organization shall define the purpose of the BCMS. § 4.1 ¶ 4 4)
    The scope shall be available as documented information. § 4.3.1 ¶ 3
    {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Establish/Maintain Documentation Preventive
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Establish/Maintain Documentation Preventive
    Review and update the continuity plan call tree mechanism after a personnel status change. CC ID 01167 Testing Detective
    Establish and maintain damage assessment procedures. CC ID 01267
    [The response structure shall assess the nature and extent of a disruptive incident and its potential impact, § 8.4.2 ¶ 2 b)
    [post-incident review results] When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results. § 9.1.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Implement the recovery plan. CC ID 13299 Process or Activity Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data and program backup procedures in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Test the backup information, as necessary. CC ID 13303 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Include restoration procedures in the continuity plan. CC ID 01169
    [The business continuity procedures shall be effective in minimizing consequences through implementation of appropriate mitigation strategies. § 8.4.1 ¶ 3 f)]
    Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166
    [The organization shall determine an appropriate business continuity strategy for stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources, and § 8.3.1 ¶ 2 b)
    The business continuity plans shall collectively contain how the organization will continue or recover its prioritized activities within predetermined timeframes, § 8.4.4 ¶ 2 e)]
    Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation, as necessary. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation, as necessary. CC ID 10664 Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Systems Continuity Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Communicate Preventive
    Establish and maintain system continuity plan strategies for all in scope systems. CC ID 00735 Establish/Maintain Documentation Preventive
    Define and prioritize critical business functions. CC ID 00736
    [The organization shall determine an appropriate business continuity strategy for protecting prioritized activities, § 8.3.1 ¶ 2 a)
    The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to prevention of further loss or unavailability of prioritized activities; § 8.4.4 ¶ 2 c) 3)]
    Establish/Maintain Documentation Detective
    Review and prioritize the importance of each business unit. CC ID 01165 Systems Continuity Preventive
    Review and prioritize the importance of each business process. CC ID 11689
    [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Document the mean time to failure for system components. CC ID 10684
    [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1]
    Systems Continuity Preventive
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Audits and Risk Management Preventive
    Establish and maintain Recovery Time Objectives for all in scope services. CC ID 12241
    [The business continuity objectives shall be monitored and updated as appropriate. § 6.2 ¶ 2 e)]
    Systems Continuity Preventive
    Establish and maintain Recovery Time Objectives for all in scope systems. CC ID 11688
    [The business impact analysis shall include the following: setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and § 8.2.2 ¶ 2 c)
    The determination of strategy shall include approving prioritized time frames for the resumption of activities. § 8.3.1 ¶ 3
    {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2
    {incident response procedure} The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. § 8.4.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 Configuration Corrective
    Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 Process or Activity Corrective
    Include the protection of personnel in the continuity plan. CC ID 06378
    [The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to the welfare of individuals, § 8.4.4 ¶ 2 c) 1)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a critical personnel list. CC ID 00739
    [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3]
    Establish/Maintain Documentation Detective
    Identify alternate personnel for each person on the critical personnel list. CC ID 12771 Human Resources Management Preventive
    Define the triggering events for when to activate the pandemic plan. CC ID 06801 Establish/Maintain Documentation Preventive
    Establish and maintain a critical third party list. CC ID 06815
    [When establishing its BCMS, the organization shall determine the interested parties that are relevant to the BCMS, and § 4.2.1 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816
    [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3]
    Behavior Preventive
    Establish, implement, and maintain a critical Information Technology resource list. CC ID 00740
    [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to resource needs, § 9.3 ¶ 4 d) 7]
    Establish/Maintain Documentation Detective
    Define and maintain continuity Service Level Agreements for all critical Information Technology resources. CC ID 00741 Establish/Maintain Documentation Preventive
    Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890
    [The response structure shall have resources available to support the processes and procedures to manage a disruptive incident in order to minimize impact, and § 8.4.2 ¶ 2 e)]
    Establish/Maintain Documentation Preventive
    Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374
    [{procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)]
    Establish/Maintain Documentation Preventive
    Establish and maintain at-risk structure removal or relocation procedures. CC ID 01247 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 Physical and Environmental Protection Corrective
    Include emergency communications procedures in the continuity plan. CC ID 00750
    [The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2
    The organization shall establish, implement and maintain procedures for assuring availability of the means of communication during a disruptive incident, § 8.4.3 ¶ 1 e)
    {significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3
    The business continuity plans shall collectively contain details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties and emergency contacts, § 8.4.4 ¶ 2 d)
    {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249
    [The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - receiving, documenting, and responding to communication from interested parties, - adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate, - ensuring availability of the means of communication during a disruptive incident, - facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and - operating and testing of communications capabilities intended for use during disruption of normal communications. § 7.4 ¶ 2
    The organization shall establish, implement and maintain procedures for facilitating structured communication with emergency responders, § 8.4.3 ¶ 1 f)
    {procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)]
    Establish/Maintain Documentation Preventive
    Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 Systems Continuity Preventive
    Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 Establish/Maintain Documentation Preventive
    Log important conversations conducted during emergencies with third parties. CC ID 12763 Log Management Preventive
    Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 Communicate Preventive
    Identify who can speak to the media in the emergency communications procedures. CC ID 12761 Communicate Corrective
    Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370
    [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1]
    Testing Detective
    Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 Acquisition/Sale of Assets or Services Preventive
    Minimize system continuity requirements. CC ID 00753 Establish/Maintain Documentation Preventive
    Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760
    [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1
    The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. § 5.3 ¶ 2
    Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization. § 6.2 ¶ 1
    {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including on what it will communicate, § 7.4 ¶ 1 a)
    {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including when to communicate, § 7.4 ¶ 1 b)
    The organization shall - communicate the results of management review to relevant interested parties, and - take appropriate action relating to those results. § 9.3 ¶ 6
    {internal communications} The organization shall determine the need for internal and external communications relevant to the BCMS including § 7.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 Establish/Maintain Documentation Preventive
    Train personnel on the continuity plan. CC ID 00759
    [The organization shall conduct exercises and tests that taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties, § 8.5 ¶ 2 c)]
    Behavior Preventive
    Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 Behavior Preventive
    Incorporate simulated events into the continuity plan training. CC ID 01402 Behavior Preventive
    Include stay at home order training in the continuity plan training. CC ID 14382 Training Preventive
    Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 Training Preventive
    Include personal protection in continuity plan training. CC ID 14394 Training Preventive
    Establish and maintain a continuity test plan. CC ID 04896
    [The organization shall conduct exercises and tests that are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates. § 8.5 ¶ 2 g)]
    Establish/Maintain Documentation Preventive
    Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 Establish/Maintain Documentation Preventive
    Include the succession plan in the continuity test plan, as necessary. CC ID 14401 Establish/Maintain Documentation Preventive
    Include contact information in the continuity test plan. CC ID 14399 Establish/Maintain Documentation Preventive
    Include testing all system components in the continuity test plan. CC ID 13508 Establish/Maintain Documentation Preventive
    Include test scenarios in the continuity test plan. CC ID 13506 Establish/Maintain Documentation Preventive
    Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 Establish/Maintain Documentation Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives. § 8.5 ¶ 1
    The organization shall conduct exercises and tests that are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates. § 8.5 ¶ 2 g)
    The business continuity objectives shall be measurable, § 6.2 ¶ 2 c)
    The organization shall conduct exercises and tests that produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements, § 8.5 ¶ 2 e)
    The organization shall conduct exercises and tests that are consistent with the scope and objectives of the BCMS, § 8.5 ¶ 2 a)
    {business continuity capabilities} The organization shall conduct evaluations of its business continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness; § 9.1.2 a)
    Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3
    {communication procedures} The communication and warning procedures shall be regularly exercised. § 8.4.3 ¶ 2
    {periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)]
    Testing Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Testing Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Testing Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Testing Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 Testing Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Testing Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757
    [The organization shall conduct exercises and tests that are based on appropriate scenarios that are well planned with clearly defined aims and objectives, § 8.5 ¶ 2 b)
    The organization shall conduct exercises and tests that minimize the risk of disruption of operations, § 8.5 ¶ 2 d)]
    Testing Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082 Testing Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Testing Preventive
    Test the continuity plan at the alternate facility. CC ID 01174 Testing Detective
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Establish/Maintain Documentation Preventive
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388
    [The organization shall conduct exercises and tests that taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties, § 8.5 ¶ 2 c)]
    Testing Preventive
    Review all third parties' continuity plan test results. CC ID 01365
    [The organization shall conduct evaluations of the business continuity capabilities of suppliers. § 8.3.1 ¶ 4]
    Testing Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Testing Detective
    Document the continuity plan test results and provide them to senior management. CC ID 06548
    [The organization shall conduct exercises and tests that produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements, § 8.5 ¶ 2 e)
    {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Actionable Reports or Measurements Preventive
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Testing Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Testing Detective
    Review and update the business continuity plan testing program, as necessary. CC ID 12994 Process or Activity Corrective
    Conduct external audits of the Business Continuity Plan testing program. CC ID 13216 Testing Detective
    Implement the continuity plan, as necessary. CC ID 10604
    [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3]
    Systems Continuity Corrective
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373
    [The response structure shall activate an appropriate business continuity response, § 8.4.2 ¶ 2 c)
    The business continuity plans shall collectively contain a process for activating the response, § 8.4.4 ¶ 2 b)
    {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3
    {processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)]
    Systems Continuity Corrective
    Maintain normal security levels when an emergency occurs. CC ID 06377 Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Systems Continuity Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240
    [Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1
    {BCMS plans} Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, responsibilities, and competencies for business continuity management, and - appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the BCMS. § 5.2 ¶ 2
    The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS. § 7.1 ¶ 1]
    Human Resources Management Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Establish/Maintain Documentation Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Human Resources Management Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Behavior Preventive
    Restore systems and environments to be operational. CC ID 13476 Systems Continuity Corrective
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Technical Security Preventive
    Monitor and evaluate business continuity management system performance. CC ID 12410
    [The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5
    {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Monitor and Evaluate Occurrences Detective
    Record business continuity management system performance for posterity. CC ID 12411
    [The procedures for monitoring performance shall provide for - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - monitoring compliance with this International Standard and the business continuity objectives, - monitoring historical evidence of deficient BCMS’ performance, and - recording data and results of monitoring and measurement to facilitate subsequent corrective actions. § 9.1.1 ¶ 5]
    Monitor and Evaluate Occurrences Preventive
  • Operational management
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish and maintain a positive information control environment. CC ID 00813
    [Persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS. § 5.1 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1
    Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3]
    Business Processes Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Behavior Preventive
    Establish and maintain an internal control framework. CC ID 00820 Establish/Maintain Documentation Preventive
    Assign resources to implement the internal control framework. CC ID 00816
    [The organization shall determine the resource requirements to implement the selected strategies. The types of resources considered shall include but not be limited to § 8.3.2 ¶ 1
    {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3]
    Business Processes Preventive
    Assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Establish Roles Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [The management review shall include consideration of opportunities for continual improvement. § 9.3 ¶ 2 d)
    {changes to operational processes} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to operational conditions and processes, § 9.3 ¶ 4 d) 3)]
    Establish/Maintain Documentation Preventive
    Establish and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [Persons doing work under the organization’s control shall be aware of the business continuity policy, § 7.3 ¶ 1 a)]
    Communicate Preventive
    Establish and maintain an Acceptable Use Policy. CC ID 01350
    [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Communicate Preventive
    Review and update the acceptable use policy, as necessary. CC ID 14276 Establish/Maintain Documentation Corrective
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Establish and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747
    [Persons doing work under the organization’s control shall be aware of the implications of not conforming with the BCMS requirements, and § 7.3 ¶ 1 c)
    When nonconformity occurs, the organization shall deal with the consequences. § 10.1 ¶ 1 b) 2]
    Process or Activity Corrective
    Establish and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include intrusion detection procedures in the Incident Management program. CC ID 00588
    [The organization shall establish, implement and maintain procedures for detecting an incident, § 8.4.3 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Categorize the incident following an incident response. CC ID 13208 Technical Security Preventive
    Define and document impact thresholds to be used in categorizing incidents. CC ID 10033
    [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)]
    Establish/Maintain Documentation Preventive
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Monitor and Evaluate Occurrences Corrective
    Identify root causes of incidents that force system changes. CC ID 13482 Investigate Detective
    Respond to and triage when a security incident is detected. CC ID 06942 Monitor and Evaluate Occurrences Detective
    Document the incident and any relevant evidence in the incident report. CC ID 08659
    [{procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)]
    Establish/Maintain Documentation Detective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Process or Activity Corrective
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Behavior Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Process or Activity Corrective
    Contain the incident to prevent further loss and preserve the system for forensic analysis. CC ID 01751 Process or Activity Corrective
    Refrain from accessing compromised systems. CC ID 01752 Technical Security Corrective
    Isolate compromised systems from the network. CC ID 01753 Technical Security Corrective
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Log Management Corrective
    Change passwords after a security incident has been detected. CC ID 06789 Technical Security Corrective
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Investigate Detective
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Establish/Maintain Documentation Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Establish/Maintain Documentation Detective
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Establish/Maintain Documentation Detective
    Assess all security incidents to determine what information was accessed. CC ID 01226 Testing Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Monitor and Evaluate Occurrences Corrective
    Analyze the incident response process following an incident response. CC ID 13179 Investigate Detective
    Create an incident response report following an incident response. CC ID 12700 Establish/Maintain Documentation Preventive
    Include any consequences to organizational reputation and confidence due to the security incident in the incident response report. CC ID 12728 Establish/Maintain Documentation Preventive
    Include the number of customers that were affected by the security incident in the incident response report. CC ID 12727 Establish/Maintain Documentation Preventive
    Include investments associated with the security incident in the incident response report. CC ID 12726 Establish/Maintain Documentation Preventive
    Include costs associated with the security incident in the incident response report. CC ID 12725 Establish/Maintain Documentation Preventive
    Include losses due to the security incident in the incident response report. CC ID 12724 Establish/Maintain Documentation Preventive
    Include a description of the impact the security incident had on customer service in the incident response report. CC ID 12735 Establish/Maintain Documentation Preventive
    Include foregone revenue from the security incident in the incident response report. CC ID 12723 Establish/Maintain Documentation Preventive
    Include the magnitude of the security incident in the incident response report. CC ID 12722 Establish/Maintain Documentation Preventive
    Include implications of the security incident in the incident response report. CC ID 12721 Establish/Maintain Documentation Preventive
    Include measures to prevent similar security incidents from occurring in the incident response report. CC ID 12720 Establish/Maintain Documentation Preventive
    Include breaches of regulatory requirements due to the security incident in the incident response report. CC ID 12719 Establish/Maintain Documentation Preventive
    Include information on all affected assets in the incident response report. CC ID 12718 Establish/Maintain Documentation Preventive
    Include the scope of the security incident in the incident response report. CC ID 12717 Establish/Maintain Documentation Preventive
    Include the duration of the security incident in the incident response report. CC ID 12716 Establish/Maintain Documentation Preventive
    Include the extent of the security incident in the incident response report. CC ID 12715 Establish/Maintain Documentation Preventive
    Include measures to mitigate the root causes of the security incident in the incident response report. CC ID 12714 Establish/Maintain Documentation Preventive
    Include the reasons the security incident occurred in the incident response report. CC ID 12711 Establish/Maintain Documentation Preventive
    Include the frequency of similar security incidents occurring in the incident response report. CC ID 12712 Establish/Maintain Documentation Preventive
    Include lessons learned from the security incident in the incident response report. CC ID 12713 Establish/Maintain Documentation Preventive
    Include where the security incident occurred in the incident response report. CC ID 12710 Establish/Maintain Documentation Preventive
    Include when the security incident occurred in the incident response report. CC ID 12709 Establish/Maintain Documentation Preventive
    Include corrective action taken to eradicate the security incident in the incident response report. CC ID 12708 Establish/Maintain Documentation Preventive
    Include a description of the impact the security incident had on regulatory compliance in the incident response report. CC ID 12704 Establish/Maintain Documentation Preventive
    Include a description of the impact the security incident had on operations in the incident response report. CC ID 12703 Establish/Maintain Documentation Preventive
    Include an executive summary of the security incident in the incident response report. CC ID 12702 Establish/Maintain Documentation Preventive
    Include a root cause analysis of the security incident in the incident response report. CC ID 12701 Establish/Maintain Documentation Preventive
    Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 Communicate Preventive
    Share incident information with interested personnel and affected parties. CC ID 01212
    [The response structure shall communicate with interested parties and authorities, as well as the media. § 8.4.2 ¶ 2 f)
    {procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)]
    Data and Information Management Corrective
    Share data loss event information with the media. CC ID 01759
    [The response structure shall communicate with interested parties and authorities, as well as the media. § 8.4.2 ¶ 2 f)
    The business continuity plans shall collectively contain details of the organization’s media response following an incident, including a communications strategy, § 8.4.4 ¶ 2 f) 1)
    The business continuity plans shall collectively contain details of the organization’s media response following an incident, including preferred interface with the media, § 8.4.4 ¶ 2 f) 2)
    The business continuity plans shall collectively contain details of the organization’s media response following an incident, including guideline or template for drafting a statement for the media, and § 8.4.4 ¶ 2 f) 3)
    The business continuity plans shall collectively contain details of the organization's media response following an incident, including § 8.4.4 ¶ 2 f)]
    Behavior Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Data and Information Management Preventive
    Share data loss event information with interconnected system owners. CC ID 01209 Establish/Maintain Documentation Corrective
    Report data loss event information to breach notification organizations. CC ID 01210 Data and Information Management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Log Management Detective
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Behavior Corrective
    Remediate security violations according to organizational standards. CC ID 12338 Business Processes Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364 Establish/Maintain Documentation Preventive
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Behavior Corrective
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Behavior Detective
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Behavior Corrective
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Establish/Maintain Documentation Preventive
    Avoid false positive incident response notifications. CC ID 04732 Behavior Detective
    Establish and maintain incident response notifications, as necessary. CC ID 12975 Establish/Maintain Documentation Corrective
    Refrain from charging for providing incident response notifications. CC ID 13876 Business Processes Preventive
    Include information required by law in incident response notifications. CC ID 00802 Establish/Maintain Documentation Detective
    Title breach notifications "Notice of Data Breach". CC ID 12977 Establish/Maintain Documentation Preventive
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Establish/Maintain Documentation Preventive
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Establish/Maintain Documentation Preventive
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Establish/Maintain Documentation Preventive
    Use plain language to write incident response notifications. CC ID 12976 Establish/Maintain Documentation Preventive
    Include directions for changing the user's password or security questions and answers in the breach notification. CC ID 12983 Establish/Maintain Documentation Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Establish/Maintain Documentation Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Establish/Maintain Documentation Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Establish/Maintain Documentation Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Establish/Maintain Documentation Preventive
    Include the date (or estimated date) the privacy breach was detected in incident response notifications. CC ID 04745 Establish/Maintain Documentation Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Establish/Maintain Documentation Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Establish/Maintain Documentation Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735 Establish/Maintain Documentation Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Establish/Maintain Documentation Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Establish/Maintain Documentation Preventive
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Establish/Maintain Documentation Preventive
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Establish/Maintain Documentation Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Establish/Maintain Documentation Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Establish/Maintain Documentation Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Establish/Maintain Documentation Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Establish/Maintain Documentation Preventive
    Include any consequences in the incident response notifications. CC ID 12604 Establish/Maintain Documentation Preventive
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Establish/Maintain Documentation Preventive
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Establish/Maintain Documentation Preventive
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Establish/Maintain Documentation Detective
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Communicate Corrective
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Business Processes Corrective
    Include contact information in incident response notifications. CC ID 04739 Establish/Maintain Documentation Preventive
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Communicate Preventive
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Behavior Corrective
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Behavior Corrective
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Behavior Corrective
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Behavior Corrective
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Behavior Preventive
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Establish/Maintain Documentation Preventive
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Behavior Preventive
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Behavior Corrective
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Behavior Preventive
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Behavior Corrective
    Notify interested personnel and affected parties of the privacy breach about any recovered personal data. CC ID 13347 Communicate Corrective
    Establish and maintain a containment strategy. CC ID 13480 Establish/Maintain Documentation Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Establish/Maintain Documentation Preventive
    Include response times in the containment strategy. CC ID 13485 Establish/Maintain Documentation Preventive
    Include incident recovery procedures in the Incident Management program. CC ID 01758
    [The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis. § 8.4.1 ¶ 1]
    Establish/Maintain Documentation Corrective
    Include a containment strategy in the Incident Management program. CC ID 13478 Establish/Maintain Documentation Corrective
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Technical Security Corrective
    Eradicate the cause of the security incident after the security incident has been contained. CC ID 01757 Business Processes Corrective
    Establish and maintain a restoration log. CC ID 12745 Establish/Maintain Documentation Preventive
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Human Resources Management Corrective
    Establish and maintain compromised system reaccreditation procedures. CC ID 00592 Establish/Maintain Documentation Preventive
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Monitor and Evaluate Occurrences Detective
    Re-image compromised systems with secure builds. CC ID 12086 Technical Security Corrective
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Establish/Maintain Documentation Preventive
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Monitor and Evaluate Occurrences Preventive
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Investigate Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233
    [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)
    {update of the business impact analysis} {update of the business continuity plans} {update of the related procedures} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: update of the risk assessment, business impact analysis, business continuity plans and related procedures; § 9.3 ¶ 4 c)]
    Establish/Maintain Documentation Preventive
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [The organization shall establish, implement and maintain procedures for regular monitoring of an incident, § 8.4.3 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Include incident response procedures in the Incident Management program. CC ID 01218
    [The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to § 8.4.4 ¶ 2 c)
    The business continuity plans shall collectively contain details to manage the immediate consequences of a disruptive incident giving due regard to strategic, tactical and operational options for responding to the disruption, and § 8.4.4 ¶ 2 c) 2)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain incident management audit logs. CC ID 13514 Records Management Preventive
    Log incidents in the Incident Management audit log. CC ID 00857 Establish/Maintain Documentation Preventive
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238
    [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)]
    Log Management Corrective
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234
    [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)]
    Log Management Preventive
    Establish and maintain an Incident Response program. CC ID 00579
    [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)
    {incident response procedure} The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. § 8.4.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 Acquisition/Sale of Assets or Services Preventive
    Define target resolution times for incident response in the Incident Response program. CC ID 13072 Establish/Maintain Documentation Preventive
    Analyze and respond to security alerts. CC ID 12504 Business Processes Detective
    Mitigate reported incidents. CC ID 12973 Actionable Reports or Measurements Preventive
    Establish and maintain an incident response plan. CC ID 12056 Establish/Maintain Documentation Preventive
    Include addressing external communications in the incident response plan. CC ID 13351 Establish/Maintain Documentation Preventive
    Include addressing internal communications in the incident response plan. CC ID 13350 Establish/Maintain Documentation Preventive
    Include addressing information sharing in the incident response plan. CC ID 13349 Establish/Maintain Documentation Preventive
    Include dynamic reconfiguration in the incident response plan. CC ID 14306 Establish/Maintain Documentation Preventive
    Include a definition of reportable incidents in the incident response plan. CC ID 14303 Establish/Maintain Documentation Preventive
    Include the management support needed for incident response in the incident response plan. CC ID 14300 Establish/Maintain Documentation Preventive
    Include how incident response fits into the organization in the incident response plan. CC ID 14294 Establish/Maintain Documentation Preventive
    Include the resources needed for incident response in the incident response plan. CC ID 14292 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a cyber incident response plan. CC ID 13286 Establish/Maintain Documentation Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237
    [The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident. § 8.4.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [The business continuity plans shall collectively contain defined roles and responsibilities for people and teams having authority during and following an incident, § 8.4.4 ¶ 2 a)
    {incident response procedure} The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them. § 8.4.4 ¶ 1]
    Establish Roles Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Establish Roles Preventive
    Open a priority incident request after a security breach is detected. CC ID 04838 Testing Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Testing Corrective
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Communicate Corrective
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Establish Roles Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Establish Roles Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Establish Roles Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Establish Roles Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Establish Roles Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Establish Roles Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Establish Roles Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885
    [The business continuity plans shall collectively contain details of the organization’s media response following an incident, including appropriate spokespeople; § 8.4.4 ¶ 2 f) 4]
    Establish Roles Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Establish Roles Preventive
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Human Resources Management Preventive
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Investigate Detective
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Establish/Maintain Documentation Preventive
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Communicate Preventive
    Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 Establish/Maintain Documentation Preventive
    Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789
    [The organization shall identify and document the following: the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident; § 4.1 ¶ 3 a)
    The organization shall take into account interested parties’ needs and interests, such as customers, investors, shareholders, the supply chain, public and/or community input and needs, expectations and interests (as appropriate), and § 4.3.2 ¶ 1 d)]
    Establish/Maintain Documentation Preventive
    Include identifying remediation actions in the incident response plan. CC ID 13354 Establish/Maintain Documentation Preventive
    Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 Establish/Maintain Documentation Preventive
    Include coverage of all system components in the Incident Response program. CC ID 11955 Establish/Maintain Documentation Preventive
    Prepare for incident response notifications. CC ID 00584 Establish/Maintain Documentation Preventive
    Include incident response team services in the Incident Response program. CC ID 11766
    [The business continuity plans shall collectively contain defined roles and responsibilities for people and teams having authority during and following an incident, § 8.4.4 ¶ 2 a)]
    Establish/Maintain Documentation Preventive
    Include the incident response training program in the Incident Response program. CC ID 06750 Establish/Maintain Documentation Preventive
    Incorporate simulated events into the incident response training program. CC ID 06751 Behavior Preventive
    Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 Behavior Preventive
    Conduct incident response training. CC ID 11889 Training Preventive
    Establish, implement, and maintain an incident response policy. CC ID 14024 Establish/Maintain Documentation Preventive
    Review and update the incident response policy, as necessary. CC ID 14134 Establish/Maintain Documentation Corrective
    Include compliance requirements in the incident response policy. CC ID 14108 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the incident response policy. CC ID 14107 Establish/Maintain Documentation Preventive
    Include management commitment in the incident response policy. CC ID 14106 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the incident response policy. CC ID 14105 Establish/Maintain Documentation Preventive
    Include the scope in the incident response policy. CC ID 14104 Establish/Maintain Documentation Preventive
    Include the purpose in the incident response policy. CC ID 14101 Establish/Maintain Documentation Preventive
    Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 Communicate Preventive
    Establish and maintain incident response procedures. CC ID 01206
    [The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident. § 8.4.1 ¶ 2
    The procedures shall be specific regarding the immediate steps that are to be taken during a disruption, § 8.4.1 ¶ 3 b)
    The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident. § 8.4.2 ¶ 1
    {processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)]
    Establish/Maintain Documentation Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Establish/Maintain Documentation Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949
    [{internal conditions} The procedures shall be flexible to respond to unanticipated threats and changing internal and external conditions, § 8.4.1 ¶ 3 c)]
    Establish/Maintain Documentation Preventive
    Automatically respond when an integrity violation is detected. CC ID 10678 Technical Security Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Technical Security Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Technical Security Corrective
    Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 Behavior Preventive
    Include business continuity procedures in the Incident Response program. CC ID 06433
    [The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis. § 8.4.1 ¶ 1
    {internal conditions} The procedures shall be flexible to respond to unanticipated threats and changing internal and external conditions, § 8.4.1 ¶ 3 c)]
    Establish/Maintain Documentation Preventive
    Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 Establish/Maintain Documentation Preventive
    Include consumer protection procedures in the Incident Response program. CC ID 12755 Systems Continuity Preventive
    Include the reimbursement of customers for financial losses due to security incidents in the Incident Response program. CC ID 12756 Business Processes Preventive
    Establish trust between the incident response team and the end user community during a security incident. CC ID 01217 Testing Detective
    Include business recovery procedures in the Incident Response program. CC ID 11774 Establish/Maintain Documentation Preventive
    Establish and maintain a digital forensic evidence framework. CC ID 08652 Establish/Maintain Documentation Preventive
    Retain collected evidence for potential future legal actions. CC ID 01235 Records Management Preventive
    Protect devices containing digital forensic evidence during transport. CC ID 08687 Investigate Detective
    Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 Investigate Detective
    Establish and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 Establish/Maintain Documentation Detective
    Define the business scenarios that require digital forensic evidence. CC ID 08653 Establish/Maintain Documentation Preventive
    Define the circumstances for collecting digital forensic evidence. CC ID 08657 Establish/Maintain Documentation Preventive
    Conduct forensic investigations in the event of a security compromise. CC ID 11951 Investigate Corrective
    Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 Communicate Detective
    Identify potential sources of digital forensic evidence. CC ID 08651 Investigate Preventive
    Document the legal requirements for evidence collection. CC ID 08654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 Records Management Preventive
    Prepare digital forensic equipment. CC ID 08688 Investigate Detective
    Use digital forensic equipment suitable to the circumstances. CC ID 08690 Investigate Detective
    Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 Investigate Detective
    Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 Establish/Maintain Documentation Detective
    Test the operation of the digital forensic equipment prior to use. CC ID 08694 Testing Detective
    Maintain digital forensic equipment for proper performance. CC ID 08689 Investigate Detective
    Collect evidence from the incident scene. CC ID 02236 Business Processes Corrective
    Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 Establish/Maintain Documentation Detective
    Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 Establish/Maintain Documentation Detective
    Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 Establish/Maintain Documentation Detective
    Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 Establish/Maintain Documentation Detective
    Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 Establish/Maintain Documentation Detective
    Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 Investigate Detective
    Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 Investigate Detective
    Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 Investigate Detective
    Secure devices containing digital forensic evidence. CC ID 08681 Investigate Detective
    Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 Investigate Detective
    Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 Investigate Detective
    Create a system image of the device before collecting digital forensic evidence. CC ID 08673 Investigate Detective
    Shut down stand-alone devices containing digital forensic evidence. CC ID 08682 Investigate Detective
    Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 Investigate Detective
    Place evidence tape over devices containing digital forensic evidence. CC ID 08683 Investigate Detective
    Review and update the incident response procedures after a security incident has been closed. CC ID 01208
    [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215
    [{processes, and procedures for the activation of the response} {processes, and procedures for the operation of the response} {processes, and procedures for the coordination of the response} {processes, and procedures for the communication of the response} The response structure shall have processes, and procedures for the activation, operation, coordination, and communication of the response, § 8.4.2 ¶ 2 d)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306
    [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)]
    Actionable Reports or Measurements Preventive
    Test the incident response procedures. CC ID 01216 Testing Detective
    Establish and maintain a performance management standard. CC ID 01615
    [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)]
    Establish/Maintain Documentation Preventive
    Establish and maintain future system performance forecasting methods. CC ID 11775 Business Processes Preventive
    Use proactive performance management. CC ID 00937 Business Processes Detective
    Utilize resource availability management controls. CC ID 00940 Business Processes Detective
    Establish and maintain a remediation plan for deviations in the resource management process. CC ID 13679 Establish/Maintain Documentation Preventive
    Follow the maintenance schedule. CC ID 11791 Maintenance Preventive
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Business Processes Preventive
    Establish and maintain system capacity monitoring procedures. CC ID 01619 Establish/Maintain Documentation Preventive
    Establish and maintain system performance monitoring procedures. CC ID 11752
    [{methods for measurement} {methods for analysis} {methods for evaluation} The organization shall determine the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results, § 9.1.1 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a cost management program. CC ID 13638 Establish/Maintain Documentation Preventive
    Establish and maintain cost management procedures. CC ID 00873
    [{funding requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to funding and budget requirements; and § 9.3 ¶ 4 d) 8)]
    Business Processes Detective
    Update the business cases for cost management procedures, as necessary. CC ID 13642 Business Processes Preventive
    Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 Investigate Detective
    Identify deviations in cost management procedures. CC ID 13640 Investigate Detective
    Identify and allocate departmental costs. CC ID 00871 Business Processes Detective
    Prepare an Information Technology budget, as necessary. CC ID 00872
    [{funding requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to funding and budget requirements; and § 9.3 ¶ 4 d) 8)]
    Establish/Maintain Documentation Detective
    Review and approve the Information Technology budget. CC ID 13644 Business Processes Corrective
    Update the Information Technology budget, as necessary. CC ID 13643 Business Processes Corrective
    Establish and maintain a change control program. CC ID 00886
    [{business requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to business and operational requirements, § 9.3 ¶ 4 d) 1)
    {changes to security requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to risk reduction and security requirements, § 9.3 ¶ 4 d) 2)
    {results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include version control in the change control program. CC ID 13119 Establish/Maintain Documentation Preventive
    Include service design and transition in the change control program. CC ID 13920 Establish/Maintain Documentation Preventive
    Separate the production environment from the development environment or test environment for the change control process. CC ID 11864 Maintenance Preventive
    Integrate configuration management procedures into the change control program. CC ID 13646 Technical Security Preventive
    Establish and maintain a back-out plan. CC ID 13623 Establish/Maintain Documentation Preventive
    Establish back-out procedures for each proposed change in a change request. CC ID 00373 Establish/Maintain Documentation Preventive
    Review and approve back-out plans, as necessary. CC ID 13627 Establish/Maintain Documentation Corrective
    Manage change requests. CC ID 00887
    [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2
    The management review shall include consideration of changes in external and internal issues that are relevant to the business continuity management system, § 9.3 ¶ 2 b)]
    Business Processes Preventive
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Establish/Maintain Documentation Preventive
    Establish and maintain a change request approver list. CC ID 06795 Establish/Maintain Documentation Preventive
    Document all change requests in change request forms. CC ID 06794 Establish/Maintain Documentation Preventive
    Test proposed changes prior to their approval. CC ID 00548 Testing Detective
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Business Processes Detective
    Approve tested change requests. CC ID 11783 Data and Information Management Preventive
    Validate the system before implementing approved changes. CC ID 01510 Systems Design, Build, and Implementation Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Behavior Preventive
    Establish and maintain emergency change procedures. CC ID 00890 Establish/Maintain Documentation Preventive
    Perform emergency changes, as necessary. CC ID 12707 Process or Activity Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Process or Activity Preventive
    Log emergency changes after they have been performed. CC ID 12733 Establish/Maintain Documentation Preventive
    Perform risk assessments prior to approving change requests. CC ID 00888 Testing Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Process or Activity Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Investigate Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Investigate Detective
    Implement changes according to the change control program. CC ID 11776
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Business Processes Preventive
    Provide audit trails for all approved changes. CC ID 13120 Establish/Maintain Documentation Preventive
    Establish and maintain a patch management program. CC ID 00896 Process or Activity Preventive
    Document the sources of all software updates. CC ID 13316 Establish/Maintain Documentation Preventive
    Implement patch management software, as necessary. CC ID 12094 Technical Security Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Technical Security Preventive
    Establish and maintain a patch log. CC ID 01642 Establish/Maintain Documentation Preventive
    Review the patch log for missing patches. CC ID 13186 Technical Security Detective
    Perform a patch test prior to deploying a patch. CC ID 00898 Testing Detective
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Business Processes Preventive
    Deploy software patches. CC ID 07032 Configuration Corrective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Testing Detective
    Patch software. CC ID 11825 Technical Security Corrective
    Patch the operating system, as necessary. CC ID 11824 Technical Security Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Configuration Corrective
    Remove outdated software after software has been updated. CC ID 11792 Configuration Corrective
    Update computer firmware, as necessary. CC ID 11755 Configuration Corrective
    Review changes to computer firmware. CC ID 12226 Testing Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Testing Detective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Configuration Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Technical Security Detective
    Establish and maintain a software release policy. CC ID 00893 Establish/Maintain Documentation Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Behavior Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Data and Information Management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Business Processes Corrective
    Establish and maintain approved change acceptance testing procedures. CC ID 06391 Establish/Maintain Documentation Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Testing Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Testing Detective
    Establish and maintain a change acceptance testing log. CC ID 06392 Establish/Maintain Documentation Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Establish/Maintain Documentation Preventive
    Establish and maintain a configuration change log. CC ID 08710 Configuration Detective
    Review the configuration change log. CC ID 11754 Configuration Detective
    Document approved configuration deviations. CC ID 08711 Establish/Maintain Documentation Corrective
    Document the organization's local environments. CC ID 06726
    [When determining this scope, the organization shall consider — the external and internal issues referred to in 4.1, and — the requirements referred to in 4.2. § 4.3.1 ¶ 2
    When planning for the BCMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to - ensure the management system can achieve its intended outcome(s), - prevent, or reduce, undesired effects, - achieve continual improvement. § 6.1 ¶ 1
    evaluate the effectiveness of these actions (see 9.1). § 6.1 ¶ 2 b) 2)
    To achieve its business continuity objectives, the organization shall determine — who will be responsible, — what will be done, — what resources will be required, — when it will be completed, and — how the results will be evaluated. § 6.2 ¶ 4
    These issues shall be taken into account when establishing, implementing and maintaining the organization's BCMS. § 4.1 ¶ 2
    buildings, work environment and associated utilities, § 8.3.2 ¶ 1 c)
    facilities, equipment and consumables, § 8.3.2 ¶ 1 d)
    information and communication technology (ICT) systems, § 8.3.2 ¶ 1 e)
    transportation, § 8.3.2 ¶ 1 f)
    people, § 8.3.2 ¶ 1 a)
    information and data, § 8.3.2 ¶ 1 b)
    finance, and § 8.3.2 ¶ 1 g)
    partners and suppliers. § 8.3.2 ¶ 1 h)]
    Establish/Maintain Documentation Preventive
    Establish and maintain local environment security profiles. CC ID 07037 Establish/Maintain Documentation Preventive
    Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 Establish/Maintain Documentation Preventive
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 Establish/Maintain Documentation Preventive
    Include the technology used in the local environment in the local environment security profile. CC ID 07040 Establish/Maintain Documentation Preventive
    Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 Establish/Maintain Documentation Preventive
    Include facility information for the local environment in the local environment security profile. CC ID 07042 Establish/Maintain Documentation Preventive
    Include facility access information for the local environment in the local environment security profile. CC ID 11773 Establish/Maintain Documentation Preventive
    Update the local environment security profile, as necessary. CC ID 07043 Establish/Maintain Documentation Preventive
  • Physical and environmental protection
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish and maintain an environmental control program. CC ID 00724 Physical and Environmental Protection Preventive
    Establish and maintain environmental control procedures. CC ID 12246
    [{internal conditions} The procedures shall be flexible to respond to unanticipated threats and changing internal and external conditions, § 8.4.1 ¶ 3 c)]
    Establish/Maintain Documentation Preventive
  • Records management
    132
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 Establish/Maintain Documentation Detective
    Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393
    [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish and maintain form disposition procedures. CC ID 06394 Establish/Maintain Documentation Preventive
    Establish and maintain a record classification scheme. CC ID 00914 Establish/Maintain Documentation Preventive
    Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662
    [When creating and updating documented information, the organization shall ensure appropriate identification and description, § 7.5.2 ¶ 1 a)]
    Records Management Preventive
    Establish and maintain Records Management procedures. CC ID 00919 Establish/Maintain Documentation Preventive
    Establish and maintain document retention procedures. CC ID 11660
    [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish and maintain a data retention program. CC ID 00906 Establish/Maintain Documentation Detective
    Select the appropriate format for archived data and records. CC ID 06320
    [{appropriate media} When creating and updating documented information, the organization shall ensure appropriate format and media, and review and approval for suitability and adequacy. § 7.5.2 ¶ 1 b)]
    Data and Information Management Preventive
    Determine how long to keep records and logs before disposing of them. CC ID 11661 Process or Activity Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [The organization shall retain documented information on the business continuity policy. § 5.3 ¶ 3
    The organization shall retain documented information on the business continuity objectives. § 6.2 ¶ 3
    The organization shall retain appropriate documented information as evidence of the results. § 9.1.1 ¶ 2
    {actions to address risks and opportunities} The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 1 c)
    {adverse results} Additionally, the organization shall — take action when necessary to address adverse trends or results before a nonconformity occurs, and — retain relevant documented information as evidence of the results. § 9.1.1 ¶ 4
    The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 5
    The organization shall retain documented information as evidence of - the nature of the nonconformities and any subsequent actions taken, and - the results of any corrective action. § 10.1 ¶ 3]
    Records Management Preventive
    Define each system's disposition requirements for records and logs. CC ID 11651 Process or Activity Preventive
    Establish and maintain records disposition procedures. CC ID 00971
    [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Manage the disposition status for all records. CC ID 00972 Records Management Preventive
    Use a second person to confirm and sign off that manually deleted data was deleted. CC ID 12313 Data and Information Management Preventive
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 Records Management Preventive
    Place printed records awaiting destruction into secure containers. CC ID 12464 Physical and Environmental Protection Preventive
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Physical and Environmental Protection Preventive
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Data and Information Management Preventive
    Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 Establish/Maintain Documentation Preventive
    Maintain disposal records or redeployment records. CC ID 01644 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Protect records from loss in accordance with applicable requirements. CC ID 12007
    [Documented information required by the BCMS and by this International Standard shall be controlled to ensure it is adequately protected. § 7.5.3 ¶ 1 b)]
    Records Management Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912
    [Documented information required by the BCMS and by this International Standard shall be controlled to ensure it is available and suitable for use, where and when it is needed, § 7.5.3 ¶ 1 a)]
    Records Management Detective
    Establish and maintain authorization records. CC ID 14367 Establish/Maintain Documentation Preventive
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Establish/Maintain Documentation Preventive
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Establish/Maintain Documentation Preventive
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Establish/Maintain Documentation Preventive
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Data and Information Management Detective
    Establish and maintain electronic health records. CC ID 14436 Data and Information Management Preventive
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Data and Information Management Preventive
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records Management Preventive
    Display required information automatically in electronic health records. CC ID 14442 Process or Activity Preventive
    Create summary of care records in accordance with applicable standards. CC ID 14440 Establish/Maintain Documentation Preventive
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Actionable Reports or Measurements Preventive
    Create export summaries, as necessary. CC ID 14446 Process or Activity Preventive
    Import data files into a patient's electronic health record. CC ID 14448 Data and Information Management Preventive
    Export requested sections of the electronic health record. CC ID 14447 Data and Information Management Preventive
    Identify patient-specific education resources. CC ID 14439 Process or Activity Detective
    Establish and maintain an implantable device list. CC ID 14444 Records Management Preventive
    Display the implantable device list to authorized users. CC ID 14445 Data and Information Management Preventive
    Implement a clinical decision support system. CC ID 14443 Business Processes Preventive
    Log records as being received into the recordkeeping system. CC ID 11696 Records Management Preventive
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Log Management Preventive
    Log the date and time each item is made available into the recordkeeping system. CC ID 11710 Log Management Preventive
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Establish/Maintain Documentation Preventive
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Log Management Preventive
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Log Management Preventive
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Log Management Preventive
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Log Management Preventive
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Log Management Preventive
    Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 Log Management Preventive
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Log Management Preventive
    Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 Log Management Preventive
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Log Management Preventive
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Log Management Preventive
    Log performance monitoring into the recordkeeping system. CC ID 11724 Log Management Preventive
    Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 Log Management Preventive
    Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 Log Management Preventive
    Establish and maintain a current transfer journal. CC ID 11729 Records Management Preventive
    Log any notices filed by the organization into the recordkeeping system. CC ID 11725 Log Management Preventive
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Log Management Preventive
    Log the date each certificate is made available to the presentor into the recordkeeping system. CC ID 11720 Log Management Preventive
    Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 Log Management Preventive
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records Management Preventive
    Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 Log Management Preventive
    Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 Log Management Preventive
    Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 Log Management Preventive
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Data and Information Management Detective
    Include record integrity techniques in the Records Management procedures. CC ID 06418
    [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Note in electronic records converted from printed records, the location of the original. CC ID 11809 Records Management Preventive
    Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 Establish/Maintain Documentation Preventive
    Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 Business Processes Preventive
    Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 Business Processes Preventive
    Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 Business Processes Preventive
    Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 Business Processes Preventive
    Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 Records Management Preventive
    Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 Business Processes Preventive
    Establish and maintain electronic storage media management procedures. CC ID 00931
    [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security label procedures for records and storage media. CC ID 06747 Establish/Maintain Documentation Preventive
    Label restricted storage media appropriately. CC ID 00966 Data and Information Management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records Management Detective
    Establish and maintain restricted material identification procedures. CC ID 01889 Establish/Maintain Documentation Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Establish/Maintain Documentation Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Establish/Maintain Documentation Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Establish/Maintain Documentation Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Establish/Maintain Documentation Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Establish/Maintain Documentation Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Data and Information Management Preventive
    Establish and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Technical Security Preventive
    Establish the minimum originator requirements for security labels. CC ID 06579 Establish/Maintain Documentation Preventive
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Establish/Maintain Documentation Preventive
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Establish/Maintain Documentation Preventive
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Establish/Maintain Documentation Preventive
    Establish and maintain access controls for all records. CC ID 00371
    [When establishing control of documented information, the organization shall ensure that there is adequate protection for the documented information. § 7.5.3 ¶ 4
    For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2]
    Records Management Preventive
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Data and Information Management Preventive
    Establish and maintain a records lifecycle management program. CC ID 00951 Establish/Maintain Documentation Preventive
    Establish and maintain information preservation procedures. CC ID 06277
    [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Implement and maintain high availability storage, as necessary. CC ID 00952 Technical Security Preventive
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records Management Preventive
    Implement and maintain duplicate originals of record indexes. CC ID 00954 Records Management Preventive
    Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 Records Management Preventive
    Establish and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Establish/Maintain Documentation Preventive
    Establish and maintain online storage monitoring and reporting capabilities. CC ID 00935 Monitor and Evaluate Occurrences Detective
    Establish and maintain online storage controls. CC ID 00942 Technical Security Preventive
    Establish and maintain security controls appropriate to the record types and electronic storage media in use. CC ID 00943 Records Management Preventive
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Testing Detective
    Provide encryption for different types of electronic storage media. CC ID 00945 Technical Security Preventive
    Implement electronic storage media integrity controls. CC ID 00946 Configuration Preventive
    Automate electronic storage media integrity check controls. CC ID 00948 Configuration Preventive
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Configuration Preventive
    Provide audit trails for all pertinent records. CC ID 00372 Establish/Maintain Documentation Detective
    Establish and maintain a removable storage media log. CC ID 12317 Log Management Preventive
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Establish/Maintain Documentation Preventive
    Include the date and time in the removable storage media log. CC ID 12318 Establish/Maintain Documentation Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Establish/Maintain Documentation Preventive
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Establish/Maintain Documentation Preventive
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Establish/Maintain Documentation Preventive
    Include the sender's name in the removable storage media log. CC ID 12752 Establish/Maintain Documentation Preventive
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Establish/Maintain Documentation Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316 Establish/Maintain Documentation Preventive
    Establish and maintain storage media downgrading procedures. CC ID 10619 Process or Activity Preventive
    Identify electronic storage media that require downgrading. CC ID 10620 Process or Activity Detective
    Downgrade electronic storage media, as necessary. CC ID 10621 Process or Activity Corrective
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Establish/Maintain Documentation Preventive
    Test the storage media downgrade for correct performance. CC ID 10623 Testing Detective
    Establish and maintain an e-discovery program. CC ID 00976 Establish/Maintain Documentation Preventive
    Establish and maintain a document retrieval system to use during e-discovery. CC ID 00985
    [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2]
    Systems Design, Build, and Implementation Preventive
    Establish and maintain e-discovery collection and production procedures. CC ID 00986 Establish/Maintain Documentation Preventive
  • Third Party and supply chain oversight (141 controls)
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    [The organization shall ensure that outsourced processes are controlled. § 8.1 ¶ 3]
    Establish and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 Establish/Maintain Documentation Preventive
    Terminate supplier relationships, as necessary. CC ID 13489 Business Processes Corrective
    Document and maintain supply chain processes. CC ID 08816 Establish/Maintain Documentation Preventive
    Include contingency plans in the third party management plan. CC ID 10030 Establish/Maintain Documentation Preventive
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 Systems Continuity Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements, as necessary. CC ID 00794 Process or Activity Detective
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Establish/Maintain Documentation Preventive
    Establish software exchange agreements with all third parties. CC ID 11615 Establish/Maintain Documentation Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Establish/Maintain Documentation Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Establish/Maintain Documentation Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Establish/Maintain Documentation Preventive
    Establish and maintain rules of engagement with third parties. CC ID 13994 Establish/Maintain Documentation Preventive
    Establish information flow agreements with all third parties. CC ID 04543 Establish/Maintain Documentation Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Establish/Maintain Documentation Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Establish/Maintain Documentation Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Establish/Maintain Documentation Preventive
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 Establish/Maintain Documentation Preventive
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Establish/Maintain Documentation Preventive
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Establish/Maintain Documentation Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Establish/Maintain Documentation Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 Business Processes Preventive
    Include text about data ownership in third party contracts. CC ID 06502 Establish/Maintain Documentation Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Establish/Maintain Documentation Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487 Establish/Maintain Documentation Preventive
    Include text that signatories must meet organizational compliance requirements in third party contracts. CC ID 06506 Establish/Maintain Documentation Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Establish/Maintain Documentation Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Establish/Maintain Documentation Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Establish/Maintain Documentation Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Establish/Maintain Documentation Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Establish/Maintain Documentation Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Establish/Maintain Documentation Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Establish/Maintain Documentation Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Establish/Maintain Documentation Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Establish/Maintain Documentation Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Establish/Maintain Documentation Preventive
    Include a reporting structure in third party contracts. CC ID 06532 Establish/Maintain Documentation Preventive
    Include points of contact in third party contracts. CC ID 12355 Establish/Maintain Documentation Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Establish/Maintain Documentation Preventive
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 Establish/Maintain Documentation Preventive
    Include Service Level Agreements in third party contracts. CC ID 06511 Establish/Maintain Documentation Preventive
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Establish Roles Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Establish/Maintain Documentation Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 Establish/Maintain Documentation Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Establish/Maintain Documentation Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Establish/Maintain Documentation Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 Establish/Maintain Documentation Preventive
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722 Establish/Maintain Documentation Preventive
    Include change control clauses in third party contracts, as necessary. CC ID 06523 Establish/Maintain Documentation Preventive
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 Establish/Maintain Documentation Preventive
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Establish/Maintain Documentation Preventive
    Include change control notification processes in third party contracts. CC ID 06524 Establish/Maintain Documentation Preventive
    Include cost structure changes in third party contracts. CC ID 10021 Establish/Maintain Documentation Preventive
    Include a choice of venue clause in third party contracts. CC ID 06520 Establish/Maintain Documentation Preventive
    Include a dispute resolution clause in third party contracts. CC ID 06519 Establish/Maintain Documentation Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Establish/Maintain Documentation Preventive
    Include a termination provision clause in third party contracts. CC ID 01367 Establish/Maintain Documentation Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526 Establish/Maintain Documentation Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Establish/Maintain Documentation Preventive
    Include termination costs in third party contracts. CC ID 10023 Establish/Maintain Documentation Preventive
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Establish/Maintain Documentation Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Establish/Maintain Documentation Preventive
    Include a usage limitation of personal data clause in third party contracts. CC ID 13026 Establish/Maintain Documentation Preventive
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Testing Detective
    Establish and maintain third party transaction authentication procedures. CC ID 00791 Establish/Maintain Documentation Preventive
    Include third party acknowledgement of their data protection responsibilities in third party contracts. CC ID 01364 Testing Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Testing Detective
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Establish/Maintain Documentation Preventive
    Establish the third party's service continuity. CC ID 00797 Testing Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Testing Detective
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Data and Information Management Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Testing Detective
    Include disclosure requirements in third party contracts. CC ID 08825 Business Processes Preventive
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Establish/Maintain Documentation Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Establish/Maintain Documentation Preventive
    Establish and maintain a Third Party Service Provider list. CC ID 12480 Establish/Maintain Documentation Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429 Establish/Maintain Documentation Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Establish/Maintain Documentation Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Communicate Preventive
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Establish/Maintain Documentation Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Establish/Maintain Documentation Preventive
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 Establish/Maintain Documentation Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Establish/Maintain Documentation Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Establish/Maintain Documentation Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Establish/Maintain Documentation Preventive
    Document supply chain transactions in the supply chain management program. CC ID 08857 Business Processes Preventive
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Establish/Maintain Documentation Preventive
    Document supply chain dependencies for delivering critical services or critical functions in the supply chain management program. CC ID 08900 Establish/Maintain Documentation Detective
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Establish/Maintain Documentation Preventive
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Physical and Environmental Protection Preventive
    Establish and maintain Operational Level Agreements, as necessary. CC ID 13637 Establish/Maintain Documentation Preventive
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Establish/Maintain Documentation Preventive
    Establish and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 Process or Activity Preventive
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 Establish/Maintain Documentation Detective
    Review and approve all Service Level Agreements. CC ID 00843 Establish/Maintain Documentation Detective
    [The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to contractual obligations, § 9.3 ¶ 4 d) 5)]
    Review all contracts. CC ID 11612 Establish/Maintain Documentation Preventive
    Track all chargeable items in Service Level Agreements. CC ID 11616 Business Processes Detective
    Document all chargeable items in Service Level Agreements. CC ID 00844 Establish/Maintain Documentation Detective
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Business Processes Corrective
    Categorize all suppliers in the supply chain management program. CC ID 00792 Establish/Maintain Documentation Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811 Establish/Maintain Documentation Preventive
    Perform a risk assessment prior to engaging a third party. CC ID 06454 Testing Detective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Business Processes Preventive
    [The business impact analysis shall include the following: identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties. § 8.2.2 ¶ 2 d)]
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Establish/Maintain Documentation Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Establish/Maintain Documentation Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Business Processes Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Establish/Maintain Documentation Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 Establish/Maintain Documentation Preventive
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 Audits and Risk Management Detective
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Establish/Maintain Documentation Preventive
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 Business Processes Preventive
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Human Resources Management Preventive
    Include supplier assessment principles in the supply chain management policy. CC ID 08809 Establish/Maintain Documentation Preventive
    Include the third party selection process in the supply chain management policy. CC ID 13132 Establish/Maintain Documentation Preventive
    Select suppliers based on their qualifications. CC ID 00795 Establish/Maintain Documentation Preventive
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 Establish/Maintain Documentation Preventive
    Include a clear management process in the supply chain management policy. CC ID 08810 Establish/Maintain Documentation Preventive
    Include third party due diligence standards in the supply chain management policy. CC ID 08812 Establish/Maintain Documentation Preventive
    Require suppliers to commit to the supply chain management policy. CC ID 08813 Establish/Maintain Documentation Preventive
    Support third parties in building their capabilities. CC ID 08814 Business Processes Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815 Business Processes Preventive
    Post a list of compliant third parties on the organization's website. CC ID 08817 Business Processes Preventive
    Use third parties that are compliant with the applicable requirements. CC ID 08818 Business Processes Preventive
    Establish and maintain a conflict minerals policy. CC ID 08943 Establish/Maintain Documentation Preventive
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Establish/Maintain Documentation Preventive
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Establish/Maintain Documentation Preventive
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Establish/Maintain Documentation Preventive
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Establish/Maintain Documentation Preventive
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Establish/Maintain Documentation Preventive
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Data and Information Management Preventive
    Establish and maintain a conflict materials report. CC ID 08823 Establish/Maintain Documentation Preventive
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Establish/Maintain Documentation Preventive
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Establish/Maintain Documentation Preventive
    Identify supply sources for secondary materials. CC ID 08822 Business Processes Preventive
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Business Processes Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Business Processes Preventive
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077 Business Processes Detective
    [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Review third parties' backup policies. CC ID 13043 Systems Continuity Detective
Common Controls and mandates by Type

186 Mandated Controls - bold    70 Implied Controls - italic    1422 Implementation Controls - regular

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls: 1678 Total
  • Acquisition/Sale of Assets or Services (4 controls)
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Preventive
    Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 Operational and Systems Continuity Preventive
    Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 Operational management Preventive
  • Actionable Reports or Measurements (144 controls)
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Leadership and high level objectives Preventive
    Include a Statement on the Level of Compliance in the tactical Information Technology plan. CC ID 06842 Audits and risk management Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Preventive
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Audits and risk management Preventive
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Detective
    Report on the percentage of key Information Technology assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Detective
    Report on the policies and controls that have been implemented by management. CC ID 01670 Monitoring and measurement Detective
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Monitoring and measurement Detective
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Monitoring and measurement Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Detective
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Monitoring and measurement Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Monitoring and measurement Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Detective
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Monitoring and measurement Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Monitoring and measurement Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Monitoring and measurement Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Monitoring and measurement Detective
    Report on the percentage of audit findings that have been resolved. CC ID 01678 Monitoring and measurement Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Monitoring and measurement Detective
    Monitor compliance with the Quality Control system. CC ID 01023 Monitoring and measurement Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Monitoring and measurement Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Monitoring and measurement Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Monitoring and measurement Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Monitoring and measurement Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Monitoring and measurement Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Monitoring and measurement Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Monitoring and measurement Detective
    Report on the percentage of individuals who have access to security software and are trained, authorized Security Administrators. CC ID 01691 Monitoring and measurement Detective
    Report on the percentage of individuals who are able to assign security privileges and are trained, authorized Security Administrators. CC ID 01692 Monitoring and measurement Detective
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Monitoring and measurement Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Monitoring and measurement Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Monitoring and measurement Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Monitoring and measurement Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Monitoring and measurement Detective
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Monitoring and measurement Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Monitoring and measurement Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Monitoring and measurement Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Monitoring and measurement Detective
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Monitoring and measurement Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Monitoring and measurement Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Monitoring and measurement Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Monitoring and measurement Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Monitoring and measurement Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Monitoring and measurement Detective
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Monitoring and measurement Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Monitoring and measurement Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Monitoring and measurement Detective
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Monitoring and measurement Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Monitoring and measurement Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Monitoring and measurement Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Monitoring and measurement Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Monitoring and measurement Detective
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Monitoring and measurement Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Monitoring and measurement Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Monitoring and measurement Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Monitoring and measurement Detective
    Report on the percentage of unique active user identifiers. CC ID 02074 Monitoring and measurement Detective
    Report on the percentage of systems and applications that perform password policy verification. CC ID 02086 Monitoring and measurement Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Monitoring and measurement Detective
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Monitoring and measurement Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Monitoring and measurement Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Monitoring and measurement Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Monitoring and measurement Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Monitoring and measurement Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Monitoring and measurement Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Monitoring and measurement Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Monitoring and measurement Detective
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Monitoring and measurement Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Monitoring and measurement Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Monitoring and measurement Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Monitoring and measurement Detective
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Monitoring and measurement Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Monitoring and measurement Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Monitoring and measurement Detective
    Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 Monitoring and measurement Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Monitoring and measurement Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Monitoring and measurement Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Monitoring and measurement Detective
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Monitoring and measurement Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Monitoring and measurement Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Monitoring and measurement Detective
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Monitoring and measurement Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Monitoring and measurement Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Monitoring and measurement Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Monitoring and measurement Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Monitoring and measurement Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Monitoring and measurement Detective
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Monitoring and measurement Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Monitoring and measurement Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Monitoring and measurement Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Monitoring and measurement Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Monitoring and measurement Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Monitoring and measurement Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Monitoring and measurement Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Monitoring and measurement Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Monitoring and measurement Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Monitoring and measurement Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Monitoring and measurement Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Monitoring and measurement Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Monitoring and measurement Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Monitoring and measurement Detective
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Monitoring and measurement Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Monitoring and measurement Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Monitoring and measurement Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Monitoring and measurement Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Monitoring and measurement Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Monitoring and measurement Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Monitoring and measurement Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Monitoring and measurement Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Monitoring and measurement Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Monitoring and measurement Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Monitoring and measurement Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Monitoring and measurement Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Monitoring and measurement Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Monitoring and measurement Preventive
    Document the continuity plan test results and provide them to senior management. CC ID 06548
    [The organization shall conduct exercises and tests that produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements, § 8.5 ¶ 2 e)
    [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Operational and Systems Continuity Preventive
    Mitigate reported incidents. CC ID 12973 Operational management Preventive
    Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306
    [{periodic exercising} {periodic testing} {periodic post-incident reporting} {periodic performance evaluations} These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; § 9.1.2 b)]
    Operational management Preventive
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Records management Preventive
  • Audits and Risk Management
    77
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Manage supply chain audits. CC ID 01203 Audits and risk management Preventive
    Review the external auditor's involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and risk management Preventive
    Review the external audit scope, as necessary. CC ID 01202 Audits and risk management Preventive
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and risk management Detective
    Review the external auditor's qualifications. CC ID 01197 Audits and risk management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and risk management Preventive
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959
    [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3]
    Audits and risk management Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and risk management Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Detective
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Preventive
    Audit in scope audit items and compliance documents as defined in the audit scope. CC ID 06730
    [The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system conforms to the organization’s own requirements for its BCMS, § 9.2 ¶ 1 a) 1)
    The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system conforms to the requirements of this International Standard, and § 9.2 ¶ 1 a) 2)
    The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system is effectively implemented and maintained. § 9.2 ¶ 1 b)]
    Audits and risk management Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and risk management Preventive
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Detective
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and risk management Detective
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and risk management Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and risk management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and risk management Preventive
    Include the organization's description of the in scope system in the audit report. CC ID 11626 Audits and risk management Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and risk management Preventive
    Review management's response to issues raised in past audit reports. CC ID 01149
    [The management review shall include consideration of the status of actions from previous management reviews, § 9.3 ¶ 2 a)
    The management review shall include consideration of information on the business continuity performance, including trends in nonconformities and corrective actions, § 9.3 ¶ 2 c) 1)]
    Audits and risk management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and risk management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and risk management Preventive
    Review the risk assessment framework. CC ID 12813 Audits and risk management Detective
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and risk management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and risk management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and risk management Detective
    Address past security incidents in the risk assessment program. CC ID 12743 Audits and risk management Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [{external factor} In establishing the context, the organization shall define the external and internal factors that create the uncertainty that gives rise to risk, § 4.1 ¶ 4 2)
    Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3]
    Audits and risk management Preventive
    Review and update the data protection impact assessment, as necessary. CC ID 12665 Audits and risk management Preventive
    Establish and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and risk management Preventive
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and risk management Preventive
    Include the risks to the organization's critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and risk management Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and risk management Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and risk management Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Preventive
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Preventive
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Preventive
    Conduct a Business Impact Analysis based on the risk assessment findings in the risk assessment report. CC ID 01147
    [{formal and documented process for risk assessment} {required output from the risk assessment} The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that defines the required output from the business impact analysis and risk assessment, and § 8.2.1 ¶ 1 d)
    The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. § 8.2.2 ¶ 1
    {outputs from the risk assessment} Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment. § 8.3.1 ¶ 1
    The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that specifies the requirements for this information to be kept up-to-date and confidential. § 8.2.1 ¶ 1 e)
    The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that § 8.2.1 ¶ 1]
    Audits and risk management Detective
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [The organization shall systematically analyse risk, § 8.2.3 ¶ 2 b)]
    Audits and risk management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and risk management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [The business impact analysis shall include the following: identifying activities that support the provision of products and services; § 8.2.2 ¶ 2 a)
    The organization shall identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, § 8.2.3 ¶ 2 a)]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [The organization shall identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, § 8.2.3 ¶ 2 a)]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and risk management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and risk management Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [The organization shall identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite. § 8.2.3 ¶ 2 d)
    {outputs from the risk assessment} Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment. § 8.3.1 ¶ 1]
    Audits and risk management Preventive
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Preventive
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Preventive
    Identify the planned actions and controls that address high risk. CC ID 12835 Audits and risk management Preventive
    Identify the current actions and controls that address high risk. CC ID 12834 Audits and risk management Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and risk management Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Monitoring and measurement Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Monitoring and measurement Preventive
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Operational and Systems Continuity Preventive
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 Third Party and supply chain oversight Detective
  • Behavior
    53
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Leadership and high level objectives Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283
    [{legal requirements} {regulatory requirements} {new legal, regulatory and other requirements} The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties. § 4.2.2 ¶ 3]
    Leadership and high level objectives Preventive
    Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 Leadership and high level objectives Preventive
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Audits and risk management Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Audits and risk management Preventive
    Exercise due professional care during the planning and performance of the audit. CC ID 07119
    [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select auditors and conduct audits to ensure objectivity and the impartiality of the audit process, - ensure that the results of the audits are reported to relevant management, and - retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2 ¶ 2]
    Audits and risk management Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Preventive
    Explain the goals of the interview to the auditee. CC ID 07189 Audits and risk management Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Audits and risk management Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718
    [{significant impact} {procedures for alerts} {procedures for warnings} The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate. § 8.4.2 ¶ 3]
    Audits and risk management Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Preventive
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [When nonconformity occurs, the organization shall react to the nonconformity, and, as applicable, § 10.1 ¶ 1 b)
    {adverse results} Additionally, the organization shall — take action when necessary to address adverse trends or results before a nonconformity occurs, and — retain relevant documented information as evidence of the results. § 9.1.1 ¶ 4
    {nonconformity} take action to control and correct it, and § 10.1 ¶ 1 b) 1)
    When nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by determining and implementing corrective action needed, § 10.1 ¶ 1 c) 5]
    Monitoring and measurement Corrective
    Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816
    [{activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3]
    Operational and Systems Continuity Preventive
    Train personnel on the continuity plan. CC ID 00759
    [The organization shall conduct exercises and tests that taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties, § 8.5 ¶ 2 c)]
    Operational and Systems Continuity Preventive
    Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 Operational and Systems Continuity Preventive
    Incorporate simulated events into the continuity plan training. CC ID 01402 Operational and Systems Continuity Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Preventive
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Human Resources management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [The organization shall where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and § 7.2 ¶ 1 c)]
    Human Resources management Preventive
    Retrain all personnel, as necessary. CC ID 01362 Human Resources management Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Human Resources management Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Human Resources management Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Preventive
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Preventive
    Conduct Archives and Records Management training. CC ID 00975 Human Resources management Preventive
    Disseminate and communicate security awareness and the internal control framework to all interested personnel and affected parties. CC ID 00823 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Human Resources management Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Human Resources management Corrective
    Conduct crime prevention training. CC ID 06350 Human Resources management Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Operational management Preventive
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Operational management Corrective
    Share data loss event information with the media. CC ID 01759
    [The response structure shall communicate with interested parties and authorities, as well as the media. § 8.4.2 ¶ 2 f)
    The business continuity plans shall collectively contain details of the organization’s media response following an incident, including a communications strategy, § 8.4.4 ¶ 2 f) 1)
    The business continuity plans shall collectively contain details of the organization’s media response following an incident, including preferred interface with the media, § 8.4.4 ¶ 2 f) 2)
    The business continuity plans shall collectively contain details of the organization’s media response following an incident, including guideline or template for drafting a statement for the media, and § 8.4.4 ¶ 2 f) 3)
    The business continuity plans shall collectively contain details of the organization's media response following an incident, including § 8.4.4 ¶ 2 f)]
    Operational management Corrective
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Corrective
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Corrective
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Operational management Detective
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Operational management Corrective
    Avoid false positive incident response notifications. CC ID 04732 Operational management Detective
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Operational management Corrective
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Operational management Corrective
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Operational management Corrective
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Operational management Corrective
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Operational management Preventive
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Operational management Preventive
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Operational management Corrective
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Operational management Preventive
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Operational management Corrective
    Incorporate simulated events into the incident response training program. CC ID 06751 Operational management Preventive
    Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 Operational management Preventive
    Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 Operational management Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Operational management Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Operational management Preventive
  • Business Processes
    96
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Leadership and high level objectives Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Leadership and high level objectives Preventive
    Prioritize organizational objectives. CC ID 09960 Leadership and high level objectives Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Leadership and high level objectives Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Preventive
    Implement the Quality Management program. CC ID 13696 Leadership and high level objectives Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501 Leadership and high level objectives Corrective
    Enforce a continuous Quality Control system. CC ID 01005 Leadership and high level objectives Detective
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Detective
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Leadership and high level objectives Detective
    Establish and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492
    [Persons doing work under the organization’s control shall be aware of their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity management performance, § 7.3 ¶ 1 b)]
    Leadership and high level objectives Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Leadership and high level objectives Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Audits and risk management Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Audits and risk management Preventive
    Review the Statement on the Level of Compliance. CC ID 12500 Audits and risk management Detective
    Approve the Statement on the Level of Compliance. CC ID 12501 Audits and risk management Preventive
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Audits and risk management Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Corrective
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Audits and risk management Preventive
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Audits and risk management Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Audits and risk management Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Audits and risk management Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Audits and risk management Preventive
    Review the Business Impact Analysis, as necessary. CC ID 12774 Audits and risk management Preventive
    Implement a fraud detection system. CC ID 13081 Monitoring and measurement Preventive
    Approve the system security plan. CC ID 14241 Monitoring and measurement Preventive
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Monitoring and measurement Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Monitoring and measurement Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Monitoring and measurement Preventive
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Monitoring and measurement Preventive
    Establish and maintain a physical environment metrics program. CC ID 02063 Monitoring and measurement Preventive
    Establish and maintain a reporting methodology program. CC ID 02072 Monitoring and measurement Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Monitoring and measurement Preventive
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Monitoring and measurement Preventive
    Establish and maintain a Configuration Management metrics program. CC ID 02077 Monitoring and measurement Preventive
    Establish and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Monitoring and measurement Preventive
    Establish and maintain a malicious code protection management metrics program. CC ID 02080 Monitoring and measurement Preventive
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Monitoring and measurement Preventive
    Establish and maintain a network management and firewall management metrics program. CC ID 02082 Monitoring and measurement Preventive
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Monitoring and measurement Preventive
    Establish and maintain a backup management and recovery management metrics program. CC ID 02084 Monitoring and measurement Preventive
    Establish and maintain an incident management and vulnerability management metrics program. CC ID 02085 Monitoring and measurement Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Human Resources management Preventive
    Evaluate the Information Technology staffing requirements regularly. CC ID 00775
    [The organization shall determine the necessary competence of person(s) doing work under its control that affects its performance, § 7.2 ¶ 1 a)]
    Human Resources management Detective
    Establish and maintain an education methodology. CC ID 06671 Human Resources management Preventive
    Establish and maintain a positive information control environment. CC ID 00813
    [Persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS. § 5.1 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the BCMS by - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes, - ensuring that the resources needed for the business continuity management system are available, - communicating the importance of effective business continuity management and conforming to the BCMS requirements, - ensuring that the BCMS achieves its intended outcome(s), - directing and supporting persons to contribute to the effectiveness of the BCMS, - promoting continual improvement, and - supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility. § 5.2 ¶ 1
    Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal audits of the BCMS are conducted, - conducting management reviews of the BCMS, and - demonstrating its commitment to continual improvement. § 5.2 ¶ 3]
    Operational management Preventive
    Assign resources to implement the internal control framework. CC ID 00816
    [The organization shall determine the resource requirements to implement the selected strategies. The types of resources considered shall include but not be limited to § 8.3.2 ¶ 1
    {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsibilities, and authorities, - communication requirements and procedures, - internal and external interdependencies and interactions, - resource requirements, and - information flow and documentation processes. § 8.4.4 ¶ 3]
    Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Establish and maintain an Incident Management program. CC ID 00853 Operational management Preventive
    Remediate security violations according to organizational standards. CC ID 12338 Operational management Preventive
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Preventive
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Corrective
    Eradicate the cause of the security incident after the security incident has been contained. CC ID 01757 Operational management Corrective
    Analyze and respond to security alerts. CC ID 12504 Operational management Detective
    Include the reimbursement of customers for financial losses due to security incidents in the Incident Response program. CC ID 12756 Operational management Preventive
    Collect evidence from the incident scene. CC ID 02236 Operational management Corrective
    Establish and maintain future system performance forecasting methods. CC ID 11775 Operational management Preventive
    Use proactive performance management. CC ID 00937 Operational management Detective
    Utilize resource availability management controls. CC ID 00940 Operational management Detective
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Operational management Preventive
    Establish and maintain cost management procedures. CC ID 00873
    [{funding requirements} The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to funding and budget requirements; and § 9.3 ¶ 4 d) 8)]
    Operational management Detective
    Update the business cases for cost management procedures, as necessary. CC ID 13642 Operational management Preventive
    Identify and allocate departmental costs. CC ID 00871 Operational management Detective
    Review and approve the Information Technology budget. CC ID 13644 Operational management Corrective
    Update the Information Technology budget, as necessary. CC ID 13643 Operational management Corrective
    Manage change requests. CC ID 00887
    [For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and use, — preservation of legibility, and — prevention of the unintended use of obsolete information. § 7.5.3 ¶ 2
    The management review shall include consideration of changes in external and internal issues that are relevant to the business continuity management system, § 9.3 ¶ 2 b)]
    Operational management Preventive
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Operational management Detective
    Implement changes according to the change control program. CC ID 11776
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Operational management Preventive
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Operational management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Operational management Corrective
    Implement a clinical decision support system. CC ID 14443 Records management Preventive
    Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 Records management Preventive
    Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 Records management Preventive
    Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 Records management Preventive
    Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 Records management Preventive
    Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 Records management Preventive
    Terminate supplier relationships, as necessary. CC ID 13489 Third Party and supply chain oversight Corrective
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 Third Party and supply chain oversight Preventive
    Include disclosure requirements in third party contracts. CC ID 08825 Third Party and supply chain oversight Preventive
    Document supply chain transactions in the supply chain management program. CC ID 08857 Third Party and supply chain oversight Preventive
    Track all chargeable items in Service Level Agreements. CC ID 11616 Third Party and supply chain oversight Detective
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Third Party and supply chain oversight Corrective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024
    [The business impact analysis shall include the following: identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties. § 8.2.2 ¶ 2 d)]
    Third Party and supply chain oversight Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Preventive
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 Third Party and supply chain oversight Preventive
    Support third parties in building their capabilities. CC ID 08814 Third Party and supply chain oversight Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815 Third Party and supply chain oversight Preventive
    Post a list of compliant third parties on the organization's website. CC ID 08817 Third Party and supply chain oversight Preventive
    Use third parties that are compliant with the applicable requirements. CC ID 08818 Third Party and supply chain oversight Preventive
    Identify supply sources for secondary materials. CC ID 08822 Third Party and supply chain oversight Preventive
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Third Party and supply chain oversight Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Preventive
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [{results of BCMS reviews} {key partners} {results of testing} {BCMS performance} {BCMS effectiveness} {emerging good guidance} Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of key suppliers and partners where appropriate, - techniques, products or procedures, which could be used in the organization to improve the BCMS’ performance and effectiveness, - status of corrective actions, - results of exercising and testing, - risks or issues not adequately addressed in any previous risk assessment, - any changes that could affect the BCMS, whether internal or external to the scope of the BCMS, - adequacy of policy, - recommendations for improvement, - lessons learned and actions arising from disruptive incidents, and - emerging good practice and guidance. § 9.3 ¶ 3]
    Third Party and supply chain oversight Detective
  • Communicate
    35
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disseminate and communicate organizational objectives to all interested personnel and affected parties. CC ID 13191 Leadership and high level objectives Preventive
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Leadership and high level objectives Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Corrective
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders, as necessary. CC ID 13680 Leadership and high level objectives Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Leadership and high level objectives Preventive
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Leadership and high level objectives Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Leadership and high level objectives Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Leadership and high level objectives Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Leadership and high level objectives Preventive
    Disseminate and communicate internal controls with supply chain members, as necessary. CC ID 12416 Leadership and high level objectives Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Audits and risk management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Audits and risk management Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Preventive
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Corrective
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Preventive
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Preventive
    Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 Operational and Systems Continuity Preventive
    Identify who can speak to the media in the emergency communications procedures. CC ID 12761 Operational and Systems Continuity Corrective
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [Persons doing work under the organization’s control shall be aware of the business continuity policy, § 7.3 ¶ 1 a)]
    Operational management Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Preventive
    Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 Operational management Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Preventive
    Notify interested personnel and affected parties of the privacy breach about any recovered personal data. CC ID 13347 Operational management Corrective
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Operational management Corrective
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Operational management Preventive
    Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 Operational management Preventive
    Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 Operational management Detective
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Third Party and supply chain oversight Preventive
  • Configuration
    14
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Monitoring and measurement Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Preventive
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Preventive
    Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 Operational and Systems Continuity Corrective
    Deploy software patches. CC ID 07032 Operational management Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Corrective
    Remove outdated software after software has been updated. CC ID 11792 Operational management Corrective
    Update computer firmware, as necessary. CC ID 11755 Operational management Corrective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Corrective
    Establish and maintain a configuration change log. CC ID 08710 Operational management Detective
    Review the configuration change log. CC ID 11754 Operational management Detective
    Implement electronic storage media integrity controls. CC ID 00946 Records management Preventive
    Automate electronic storage media integrity check controls. CC ID 00948 Records management Preventive
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Records management Preventive
  • Data and Information Management
    21
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Preventive
    Share incident information with interested personnel and affected parties. CC ID 01212
    [The response structure shall communicate with interested parties and authorities, as well as the media. § 8.4.2 ¶ 2 f)
    {procedures for recording actions taken and decisions made} The organization shall establish, implement and maintain procedures for recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable: — alerting interested parties potentially impacted by an actual or impending disruptive incident; — assuring the interoperability of multiple responding organizations and personnel; — operation of a communications facility. § 8.4.3 ¶ 1 g)]
    Operational management Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Corrective
    Approve tested change requests. CC ID 11783 Operational management Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Operational management Preventive
    Select the appropriate format for archived data and records. CC ID 06320
    [{appropriate media} When creating and updating documented information, the organization shall ensure appropriate format and media, and review and approval for suitability and adequacy. § 7.5.2 ¶ 1 b)]
    Records management Preventive
    Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 Records management Preventive
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Records management Preventive
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Records management Detective
    Establish and maintain electronic health records. CC ID 14436 Records management Preventive
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Records management Preventive
    Import data files into a patient's electronic health record. CC ID 14448 Records management Preventive
    Export requested sections of the electronic health record. CC ID 14447 Records management Preventive
    Display the implantable device list to authorized users. CC ID 14445 Records management Preventive
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Records management Detective
    Label restricted storage media appropriately. CC ID 00966 Records management Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Preventive
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Records management Preventive
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Detective
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Third Party and supply chain oversight Preventive
  • Establish Roles
    47
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Leadership and high level objectives Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284
    [Top management shall assign the responsibility and authority for ensuring that the management system conforms to the requirements of this International Standard, and § 5.4 ¶ 2 a)]
    Leadership and high level objectives Preventive
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. § 9.2 ¶ 3]
    Audits and risk management Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Audits and risk management Preventive
    Assign the internal Information Technology audit staff to be independent from the Information Technology group reporting to the Board of Directors. CC ID 01184 Audits and risk management Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Preventive
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Audits and risk management Preventive
    Define and assign the internal Information Technology audit staff's roles and responsibilities. CC ID 00681 Audits and risk management Preventive
    Assign the responsibility for operating an internal control system to the internal Information Technology audit staff. CC ID 01187 Audits and risk management Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Audits and risk management Preventive
    Assign the audit to impartial auditors. CC ID 07118
    [{audit scope} {evidence of the audit results} The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits, - define the audit criteria and scope for each audit, - select