
ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition



AD ID: 0003002

AD STATUS: ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition

ORIGINATOR: International Organization for Standardization

TYPE: International or National Standard

AVAILABILITY: For Purchase

SYNONYMS: ISO/IEC 20000-1:2018; ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements

EFFECTIVE: 2018-09-01

ADDED: The document as a whole was last reviewed and released on 2022-02-22T00:00:00-0800.

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, by virtue of those Citations and mandates being tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition are based upon terms either found within the Authority Document's defined terms section (which most legal documents have) or its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone

272 Mandated Controls (bold) | 104 Implied Controls (italic) | 2056 Implementation Controls (regular)

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 2432 Total
  • Acquisition or sale of facilities, technology, and services (59 controls)
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold | Implied - italic | Implementation - regular | Columns: TYPE, CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Plan for selling facilities, technology, or services. CC ID 06893
    [For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3]
    Acquisition/Sale of Assets or Services Preventive
    Refrain from providing products and services, as necessary. CC ID 15580 Acquisition/Sale of Assets or Services Preventive
    Determine if there is a need for the product or service being sold. CC ID 06894 Acquisition/Sale of Assets or Services Preventive
    Identify new business opportunities based on product or service need, the business strategy, and action plan. CC ID 06901 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain a product or service pricing program. CC ID 13676 Establish/Maintain Documentation Preventive
    Review and update controls to ensure the timeliness and accuracy of the market prices. CC ID 13688 Process or Activity Corrective
    Provide identification mechanisms for the organization's supply chain members. CC ID 12201 Business Processes Preventive
    Establish, implement, and maintain customer terms and conditions. CC ID 13666 Establish/Maintain Documentation Preventive
    Refrain from charging a fee for the provision of services, as necessary. CC ID 14212 Business Processes Preventive
    Include customer risks in the customer terms and conditions. CC ID 13669 Establish/Maintain Documentation Preventive
    Develop product solicitation responses and service solicitation responses. CC ID 06896 Acquisition/Sale of Assets or Services Preventive
    Prevent the creation or distribution of devices designed to circumvent security measures. CC ID 11514 Acquisition/Sale of Assets or Services Preventive
    Provide a product warranty or service warranty. CC ID 11601 Acquisition/Sale of Assets or Services Preventive
    Include the defined support period for hardware replacements in warranties. CC ID 14932 Establish/Maintain Documentation Preventive
    Include the methods of product replacement in warranties. CC ID 14931 Establish/Maintain Documentation Preventive
    Include rationale for the absence of software updates in warranties, as necessary. CC ID 14930 Establish/Maintain Documentation Preventive
    Include the defined support period in the product warranty or service warranty. CC ID 14927 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain equipment shipping procedures. CC ID 11449 Acquisition/Sale of Assets or Services Preventive
    Ship equipment to customers in tamper-evident packaging, as necessary. CC ID 12271 Physical and Environmental Protection Preventive
    Ship equipment following the equipment shipping procedures. CC ID 11658 Process or Activity Preventive
    Ship goods or provide services to consumers in the agreed upon time frame. CC ID 08618 Business Processes Preventive
    Preserve products created for sale prior to shipping. CC ID 11602 Acquisition/Sale of Assets or Services Preventive
    Clean and maintain products prior to shipping. CC ID 11603 Acquisition/Sale of Assets or Services Preventive
    Detect and remove foreign objects from products prior to shipping. CC ID 11604 Acquisition/Sale of Assets or Services Preventive
    Handle products with due care prior to shipping. CC ID 11605 Acquisition/Sale of Assets or Services Preventive
    Attach safety warnings to products prior to shipping. CC ID 11606 Acquisition/Sale of Assets or Services Preventive
    Rotate the stock of products prior to shipping. CC ID 11607 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain a consumer complaint management program. CC ID 04570
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Business Processes Preventive
    Document consumer complaints. CC ID 13903
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Business Processes Preventive
    Assess consumer complaints and litigation. CC ID 16521 Investigate Preventive
    Notify the complainant about their rights after receiving a complaint. CC ID 16794 Communicate Preventive
    Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 Establish/Maintain Documentation Preventive
    Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 Establish/Maintain Documentation Preventive
    Post contact information in an easily seen location at facilities. CC ID 13812 Communicate Preventive
    Provide users a list of the available dispute resolution bodies. CC ID 13814 Communicate Preventive
    Post the dispute resolution body's contact information on the organization's website. CC ID 13811 Communicate Preventive
    Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 Communicate Preventive
    Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Actionable Reports or Measurements Preventive
    Establish, implement, and maintain notice and take-down procedures. CC ID 09963 Establish/Maintain Documentation Preventive
    Check communications for take-down requests. CC ID 09964 Monitor and Evaluate Occurrences Preventive
    Include complete information in the take-down request. CC ID 09965 Business Processes Detective
    Include the complainant's contact information in the take-down request. CC ID 09966 Business Processes Detective
    Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 Business Processes Detective
    Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 Business Processes Detective
    Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 Business Processes Detective
    Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 Business Processes Preventive
    Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 Business Processes Detective
    Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 Business Processes Detective
    Notify the complainant regarding any missing information in the take-down request. CC ID 09973 Behavior Preventive
    Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 Business Processes Detective
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 Establish/Maintain Documentation Preventive
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 Establish/Maintain Documentation Preventive
    Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 Establish/Maintain Documentation Preventive
    Remove all unlawful material associated with the take-down request that have not been removed and are feasible to remove. CC ID 09978 Business Processes Preventive
    Notify the complainant when all unlawful material associated with the take-down notice that can be removed, has been removed. CC ID 09979 Business Processes Preventive
    Process product return requests. CC ID 11598 Acquisition/Sale of Assets or Services Corrective
    Refrain from returning products absent a return request authorization. CC ID 11599 Acquisition/Sale of Assets or Services Corrective
  • Audits and risk management (601 controls)
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold | Implied - italic | Implementation - regular | Columns: TYPE, CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Establish Roles Preventive
    Manage supply chain audits. CC ID 01203 Audits and Risk Management Preventive
    Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 Audits and Risk Management Preventive
    Rotate auditors, as necessary. CC ID 15589 Audits and Risk Management Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Establish Roles Preventive
    Assign the Board of Directors to address audit findings. CC ID 12396 Human Resources Management Corrective
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Establish Roles Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Establish Roles Preventive
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [The organization shall: ensure that the results of the audits are reported to relevant management; § 9.2.2 ¶ 1(d)]
    Testing Detective
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Establish Roles Preventive
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Establish Roles Preventive
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Establish Roles Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Establish Roles Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and Risk Management Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Establish/Maintain Documentation Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Establish/Maintain Documentation Preventive
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Establish/Maintain Documentation Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Establish/Maintain Documentation Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Establish/Maintain Documentation Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Establish/Maintain Documentation Preventive
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Establish/Maintain Documentation Preventive
    Review the external audit scope, as necessary. CC ID 01202 Audits and Risk Management Preventive
    Review the external audit assertion for accuracy. CC ID 06977 Testing Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Testing Detective
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and Risk Management Detective
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Establish/Maintain Documentation Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Establish/Maintain Documentation Preventive
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Establish/Maintain Documentation Preventive
    Review the external auditor's qualifications. CC ID 01197 Audits and Risk Management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and Risk Management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Establish/Maintain Documentation Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Establish/Maintain Documentation Preventive
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Behavior Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Behavior Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Establish/Maintain Documentation Preventive
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an audit program. CC ID 00684
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain audit policies. CC ID 13166 Establish/Maintain Documentation Preventive
    Assign the audit to impartial auditors. CC ID 07118
    [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)]
    Establish Roles Preventive
    Define what constitutes a threat to independence. CC ID 16824 Audits and Risk Management Preventive
    Determine if requested services create a threat to independence. CC ID 16823 Audits and Risk Management Detective
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Behavior Preventive
    Include resource requirements in the audit program. CC ID 15237 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit program. CC ID 15236 Establish/Maintain Documentation Preventive
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and Risk Management Preventive
    Establish and maintain audit terms. CC ID 13880 Establish/Maintain Documentation Preventive
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Process or Activity Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Establish/Maintain Documentation Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Establish/Maintain Documentation Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and Risk Management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and Risk Management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and Risk Management Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and Risk Management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and Risk Management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and Risk Management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and Risk Management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Establish/Maintain Documentation Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Establish/Maintain Documentation Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Establish/Maintain Documentation Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and Risk Management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Establish/Maintain Documentation Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Establish/Maintain Documentation Preventive
    Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 Establish/Maintain Documentation Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Establish/Maintain Documentation Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Establish/Maintain Documentation Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Establish/Maintain Documentation Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Establish/Maintain Documentation Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Establish/Maintain Documentation Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Establish/Maintain Documentation Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Establish/Maintain Documentation Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Establish/Maintain Documentation Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Establish/Maintain Documentation Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Establish/Maintain Documentation Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Establish/Maintain Documentation Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Establish/Maintain Documentation Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Establish/Maintain Documentation Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Establish/Maintain Documentation Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Establish/Maintain Documentation Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Establish/Maintain Documentation Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Establish/Maintain Documentation Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Establish/Maintain Documentation Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and Risk Management Detective
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Establish/Maintain Documentation Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Establish/Maintain Documentation Preventive
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and Risk Management Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Business Processes Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and Risk Management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and Risk Management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and Risk Management Preventive
    Include audit subject matter in the audit program. CC ID 07103
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the importance of the processes concerned; § 9.2.2 ¶ 1(a)(1)]
    Establish/Maintain Documentation Preventive
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Investigate Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Establish/Maintain Documentation Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Establish/Maintain Documentation Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Establish/Maintain Documentation Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and Risk Management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Establish/Maintain Documentation Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and Risk Management Preventive
    Include in scope information in the audit program. CC ID 16198 Establish/Maintain Documentation Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Establish/Maintain Documentation Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Establish/Maintain Documentation Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and Risk Management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Establish/Maintain Documentation Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Establish/Maintain Documentation Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Establish/Maintain Documentation Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Establish/Maintain Documentation Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Establish/Maintain Documentation Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Establish/Maintain Documentation Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Establish/Maintain Documentation Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Establish/Maintain Documentation Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Establish/Maintain Documentation Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Establish/Maintain Documentation Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Establish/Maintain Documentation Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Establish/Maintain Documentation Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Establish/Maintain Documentation Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Establish/Maintain Documentation Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Establish/Maintain Documentation Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Establish/Maintain Documentation Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Establish/Maintain Documentation Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Establish/Maintain Documentation Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Establish/Maintain Documentation Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Establish/Maintain Documentation Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Establish/Maintain Documentation Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Establish/Maintain Documentation Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Establish/Maintain Documentation Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Establish/Maintain Documentation Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Establish/Maintain Documentation Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Establish/Maintain Documentation Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Establish/Maintain Documentation Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Communicate Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Establish/Maintain Documentation Preventive
    Include how access to in scope systems, personnel and in scope records is provided to the auditor in the audit terms. CC ID 06988 Establish/Maintain Documentation Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)]
    Audits and Risk Management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Establish/Maintain Documentation Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Establish/Maintain Documentation Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Establish/Maintain Documentation Corrective
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Communicate Preventive
    Include materiality levels in the audit terms. CC ID 01238 Establish/Maintain Documentation Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: changes affecting the organization; § 9.2.2 ¶ 1(a)(2)]
    Establish/Maintain Documentation Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Establish/Maintain Documentation Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Business Processes Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and Risk Management Detective
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Business Processes Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Behavior Preventive
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and Risk Management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents. CC ID 06730
    [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the organization's own requirements for its SMS; § 9.2.1 ¶ 1(a)(1)
    The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the requirements of this document; § 9.2.1 ¶ 1(a)(2)
    The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: is effectively implemented and maintained. § 9.2.1 ¶ 1(b)
    The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)]
    Audits and Risk Management Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ (e)]
    Actionable Reports or Measurements Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Establish/Maintain Documentation Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Establish/Maintain Documentation Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Establish/Maintain Documentation Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Records Management Preventive
    Conduct onsite inspections, as necessary. CC ID 16199 Testing Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and Risk Management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and Risk Management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and Risk Management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Investigate Detective
    Audit information systems, as necessary. CC ID 13010 Investigate Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Investigate Detective
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Testing Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Testing Detective
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and Risk Management Detective
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Process or Activity Detective
    Edit the audit assertion for accuracy. CC ID 07030 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Process or Activity Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3]
    Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Process or Activity Preventive
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and Risk Management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and Risk Management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Testing Detective
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Establish/Maintain Documentation Preventive
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112
    [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: § 9.2.1 ¶ 1]
    Testing Preventive
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and Risk Management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and Risk Management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and Risk Management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and Risk Management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and Risk Management Preventive
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Communicate Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Testing Preventive
    Establish, implement, and maintain interview procedures. CC ID 16282 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the interview procedures. CC ID 16297 Human Resources Management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Process or Activity Preventive
    Create a schedule for the interviews. CC ID 16292 Process or Activity Preventive
    Identify interviewees. CC ID 16290 Process or Activity Preventive
    Conduct interviews, as necessary. CC ID 07188 Testing Detective
    Verify statements made by interviewees are correct. CC ID 16299 Behavior Detective
    Discuss unsolved questions with the interviewee. CC ID 16298 Process or Activity Detective
    Allow interviewee to respond to explanations. CC ID 16296 Process or Activity Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Process or Activity Detective
    Explain the goals of the interview to the interviewee. CC ID 07189 Behavior Detective
    Explain the testing results to the interviewee. CC ID 16291 Process or Activity Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Process or Activity Corrective
    Establish and maintain work papers, as necessary. CC ID 13891 Establish/Maintain Documentation Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Establish/Maintain Documentation Preventive
    Include audit irregularities in the work papers. CC ID 16774 Establish/Maintain Documentation Preventive
    Include corrective actions in the work papers. CC ID 16771 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Establish/Maintain Documentation Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Establish/Maintain Documentation Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Establish/Maintain Documentation Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and Risk Management Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Establish/Maintain Documentation Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Establish/Maintain Documentation Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Establish/Maintain Documentation Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Establish/Maintain Documentation Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and Risk Management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and Risk Management Preventive
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Testing Detective
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Establish/Maintain Documentation Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Establish/Maintain Documentation Preventive
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Testing Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Monitor and Evaluate Occurrences Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Establish Roles Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Business Processes Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Monitor and Evaluate Occurrences Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Business Processes Preventive
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Process or Activity Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and Risk Management Detective
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Establish/Maintain Documentation Preventive
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and Risk Management Preventive
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Investigate Detective
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Business Processes Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and Risk Management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and Risk Management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Establish/Maintain Documentation Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Establish/Maintain Documentation Preventive
    Establish and maintain organizational audit reports. CC ID 06731
    [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ (e)
    The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Establish/Maintain Documentation Detective
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and Risk Management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and Risk Management Preventive
    Include audit subject matter in the audit report. CC ID 14882 Establish/Maintain Documentation Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Establish/Maintain Documentation Preventive
    Identify the audit team members in the audit report. CC ID 15259 Human Resources Management Detective
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Establish/Maintain Documentation Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Establish/Maintain Documentation Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Establish/Maintain Documentation Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Establish/Maintain Documentation Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Establish/Maintain Documentation Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Establish/Maintain Documentation Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Establish/Maintain Documentation Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Establish/Maintain Documentation Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Establish/Maintain Documentation Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Establish/Maintain Documentation Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Actionable Reports or Measurements Preventive
    Include the date of the audit in the audit report. CC ID 07024 Actionable Reports or Measurements Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Actionable Reports or Measurements Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Establish/Maintain Documentation Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Establish/Maintain Documentation Preventive
    Include the audit criteria in the audit report. CC ID 13945 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Establish/Maintain Documentation Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Establish/Maintain Documentation Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Actionable Reports or Measurements Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Establish/Maintain Documentation Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Establish/Maintain Documentation Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Establish/Maintain Documentation Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Establish/Maintain Documentation Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Establish/Maintain Documentation Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Establish/Maintain Documentation Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Establish/Maintain Documentation Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Establish/Maintain Documentation Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Establish/Maintain Documentation Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Establish/Maintain Documentation Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Establish/Maintain Documentation Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Establish/Maintain Documentation Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Establish/Maintain Documentation Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Establish/Maintain Documentation Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Establish/Maintain Documentation Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Establish/Maintain Documentation Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and Risk Management Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Establish/Maintain Documentation Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Establish/Maintain Documentation Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and Risk Management Detective
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Establish/Maintain Documentation Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Establish/Maintain Documentation Preventive
    Include recommended corrective actions in the audit report. CC ID 16197 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Establish/Maintain Documentation Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Establish/Maintain Documentation Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Establish/Maintain Documentation Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Establish/Maintain Documentation Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Establish/Maintain Documentation Preventive
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and Risk Management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Establish/Maintain Documentation Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Establish/Maintain Documentation Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Actionable Reports or Measurements Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Establish/Maintain Documentation Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Establish/Maintain Documentation Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Establish/Maintain Documentation Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Establish/Maintain Documentation Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Establish/Maintain Documentation Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Establish/Maintain Documentation Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and Risk Management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and Risk Management Detective
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Establish/Maintain Documentation Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and Risk Management Detective
    Review past audit reports. CC ID 01155
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the results of previous audits; § 9.2.2 ¶ 1(a)(3)
    The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: audit results; § 9.3 ¶ 2(c)(3)]
    Establish/Maintain Documentation Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Establish/Maintain Documentation Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Behavior Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Establish/Maintain Documentation Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Establish/Maintain Documentation Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Establish/Maintain Documentation Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Establish/Maintain Documentation Corrective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Investigate Detective
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Process or Activity Detective
    Include an audit opinion in the audit report. CC ID 07017 Establish/Maintain Documentation Preventive
    Include qualified opinions in the audit report. CC ID 13928 Establish/Maintain Documentation Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Establish/Maintain Documentation Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Establish/Maintain Documentation Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Establish/Maintain Documentation Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Business Processes Corrective
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Establish/Maintain Documentation Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Establish/Maintain Documentation Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Establish/Maintain Documentation Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Establish/Maintain Documentation Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Establish/Maintain Documentation Preventive
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Establish/Maintain Documentation Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Establish/Maintain Documentation Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Establish/Maintain Documentation Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Establish/Maintain Documentation Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Establish/Maintain Documentation Corrective
    Disclose any audit irregularities in the audit report. CC ID 06995 Actionable Reports or Measurements Preventive
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Establish/Maintain Documentation Preventive
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Establish/Maintain Documentation Preventive
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Human Resources Management Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Log Management Detective
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Communicate Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Communicate Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Behavior Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Establish/Maintain Documentation Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Establish/Maintain Documentation Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Establish/Maintain Documentation Detective
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Business Processes Preventive
    Submit an audit report that is complete. CC ID 01145 Testing Detective
    Accept the audit report. CC ID 07025 Establish/Maintain Documentation Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777 Establish/Maintain Documentation Corrective
    Assign responsibility for remediation actions. CC ID 13622 Human Resources Management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Actionable Reports or Measurements Corrective
    Review management's response to issues raised in past audit reports. CC ID 01149
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1)]
    Audits and Risk Management Detective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Establish/Maintain Documentation Preventive
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Testing Detective
    Evaluate the competency of auditors. CC ID 15253 Human Resources Management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and Risk Management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and Risk Management Preventive
    Establish, implement, and maintain the audit plan. CC ID 01156 Testing Detective
    Include the audit criteria in the audit plan. CC ID 15262 Establish/Maintain Documentation Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Establish/Maintain Documentation Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Establish/Maintain Documentation Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Establish/Maintain Documentation Preventive
    Include communication protocols in the audit plan. CC ID 15247 Establish/Maintain Documentation Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Establish/Maintain Documentation Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Establish/Maintain Documentation Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Establish/Maintain Documentation Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Establish/Maintain Documentation Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Establish/Maintain Documentation Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Establish/Maintain Documentation Preventive
    Include audit objectives in the audit plan. CC ID 15240 Establish/Maintain Documentation Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Communicate Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051
    [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)
    The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)]
    Establish/Maintain Documentation Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Establish/Maintain Documentation Preventive
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Business Processes Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661 Business Processes Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Business Processes Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Establish/Maintain Documentation Preventive
    Take into account whether the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and Risk Management Preventive
    Include regular updating in the risk management system. CC ID 14990 Business Processes Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209 Establish/Maintain Documentation Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Establish/Maintain Documentation Preventive
    Include data quality in the risk management strategies. CC ID 15308 Data and Information Management Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Establish/Maintain Documentation Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Establish/Maintain Documentation Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and Risk Management Detective
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 Establish Roles Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Establish/Maintain Documentation Preventive
    Address past incidents in the risk assessment program. CC ID 12743 Audits and Risk Management Preventive
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Human Resources Management Detective
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Establish/Maintain Documentation Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Establish/Maintain Documentation Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [The organization shall determine and document: risks related to: not meeting the service requirements; § 6.1.2 ¶ 1(a)(2)]
    Audits and Risk Management Preventive
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain insurance requirements. CC ID 16562 Establish/Maintain Documentation Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Communicate Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Communicate Preventive
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Acquisition/Sale of Assets or Services Corrective
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Business Processes Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Business Processes Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 Business Processes Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Process or Activity Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Establish/Maintain Documentation Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Establish/Maintain Documentation Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Establish/Maintain Documentation Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Establish/Maintain Documentation Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Communicate Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Establish/Maintain Documentation Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Establish/Maintain Documentation Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Establish/Maintain Documentation Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Behavior Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Establish/Maintain Documentation Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Communicate Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Establish/Maintain Documentation Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Document cybersecurity risks. CC ID 12281 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Establish/Maintain Documentation Preventive
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and Risk Management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Establish/Maintain Documentation Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277 Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and Risk Management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and Risk Management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and Risk Management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Business Processes Preventive
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and Risk Management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Establish/Maintain Documentation Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Establish/Maintain Documentation Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Establish/Maintain Documentation Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Establish/Maintain Documentation Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Establish/Maintain Documentation Preventive
    Automate as much of the risk assessment program as necessary. CC ID 06459 Audits and Risk Management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Communicate Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Establish/Maintain Documentation Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Business Processes Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 Behavior Preventive
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Investigate Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Conduct a Business Impact Analysis, as necessary. CC ID 01147 Audits and Risk Management Detective
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Establish/Maintain Documentation Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Establish/Maintain Documentation Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Establish/Maintain Documentation Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Establish/Maintain Documentation Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Establish/Maintain Documentation Preventive
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Communicate Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Establish/Maintain Documentation Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961 Establish/Maintain Documentation Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Business Processes Preventive
    Review the Business Impact Analysis, as necessary. CC ID 12774 Business Processes Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: prevent, or reduce, undesired effects; § 6.1.1 ¶ 1(b)
    The organization shall determine and document: risks related to: the organization; § 6.1.2 ¶ 1(a)(1)]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)]
    Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity, and availability of critical systems. CC ID 06467 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [The organization shall determine and document: risk acceptance criteria; § 6.1.2 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Behavior Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Establish/Maintain Documentation Detective
    Document the results of the gap analysis. CC ID 16271 Establish/Maintain Documentation Preventive
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1]
    Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and Risk Management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601
    [/* Based on the subject of this section, by 'these actions', the document is referring to activities to manage risk*/{risk management activity} evaluate the effectiveness of these actions. § 6.1.3 ¶ 1(b)(2)]
    Testing Detective
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and Risk Management Preventive
    Establish, implement, and maintain a risk treatment plan. CC ID 11983 Establish/Maintain Documentation Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Establish/Maintain Documentation Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and Risk Management Preventive
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and Risk Management Preventive
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and Risk Management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Establish/Maintain Documentation Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Establish/Maintain Documentation Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Establish/Maintain Documentation Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Establish/Maintain Documentation Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Establish/Maintain Documentation Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Establish/Maintain Documentation Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Establish/Maintain Documentation Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Establish/Maintain Documentation Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Communicate Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and Risk Management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Establish/Maintain Documentation Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3]
    Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485
    [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)]
    Establish/Maintain Documentation Preventive
    Include risk responses in the risk management program. CC ID 13195 Establish/Maintain Documentation Preventive
    Document residual risk in a residual risk report. CC ID 13664 Establish/Maintain Documentation Corrective
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Business Processes Preventive
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Establish/Maintain Documentation Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Establish/Maintain Documentation Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Business Processes Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and Risk Management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and Risk Management Detective
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and Risk Management Preventive
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Establish/Maintain Documentation Preventive
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Communicate Preventive
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Communicate Preventive
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 Establish/Maintain Documentation Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Establish/Maintain Documentation Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Communicate Preventive
    Evaluate the cyber insurance market. CC ID 12695 Business Processes Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Business Processes Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Business Processes Preventive
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Establish/Maintain Documentation Preventive
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Establish/Maintain Documentation Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Establish/Maintain Documentation Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Establish/Maintain Documentation Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Establish/Maintain Documentation Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Communicate Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Establish/Maintain Documentation Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Establish/Maintain Documentation Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Establish/Maintain Documentation Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Establish/Maintain Documentation Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190
    [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Communicate Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Human Resources Management Preventive
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Process or Activity Detective
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Communicate Preventive
  • Human Resources management
    126
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that appropriate levels of authority are assigned for making decisions related to the SMS and the services; § 5.1 ¶ 1(c)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1(l)]
    Establish Roles Preventive
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources Management Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Establish/Maintain Documentation Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources Management Preventive
    Establish, implement, and maintain candidate selection procedures for the board of directors. CC ID 14782 Establish/Maintain Documentation Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Establish/Maintain Documentation Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources Management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources Management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Establish Roles Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources Management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources Management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources Management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources Management Corrective
    Analyze workforce management. CC ID 12844
    [{resource level}{manpower} The management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)]
    Human Resources Management Detective
    Identify root causes of staffing shortages, if any exist. CC ID 13276 Human Resources Management Detective
    Analyze the ability of Human Resources to attract a competent workforce. CC ID 13275 Human Resources Management Detective
    Include how risk is perceived by the workforce in the analysis of workforce management. CC ID 12969 Human Resources Management Preventive
    Include compensation structures in the analysis of workforce management. CC ID 12902 Human Resources Management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1(b)
    {staff} The organization shall: determine the necessary competence of persons doing work under its control that affects the performance and effectiveness of the SMS and the services; § 7.2 ¶ 1(a)]
    Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Communicate Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
    Train all personnel and third parties, as necessary. CC ID 00785
    [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)]
    Behavior Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671
    [{interested party} Instructions for the fulfilment of service requests shall be made available to persons involved in service request fulfilment. § 8.6.2 ¶ 3
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)]
    Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources Management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Establish/Maintain Documentation Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Establish/Maintain Documentation Preventive
    Submit applications for professional certification. CC ID 16192 Training Preventive
    Retrain all personnel, as necessary. CC ID 01362 Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217
    [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)]
    Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674
    [{be relevant} Persons doing work under the organization's control shall be aware of: the services relevant to their work; § 7.3 ¶ 1(c)
    The organization shall determine and maintain the knowledge necessary to support the operation of the SMS and the services. § 7.6 ¶ 1
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)]
    Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423
    [The organization shall: retain appropriate documented information as evidence of competence. § 7.2 ¶ 1(d)]
    Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672
    [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)]
    Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Review the current published guidance and awareness and training programs. CC ID 01245 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain training plans. CC ID 00828
    [{be usable}{be available}{support}{operation}{SMS and the services}/* by 'knowledge', based on the section the authors appear to be referring to the knowledge necessary to support the operation of the SMS and the services */ The knowledge shall be relevant, usable and available to appropriate persons. § 7.6 ¶ 2]
    Establish/Maintain Documentation Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Training Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Training Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Training Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Training Detective
    Develop or acquire content to update the training plans. CC ID 12867 Training Preventive
    Designate training facilities in the training plan. CC ID 16200 Training Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Establish/Maintain Documentation Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources Management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Training Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources Management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Training Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Training Preventive
    Conduct Archives and Records Management training. CC ID 00975 Behavior Preventive
    Conduct personal data processing training. CC ID 13757 Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Training Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Communicate Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Include media protection in the security awareness program. CC ID 16368 Training Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include physical security in the security awareness program. CC ID 16369 Training Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Training Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Establish/Maintain Documentation Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Behavior Corrective
    Conduct tampering prevention training. CC ID 11875 Training Preventive
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Training Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Training Preventive
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Training Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Training Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Training Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Training Preventive
    Conduct crime prevention training. CC ID 06350 Behavior Preventive
    Analyze and evaluate training records to improve the training program. CC ID 06380 Monitor and Evaluate Occurrences Detective
  • Leadership and high level objectives
    310
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Business Processes Preventive
    Establish, implement, and maintain communication protocols. CC ID 12245
    [{internal communication}{be relevant} The organization shall determine the internal and external communications relevant to the SMS and the services including: § 7.4 ¶ 1
    The organization shall determine the internal and external communications relevant to the SMS and the services including: when to communicate; § 7.4 ¶ 1(b)
    The organization shall determine the internal and external communications relevant to the SMS and the services including: with whom to communicate; § 7.4 ¶ 1(c)
    The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2
    The organization shall determine the internal and external communications relevant to the SMS and the services including: how to communicate; § 7.4 ¶ 1(d)
    The organization shall determine the internal and external communications relevant to the SMS and the services including: on what it will communicate; § 7.4 ¶ 1(a)
    The organization shall determine the internal and external communications relevant to the SMS and the services including: who will be responsible for the communication. § 7.4 ¶ 1(e)]
    Establish/Maintain Documentation Preventive
    Use secure communication protocols for telecommunications. CC ID 16458 Business Processes Preventive
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419
    [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 Process or Activity Detective
    Include external requirements in the organization's communication protocol. CC ID 12418
    [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Communicate Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Process or Activity Preventive
    Identify barriers to stakeholder engagement. CC ID 15676 Process or Activity Preventive
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Communicate Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Communicate Preventive
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Process or Activity Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Communicate Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Communicate Preventive
    Route notifications, as necessary. CC ID 12832 Process or Activity Preventive
    Substantiate notifications, as necessary. CC ID 12831 Process or Activity Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Business Processes Preventive
    Prioritize notifications, as necessary. CC ID 12830 Process or Activity Preventive
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Actionable Reports or Measurements Preventive
    Disseminate and communicate internal controls with supply chain members. CC ID 12416 Communicate Preventive
    Establish and maintain the organization's survey method. CC ID 12869 Process or Activity Preventive
    Document the findings from surveys. CC ID 16309 Establish/Maintain Documentation Preventive
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Process or Activity Preventive
    Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an internal reporting program. CC ID 12409
    [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1]
    Business Processes Preventive
    Include transactions and events as a part of internal reporting. CC ID 12413 Business Processes Preventive
    Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 Communicate Preventive
    Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 Establish/Maintain Documentation Preventive
    Define the thresholds for escalation in the internal reporting program. CC ID 14332 Establish/Maintain Documentation Preventive
    Define the thresholds for reporting in the internal reporting program. CC ID 14331 Establish/Maintain Documentation Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be measurable; § 6.2.1 ¶ 1(b)]
    Monitor and Evaluate Occurrences Preventive
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Establish/Maintain Documentation Preventive
    Analyze the business environment in which the organization operates. CC ID 12798 Business Processes Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Process or Activity Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Process or Activity Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Process or Activity Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942
[{resource level}{manpower} management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)]
    Process or Activity Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Process or Activity Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Process or Activity Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Process or Activity Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Process or Activity Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Process or Activity Preventive
    Align assets with business functions and the business environment. CC ID 13681 Business Processes Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200
    [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2]
    Communicate Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863
    [{service management system} When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2(a)
    The management review shall include consideration of: changes in external and internal issues that are relevant to the SMS; § 9.3 ¶ 2(b)
    The management review shall include consideration of: changes that can affect the SMS and the services. § 9.3 ¶ 2(l)]
    Monitor and Evaluate Occurrences Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Monitor and Evaluate Occurrences Preventive
    Analyze the external environment in which the organization operates. CC ID 12799 Business Processes Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960 Process or Activity Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Monitor and Evaluate Occurrences Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965 Business Processes Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 Monitor and Evaluate Occurrences Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Business Processes Preventive
    Include society in the analysis of the external environment. CC ID 12963 Business Processes Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Business Processes Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Business Processes Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904 Business Processes Preventive
    Include threats in the analysis of the external environment. CC ID 12898 Business Processes Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Business Processes Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896 Business Processes Preventive
    Include technology in the analysis of the external environment. CC ID 12837 Business Processes Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Business Processes Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Business Processes Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959 Establish/Maintain Documentation Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Process or Activity Preventive
    Identify events that may affect organizational objectives. CC ID 12961
    [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1]
    Process or Activity Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Process or Activity Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828
    [{applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1]
    Business Processes Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826
    [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)]
    Business Processes Preventive
    Prioritize organizational objectives. CC ID 09960 Business Processes Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Business Processes Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591 Establish/Maintain Documentation Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Communicate Preventive
    Include value distribution in the value generation model. CC ID 15603 Establish/Maintain Documentation Preventive
    Include value retention in the value generation model. CC ID 15600 Establish/Maintain Documentation Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Establish/Maintain Documentation Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Establish/Maintain Documentation Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Establish/Maintain Documentation Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Establish/Maintain Documentation Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Establish/Maintain Documentation Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Establish/Maintain Documentation Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Establish/Maintain Documentation Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Establish/Maintain Documentation Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Communicate Preventive
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)]
    Communicate Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827
    [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1]
    Business Processes Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1
    The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)]
    Process or Activity Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805
    [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)]
    Process or Activity Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Business Processes Preventive
    Identify all interested personnel and affected parties. CC ID 12845
    [The organization shall determine: the interested parties that are relevant to the SMS and the services; § 4.2 ¶ 1(a)
    The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1]
    Process or Activity Detective
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Process or Activity Preventive
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 Business Processes Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998 Establish/Maintain Documentation Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Establish/Maintain Documentation Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Establish/Maintain Documentation Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Establish/Maintain Documentation Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Establish/Maintain Documentation Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Establish/Maintain Documentation Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Establish/Maintain Documentation Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Establish/Maintain Documentation Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Establish/Maintain Documentation Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Establish/Maintain Documentation Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Establish/Maintain Documentation Preventive
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Data and Information Management Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Data and Information Management Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Data and Information Management Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Data and Information Management Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Data and Information Management Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Data and Information Management Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Data and Information Management Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Data and Information Management Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Data and Information Management Preventive
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Establish/Maintain Documentation Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Data and Information Management Preventive
    Approve the data classification scheme. CC ID 13858 Establish/Maintain Documentation Detective
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Communicate Preventive
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Establish/Maintain Documentation Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Establish/Maintain Documentation Preventive
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Establish/Maintain Documentation Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Establish/Maintain Documentation Preventive
    Ensure the data dictionary is complete and accurate. CC ID 13527 Investigate Detective
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Establish/Maintain Documentation Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Establish/Maintain Documentation Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Establish/Maintain Documentation Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Establish/Maintain Documentation Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Establish/Maintain Documentation Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Establish/Maintain Documentation Preventive
    Include the data source in the data dictionary. CC ID 13519 Establish/Maintain Documentation Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Establish/Maintain Documentation Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Communicate Preventive
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 Establish/Maintain Documentation Preventive
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Behavior Preventive
    Establish, implement, and maintain an organizational structure. CC ID 16310 Establish/Maintain Documentation Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604 Monitor and Evaluate Occurrences Detective
    Monitor for new Information Security solutions. CC ID 07078 Monitor and Evaluate Occurrences Detective
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Technical Security Detective
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Communicate Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Establish, implement, and maintain a Quality Management framework. CC ID 07196
    [The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3
    At planned intervals, the effectiveness of problem resolution shall be monitored, reviewed and reported. § 8.6.3 ¶ 5
The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6]
    Establish/Maintain Documentation Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Establish/Maintain Documentation Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Establish/Maintain Documentation Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a)
    The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b)
{new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Establish/Maintain Documentation Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)]
    Communicate Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680
[Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4]
    Communicate Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Establish/Maintain Documentation Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200
    [The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2
The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6]
    Establish/Maintain Documentation Preventive
    Enforce a continuous Quality Control system. CC ID 01005
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3]
    Business Processes Detective
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: § 9.3 ¶ 2(c)]
    Testing Detective
    Establish, implement, and maintain a Quality Management program. CC ID 07201
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: setting one or more targets for improvement in areas such as quality, value, capability, cost, productivity, resource utilization and risk reduction; § 10.2 ¶ 3(a)
{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b)
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)]
    Establish/Maintain Documentation Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Communicate Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Communicate Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Establish/Maintain Documentation Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501 Business Processes Corrective
    Include records management in the quality management system. CC ID 15055 Establish/Maintain Documentation Preventive
    Include risk management in the quality management system. CC ID 15054 Establish/Maintain Documentation Preventive
    Include data management procedures in the quality management system. CC ID 15052 Establish/Maintain Documentation Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Establish/Maintain Documentation Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Establish/Maintain Documentation Preventive
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825
    [The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6]
    Systems Design, Build, and Implementation Preventive
    Include resource management in the quality management system. CC ID 15026 Establish/Maintain Documentation Preventive
    Include communication protocols in the quality management system. CC ID 15025 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Establish/Maintain Documentation Preventive
    Include technical specifications in the quality management system. CC ID 15021 Establish/Maintain Documentation Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3
    Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4
    The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6]
    Establish/Maintain Documentation Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Establish/Maintain Documentation Preventive
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Business Processes Detective
    Include program testing standards in the Quality Management program. CC ID 01017
    [At planned intervals, the organization shall monitor, review and report on: performance against service level targets; § 8.3.3 ¶ 3(a)]
    Establish/Maintain Documentation Preventive
    Review and analyze any quality improvement goals that were missed. CC ID 07204
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)]
    Business Processes Detective
    Include system testing standards in the Quality Management program. CC ID 01018 Establish/Maintain Documentation Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824 Systems Design, Build, and Implementation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring the integration of the SMS requirements into the organization's business processes; § 5.1 ¶ 1(f)]
    Establish/Maintain Documentation Preventive
    Establish and maintain an Authority Document list. CC ID 07113
    [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2]
    Establish/Maintain Documentation Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Establish/Maintain Documentation Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [The documented information for the SMS shall include: procedures that are required by this document; § 7.5.4 ¶ 1(k)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [Documented information required by the SMS and by this document shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3.1(a)
    When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Communicate Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Establish/Maintain Documentation Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Establish/Maintain Documentation Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Establish/Maintain Documentation Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Establish/Maintain Documentation Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Establish/Maintain Documentation Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Establish Roles Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Establish Roles Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765 Establish Roles Detective
    Address Information Security during the business planning processes. CC ID 06495 Data and Information Management Preventive
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498
    [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784
    [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Determine progress toward the objectives of the strategic plan. CC ID 12944
    [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be monitored; § 6.2.1 ¶ 1(d)
    The management review shall include consideration of: achievement of service management objectives; § 9.3 ¶ 2(g)]
    Process or Activity Preventive
    Include acting with integrity in the strategic plan. CC ID 12870 Establish/Maintain Documentation Preventive
    Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 Communicate Preventive
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960 Establish/Maintain Documentation Preventive
    Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a planning policy. CC ID 14673 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain planning procedures. CC ID 14698 Establish/Maintain Documentation Preventive
    Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 Communicate Preventive
    Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 Communicate Preventive
    Include compliance requirements in the planning policy. CC ID 14688 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the planning policy. CC ID 14687 Establish/Maintain Documentation Preventive
    Include management commitment in the planning policy. CC ID 14686 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the planning policy. CC ID 14685 Establish/Maintain Documentation Preventive
    Include the scope in the planning policy. CC ID 14684 Establish/Maintain Documentation Preventive
    Include the purpose in the planning policy. CC ID 14683 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security planning policy. CC ID 14131 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security planning policy. CC ID 14130 Establish/Maintain Documentation Preventive
    Include management commitment in the security planning policy. CC ID 14129 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security planning policy. CC ID 14128 Establish/Maintain Documentation Preventive
    Include the scope in the security planning policy. CC ID 14127 Establish/Maintain Documentation Preventive
    Include the purpose in the security planning policy. CC ID 14126 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 Communicate Preventive
    Establish, implement, and maintain security planning procedures. CC ID 14060 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Communicate Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913 Establish/Maintain Documentation Preventive
    Align the reporting methodology with the decision management strategy. CC ID 15659 Business Processes Preventive
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Establish/Maintain Documentation Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Establish/Maintain Documentation Preventive
    Include criteria for compliance in the decision-making criteria. CC ID 12951 Establish/Maintain Documentation Preventive
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 Establish/Maintain Documentation Preventive
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 Establish/Maintain Documentation Preventive
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: policies and plans required by this document; § 8.5.1.3 ¶ 1(c)]
    Process or Activity Preventive
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843
    [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Process or Activity Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Process or Activity Preventive
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Establish/Maintain Documentation Detective
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: customers, users and other interested parties; § 8.5.1.3 ¶ 1(b)]
    Process or Activity Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 Behavior Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909 Process or Activity Preventive
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Establish/Maintain Documentation Preventive
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 Communicate Preventive
    Establish, implement, and maintain an information technology process framework. CC ID 13648 Establish/Maintain Documentation Preventive
    Include maturity models in the Information Technology process framework. CC ID 13652 Establish/Maintain Documentation Preventive
    Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 Establish/Maintain Documentation Preventive
    Include Information Technology process structures in the Information Technology process framework. CC ID 13650 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a tactical plan. CC ID 12785 Establish/Maintain Documentation Preventive
    Include acting with integrity in the tactical plan. CC ID 12871 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 Establish/Maintain Documentation Preventive
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Establish/Maintain Documentation Preventive
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Human Resources Management Preventive
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Establish/Maintain Documentation Preventive
    Include the information integrity goals in the Information Governance Plan. CC ID 10057 Establish/Maintain Documentation Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Establish/Maintain Documentation Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408 Establish/Maintain Documentation Preventive
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 Business Processes Corrective
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 Business Processes Preventive
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Establish/Maintain Documentation Preventive
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Establish/Maintain Documentation Preventive
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 Establish/Maintain Documentation Preventive
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846 Establish/Maintain Documentation Preventive
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Business Processes Preventive
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 Establish/Maintain Documentation Preventive
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 Establish/Maintain Documentation Preventive
    Assign senior management to approve business cases. CC ID 13068 Human Resources Management Preventive
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621 Establish/Maintain Documentation Preventive
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 Establish/Maintain Documentation Preventive
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Establish/Maintain Documentation Preventive
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Establish/Maintain Documentation Preventive
    Include a search plan in the counterterror protective security plan. CC ID 06865 Establish/Maintain Documentation Preventive
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Establish/Maintain Documentation Preventive
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 Establish/Maintain Documentation Preventive
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 Monitor and Evaluate Occurrences Detective
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 Actionable Reports or Measurements Preventive
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Actionable Reports or Measurements Preventive
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Actionable Reports or Measurements Preventive
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Actionable Reports or Measurements Preventive
    Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 Human Resources Management Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain financial reports. CC ID 14770
    [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Establish/Maintain Documentation Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Establish/Maintain Documentation Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588 Establish/Maintain Documentation Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Communicate Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Establish/Maintain Documentation Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Establish/Maintain Documentation Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Establish/Maintain Documentation Preventive
    Include material contingencies in the financial statement. CC ID 16596 Establish/Maintain Documentation Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Establish/Maintain Documentation Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Establish/Maintain Documentation Preventive
    Include assets and liabilities in the call report. CC ID 16729 Establish/Maintain Documentation Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Communicate Preventive
  • Monitoring and measurement
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Log Management Detective
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Log Management Detective
    Establish, implement, and maintain event logging procedures. CC ID 01335 Log Management Detective
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: monitoring and measurement results; § 9.3 ¶ 2(c)(2)]
    Log Management Preventive
    Protect the event logs from failure. CC ID 06290 Log Management Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Data and Information Management Preventive
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Testing Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Establish/Maintain Documentation Corrective
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Establish/Maintain Documentation Preventive
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Audits and Risk Management Preventive
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1]
    Log Management Detective
    Eliminate false positives in event logs and audit logs. CC ID 07047 Log Management Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Log Management Detective
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Technical Security Detective
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Investigate Corrective
    Reproduce the event log if a log failure is captured. CC ID 01426 Log Management Preventive
    Assess customer satisfaction. CC ID 00652
    [At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4
    The management review shall include consideration of: feedback from customers and other interested parties; § 9.3 ¶ 2(e)]
    Testing Detective
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757
    [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4]
    Establish/Maintain Documentation Detective
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 Process or Activity Detective
    Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 Monitor and Evaluate Occurrences Detective
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 Monitor and Evaluate Occurrences Detective
    Monitor for firmware updates absent authorization. CC ID 10675 Monitor and Evaluate Occurrences Detective
    Implement file integrity monitoring. CC ID 01205 Monitor and Evaluate Occurrences Detective
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Technical Security Detective
    Monitor for software configurations updates absent authorization. CC ID 10676 Monitor and Evaluate Occurrences Preventive
    Allow expected changes during file integrity monitoring. CC ID 12090 Technical Security Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitor and Evaluate Occurrences Preventive
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Establish/Maintain Documentation Preventive
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Process or Activity Preventive
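The file integrity monitoring controls above (CC ID 01205, 12096, 12090, 12091, 12045) describe one procedure: baseline the monitored files, detect modifications, let approved changes through, record a change history with attribution, and alert on the rest. The following is an added illustration of that procedure and is not code from ISO/IEC 20000-1 or from the UCF mapping. The monitored tree, its contents, the ticket number CHG-1042 and the requester name are constructed inside a temporary directory so that the example runs offline.

```python
"""File integrity monitoring checked against an approved-change register.

Added example, not part of the standard or the mapping. Everything under
the temporary directory (files, hashes, ticket CHG-1042, requester
"ops-team") is constructed for illustration.
"""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of every regular file under root (the baseline)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: Dict[str, str],
                    approved: Dict[str, dict]) -> List[dict]:
    """Diff the tree against the baseline and classify every difference.

    approved maps a relative path to {"sha256": hash the file must have after
    the change (None for an approved deletion), "ticket": ..., "requested_by": ...}.
    A change counts as authorized only if a record exists AND the new hash is the
    one that was approved: a tampered file with an open ticket still fails.
    """
    current = snapshot(root)
    detected_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old == new:
            continue
        change = "added" if old is None else "deleted" if new is None else "modified"
        approval = approved.get(rel)
        authorized = approval is not None and approval.get("sha256") == new
        findings.append({
            "path": rel, "change": change, "authorized": authorized,
            "old_sha256": old, "new_sha256": new, "detected_at": detected_at,
            # Attribution comes from the change record. The filesystem alone does
            # not say who wrote a file, so an unauthorized change stays "unknown"
            # until the host audit log is consulted.
            "changed_by": approval["requested_by"] if authorized else "unknown",
            "ticket": approval["ticket"] if authorized else None,
        })
    return findings


def unauthorized_alerts(findings: List[dict]) -> List[str]:
    """Paths whose change must be raised to interested personnel."""
    return [f["path"] for f in findings if not f["authorized"]]


def run_example() -> List[dict]:
    """Build a constructed tree, baseline it, apply one approved and two unapproved changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "bin", "lib"):
            (root / d).mkdir()
        (root / "etc" / "app.conf").write_bytes(b"listen=127.0.0.1:8443\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF-original-binary")
        baseline = snapshot(root)

        # Approved change: ticket CHG-1042 moves the listener and carries the expected hash.
        new_conf = b"listen=127.0.0.1:9443\n"
        approved = {"etc/app.conf": {"sha256": hashlib.sha256(new_conf).hexdigest(),
                                     "ticket": "CHG-1042", "requested_by": "ops-team"}}
        (root / "etc" / "app.conf").write_bytes(new_conf)
        # Unauthorized activity: the binary is replaced and a library is dropped in.
        (root / "bin" / "service").write_bytes(b"\x7fELF-trojaned-binary")
        (root / "lib" / "inject.so").write_bytes(b"\x7fELF-unexpected")
        return check_integrity(root, baseline, approved)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
    print("alert on:", unauthorized_alerts(run_example()))
```

Two practical caveats follow from this design: the baseline and the approved-change register must be stored and checked from a context the monitored host cannot write to (otherwise an attacker with root simply rebaselines), and the "who" in the change history is only as good as the change record or the host audit trail it is joined with.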
    Monitor and evaluate user account activity. CC ID 07066 Monitor and Evaluate Occurrences Detective
    Develop and maintain a usage profile for each user account. CC ID 07067 Technical Security Preventive
    Log account usage to determine dormant accounts. CC ID 12118 Log Management Detective
    Log account usage times. CC ID 07099 Log Management Detective
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitor and Evaluate Occurrences Detective
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitor and Evaluate Occurrences Detective
    Log account usage durations. CC ID 12117 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Communicate Detective
    Log Internet Protocol addresses used during logon. CC ID 07100 Log Management Detective
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitor and Evaluate Occurrences Detective
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 Communicate Detective
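The account-activity controls above (CC ID 07066 through 14243) together describe a detection procedure: build a usage profile per account from logged usage times, durations, hosts and logon IP addresses, then report daily on logons outside the profile's hours, sessions that grossly exceed the profile's duration, credentials used from a computer not in the profile, and accounts that have gone dormant. The following is an added illustration of that procedure and is not code from ISO/IEC 20000-1 or from the UCF mapping. The session records (user|host|src_ip|start|end), the users, hosts and addresses, and the thresholds (30 idle days for dormancy, twice the longest baseline session) are all constructed or assumed values.

```python
"""Per-account usage profiles and a daily exception report.

Added example, not part of the standard or the mapping. All session data
below is constructed; the dormancy window and the duration factor are
assumed values a practitioner would tune to their own environment.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed baseline sessions; in practice these are paired logon/logoff events.
BASELINE_LOG = """\
alice|WS-101|10.0.1.15|2024-03-04T08:55:00|2024-03-04T17:10:00
alice|WS-101|10.0.1.15|2024-03-05T09:02:00|2024-03-05T17:30:00
alice|WS-101|10.0.1.15|2024-03-06T08:40:00|2024-03-06T16:55:00
bob|WS-202|10.0.2.31|2024-03-04T08:10:00|2024-03-04T18:05:00
bob|WS-202|10.0.2.31|2024-03-05T09:15:00|2024-03-05T18:20:00
carol|WS-303|10.0.3.42|2024-01-10T08:00:00|2024-01-10T16:00:00
"""

# Constructed sessions for the day being reported on.
REPORT_DAY_LOG = """\
alice|WS-777|10.9.9.9|2024-03-15T02:30:00|2024-03-15T03:30:00
bob|WS-202|10.0.2.31|2024-03-15T09:00:00|2024-03-16T11:00:00
"""


@dataclass
class Session:
    user: str
    host: str
    src_ip: str
    start: datetime
    end: datetime

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


@dataclass
class Profile:
    hosts: Set[str] = field(default_factory=set)
    logon_hours: Set[int] = field(default_factory=set)  # hour-of-day of observed logons
    max_duration: timedelta = timedelta(0)
    last_seen: Optional[datetime] = None


def parse_sessions(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, host, ip, start, end = line.split("|")
        sessions.append(Session(user, host, ip,
                                datetime.fromisoformat(start),
                                datetime.fromisoformat(end)))
    return sessions


def build_profiles(sessions: List[Session]) -> Dict[str, Profile]:
    """Usage profile per account: hosts, logon hours, longest session, last activity."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for s in sessions:
        p = profiles[s.user]
        p.hosts.add(s.host)
        p.logon_hours.add(s.start.hour)
        p.max_duration = max(p.max_duration, s.duration)
        p.last_seen = s.end if p.last_seen is None else max(p.last_seen, s.end)
    return dict(profiles)


def daily_report(profiles: Dict[str, Profile], day_sessions: List[Session],
                 report_date: datetime, dormant_after: timedelta = timedelta(days=30),
                 duration_factor: float = 2.0) -> dict:
    """Compare one day's sessions with the profiles and list the exceptions."""
    report = {"off_hours": [], "excess_duration": [], "new_host": [],
              "dormant": [], "logon_ips": {}}
    seen_today = set()
    for s in day_sessions:
        # An unknown account gets an empty profile, so every attribute is an exception.
        p = profiles.get(s.user, Profile())
        seen_today.add(s.user)
        report["logon_ips"].setdefault(s.user, []).append(s.src_ip)  # IP used at logon
        if s.start.hour not in p.logon_hours:
            report["off_hours"].append((s.user, s.start.isoformat()))
        if p.max_duration and s.duration > p.max_duration * duration_factor:
            report["excess_duration"].append(
                (s.user, round(s.duration.total_seconds() / 3600, 1)))
        if s.host not in p.hosts:
            # Red flag: credentials used from a computer outside the profile.
            report["new_host"].append((s.user, s.host, s.src_ip))
    for user, p in profiles.items():
        if user not in seen_today and p.last_seen and report_date - p.last_seen > dormant_after:
            report["dormant"].append(user)
    report["dormant"].sort()
    return report


def run_example() -> dict:
    profiles = build_profiles(parse_sessions(BASELINE_LOG))
    return daily_report(profiles, parse_sessions(REPORT_DAY_LOG), datetime(2024, 3, 15))


if __name__ == "__main__":
    for key, rows in run_example().items():
        print(key, rows)
```

On the constructed data the report flags alice's 02:30 logon as off-hours and her session on WS-777 from 10.9.9.9 as a new host, bob's 26-hour session as grossly exceeding his profile, and carol as dormant. A profile built from a short baseline will over-report; in practice the baseline window is several weeks and the report is fed to the personnel named in the controls rather than acted on automatically.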
    Establish, implement, and maintain a service management monitoring and metrics program. CC ID 13916
    [At planned intervals, the organization shall: monitor and report on demand and consumption of services. § 8.4.2 ¶ 1(b)
    Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2]
    Establish/Maintain Documentation Preventive
    Communicate trends in service management to all interested personnel and affected parties. CC ID 13926
    [Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2]
    Communicate Preventive
    Monitor service availability when implementing the service management monitoring and metrics program. CC ID 13921
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3]
    Monitor and Evaluate Occurrences Detective
    Compare the performance metrics of service availability against their targets, as necessary. CC ID 13922
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3]
    Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671
    [The organization shall determine: when the monitoring and measuring shall be performed; § 9.1 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656 Establish/Maintain Documentation Preventive
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Actionable Reports or Measurements Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Actionable Reports or Measurements Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Actionable Reports or Measurements Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Actionable Reports or Measurements Detective
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Business Processes Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Audits and Risk Management Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f)]
    Monitor and Evaluate Occurrences Detective
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: § 10.1.1 ¶ 1(b)
    The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Business Processes Detective
    Determine the causes of compliance violations. CC ID 12401
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.1.1 ¶ 1(b)(1)
    When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.1.1 ¶ 1(b)(2)]
    Investigate Corrective
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Establish/Maintain Documentation Preventive
    Determine if multiple compliance violations of the same type could occur. CC ID 12402
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities exist, or could potentially occur; § 10.1.1 ¶ 1(b)(3)]
    Investigate Detective
    Correct compliance violations. CC ID 13515
    [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: § 10.1.1 ¶ 1(a)
    When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.1.1 ¶ 1(a)(1)
    When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: deal with the consequences; § 10.1.1 ¶ 1(a)(2)
    When a nonconformity occurs, the organization shall: implement any action needed; § 10.1.1 ¶ 1(c)]
    Process or Activity Corrective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403
    [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.1.1 ¶ 1(d)]
    Investigate Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404
    [Corrective actions shall be appropriate to the effects of the nonconformities encountered. § 10.1.1 ¶ 2]
    Human Resources Management Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Establish/Maintain Documentation Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Establish/Maintain Documentation Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Establish/Maintain Documentation Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Establish/Maintain Documentation Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Establish/Maintain Documentation Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Establish/Maintain Documentation Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Communicate Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Establish/Maintain Documentation Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Establish/Maintain Documentation Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Establish/Maintain Documentation Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Establish/Maintain Documentation Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Establish/Maintain Documentation Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Establish/Maintain Documentation Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Establish/Maintain Documentation Preventive
    Report on the policies and controls that have been implemented by management. CC ID 01670
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: reporting on implemented improvements. § 10.2 ¶ 3(e)]
    Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Establish/Maintain Documentation Preventive
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 Establish/Maintain Documentation Preventive
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Establish/Maintain Documentation Preventive
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Actionable Reports or Measurements Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: targets for service availability when the service continuity plan is invoked; § 8.7.2 ¶ 2(c)]
    Establish/Maintain Documentation Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Actionable Reports or Measurements Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Actionable Reports or Measurements Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Establish/Maintain Documentation Preventive
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Actionable Reports or Measurements Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Actionable Reports or Measurements Detective
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Actionable Reports or Measurements Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071
    [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2(a)]
    Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics standard and template. CC ID 02157 Establish/Maintain Documentation Preventive
    Convert data into standard units before reporting metrics. CC ID 15507 Process or Activity Corrective
    Monitor compliance with the Quality Control system. CC ID 01023 Actionable Reports or Measurements Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Actionable Reports or Measurements Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Establish/Maintain Documentation Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Actionable Reports or Measurements Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Actionable Reports or Measurements Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Establish/Maintain Documentation Preventive
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Actionable Reports or Measurements Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who have access to security software and are trained, authorized Security Administrators. CC ID 01691 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who are able to assign security privileges and are trained, authorized Security Administrators. CC ID 01692 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 Establish/Maintain Documentation Preventive
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Actionable Reports or Measurements Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Actionable Reports or Measurements Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Actionable Reports or Measurements Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Establish/Maintain Documentation Preventive
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Actionable Reports or Measurements Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042
    [The organization shall determine and document: risks related to: approach to be taken for the management of risks. § 6.1.2 ¶ 1(d)]
    Actionable Reports or Measurements Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Actionable Reports or Measurements Detective
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Establish/Maintain Documentation Preventive
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Actionable Reports or Measurements Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Business Processes Preventive
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Actionable Reports or Measurements Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Actionable Reports or Measurements Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Business Processes Preventive
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Actionable Reports or Measurements Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a physical environment metrics program. CC ID 02063 Business Processes Preventive
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Actionable Reports or Measurements Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Actionable Reports or Measurements Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a privacy metrics program. CC ID 15494 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain waste management metrics. CC ID 16152 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain emissions management metrics. CC ID 16145 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain financial management metrics. CC ID 16749 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Business Processes Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Actionable Reports or Measurements Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Business Processes Preventive
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Actionable Reports or Measurements Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Actionable Reports or Measurements Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Actionable Reports or Measurements Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Actionable Reports or Measurements Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Actionable Reports or Measurements Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Business Processes Preventive
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Actionable Reports or Measurements Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Actionable Reports or Measurements Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Actionable Reports or Measurements Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Actionable Reports or Measurements Detective
    Report on the percentage of systems where the authority to make configuration changes are limited. CC ID 02101 Actionable Reports or Measurements Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Log Management Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Log Management Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Log Management Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Log Management Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Business Processes Preventive
    Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before being granted network access. CC ID 02106 Actionable Reports or Measurements Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Actionable Reports or Measurements Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Actionable Reports or Measurements Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Business Processes Preventive
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Actionable Reports or Measurements Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Business Processes Preventive
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Actionable Reports or Measurements Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Actionable Reports or Measurements Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Actionable Reports or Measurements Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Business Processes Preventive
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Technical Security Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Actionable Reports or Measurements Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Business Processes Preventive
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Actionable Reports or Measurements Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Actionable Reports or Measurements Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Business Processes Preventive
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Actionable Reports or Measurements Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Actionable Reports or Measurements Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Business Processes Preventive
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Actionable Reports or Measurements Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Actionable Reports or Measurements Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Actionable Reports or Measurements Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Actionable Reports or Measurements Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Actionable Reports or Measurements Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Actionable Reports or Measurements Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Actionable Reports or Measurements Detective
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Communicate Preventive
    Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Establish/Maintain Documentation Preventive
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Actionable Reports or Measurements Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Actionable Reports or Measurements Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Actionable Reports or Measurements Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Actionable Reports or Measurements Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Actionable Reports or Measurements Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Actionable Reports or Measurements Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a log management program. CC ID 00673 Establish/Maintain Documentation Preventive
    Deploy log normalization tools, as necessary. CC ID 12141 Technical Security Preventive
    Restrict access to logs to authorized individuals. CC ID 01342 Log Management Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Technical Security Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Log Management Preventive
    Back up audit trails according to backup procedures. CC ID 11642 Systems Continuity Preventive
    Back up logs according to backup procedures. CC ID 01344 Log Management Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Log Management Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Log Management Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Log Management Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Log Management Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Log Management Preventive
    Protect logs from unauthorized activity. CC ID 01345 Log Management Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Log Management Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Log Management Preventive
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Configuration Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Log Management Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Establish/Maintain Documentation Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Audits and Risk Management Preventive
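The four host-coverage controls above (logs not stored anywhere, stored at the system level only, at the infrastructure level only, or where both are expected) are only verifiable if someone reconciles the asset inventory against what the central log infrastructure has actually received. The script below is an added example, not text from ISO/IEC 20000-1 or from this report: it classifies each inventoried host into those four categories, flags hosts that ship logs without being in the inventory, and treats a host whose newest record is older than a freshness window as "not being stored" at that level, since a dead forwarding agent otherwise looks exactly like a healthy one. The inventory, the local log mtimes, the collector record format and the 24-hour window are all assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption (not from the standard): a host whose newest log record is older
# than this window counts as "not being stored" at that level. Without it a
# silent agent is indistinguishable from a host that is still logging.
FRESHNESS_WINDOW = timedelta(hours=24)

ISO_Z = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text: str) -> datetime:
    """Parse a UTC timestamp such as 2024-03-10T08:59:12Z (constructed format)."""
    return datetime.strptime(text, ISO_Z).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class HostCoverage:
    host: str
    system_level: bool          # fresh log data exists on the host itself
    infrastructure_level: bool  # fresh records exist on the central collector

    @property
    def category(self) -> str:
        if self.system_level and self.infrastructure_level:
            return "both"
        if self.system_level:
            return "system-only"
        if self.infrastructure_level:
            return "infrastructure-only"
        return "not-stored"


def latest_collector_record(lines: list[str]) -> dict[str, datetime]:
    """Reduce raw collector lines ('<ts> <host> <message>') to the newest timestamp per host."""
    newest: dict[str, datetime] = {}
    for line in lines:
        ts_text, host, _message = line.split(" ", 2)
        ts = parse_ts(ts_text)
        if host not in newest or ts > newest[host]:
            newest[host] = ts
    return newest


def classify(inventory, local_last_write, collector_lines, now):
    """Return (coverage per inventoried host, hosts seen on the collector but not in inventory)."""
    newest = latest_collector_record(collector_lines)

    def fresh(ts):
        return ts is not None and now - ts <= FRESHNESS_WINDOW

    coverage = {
        host: HostCoverage(
            host=host,
            system_level=fresh(local_last_write.get(host)),
            infrastructure_level=fresh(newest.get(host)),
        )
        for host in inventory
    }
    # A host that ships logs but is not inventoried is its own finding: either the
    # inventory is stale or something unexpected is on the network.
    unknown = sorted(set(newest) - set(inventory))
    return coverage, unknown


def coverage_report(coverage):
    """Group hosts by category and compute the share whose logs reach the central infrastructure."""
    groups = {"both": [], "system-only": [], "infrastructure-only": [], "not-stored": []}
    for cov in coverage.values():
        groups[cov.category].append(cov.host)
    for hosts in groups.values():
        hosts.sort()
    centralised = len(groups["both"]) + len(groups["infrastructure-only"])
    pct = round(100.0 * centralised / len(coverage), 1) if coverage else 0.0
    return groups, pct


# Constructed sample data (hypothetical hosts and timestamps).
NOW = parse_ts("2024-03-10T09:00:00Z")
INVENTORY = ["web01", "web02", "db01", "bastion01", "legacy-app01"]

# Constructed: last write time of each host's local log store (absent = nothing kept locally).
LOCAL_LAST_WRITE = {
    "web01": parse_ts("2024-03-10T08:58:40Z"),
    "web02": parse_ts("2024-03-10T08:57:02Z"),
    "db01": parse_ts("2024-03-10T08:59:30Z"),
}

# Constructed collector records: "<timestamp> <host> <message>".
COLLECTOR_LINES = [
    "2024-03-10T08:59:12Z web01 sshd[1203]: Accepted publickey for deploy from 10.0.4.7",
    "2024-03-07T02:10:44Z web02 rsyslogd: action 'fwd' suspended (agent died after this)",
    "2024-03-10T08:58:01Z bastion01 sshd[88]: Failed password for invalid user admin",
    "2024-03-10T08:40:00Z rogue-host cron[41]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    cov, unknown = classify(INVENTORY, LOCAL_LAST_WRITE, COLLECTOR_LINES, NOW)
    groups, pct = coverage_report(cov)
    for category, hosts in groups.items():
        print(f"{category:20s} {', '.join(hosts) or '-'}")
    print(f"unknown-to-inventory {', '.join(unknown) or '-'}")
    print(f"{pct}% of inventoried hosts reach the central log infrastructure")
```

In this constructed data web02 lands in "system-only" even though the collector has heard from it, because its last record is three days old; that is the case a plain "have we ever seen this host" query misses. The "unknown" list is worth treating as a finding in its own right rather than noise.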
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1)
    The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3]
    Monitor and Evaluate Occurrences Detective
    Align corrective actions with the level of environmental impact. CC ID 15193 Business Processes Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Establish/Maintain Documentation Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Establish/Maintain Documentation Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Establish/Maintain Documentation Preventive
    Include monitoring in the corrective action plan. CC ID 11645 Monitor and Evaluate Occurrences Detective
  • Operational and Systems Continuity
    109
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732 Establish/Maintain Documentation Preventive
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1]
    Systems Continuity Detective
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: § 8.7.2 ¶ 2
    At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Establish/Maintain Documentation Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Communicate Corrective
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)]
    Systems Continuity Corrective
    Identify all stakeholders in the continuity plan. CC ID 13256 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Communicate Preventive
    Maintain normal security levels when an emergency occurs. CC ID 06377 Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Systems Continuity Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Establish/Maintain Documentation Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Human Resources Management Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Establish/Maintain Documentation Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Human Resources Management Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Systems Continuity Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Configuration Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Establish/Maintain Documentation Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Behavior Preventive
    Restore systems and environments to be operational. CC ID 13476 Systems Continuity Corrective
    Include the continuity strategy in the continuity plan. CC ID 13189 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)]
    Establish/Maintain Documentation Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037
    [The organization shall report on the cause, impact and recovery when the service continuity plan(s) has been invoked. § 8.7.2 ¶ 5]
    Establish/Maintain Documentation Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Technical Security Preventive
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Process or Activity Preventive
    Monitor and evaluate business continuity management system performance. CC ID 12410 Monitor and Evaluate Occurrences Detective
    Record business continuity management system performance for posterity. CC ID 12411 Monitor and Evaluate Occurrences Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Establish/Maintain Documentation Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Establish/Maintain Documentation Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Establish Roles Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Establish/Maintain Documentation Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Communicate Preventive
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Establish/Maintain Documentation Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Configuration Preventive
    Install a generator sized to support the facility. CC ID 06709 Configuration Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Acquisition/Sale of Assets or Services Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: service recovery requirements; § 8.7.2 ¶ 2(d)]
    Establish/Maintain Documentation Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Establish/Maintain Documentation Preventive
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Testing Detective
    Establish, implement, and maintain damage assessment procedures. CC ID 01267
    [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Establish/Maintain Documentation Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Test the backup information, as necessary. CC ID 13303 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Communicate Preventive
    Include restoration procedures in the continuity plan. CC ID 01169
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures to be implemented in the event of a major loss of service; § 8.7.2 ¶ 2(b)
    The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures for returning to normal working conditions. § 8.7.2 ¶ 2(e)]
    Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Systems Continuity Corrective
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Establish/Maintain Documentation Preventive
    Define and prioritize critical business functions. CC ID 00736
    [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2]
    Establish/Maintain Documentation Detective
    Review and prioritize the importance of each business unit. CC ID 01165 Systems Continuity Preventive
    Review and prioritize the importance of each business process. CC ID 11689 Establish/Maintain Documentation Preventive
    Document the mean time to failure for system components. CC ID 10684 Systems Continuity Preventive
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Audits and Risk Management Preventive
    Include emergency communications procedures in the continuity plan. CC ID 00750
    [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 Establish/Maintain Documentation Preventive
    Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 Systems Continuity Preventive
    Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 Establish/Maintain Documentation Preventive
    Log important conversations conducted during emergencies with third parties. CC ID 12763 Log Management Preventive
    Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 Communicate Preventive
    Identify who can speak to the media in the emergency communications procedures. CC ID 12761 Communicate Corrective
    Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 Establish/Maintain Documentation Preventive
    Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171
    [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3]
    Establish/Maintain Documentation Preventive
    Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 Systems Continuity Preventive
    Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745 Establish/Maintain Documentation Preventive
    Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893
    [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 Testing Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Testing Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Testing Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Testing Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Testing Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 Testing Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Testing Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Testing Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082 Testing Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Testing Preventive
    Test the continuity plan at the alternate facility. CC ID 01174 Testing Detective
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Establish/Maintain Documentation Preventive
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Testing Preventive
    Review all third party's continuity plan test results. CC ID 01365 Testing Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Testing Detective
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Actionable Reports or Measurements Preventive
    Approve the continuity plan test results. CC ID 15718 Systems Continuity Preventive
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Testing Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Testing Detective
  • Operational management
    442
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a capacity management plan. CC ID 11751
    [The organization shall plan capacity to include: timescales and thresholds for changes to service capacity. § 8.4.3 ¶ 2(c)
    At planned intervals, the organization shall: determine current demand and forecast future demand for services; § 8.4.2 ¶ 1(a)
    {service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2
    The organization shall plan capacity to include: current and forecast capacity based on demand for services; § 8.4.3 ¶ 2(a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a capacity planning baseline. CC ID 13492
    [{service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 Business Processes Preventive
    Align critical Information Technology resource availability planning with capacity planning. CC ID 01618
    [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)]
    Business Processes Preventive
    Limit any effects of a Denial of Service attack. CC ID 06754 Technical Security Preventive
    Implement network redundancy, as necessary. CC ID 13048 Systems Continuity Preventive
    Forecast system workloads. CC ID 00938 Testing Detective
    Establish, implement, and maintain workload forecasting tools. CC ID 00936 Systems Design, Build, and Implementation Preventive
    Utilize resource capacity management controls. CC ID 00939 Testing Detective
    Perform system capacity testing. CC ID 01616 Testing Detective
    Perform system performance reviews. CC ID 11866 Testing Detective
    Follow the resource workload schedule. CC ID 00941 Business Processes Detective
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a positive information control environment. CC ID 00813
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: § 5.1 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that what constitutes value for the organization and its customers is determined; § 5.1 ¶ 1(d)]
    Business Processes Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Behavior Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820 Establish/Maintain Documentation Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [Where service level targets are not met, the organization shall identify opportunities for improvement. § 8.3.3 ¶ 4
    At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3
    The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3
    The management review shall include consideration of: opportunities for continual improvement; § 9.3 ¶ 2(d)]
    Establish/Maintain Documentation Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745
    [Information security incidents shall be: escalated if needed; § 8.7.3.3 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740
    [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include business processes in the information security policy. CC ID 16326 Establish/Maintain Documentation Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Establish/Maintain Documentation Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Establish/Maintain Documentation Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Include notification procedures in the information security policy. CC ID 16842 Establish/Maintain Documentation Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1]
    Process or Activity Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Business Processes Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Communicate Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
[The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: § 8.7.3.1 ¶ 2
The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: the organization; § 8.7.3.1 ¶ 2(a)
The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: customers and users; § 8.7.3.1 ¶ 2(b)
The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: external suppliers, internal suppliers and other interested parties. § 8.7.3.1 ¶ 2(c)]
    Communicate Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818
    [implementing control of the processes in accordance with the established performance criteria; § 8.1 ¶ 1(b)]
    Business Processes Preventive
    Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 Process or Activity Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Process or Activity Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 Process or Activity Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Process or Activity Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Process or Activity Preventive
    Analyze the organizational culture. CC ID 12899 Process or Activity Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Process or Activity Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Process or Activity Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Process or Activity Detective
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Behavior Preventive
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Business Processes Preventive
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Business Processes Preventive
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Business Processes Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Behavior Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Behavior Preventive
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Business Processes Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Behavior Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Behavior Preventive
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Process or Activity Corrective
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Communicate Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004 Business Processes Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 Behavior Preventive
    Establish, implement, and maintain a Service Management System. CC ID 13889
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the SMS achieves its intended outcome(s); § 5.1 ¶ 1(i)
    When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: making changes to the SMS, if necessary; § 10.2 ¶ 3(c)
    When a nonconformity occurs, the organization shall: make changes to the SMS, if necessary. § 10.1.1 ¶ 1(e)
    The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1]
    Business Processes Preventive
    Establish and maintain a scope statement for the Service Management System. CC ID 13890
    [The organization shall determine: the relevant requirements of these interested parties. § 4.2 ¶ 1(b)
    When planning how to achieve its service management objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1(a)
    The documented information for the SMS shall include: scope of the SMS; § 7.5.4 ¶ 1(a)
{service management system} When determining this scope, the organization shall consider: the requirements referred to in 4.2; § 4.3 ¶ 2(b)
    {service management system} When determining this scope, the organization shall consider: the services delivered by the organization. § 4.3 ¶ 2(c)
    The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4
    The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c)
    The organization's SMS shall include: documented information determined by the organization as being necessary for the effectiveness of the SMS. § 7.5.1 ¶ 1(b)
    The organization's SMS shall include: documented information required by this document; § 7.5.1 ¶ 1(a)
    The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include the organization's name in the scope statement for the Service Management System. CC ID 13913
    [The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a service management program. CC ID 11388
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    The service management policy shall: be available as documented information; § 5.2.2 ¶ 1(a)
    Other planning activities shall maintain alignment with the service management plan. § 6.3 ¶ 3
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    When planning how to achieve its service management objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1(d)
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be updated as appropriate. § 6.2.1 ¶ 1(f)
    The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5
    At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3
    Top management shall review the organization's SMS and the services, at planned intervals, to ensure their continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1
    The organization shall determine: what needs to be monitored and measured for the SMS and the services; § 9.1 ¶ 1(a)
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Communicate the service management program to interested personnel and affected parties. CC ID 13904
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)
    The service management policy shall: be communicated within the organization; § 5.2.2 ¶ 1(b)
    The service management policy shall: be available to interested parties, as appropriate. § 5.2.2 ¶ 1(c)
The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be communicated; § 6.2.1 ¶ 1(e)
    Persons doing work under the organization's control shall be aware of: the service management policy; § 7.3 ¶ 1(a)
    The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4]
    Communicate Preventive
    Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927
    [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7]
    Communicate Preventive
    Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924
    [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7]
    Communicate Preventive
    Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909
    [Persons doing work under the organization's control shall be aware of: the implications of not conforming with the SMS requirements. § 7.3 ¶ 1(e)]
    Communicate Preventive
    Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908
    [Persons doing work under the organization's control shall be aware of: their contribution to the effectiveness of the SMS, including the benefits of improved performance; § 7.3 ¶ 1(d)]
    Communicate Preventive
    Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)]
    Communicate Preventive
    Include a service management plan in the service management program. CC ID 13902
    [The documented information for the SMS shall include: service management plan; § 7.5.4 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Include the information security policy in the service management program. CC ID 13925
    [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Include the change management policy in the service management program. CC ID 13923
    [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Include the service management objectives in the service management program. CC ID 11389
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a)
    Top management shall establish a service management policy that: provides a framework for setting service management objectives; § 5.2.1 ¶ 1(b)
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be consistent with the service management policy; § 6.2.1 ¶ 1(a)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
{organization level} The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: § 6.2.1 ¶ 1
    The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b)
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: intended outcomes from delivering the new or changed services, expressed in measurable terms; § 8.5.2.1 ¶ 1(g)
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include the service requirements in the service management program. CC ID 11390
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    Top management shall establish a service management policy that: includes a commitment to satisfy applicable requirements; § 5.2.1 ¶ 1(c)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: take into account applicable requirements; § 6.2.1 ¶ 1(c)
    The documented information for the SMS shall include: service requirements; § 7.5.4 ¶ 1(f)
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    The service requirements for existing services, new services and changes to services shall be determined and documented. § 8.2.2 ¶ 1
{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: dependencies on other services; § 8.5.2.1 ¶ 1(d)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: § 8.5.2.1 ¶ 1
{service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include known limitations in the service management program. CC ID 11391
[The organization shall determine the boundaries and applicability of the SMS to establish its scope. § 4.3 ¶ 1
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    The service management plan shall include or contain a reference to: known limitations that can impact the SMS and the services; § 6.3 ¶ 2(b)
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include service management policies in the service management program. CC ID 11392
    [Top management shall establish a service management policy that: § 5.2.1 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b)
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c)
    Top management shall establish a service management policy that: is appropriate to the purpose of the organization; § 5.2.1 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Assign roles and responsibilities in the service management program. CC ID 11393
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: directing and supporting persons to contribute to the effectiveness of the SMS and the services; § 5.1 ¶ 1(j)
    Top management shall assign the responsibility and authority for: ensuring that the SMS conforms to the requirement of this document; § 5.3 ¶ 2(a)
    Top management shall assign the responsibility and authority for: reporting on the performance of the SMS and the services to top management. § 5.3 ¶ 2(b)
{responsible party} When planning how to achieve its service management objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1(c)
The organization shall retain accountability for the requirements specified in this document and the delivery of the services regardless of which party is involved in performing activities to support the service lifecycle. § 8.2.3.1 ¶ 1
    Top management shall ensure that the responsibilities and authorities for roles relevant to the SMS and the services are assigned and communicated within the organization. § 5.3 ¶ 1
The service management plan shall include or contain a reference to: authorities and responsibilities for the SMS and the services § 6.3 ¶ 2(d)
    Persons doing work under the organization's control shall be aware of: the service management objectives; § 7.3 ¶ 1(b)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: authorities and responsibilities for design, build and transition activities; § 8.5.2.1 ¶ 1(a)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: activities to be performed by the organization or other parties with their timescales; § 8.5.2.1 ¶ 1(b)
{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: authorities and responsibilities of the parties involved in the delivery of the new or changed services; § 8.5.2.2 ¶ 1(a)
    The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include all resources needed to achieve the objectives in the service management program. CC ID 11394
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the resources needed for the SMS and the services are available; § 5.1 ¶ 1(g)
    When planning how to achieve its service management objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1(b)
{necessary resource} The organization shall determine and provide the human, technical, information and financial resources needed for the establishment, implementation, maintenance and continual improvement of the SMS and the operation of the services to meet the service requirements and achieve the service management objectives. § 7.1 ¶ 1
    The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1
    {new service}{manpower}{technical resource}{information resource} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: human, technical, information and financial resources; § 8.5.2.1 ¶ 1(c)
    {manpower}{technical resource}{information resource}The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for changes to human, technical, information and financial resources; § 8.5.2.2 ¶ 1(b)
    {manpower}{technical resource}{information resource}{service requirement} The capacity requirements for human, technical, information and financial resources shall be determined, documented and maintained taking into consideration the service and performance requirements. § 8.4.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include supply chain management procedures in the service management program. CC ID 11395
    [The organization shall ensure that outsourced processes are controlled (see 8.2.3). § 8.1 ¶ 3
    Other parties shall not provide or operate all services, service components or processes within the scope of the SMS. § 8.2.3.1 ¶ 3
    The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5]
    Establish/Maintain Documentation Preventive
    Include service management procedures in the service management program. CC ID 11396
    [The documented information for the SMS shall include: processes of the organization's SMS; § 7.5.4 ¶ 1(e)
    {new service} Release and deployment management shall be used to deploy approved new or changed services into the live environment. § 8.5.2.3 ¶ 2
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: testing needed for the new or changed services; § 8.5.2.1 ¶ 1(e)
    The organization shall use service design and transition in 8.5.2 for: removal of a service; § 8.5.1.2 ¶ 2(d)
    For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2
    The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from the organization to a customer or other party; § 8.5.1.2 ¶ 2(e)
    The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from a customer or other party to the organization. § 8.5.1.2 ¶ 2(f)]
    Establish/Maintain Documentation Preventive
    Include risk procedures in the service management program. CC ID 11397
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    {risk management activity}The organization shall plan: how to: integrate and implement the actions into its SMS processes; § 6.1.3 ¶ 1(b)(1)
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: impact on other services; § 8.5.2.2 ¶ 1(f)
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include continuity plans in the Service Management program. CC ID 13919
    [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Include all technologies used to support service management in the service management program. CC ID 11398
    [The service management plan shall include or contain a reference to: technology used to support the SMS; § 6.3 ¶ 2(g)
    {necessary resource} The service management plan shall include or contain a reference to: human, technical, information and financial resources necessary to operate the SMS and the services; § 6.3 ¶ 2(e)]
    Establish/Maintain Documentation Preventive
    Include auditing and improving service management procedures in the service management program. CC ID 11399
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: give assurance that the SMS can achieve its intended outcome(s); § 6.1.1 ¶ 1(a)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: promoting continual improvement of the SMS and the services; § 5.1 ¶ 1(k)
    Top management shall establish a service management policy that: includes a commitment to continual improvement of the SMS and the services. § 5.2.1 ¶ 1(d)
    When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: achieve continual improvement of the SMS and the services. § 6.1.1 ¶ 1(c)
    When planning how to achieve its service management objectives, the organization shall determine: how the results will be evaluated. § 6.2.2 ¶ 1(e)
    {continuous basis} The organization shall continually improve the suitability, adequacy and effectiveness of the SMS and the services. § 10.2 ¶ 1
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459 Communicate Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    {external obligation} /* section 6.3 c. refers to external obligations */ The organization shall ensure that assets used to deliver services are managed to meet the service requirements and the obligations in 6.3 c). § 8.2.5 ¶ 1]
    Business Processes Preventive
    Establish, implement, and maintain an asset management policy. CC ID 15219 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the asset management policy. CC ID 16424 Business Processes Preventive
    Establish, implement, and maintain asset management procedures. CC ID 16748 Establish/Maintain Documentation Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Human Resources Management Preventive
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Business Processes Preventive
    Include life cycle requirements in the security management program. CC ID 16392 Establish/Maintain Documentation Preventive
    Include program objectives in the asset management program. CC ID 14413 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Establish/Maintain Documentation Preventive
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Business Processes Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Establish/Maintain Documentation Preventive
    Define confidentiality controls. CC ID 01908 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Establish/Maintain Documentation Preventive
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Process or Activity Preventive
    Define integrity controls. CC ID 01909 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Establish/Maintain Documentation Preventive
    Define availability controls. CC ID 01911 Establish/Maintain Documentation Preventive
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Communicate Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Establish Roles Preventive
    Classify virtual systems by type and purpose. CC ID 16332 Business Processes Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Establish/Maintain Documentation Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Establish Roles Preventive
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Configuration Preventive
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631 Business Processes Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Establish/Maintain Documentation Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Establish/Maintain Documentation Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Systems Design, Build, and Implementation Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Data and Information Management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Establish/Maintain Documentation Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Establish/Maintain Documentation Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Establish/Maintain Documentation Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Establish/Maintain Documentation Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Establish/Maintain Documentation Preventive
    Conduct environmental surveys. CC ID 00690 Physical and Environmental Protection Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Establish/Maintain Documentation Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Establish/Maintain Documentation Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Establish/Maintain Documentation Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Process or Activity Preventive
    Include software in the Information Technology inventory. CC ID 00692 Establish/Maintain Documentation Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Establish/Maintain Documentation Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Establish/Maintain Documentation Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Establish/Maintain Documentation Preventive
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Monitor and Evaluate Occurrences Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Monitor and Evaluate Occurrences Corrective
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Establish/Maintain Documentation Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Technical Security Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Technical Security Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Data and Information Management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Establish/Maintain Documentation Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Data and Information Management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Data and Information Management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Establish/Maintain Documentation Preventive
    Include source code in the asset inventory. CC ID 14858 Records Management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Human Resources Management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Technical Security Detective
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Establish/Maintain Documentation Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Data and Information Management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Establish/Maintain Documentation Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Establish/Maintain Documentation Preventive
    Record the software version in the asset inventory. CC ID 12196 Establish/Maintain Documentation Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Establish/Maintain Documentation Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Establish/Maintain Documentation Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Establish/Maintain Documentation Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Establish/Maintain Documentation Preventive
    Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 Establish/Maintain Documentation Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Establish/Maintain Documentation Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Establish/Maintain Documentation Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Establish/Maintain Documentation Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Establish/Maintain Documentation Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Data and Information Management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Establish/Maintain Documentation Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Data and Information Management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Establish/Maintain Documentation Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Establish/Maintain Documentation Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Establish/Maintain Documentation Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Establish/Maintain Documentation Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Establish/Maintain Documentation Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Establish/Maintain Documentation Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Establish/Maintain Documentation Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Data and Information Management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Data and Information Management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Establish/Maintain Documentation Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Establish/Maintain Documentation Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Establish/Maintain Documentation Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Establish/Maintain Documentation Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Establish/Maintain Documentation Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Establish/Maintain Documentation Preventive
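    The DHCP-logging control above (CC ID 12110) and the discrepancy controls (CC IDs 07052 and 07053) describe a detection technique rather than a document, so here is an added example of it in Python. This is not code from ISO/IEC 20000-1 or from this report: the log lines follow the syslog output of ISC dhcpd (`DHCPACK on <ip> to <mac> (<hostname>) via <iface>`), and both the log lines and the `INVENTORY` dictionary are constructed sample data. The script keys the inventory by MAC address, ignores lease renewals it has already seen, and reports two kinds of discrepancy: a MAC that is not in the inventory at all, and a known MAC that presents a hostname different from the one recorded.

```python
"""Reconcile DHCP server log lines against an asset inventory.

Added example, not part of ISO/IEC 20000-1 or this report. Log format is
ISC dhcpd syslog output; INVENTORY and SAMPLE_LOG are constructed data.
"""
import re
from dataclasses import dataclass

# Matches only DHCPACK lines (a lease actually granted); the hostname in
# parentheses is optional because some clients send none.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str       # normalised to lower-case
    hostname: str  # "" when the client sent no hostname


def parse_dhcp_log(lines):
    """Return one Lease per DHCPACK line; DISCOVER/OFFER/REQUEST lines are skipped."""
    leases = []
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def reconcile(leases, inventory):
    """Compare leases with the inventory (dict keyed by lower-case MAC).

    Returns (unknown, mismatched): Leases whose MAC is absent from the
    inventory, and (Lease, recorded_hostname) pairs where a known MAC
    announced a different hostname. Each MAC is reported at most once.
    """
    unknown, mismatched, seen = [], [], set()
    for lease in leases:
        if lease.mac in seen:
            continue  # lease renewal of a device already examined
        seen.add(lease.mac)
        record = inventory.get(lease.mac)
        if record is None:
            unknown.append(lease)
        elif lease.hostname and record["hostname"].lower() != lease.hostname.lower():
            mismatched.append((lease, record["hostname"]))
    return unknown, mismatched


# Constructed inventory: three registered devices.
INVENTORY = {
    "3c:52:82:aa:bb:01": {"hostname": "ws-0423", "owner": "finance"},
    "00:1b:21:cc:dd:02": {"hostname": "prn-lobby", "owner": "facilities"},
    "b8:27:eb:00:11:22": {"hostname": "sensor-07", "owner": "facilities"},
}

# Constructed dhcpd syslog excerpt.
SAMPLE_LOG = [
    "Mar  3 10:14:02 dhcp1 dhcpd[812]: DHCPDISCOVER from 3c:52:82:aa:bb:01 via eth0",
    "Mar  3 10:14:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.23 to 3c:52:82:aa:bb:01 (ws-0423) via eth0",
    "Mar  3 10:15:40 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.77 to f4:5c:89:12:34:56 (android-9f2a) via eth0",
    "Mar  3 10:16:05 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.40 to 00:1B:21:CC:DD:02 (PRN-LOBBY) via eth0",
    "Mar  3 10:20:11 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.23 to 3c:52:82:aa:bb:01 (ws-0423) via eth0",
    "Mar  3 10:22:00 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.55 to b8:27:eb:00:11:22 (kali) via eth0",
]


def report(lines=SAMPLE_LOG, inventory=INVENTORY):
    """Run the reconciliation and return a plain dict suitable for a ticket or SIEM event."""
    unknown, mismatched = reconcile(parse_dhcp_log(lines), inventory)
    return {
        "unknown_devices": [(l.mac, l.ip, l.hostname) for l in unknown],
        "hostname_mismatches": [(l.mac, l.ip, l.hostname, recorded) for l, recorded in mismatched],
    }


if __name__ == "__main__":
    for kind, rows in report().items():
        print(kind)
        for row in rows:
            print("  ", *row)
```

Two caveats a practitioner should keep in mind: DHCP logs only show devices that requested a lease, so statically addressed hosts never appear and need a separate discovery source (switch MAC tables, ARP, or an active scan), and a MAC address is trivially spoofed, so an "unknown device" finding is a lead for investigation rather than proof of a rogue host, and a matching MAC is not proof of a legitimate one.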
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Establish/Maintain Documentation Preventive
    Prevent users from disabling required software. CC ID 16417 Technical Security Preventive
    Establish, implement, and maintain software archives procedures. CC ID 00866 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software license management procedures. CC ID 06639 Establish/Maintain Documentation Preventive
    Automate software license monitoring, as necessary. CC ID 07057 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Establish/Maintain Documentation Preventive
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Testing Detective
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Behavior Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Data and Information Management Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Acquisition/Sale of Assets or Services Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Establish/Maintain Documentation Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system disposal program. CC ID 14431 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain disposal procedures. CC ID 16513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Establish/Maintain Documentation Preventive
    Destroy systems in accordance with the system disposal program. CC ID 16457 Business Processes Preventive
    Approve the release of systems and waste material into the public domain. CC ID 16461 Business Processes Preventive
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Establish/Maintain Documentation Preventive
    Establish and maintain maintenance reports. CC ID 11749 Establish/Maintain Documentation Preventive
    Establish and maintain system inspection reports. CC ID 06346 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Establish/Maintain Documentation Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Establish/Maintain Documentation Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Establish/Maintain Documentation Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Communicate Preventive
    Include the purpose in the system maintenance policy. CC ID 14187 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Communicate Preventive
    Establish, implement, and maintain a technology refresh plan. CC ID 13061 Establish/Maintain Documentation Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Physical and Environmental Protection Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Behavior Preventive
    Use system components only when third party support is available. CC ID 10644 Maintenance Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Maintenance Preventive
    Control and monitor all maintenance tools. CC ID 01432 Physical and Environmental Protection Detective
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Business Processes Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433 Technical Security Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Configuration Preventive
    Approve all remote maintenance sessions. CC ID 10615 Technical Security Preventive
    Log the performance of all remote maintenance. CC ID 13202 Log Management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Technical Security Preventive
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Maintenance Preventive
    Conduct maintenance with authorized personnel. CC ID 01434 Testing Detective
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Maintenance Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Maintenance Preventive
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Behavior Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Establish/Maintain Documentation Preventive
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Acquisition/Sale of Assets or Services Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435 Behavior Preventive
    Restart systems on a periodic basis. CC ID 16498 Maintenance Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Maintenance Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Technical Security Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Technical Security Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Human Resources Management Preventive
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Physical and Environmental Protection Preventive
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Testing Detective
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Establish/Maintain Documentation Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Process or Activity Preventive
    Refrain from protecting physical assets when no longer required. CC ID 13484 Physical and Environmental Protection Corrective
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Business Processes Preventive
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Establish/Maintain Documentation Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278 Business Processes Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Business Processes Preventive
    Establish, implement, and maintain disposal contracts. CC ID 12199 Establish/Maintain Documentation Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Establish/Maintain Documentation Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Business Processes Preventive
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Establish/Maintain Documentation Preventive
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Testing Detective
    Review each system's operational readiness. CC ID 06275 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a data stewardship policy. CC ID 06657 Establish/Maintain Documentation Preventive
    Establish and maintain an unauthorized software list. CC ID 10601 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Assign roles and responsibilities in the customer service program. CC ID 13911
    [The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1]
    Human Resources Management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include incident escalation procedures in the Incident Management program. CC ID 00856
    [Incidents shall be: escalated if needed; § 8.6.1 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Define the characteristics of the Incident Management program. CC ID 00855 Establish/Maintain Documentation Preventive
    Include the criteria for an incident in the Incident Management program. CC ID 12173
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include detection procedures in the Incident Management program. CC ID 00588 Establish/Maintain Documentation Preventive
    Categorize the incident following an incident response. CC ID 13208
    [{document} Information security incidents shall be: recorded and classified; § 8.7.3.3 ¶ 1(a)
    The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2
    The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3
    Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)]
    Technical Security Preventive
    Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 Establish/Maintain Documentation Preventive
    Determine the incident severity level when assessing the security incidents. CC ID 01650
    [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2]
    Monitor and Evaluate Occurrences Corrective
    Respond to and triage when an incident is detected. CC ID 06942
    [Information security incidents shall be: prioritized taking into consideration the information security risk; § 8.7.3.3 ¶ 1(b)
    Incidents shall be: prioritized taking into consideration impact and urgency; § 8.6.1 ¶ 1(b)
    Problems shall be: prioritized; § 8.6.3 ¶ 2(b)]
    Monitor and Evaluate Occurrences Detective
    Document the incident and any relevant evidence in the incident report. CC ID 08659
    [Incidents shall be: recorded and classified; § 8.6.1 ¶ 1(a)
    The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3
    Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)]
    Establish/Maintain Documentation Detective
    Escalate incidents, as necessary. CC ID 14861
    [Problems shall be: escalated if needed; § 8.6.3 ¶ 2(c)]
    Monitor and Evaluate Occurrences Corrective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Process or Activity Corrective
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Behavior Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Process or Activity Corrective
    Share incident information with interested personnel and affected parties. CC ID 01212
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Data and Information Management Corrective
    Share data loss event information with the media. CC ID 01759 Behavior Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Data and Information Management Preventive
    Share data loss event information with interconnected system owners. CC ID 01209 Establish/Maintain Documentation Corrective
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Communicate Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Communicate Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Establish/Maintain Documentation Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Data and Information Management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Log Management Detective
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Communicate Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Communicate Preventive
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Behavior Corrective
    Include incident management procedures in the Incident Management program. CC ID 12689
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain incident management audit logs. CC ID 13514
    [Records of incidents shall be updated with actions taken. § 8.6.1 ¶ 2]
    Records Management Preventive
    Log incidents in the Incident Management audit log. CC ID 00857 Establish/Maintain Documentation Preventive
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Log Management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Establish/Maintain Documentation Preventive
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Log Management Corrective
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Log Management Preventive
    Include incident record closure procedures in the Incident Management program. CC ID 01620
    [Information security incidents shall be: closed. § 8.7.3.3 ¶ 1(e)
    Problems shall be: closed. § 8.6.3 ¶ 2(e)
    Incidents shall be: closed. § 8.6.1 ¶ 1(e)]
    Establish/Maintain Documentation Preventive
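The incident handling requirements cited above (§ 8.6.1 ¶ 1 a-e, § 8.6.1 ¶ 2-3 and § 8.7.3.3 ¶ 1) describe an ordered lifecycle: an incident is recorded and classified, prioritized from impact and urgency (or from information security risk), escalated if needed, resolved and closed, with the record updated at each action and major incidents owned, reported to top management and reviewed. The following model, added here as an illustration and not taken from ISO/IEC 20000-1 or from this report, enforces that ordering in a ticketing integration. The priority matrix, the major-incident criteria (P1 or 500 or more users affected), the one-step priority uplift for security incidents and the role names are assumptions chosen for the example; the standard only requires that such criteria exist.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    RECORDED = "recorded"
    PRIORITIZED = "prioritized"
    ESCALATED = "escalated"
    RESOLVED = "resolved"
    CLOSED = "closed"


# Transitions that § 8.6.1 ¶ 1 (a)-(e) describe; escalation is optional ("if needed").
ALLOWED = {
    State.RECORDED: {State.PRIORITIZED},
    State.PRIORITIZED: {State.ESCALATED, State.RESOLVED},
    State.ESCALATED: {State.RESOLVED},
    State.RESOLVED: {State.CLOSED},
    State.CLOSED: set(),
}

# Assumed priority matrix (impact, urgency) -> P1..P5. The standard only says
# "taking into consideration impact and urgency"; these values are ours.
PRIORITY = {
    ("high", "high"): 1, ("high", "medium"): 2, ("medium", "high"): 2,
    ("high", "low"): 3, ("medium", "medium"): 3, ("low", "high"): 3,
    ("medium", "low"): 4, ("low", "medium"): 4, ("low", "low"): 5,
}

# Assumed major-incident criteria; § 8.6.1 ¶ 3 requires criteria, not these ones.
MAJOR_PRIORITY = 1
MAJOR_USERS = 500


class IncidentError(Exception):
    pass


@dataclass
class Incident:
    ident: str
    impact: str
    urgency: str
    users_affected: int = 0
    security_incident: bool = False
    state: State = State.RECORDED
    priority: int | None = None
    major: bool = False
    owner: str | None = None
    actions: list[str] = field(default_factory=list)  # actions taken, § 8.6.1 ¶ 2

    def _move(self, new: State, note: str) -> None:
        if new not in ALLOWED[self.state]:
            raise IncidentError(f"{self.ident}: {self.state.value} -> {new.value} not allowed")
        self.state = new
        self.actions.append(f"{new.value}: {note}")

    def prioritize(self) -> int:
        # § 8.6.1 ¶ 1(b): impact and urgency; § 8.7.3.3 ¶ 1(b): security risk raises priority.
        p = PRIORITY[(self.impact, self.urgency)]
        if self.security_incident:
            p = max(1, p - 1)
        self.priority = p
        self.major = p <= MAJOR_PRIORITY or self.users_affected >= MAJOR_USERS
        self._move(State.PRIORITIZED, f"P{p}, major={self.major}")
        return p

    def escalate(self, owner: str) -> None:
        # § 8.6.1 ¶ 3: a major incident gets a responsible owner; top management is informed.
        self.owner = owner
        note = f"owner={owner}" + ("; top management informed" if self.major else "")
        self._move(State.ESCALATED, note)

    def resolve(self, fix: str) -> None:
        if self.major and self.state is not State.ESCALATED:
            raise IncidentError(f"{self.ident}: major incident must be escalated before resolution")
        self._move(State.RESOLVED, fix)

    def close(self, review: str = "") -> None:
        # § 8.6.1 ¶ 3: a major incident is reported and reviewed after resolution, before closure.
        if self.major and not review:
            raise IncidentError(f"{self.ident}: major incident needs a post-incident review")
        self._move(State.CLOSED, review or "no review required")


def run_incident_sample() -> dict:
    """Constructed scenario: a routine incident and a major security incident."""
    routine = Incident("INC-1", "low", "low")
    routine.prioritize()
    routine.resolve("restarted print spooler")
    routine.close()

    major = Incident("INC-2", "high", "high", users_affected=1200, security_incident=True)
    major.prioritize()
    try:
        major.resolve("rotated credentials")  # rejected: a major incident is not yet escalated
    except IncidentError:
        pass
    major.escalate("incident manager")
    major.resolve("rotated credentials, revoked sessions")
    major.close("PIR: enforce MFA on the admin portal")
    return {"routine": routine, "major": major}
```

The `actions` list is the audit trail the "records of incidents shall be updated with actions taken" clause asks for; an auditor can replay it to confirm that every major incident was escalated, owned and reviewed before closure, and a closed record rejects further transitions rather than silently reopening.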
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Communicate Preventive
    Investigate and take action regarding help desk queries. CC ID 06324
    [Service requests shall be: prioritized; § 8.6.2 ¶ 1(b)
    Service requests shall be: fulfilled; § 8.6.2 ¶ 1(c)]
    Behavior Corrective
    Log help desk queries. CC ID 00848
    [Service requests shall be: recorded and classified; § 8.6.2 ¶ 1(a)]
    Log Management Preventive
    Establish, implement, and maintain help desk query escalation procedures. CC ID 00849
    [Service requests shall be: closed. § 8.6.2 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Create an incident response report following an incident response. CC ID 12700 Establish/Maintain Documentation Preventive
    Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720
    [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708
    [Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include a root cause analysis of the incident in the incident response report. CC ID 12701
    [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Mitigate reported incidents. CC ID 12973
    [Problems shall be: resolved if possible; § 8.6.3 ¶ 2(d)]
    Actionable Reports or Measurements Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Establish/Maintain Documentation Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Establish Roles Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Establish Roles Preventive
    Open a priority incident request after a security breach is detected. CC ID 04838 Testing Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Testing Corrective
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Communicate Corrective
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Establish Roles Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Establish Roles Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Establish Roles Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Establish Roles Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Establish Roles Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Establish Roles Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Establish Roles Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Establish Roles Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Establish Roles Preventive
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Human Resources Management Preventive
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Investigate Detective
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Establish/Maintain Documentation Preventive
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Communicate Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Information security incidents shall be: resolved; § 8.7.3.3 ¶ 1(d)
    Incidents shall be: resolved; § 8.6.1 ¶ 1(d)
    The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Establish/Maintain Documentation Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Establish/Maintain Documentation Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Establish/Maintain Documentation Preventive
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Technical Security Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Technical Security Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Technical Security Corrective
    Establish, implement, and maintain a performance management standard. CC ID 01615
    [{planning requirement} establishing performance criteria for the processes based on requirements; § 8.1 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 Business Processes Preventive
    Use proactive performance management. CC ID 00937
    [At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3]
    Business Processes Detective
    Utilize resource availability management controls. CC ID 00940 Business Processes Detective
    Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 Establish/Maintain Documentation Preventive
    Follow the maintenance schedule. CC ID 11791 Maintenance Preventive
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Business Processes Preventive
    Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 Establish/Maintain Documentation Preventive
    Include exceptions in the Service Level Agreements, as necessary. CC ID 13912
    [For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845
    [{service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Establish/Maintain Documentation Detective
    Include capacity planning in Service Level Agreements. CC ID 13096
    [At planned intervals, the organization shall monitor, review and report on: actual and periodic changes in workload compared to workload limits in the SLA(s). § 8.3.3 ¶ 3(b)
    For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2
    {service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)]
    Establish/Maintain Documentation Preventive
    Include business requirements of delivered services in the Service Level Agreement. CC ID 00840
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: service level targets or other contractual obligations; § 8.3.4.1 ¶ 2(c)]
    Establish/Maintain Documentation Preventive
    Include performance requirements in the Service Level Agreement. CC ID 00841
    [For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a cost management program. CC ID 13638 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cost management procedures. CC ID 00873
    [Costs shall be budgeted to enable effective financial control and decision-making for services. § 8.4.1 ¶ 2
    At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3]
    Business Processes Detective
    Update the business cases for cost management procedures, as necessary. CC ID 13642 Business Processes Preventive
    Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 Investigate Detective
    Identify deviations in cost management procedures. CC ID 13640 Investigate Detective
    Identify and allocate departmental costs. CC ID 00871 Business Processes Detective
    Prepare an Information Technology budget, as necessary. CC ID 00872
    [The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1]
    Establish/Maintain Documentation Detective
    Review and approve the Information Technology budget. CC ID 13644 Business Processes Corrective
    Update the Information Technology budget, as necessary. CC ID 13643 Business Processes Corrective
    Compare actual Information Technology costs to forecasted Information Technology budgets. CC ID 11753
    [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3]
    Business Processes Detective
    Establish, implement, and maintain a change control program. CC ID 00886
    [{information security policy} Specific policies that would be required include, but not limited to, the following: Change management § 8.5.1
    A change management policy shall be established and documented to define: § 8.5.1.1 ¶ 1
    A change management policy shall be established and documented to define: service components and other items that are under the control of change management; § 8.5.1.1 ¶ 1(a)
    A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243
    [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include version control in the change control program. CC ID 13119
    [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3.2(c)]
    Establish/Maintain Documentation Preventive
    Include service design and transition in the change control program. CC ID 13920
    [The organization shall use service design and transition in 8.5.2 for: changes to services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(b)
    The organization shall use service design and transition in 8.5.2 for: new services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(a)]
    Establish/Maintain Documentation Preventive
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Maintenance Preventive
    Integrate configuration management procedures into the change control program. CC ID 13646 Technical Security Preventive
    Establish, implement, and maintain a back-out plan. CC ID 13623
    [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3
    The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4
    {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373
    [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Approve back-out plans, as necessary. CC ID 13627
    [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3]
    Establish/Maintain Documentation Corrective
    Manage change requests. CC ID 00887
    [{new service} The organization shall prioritize requests for change and proposals for new or changed services to align with business needs and service management objectives, taking into consideration available resources. § 8.2.2 ¶ 4
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2
    {new service} Assessing, approving, scheduling and reviewing of new or changed services in the scope of 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 3
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: changes to the SMS including new or changed policies, plans, processes, procedures, measures and knowledge; § 8.5.2.2 ¶ 1(e)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1
    Requests for change not being managed through 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 4]
    Business Processes Preventive
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942
    [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: impact on the SMS, other services, planned changes, customers, users and other interested parties. § 8.5.2.1 ¶ 1(h)
    A change management policy shall be established and documented to define: criteria to determine changes with the potential to have a major impact on customers or services. § 8.5.1.1 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a change request approver list. CC ID 06795 Establish/Maintain Documentation Preventive
    Document all change requests in change request forms. CC ID 06794
    [Requests for change, including proposals to add, remove or transfer services, shall be recorded and classified. § 8.5.1.2 ¶ 1
    {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5]
    Establish/Maintain Documentation Preventive
    Test proposed changes prior to their approval. CC ID 00548
    [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2]
    Testing Detective
    Examine all changes to ensure they correspond with the change request. CC ID 12345
    [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2
    The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4
    {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3
    {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5]
    Business Processes Detective
    Approve tested change requests. CC ID 11783
    [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3]
    Data and Information Management Preventive
    Validate the system before implementing approved changes. CC ID 01510 Systems Design, Build, and Implementation Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807
    [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2
    Following the completion of the transition activities, the organization shall report to interested parties on the achievements against the intended outcomes. § 8.5.2.3 ¶ 3]
    Behavior Preventive
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Establish/Maintain Documentation Preventive
    Perform emergency changes, as necessary. CC ID 12707 Process or Activity Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Process or Activity Preventive
    Log emergency changes after they have been performed. CC ID 12733 Establish/Maintain Documentation Preventive
    Perform risk assessments prior to approving change requests. CC ID 00888
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: capacity, service availability, service continuity and information security; § 8.5.1.3 ¶ 1(d)
    At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: existing services; § 8.5.1.3 ¶ 1(a)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: other requests for change, releases and plans for deployment. § 8.5.1.3 ¶ 1(e)]
    Testing Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Process or Activity Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Investigate Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Investigate Detective
    Implement changes according to the change control program. CC ID 11776
    [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2
    Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3
    A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b)
    The organization shall use service design and transition in 8.5.2 for: categories of change that are to be managed by service design and transition according to the change management policy; § 8.5.1.2 ¶ 2(c)]
    Business Processes Preventive
    Provide audit trails for all approved changes. CC ID 13120 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a patch management program. CC ID 00896 Process or Activity Preventive
    Document the sources of all software updates. CC ID 13316 Establish/Maintain Documentation Preventive
    Implement patch management software, as necessary. CC ID 12094 Technical Security Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Technical Security Preventive
    Establish, implement, and maintain a patch management policy. CC ID 16432 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain patch management procedures. CC ID 15224 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a patch log. CC ID 01642 Establish/Maintain Documentation Preventive
    Review the patch log for missing patches. CC ID 13186 Technical Security Detective
    Perform a patch test prior to deploying a patch. CC ID 00898 Testing Detective
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Business Processes Preventive
    Deploy software patches in accordance with organizational standards. CC ID 07032 Configuration Corrective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Testing Detective
    Patch software. CC ID 11825 Technical Security Corrective
    Patch the operating system, as necessary. CC ID 11824 Technical Security Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Configuration Corrective
    Remove outdated software after software has been updated. CC ID 11792 Configuration Corrective
    Update computer firmware, as necessary. CC ID 11755 Configuration Corrective
    Review changes to computer firmware. CC ID 12226 Testing Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Testing Detective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Configuration Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Technical Security Detective
    Establish, implement, and maintain a software release policy. CC ID 00893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain traceability documentation. CC ID 16388 Systems Design, Build, and Implementation Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Behavior Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Data and Information Management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244
    [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2]
    Business Processes Corrective
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Establish/Maintain Documentation Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Testing Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541
    [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3]
    Testing Detective
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Establish/Maintain Documentation Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a configuration change log. CC ID 08710 Configuration Detective
    Document approved configuration deviations. CC ID 08711 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain production process control procedures. CC ID 06209 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a service delivery and production process Quality Management program. CC ID 07194
    [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f)
    The management review shall include consideration of: performance of the services; § 9.3 ¶ 2(h)
    The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1 ¶ 1(b)
    The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1 ¶ 1(d)
    The organization shall evaluate the SMS performance against the service management objectives and evaluate the effectiveness of the SMS. The organization shall evaluate the effectiveness of the services against the service requirements. § 9.1 ¶ 3
    Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4
    The release shall be deployed into the live environment so that the integrity of the services and service components is maintained. § 8.5.3 ¶ 5
    {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1
    The service management plan shall include or contain a reference to: how the effectiveness of the SMS and the services will be measured, audited, reported and improved. § 6.3 ¶ 2(h)]
    Business Processes Detective
    Include consumer safety quality improvement projects in the service delivery and production process Quality Management program. CC ID 07195 Establish/Maintain Documentation Detective
    Assign interested personnel and affected parties to service delivery and production process quality improvement projects, as necessary. CC ID 07197 Establish Roles Preventive
    Manage the creation of products and services, as necessary. CC ID 13497
    [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: § 8.5.2.2 ¶ 1
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2]
    Business Processes Preventive
    Define the processing specifications for products and services creation requirements. CC ID 13523 Establish/Maintain Documentation Preventive
    Define the processing activities to meet products and services creation requirements. CC ID 13499
    [{new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2]
    Business Processes Preventive
    Delete age-restricted content, as necessary. CC ID 15450 Process or Activity Preventive
    Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 Establish/Maintain Documentation Preventive
    Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 Process or Activity Preventive
    Establish and maintain a service catalog. CC ID 13634
    [The service management plan shall include or contain a reference to: list of services; § 6.3 ¶ 2(a)
    The documented information for the SMS shall include: service catalogue(s); § 7.5.4 ¶ 1(g)
    The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: updates to the service catalogue(s). § 8.5.2.2 ¶ 1(g)]
    Establish/Maintain Documentation Preventive
    Include a service description in the service catalog. CC ID 13917
    [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Assign unique reference numbers to all services in the service catalog. CC ID 14424 Establish/Maintain Documentation Preventive
    Include service deliverables for each service description in the service catalog. CC ID 13918
    [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914
    [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include Service Level Agreements in the service catalog, as necessary. CC ID 13636
    [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Include Information Technology services in the service catalog, as necessary. CC ID 13635 Establish/Maintain Documentation Preventive
    Base definitions of Information Technology services on their service characteristics. CC ID 13655 Establish/Maintain Documentation Preventive
    Categorize services in the service catalog. CC ID 14419 Establish/Maintain Documentation Preventive
    Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 Establish/Maintain Documentation Preventive
    Communicate the service catalog to interested personnel and affected parties. CC ID 13910
    [The organization shall provide access to appropriate parts of the service catalogue(s) to its customers, users and other interested parties. § 8.2.4 ¶ 2]
    Communicate Preventive
  • Privacy protection for information and data
    47
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756
    [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Establish/Maintain Documentation Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Data and Information Management Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Data and Information Management Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Data and Information Management Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Data and Information Management Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Data and Information Management Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Data and Information Management Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Data and Information Management Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Data and Information Management Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Data and Information Management Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Data and Information Management Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Data and Information Management Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Data and Information Management Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Data and Information Management Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Data and Information Management Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Data and Information Management Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Data and Information Management Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Data and Information Management Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Data and Information Management Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Data and Information Management Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Data and Information Management Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Data and Information Management Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Data and Information Management Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Data and Information Management Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Data and Information Management Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Data and Information Management Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Data and Information Management Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Data and Information Management Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Data and Information Management Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Data and Information Management Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Data and Information Management Preventive
    Define an out of scope privacy breach. CC ID 04677 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Business Processes Preventive
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Monitor and Evaluate Occurrences Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Monitor and Evaluate Occurrences Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Monitor and Evaluate Occurrences Preventive
    Conduct internal data processing audits. CC ID 00374 Testing Detective
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Communicate Preventive
  • Records management
    220
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903
    [Documented information required by the SMS and by this document shall be controlled to ensure: § 7.5.3.1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 Establish/Maintain Documentation Detective
    Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain form disposition procedures. CC ID 06394 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a record classification scheme. CC ID 00914 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a business activity classification standard. CC ID 00915 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain records registration procedures. CC ID 00913 Establish/Maintain Documentation Detective
    Define the terms used in the record classification scheme. CC ID 00916 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a records authentication system. CC ID 11648 Establish/Maintain Documentation Preventive
    Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662
    [When creating and updating documented information, the organization shall ensure appropriate: identification and description (e.g. a title, date, author or reference number); § 7.5.2 ¶ 1(a)]
    Records Management Preventive
    Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 Records Management Detective
    Establish and maintain an index of all official records. CC ID 00918 Establish/Maintain Documentation Preventive
    Associate records with their security attributes. CC ID 06764 Records Management Preventive
    Reconfigure the security attributes of records as the information changes. CC ID 06765 Configuration Preventive
    Establish, implement, and maintain electronic signature requirements. CC ID 06219 Establish/Maintain Documentation Preventive
    Implement a signature revocation service. CC ID 14417 Business Processes Preventive
    Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 Records Management Preventive
    Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 Technical Security Preventive
    Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 Technical Security Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a data retention program. CC ID 00906 Establish/Maintain Documentation Detective
    Store records and data in accordance with organizational standards. CC ID 16439 Data and Information Management Preventive
    Remove dormant data from systems, as necessary. CC ID 13726 Process or Activity Preventive
    Select the appropriate format for archived data and records. CC ID 06320
    [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)]
    Data and Information Management Preventive
    Archive appropriate records, logs, and database tables. CC ID 06321 Records Management Preventive
    Maintain continued integrity for all stored data and stored records. CC ID 00969 Testing Detective
    Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 Data and Information Management Preventive
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 Data and Information Management Preventive
    Establish, implement, and maintain storage media retention procedures. CC ID 16277 Establish/Maintain Documentation Preventive
    Determine how long to keep records and logs before disposing of them. CC ID 11661 Process or Activity Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4
    The organization shall retain documented information on the service management objectives. § 6.2.1 ¶ 2
    The organization shall retain documented information as evidence of: the results of any corrective action. § 10.1.2 ¶ 1(b)
    The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a)
    {monitoring and measurement evaluation result} The organization shall retain appropriate documented information as evidence of the results. § 9.1 ¶ 2]
    Records Management Preventive
    Define which documents and records the organization may capture. CC ID 00905
    [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)]
    Establish/Maintain Documentation Detective
    Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 Records Management Preventive
    Retain all evidence of indebtedness. CC ID 11713 Records Management Preventive
    Capture and maintain distribution records. CC ID 06205 Records Management Preventive
    Capture and maintain Device Master Records. CC ID 06206 Records Management Preventive
    Capture and maintain Device History Records. CC ID 06207 Records Management Preventive
    Capture and maintain Quality System Records. CC ID 06208 Records Management Preventive
    Capture and maintain logs as official records. CC ID 06319 Log Management Preventive
    Capture and maintain all business records, including supporting temporary files. CC ID 06622 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 Establish/Maintain Documentation Preventive
    Supervise media destruction in accordance with organizational standards. CC ID 16456 Business Processes Preventive
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 Data and Information Management Preventive
    Sanitize all electronic storage media before disposing of a system or redeploying a system. CC ID 01643 Data and Information Management Preventive
    Degauss as a method of sanitizing electronic storage media. CC ID 00973 Records Management Preventive
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 Testing Detective
    Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 Process or Activity Preventive
    Maintain media sanitization equipment in operational condition. CC ID 00721 Testing Detective
    Use approved media sanitization equipment for destruction. CC ID 16459 Business Processes Preventive
    Define each system's disposition requirements for records and logs. CC ID 11651 Process or Activity Preventive
    Establish, implement, and maintain records disposition procedures. CC ID 00971
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d)]
    Establish/Maintain Documentation Preventive
    Manage the disposition status for all records. CC ID 00972 Records Management Preventive
    Use a second person to confirm and sign off that manually deleted data was deleted. CC ID 12313 Data and Information Management Preventive
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 Records Management Preventive
    Place printed records awaiting destruction into secure containers. CC ID 12464 Physical and Environmental Protection Preventive
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Physical and Environmental Protection Preventive
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Data and Information Management Preventive
    Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 Establish/Maintain Documentation Preventive
    Maintain disposal records or redeployment records. CC ID 01644
    [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include the name of the signing officer in the disposal record. CC ID 15710 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 Establish/Maintain Documentation Preventive
    Include transfer agreements in the secure record transaction standards. CC ID 14821 Establish/Maintain Documentation Preventive
    Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 Establish/Maintain Documentation Preventive
    Include receipt of electronic records in the transfer agreement. CC ID 14822 Establish/Maintain Documentation Preventive
    Include standards for each data element in the secure record transaction standard. CC ID 06094 Establish/Maintain Documentation Preventive
    Notify the supervisory authority of any changes to the required data elements. CC ID 14366 Communicate Corrective
    Establish, implement, and maintain records management procedures. CC ID 11619
    [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2
    For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 Business Processes Detective
    Establish, implement, and maintain source document authorization tracking. CC ID 01262 Records Management Detective
    Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 Process or Activity Detective
    Review the electronic storage media for the information the organization collects and processes. CC ID 13009 Process or Activity Detective
    Remove non-public information from publicly accessible systems. CC ID 14246 Data and Information Management Corrective
    Establish, implement, and maintain source document error handling tracking. CC ID 01263 Records Management Detective
    Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 Records Management Preventive
    Process restricted information in a secure environment. CC ID 13058 Process or Activity Preventive
    Refrain from creating printed records as copies of electronic records. CC ID 11808 Records Management Preventive
    Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 Monitor and Evaluate Occurrences Detective
    Assign ownership for all electronic records. CC ID 14814 Establish/Maintain Documentation Preventive
    Attribute electronic records, as necessary. CC ID 14820 Establish/Maintain Documentation Preventive
    Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 Records Management Detective
    Validate transactions using identifiers and credentials. CC ID 13203 Technical Security Preventive
    Establish, implement, and maintain a system storage log. CC ID 13532 Records Management Preventive
    Establish, implement, and maintain a system input log. CC ID 13531 Establish/Maintain Documentation Preventive
    Protect records from loss in accordance with applicable requirements. CC ID 12007
    [Documented information required by the SMS and by this document shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity). § 7.5.3.1(b)]
    Records Management Preventive
    Establish, implement, and maintain data accuracy controls. CC ID 00921 Monitor and Evaluate Occurrences Detective
    Capture the records required by organizational compliance requirements. CC ID 00912
    [The documented information for the SMS shall include: records required to demonstrate evidence of conformity to the requirements of this document and the organization's SMS. § 7.5.4 ¶ 1(l)
    keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 1(c)]
    Records Management Detective
    Establish, implement, and maintain data completeness controls. CC ID 11649 Process or Activity Preventive
    Establish, implement, and maintain authorization records. CC ID 14367 Establish/Maintain Documentation Preventive
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Establish/Maintain Documentation Preventive
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Establish/Maintain Documentation Preventive
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Establish/Maintain Documentation Preventive
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Data and Information Management Detective
    Establish, implement, and maintain electronic health records. CC ID 14436 Data and Information Management Preventive
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Data and Information Management Preventive
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records Management Preventive
    Display required information automatically in electronic health records. CC ID 14442 Process or Activity Preventive
    Create summary of care records in accordance with applicable standards. CC ID 14440 Establish/Maintain Documentation Preventive
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Actionable Reports or Measurements Preventive
    Create export summaries, as necessary. CC ID 14446 Process or Activity Preventive
    Import data files into a patient's electronic health record. CC ID 14448 Data and Information Management Preventive
    Export requested sections of the electronic health record. CC ID 14447 Data and Information Management Preventive
    Identify patient-specific education resources. CC ID 14439 Process or Activity Detective
    Establish and maintain an implantable device list. CC ID 14444 Records Management Preventive
    Display the implantable device list to authorized users. CC ID 14445 Data and Information Management Preventive
    Establish, implement, and maintain decision support interventions. CC ID 14443 Business Processes Preventive
    Include attributes in the decision support intervention. CC ID 16766 Data and Information Management Preventive
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records Management Preventive
    Log the termination date in the recordkeeping system. CC ID 16181 Records Management Preventive
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records Management Preventive
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records Management Preventive
    Log records as being received into the recordkeeping system. CC ID 11696 Records Management Preventive
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Log Management Preventive
    Log the date and time each item is made available into the recordkeeping system. CC ID 11710 Log Management Preventive
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Establish/Maintain Documentation Preventive
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Log Management Preventive
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Log Management Preventive
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Log Management Preventive
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Log Management Preventive
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Log Management Preventive
    Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 Log Management Preventive
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Log Management Preventive
    Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 Log Management Preventive
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Log Management Preventive
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Log Management Preventive
    Log performance monitoring into the recordkeeping system. CC ID 11724 Log Management Preventive
    Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 Log Management Preventive
    Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 Log Management Preventive
    Establish, implement, and maintain a transfer journal. CC ID 11729 Records Management Preventive
    Log any notices filed by the organization into the recordkeeping system. CC ID 11725 Log Management Preventive
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Log Management Preventive
    Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 Log Management Preventive
    Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 Log Management Preventive
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records Management Preventive
    Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 Log Management Preventive
    Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 Log Management Preventive
    Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 Log Management Preventive
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Data and Information Management Detective
    Establish, implement, and maintain data availability controls. CC ID 15301 Data and Information Management Preventive
    Include record integrity techniques in the records management procedures. CC ID 06418 Establish/Maintain Documentation Preventive
    Note, in electronic records converted from printed records, the location of the original. CC ID 11809 Records Management Preventive
    Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 Establish/Maintain Documentation Preventive
    Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 Business Processes Preventive
    Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 Business Processes Preventive
    Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 Business Processes Preventive
    Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 Business Processes Preventive
    Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 Records Management Preventive
    Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 Business Processes Preventive
    Control error handling during data input. CC ID 00922 Data and Information Management Detective
    Establish, implement, and maintain electronic storage media security controls. CC ID 13204 Technical Security Preventive
    Use automated entry devices to reduce errors during data input. CC ID 06626 Data and Information Management Preventive
    Establish, implement, and maintain data processing integrity controls. CC ID 00923 Establish Roles Preventive
    Compare each record's data input to its final form. CC ID 11813 Records Management Detective
    Sanitize user input in accordance with organizational standards. CC ID 16856 Process or Activity Preventive
    Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Data and Information Management Preventive
    Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security label procedures. CC ID 06747 Establish/Maintain Documentation Preventive
    Label restricted storage media appropriately. CC ID 00966 Data and Information Management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records Management Detective
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Establish/Maintain Documentation Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Establish/Maintain Documentation Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Establish/Maintain Documentation Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Establish/Maintain Documentation Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Establish/Maintain Documentation Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Establish/Maintain Documentation Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Data and Information Management Preventive
    Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Technical Security Preventive
    Establish the minimum originator requirements for security labels. CC ID 06579 Establish/Maintain Documentation Preventive
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Establish/Maintain Documentation Preventive
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Establish/Maintain Documentation Preventive
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Establish/Maintain Documentation Preventive
    Establish and maintain access controls for all records. CC ID 00371
    [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2
    For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)]
    Records Management Preventive
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Data and Information Management Preventive
    Establish, implement, and maintain a records lifecycle management program. CC ID 00951 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information preservation policy. CC ID 16483 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information preservation procedures. CC ID 06277
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)]
    Establish/Maintain Documentation Preventive
    Implement and maintain high availability storage, as necessary. CC ID 00952 Technical Security Preventive
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records Management Preventive
    Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 Records Management Preventive
    Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 Records Management Preventive
    Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain online storage controls. CC ID 00942 Technical Security Preventive
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)]
    Records Management Preventive
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Testing Detective
    Provide encryption for different types of electronic storage media. CC ID 00945 Technical Security Preventive
    Implement electronic storage media integrity controls. CC ID 00946 Configuration Preventive
    Automate electronic storage media integrity check controls. CC ID 00948 Configuration Preventive
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Configuration Preventive
    Provide audit trails for all pertinent records. CC ID 00372 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a removable storage media log. CC ID 12317 Log Management Preventive
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Establish/Maintain Documentation Preventive
    Include the date and time in the removable storage media log. CC ID 12318 Establish/Maintain Documentation Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Establish/Maintain Documentation Preventive
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Establish/Maintain Documentation Preventive
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Establish/Maintain Documentation Preventive
    Include the sender's name in the removable storage media log. CC ID 12752 Establish/Maintain Documentation Preventive
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Establish/Maintain Documentation Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 Process or Activity Preventive
    Identify electronic storage media that require downgrading. CC ID 10620 Process or Activity Detective
    Downgrade electronic storage media, as necessary. CC ID 10621 Process or Activity Corrective
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Establish/Maintain Documentation Preventive
    Test the storage media downgrade for correct performance. CC ID 10623 Testing Detective
    Establish, implement, and maintain output distribution procedures. CC ID 00927
    [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)]
    Establish/Maintain Documentation Preventive
    Include printed output in output distribution procedures. CC ID 13477 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain document retention procedures. CC ID 11660
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d)
    The organization shall retain documented information as evidence of: § 10.1.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain output balancing audit trails. CC ID 00928 Establish/Maintain Documentation Detective
    Establish and maintain an error suspense file for rejected transactions. CC ID 06623 Records Management Preventive
    Establish and maintain reconciliation audit trails. CC ID 11647 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data processing output log. CC ID 06624 Log Management Preventive
    Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 Establish/Maintain Documentation Detective
    Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 Establish/Maintain Documentation Preventive
    Review and approve output exceptions. CC ID 06625 Records Management Preventive
    Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 Testing Detective
  • System hardening through configuration management
    62
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Configuration Management program. CC ID 00867
    [{new service} The CIs affected by new or changed services shall be managed through configuration management. § 8.5.2.1 ¶ 4
    {be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863
    [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4]
    Business Processes Preventive
    Establish, implement, and maintain appropriate system labeling. CC ID 01900 Establish/Maintain Documentation Preventive
    Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 Establish/Maintain Documentation Preventive
    Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 Establish/Maintain Documentation Preventive
    Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 Configuration Preventive
    Establish, implement, and maintain a configuration management policy. CC ID 14023 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain configuration management procedures. CC ID 14074 Establish/Maintain Documentation Preventive
    Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 Communicate Preventive
    Include compliance requirements in the configuration management policy. CC ID 14072 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the configuration management policy. CC ID 14071 Establish/Maintain Documentation Preventive
    Include management commitment in the configuration management policy. CC ID 14070 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the configuration management policy. CC ID 14069 Establish/Maintain Documentation Preventive
    Include the scope in the configuration management policy. CC ID 14068 Establish/Maintain Documentation Preventive
    Include the purpose in the configuration management policy. CC ID 14067 Establish/Maintain Documentation Preventive
    Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 Communicate Preventive
    Establish, implement, and maintain a configuration management plan. CC ID 01901 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the configuration management plan. CC ID 14248 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the configuration management plan. CC ID 14247 Establish/Maintain Documentation Preventive
    Approve the configuration management plan. CC ID 14717 Business Processes Preventive
    Establish, implement, and maintain system tracking documentation. CC ID 15266 Establish/Maintain Documentation Preventive
    Include prioritization codes in the system tracking documentation. CC ID 15283 Establish/Maintain Documentation Preventive
    Include the type and category of the request in the system tracking documentation. CC ID 15281 Establish/Maintain Documentation Preventive
    Include contact information in the system tracking documentation. CC ID 15280 Establish/Maintain Documentation Preventive
    Include the username in the system tracking documentation. CC ID 15278 Establish/Maintain Documentation Preventive
    Include a problem description in the system tracking documentation. CC ID 15276 Establish/Maintain Documentation Preventive
    Include affected systems in the system tracking documentation. CC ID 15275 Establish/Maintain Documentation Preventive
    Include root causes in the system tracking documentation. CC ID 15274 Establish/Maintain Documentation Preventive
    Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 Establish/Maintain Documentation Preventive
    Include current status in the system tracking documentation. CC ID 15272 Establish/Maintain Documentation Preventive
    Employ the Configuration Management program. CC ID 11904 Configuration Preventive
    Record Configuration Management items in the Configuration Management database. CC ID 00861 Establish/Maintain Documentation Preventive
    Test network access controls for proper Configuration Management settings. CC ID 01281 Testing Detective
    Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946
    [Configuration information shall be made available for other service management activities as appropriate. § 8.2.6 ¶ 5]
    Communicate Preventive
    Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 Establish/Maintain Documentation Preventive
    Document external connections for all systems. CC ID 06415 Configuration Preventive
    Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862
    [Before deployment of a release into the live environment, a baseline of the affected CIs shall be taken. § 8.5.3 ¶ 4]
    Establish/Maintain Documentation Preventive
    Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 Establish/Maintain Documentation Preventive
    Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 Establish/Maintain Documentation Preventive
    Include the applied security patches in the baseline configuration. CC ID 13271 Establish/Maintain Documentation Preventive
    Include the installed application software and version numbers in the baseline configuration. CC ID 13270 Establish/Maintain Documentation Preventive
    Include installed custom software in the baseline configuration. CC ID 13274 Establish/Maintain Documentation Preventive
    Include network ports in the baseline configuration. CC ID 13273 Establish/Maintain Documentation Preventive
    Include the operating systems and version numbers in the baseline configuration. CC ID 13269 Establish/Maintain Documentation Preventive
    Include backup procedures in the Configuration Management policy. CC ID 01314 Establish/Maintain Documentation Preventive
    Identify and document the system's Configurable Items. CC ID 02133
[Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2
The types of CI shall be defined. Services shall be classified as CIs. § 8.2.6 ¶ 1
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: type of CI; § 8.2.6 ¶ 2(b)
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: description of the CI; § 8.2.6 ¶ 2(c)
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: status. § 8.2.6 ¶ 2(e)]
    Establish/Maintain Documentation Preventive
    Define the relationships and dependencies between Configurable Items. CC ID 02134
    [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: relationship with other CIs; § 8.2.6 ¶ 2(d)]
    Establish/Maintain Documentation Preventive
    Trace each Configurable Item throughout the systems' life cycle. CC ID 02135
    [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: unique identification; § 8.2.6 ¶ 2(a)]
    Establish/Maintain Documentation Preventive
    Approve each system's Configurable Items (and changes to those Configurable Items). CC ID 04887 Technical Security Preventive
    Request an acknowledgment from the system owner of the system's configuration. CC ID 10602 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Configure Logging settings in accordance with organizational standards. CC ID 07611 Configuration Preventive
    Configure all logs to capture auditable events or actionable events. CC ID 06332 Configuration Preventive
    Configure the log to capture configuration changes. CC ID 06881
    [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3]
    Configuration Preventive
    Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 Configuration Preventive
    Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 Log Management Detective
    Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 Log Management Preventive
    Configure the log to capture all changes to certificates. CC ID 05595 Configuration Preventive
    Configure the log to capture user authenticator changes. CC ID 01917 Log Management Detective
    Audit the configuration of organizational assets, as necessary. CC ID 13653
    [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3]
    Audits and Risk Management Detective
    Audit assets after maintenance was performed. CC ID 13657 Audits and Risk Management Detective
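The configuration-management items above (unique identification, type, description, relationships and status per CI; a baseline of affected CIs before release; traceable, auditable changes; accuracy verified at planned intervals) can be exercised end to end in a few dozen lines. The following is an added illustration written for this page, not code from the standard or from any CMDB product; the CI names, attribute fields, change references and the scanner output it compares against are all constructed.

```python
"""Minimal configuration-management store: CI records with the attributes
ISO/IEC 20000-1 8.2.6 requires, a pre-release baseline (8.5.3), a traceable
change log (8.2.6 paragraph 3) and a periodic accuracy check (8.2.6 paragraph 4).
Added illustration; CI names, attributes and change references are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class CI:
    ci_id: str                                         # (a) unique identification
    ci_type: str                                       # (b) type of CI, e.g. "server", "service"
    description: str                                   # (c) description
    relations: set[str] = field(default_factory=set)   # (d) relationships with other CIs
    status: str = "planned"                            # (e) status
    # Baseline attributes: OS/version, installed software, patches, open ports
    attributes: dict[str, object] = field(default_factory=dict)


def fingerprint(attrs: dict[str, object]) -> str:
    """Stable digest of a CI's configuration; sets are serialised sorted so that
    ordering differences are not reported as drift."""
    canon = json.dumps(attrs, sort_keys=True, default=sorted)
    return hashlib.sha256(canon.encode()).hexdigest()


class CMDB:
    def __init__(self) -> None:
        self.items: dict[str, CI] = {}
        self.baselines: dict[str, str] = {}            # ci_id -> fingerprint at last release
        self.audit_log: list[dict[str, object]] = []

    def register(self, ci: CI, actor: str = "cmdb-import") -> None:
        if ci.ci_id in self.items:
            raise ValueError(f"duplicate CI id {ci.ci_id!r}")
        unknown = ci.relations - set(self.items)        # relations must resolve to known CIs
        if unknown:
            raise ValueError(f"{ci.ci_id} relates to unknown CIs {sorted(unknown)}")
        self.items[ci.ci_id] = ci
        self.audit_log.append({"op": "register", "ci": ci.ci_id, "by": actor})

    def take_baseline(self, ci_ids: list[str], release: str) -> dict[str, str]:
        """Snapshot the affected CIs before a release goes live."""
        snap = {cid: fingerprint(self.items[cid].attributes) for cid in ci_ids}
        self.baselines.update(snap)
        self.audit_log.append({"op": "baseline", "release": release, "cis": list(snap)})
        return snap

    def apply_change(self, ci_id: str, change_ref: str, actor: str, **updates: object) -> None:
        """Record a deployed change against its change reference so every
        modification to a CI is traceable to who made it and why."""
        ci = self.items[ci_id]
        before = fingerprint(ci.attributes)
        ci.attributes.update(updates)
        after = fingerprint(ci.attributes)
        self.audit_log.append({"op": "change", "ci": ci_id, "ref": change_ref,
                               "by": actor, "before": before, "after": after})

    def verify(self, observed: dict[str, dict[str, object]], ci_type: str) -> dict[str, str]:
        """Accuracy check at a planned interval: compare recorded configuration with
        what an inventory scan actually observed. Result per CI: 'ok', 'drift'
        (changed outside the change process), 'unrecorded' (asset with no CI record)
        or 'missing' (recorded CI of this type no longer observed)."""
        result: dict[str, str] = {}
        for cid, attrs in observed.items():
            if cid not in self.items:
                result[cid] = "unrecorded"
            elif fingerprint(attrs) != fingerprint(self.items[cid].attributes):
                result[cid] = "drift"
            else:
                result[cid] = "ok"
        for cid, ci in self.items.items():
            if ci.ci_type == ci_type and cid not in observed:
                result[cid] = "missing"
        return result


def demo() -> dict[str, str]:
    """Constructed walk-through: baseline, approved change, then a check that
    finds an unapproved open port, an unrecorded host and a vanished host."""
    db = CMDB()
    db.register(CI("web01", "server", "public web front end", status="live", attributes={
        "os": "Ubuntu 22.04", "packages": {"nginx 1.24"}, "patches": {"USN-1"}, "ports": {22, 443}}))
    db.register(CI("bastion", "server", "admin jump host", status="live", attributes={
        "os": "Ubuntu 22.04", "packages": set(), "patches": {"USN-1"}, "ports": {22}}))
    db.register(CI("svc-shop", "service", "customer web shop", relations={"web01"}, status="live"))
    db.take_baseline(["web01"], release="R-2024.1")
    db.apply_change("web01", change_ref="CHG-42", actor="ops", patches={"USN-1", "USN-2"})
    observed = {   # what an inventory scan reported (constructed)
        "web01": {"os": "Ubuntu 22.04", "packages": {"nginx 1.24"},
                  "patches": {"USN-1", "USN-2"}, "ports": {22, 443, 8080}},
        "db01": {"os": "Debian 12", "packages": {"postgresql 15"}, "patches": set(), "ports": {5432}},
    }
    return db.verify(observed, ci_type="server")


if __name__ == "__main__":
    print(demo())
```

The point of the verification step is that the approved patch (recorded through `apply_change` with its change reference) does not register as drift, while the extra port on web01 does, because nothing in the change log accounts for it; the unrecorded database host and the bastion that no longer answers are the other two deficiencies § 8.2.6 ¶ 4 expects the organization to act on.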
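CC ID 06555 above asks for a check that configuration files needed by automated installation no longer hold their passwords once installation is finished. One way to implement that check, added here as an illustration and not taken from the standard or any product, is a scanner that flags credential-like keys whose value is a literal rather than a runtime reference or placeholder. The key patterns, the accepted placeholder forms and the sample files are constructed and should be tuned to the products actually deployed.

```python
"""Post-install check: flag configuration files that still carry a literal
credential after automated installation. Added illustration; the key patterns,
placeholder forms and sample files are constructed."""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable

# Keys that typically carry a credential in INI, YAML, .env or properties files.
SECRET_KEY = re.compile(
    r"^\s*(?P<key>[\w.\-]*(?:pass(?:word|wd)?|secret|token|api[_\-]?key)[\w.\-]*)"
    r"\s*[:=]\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)
# Values that are acceptable to ship: empty, a reference resolved at runtime
# (env var, templating, vault lookup) or an obvious placeholder.
PLACEHOLDER = re.compile(
    r"^(?:\$\{?\w+\}?|%\w+%|\{\{.*\}\}|<[^>]+>|\*{3,}|x{4,}|change_?me|todo)?$",
    re.IGNORECASE,
)


def residual_secrets(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Return (path, line number, key) for every key=value line whose key looks
    like a credential and whose value is a literal rather than a placeholder."""
    findings: list[tuple[str, int, str]] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            stripped = line.strip()
            if not stripped or stripped[0] in "#;":
                continue                          # comments carry no live credential
            m = SECRET_KEY.match(line)
            if m is None:
                continue
            value = m.group("val").strip().strip("'\"")
            if PLACEHOLDER.match(value):
                continue
            findings.append((path, lineno, m.group("key")))
    return findings


def scan_paths(paths: Iterable[str]) -> list[tuple[str, int, str]]:
    """Read the given files from disk (unreadable or binary files are skipped)."""
    files: dict[str, str] = {}
    for p in paths:
        try:
            files[p] = Path(p).read_text(encoding="utf-8")
        except (OSError, UnicodeDecodeError):
            continue
    return residual_secrets(files)


# Constructed sample files as an installer might leave them behind.
SAMPLE_FILES = {
    "/etc/app/app.ini": "[database]\nhost = db01\nuser = app\npassword = Inst4ll-Only!\n",
    "/etc/app/env": "# runtime secrets are injected\nAPI_TOKEN=${APP_API_TOKEN}\nDB_PASSWORD=\n",
    "/opt/agent/agent.yaml": "token: \"s3cr3t-bootstrap\"\nrotation_days: 30\n",
    "/etc/app/defaults.conf": "; password = CHANGEME\nsecret_key: <set-by-vault>\n",
}

if __name__ == "__main__":
    for path, lineno, key in residual_secrets(SAMPLE_FILES):
        print(f"{path}:{lineno}: literal value for {key!r}")
```

Run `scan_paths` over the installer's output directory as the last step of the deployment job and fail the job on any finding; the two hits in the sample set (the INI `password` and the agent bootstrap `token`) are exactly the cases the control targets, while the env-substituted token, the empty value and the vault reference are left alone.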
  • Systems design, build, and implementation
    10
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Establish/Maintain Documentation Preventive
    Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 Testing Detective
    Assess the continuity requirements during the planning and development stage for new products and services. CC ID 12779
[At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1]
    Process or Activity Preventive
    Initiate the System Development Life Cycle implementation phase. CC ID 06268 Systems Design, Build, and Implementation Preventive
    Manage the system implementation process. CC ID 01115 Behavior Preventive
    Determine if the project is complete after all implementation tasks are finished. CC ID 06912
    [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: service acceptance criteria; § 8.5.2.1 ¶ 1(f)]
    Testing Detective
    Establish, implement, and maintain a product and service release log. CC ID 13705
[The organization shall define the types of release, including emergency release, their frequency and how they are to be managed. § 8.5.3 ¶ 1
    Records of service requests shall be updated with actions taken. § 8.6.2 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include the name of the person authorizing the release of products and services in the product and service release log. CC ID 13707 Establish/Maintain Documentation Preventive
  • Technical security
    46
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Control access rights to organizational assets. CC ID 00004
    [The organization shall define and manage the interfaces with the external supplier. § 8.3.4.1 ¶ 4]
    Technical Security Preventive
    Configure access control lists in accordance with organizational standards. CC ID 16465 Configuration Preventive
    Add all devices requiring access control to the Access Control List. CC ID 06264 Establish/Maintain Documentation Preventive
    Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical Security Preventive
    Disallow application IDs from running as privileged users. CC ID 10050 Configuration Detective
    Define roles for information systems. CC ID 12454 Human Resources Management Preventive
    Define access needs for each role assigned to an information system. CC ID 12455 Human Resources Management Preventive
    Define access needs for each system component of an information system. CC ID 12456 Technical Security Preventive
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical Security Preventive
    Establish access rights based on least privilege. CC ID 01411 Technical Security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical Security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical Security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Configuration Preventive
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical Security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Configuration Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Communicate Corrective
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical Security Preventive
    Establish, implement, and maintain session lock capabilities. CC ID 01417 Configuration Preventive
    Limit concurrent sessions according to account type. CC ID 01416 Configuration Preventive
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical Security Preventive
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Configuration Preventive
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Configuration Preventive
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Configuration Preventive
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Configuration Preventive
    Enable access control for objects and users on each system. CC ID 04553 Configuration Preventive
    Include all system components in the access control system. CC ID 11939 Technical Security Preventive
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Process or Activity Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical Security Preventive
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical Security Preventive
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical Security Preventive
    Include the objects and users subject to access control in the security policy. CC ID 11836 Establish/Maintain Documentation Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Establish Roles Preventive
    Enforce access restrictions for change control. CC ID 01428 Technical Security Preventive
    Enforce access restrictions for restricted data. CC ID 01921 Data and Information Management Preventive
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical Security Preventive
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Testing Detective
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical Security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Establish/Maintain Documentation Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Establish/Maintain Documentation Preventive
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical Security Preventive
    Display previous logon information in the logon banner. CC ID 01415 Configuration Preventive
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Establish/Maintain Documentation Preventive
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical Security Preventive
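The lockout items above (lock after a predetermined number of consecutive failed logons, disregard earlier failures once the user authenticates, tell the user when an expired authenticator is used, no unlock without an administrator) and the access-control items (deny all unless explicitly authorized, role-based access) are enforced at the same point in most systems. The following is an added illustration of both, written for this page and not code from the standard; the failure threshold, the password-hashing parameters, the accounts, roles and object names are assumed values.

```python
"""Logon lockout and default-deny, role-based authorisation in one enforcement
point. Added illustration; the threshold, accounts, roles and object names are
constructed, not taken from the standard."""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 5     # assumed organisational value
PBKDF2_ROUNDS = 100_000          # assumed; raise for production


@dataclass
class Account:
    name: str
    roles: set[str]
    salt: bytes
    pw_hash: bytes
    expires_at: float            # authenticator expiry, epoch seconds
    failures: int = 0            # consecutive failed logons only
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccessGate:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Explicit grants only: (role, object, action). Anything absent is denied.
        self.grants: set[tuple[str, str, str]] = set()
        self.events: list[tuple[str, str]] = []   # (event, account) for the audit log

    def add_account(self, name: str, password: str, roles: set[str], expires_at: float) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(name, set(roles), salt, _derive(password, salt), expires_at)

    def grant(self, role: str, obj: str, action: str) -> None:
        self.grants.add((role, obj, action))

    def authenticate(self, name: str, password: str, now: float | None = None) -> str:
        """Return 'ok', 'denied', 'locked' or 'expired'."""
        acct = self.accounts.get(name)
        if acct is None:
            _derive(password, b"\0" * 16)        # same cost for unknown names
            return "denied"
        if acct.locked:
            return "locked"                      # stays locked until an administrator unlocks it
        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            if (now if now is not None else time.time()) > acct.expires_at:
                self.events.append(("expired_authenticator", name))   # surface this to the user
                return "expired"
            acct.failures = 0                    # a successful logon clears the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_CONSECUTIVE_FAILURES:
            acct.locked = True
            self.events.append(("lockout", name))
            return "locked"
        return "denied"

    def admin_unlock(self, admin: str, name: str) -> bool:
        """Only an unlocked account holding the 'admin' role may clear a lockout."""
        a = self.accounts.get(admin)
        if a is None or a.locked or "admin" not in a.roles or name not in self.accounts:
            return False
        self.accounts[name].locked = False
        self.accounts[name].failures = 0
        self.events.append(("unlock", name))
        return True

    def authorize(self, name: str, obj: str, action: str) -> bool:
        """Default deny: true only for an explicit grant on one of the account's roles."""
        acct = self.accounts.get(name)
        if acct is None or acct.locked:
            return False
        return any((role, obj, action) in self.grants for role in acct.roles)


def demo() -> list[object]:
    """Constructed sequence showing the counter reset, the lockout, the
    administrator unlock and default deny."""
    gate = AccessGate()
    far_future = 4_000_000_000.0
    gate.add_account("alice", "correct horse battery", {"analyst"}, far_future)
    gate.add_account("ops-admin", "staple xkcd", {"admin"}, far_future)
    gate.grant("analyst", "report:q3", "read")
    trace: list[object] = []
    trace.append(gate.authenticate("alice", "wrong"))                   # 'denied' (1 failure)
    trace.append(gate.authenticate("alice", "correct horse battery"))   # 'ok', counter reset
    for _ in range(MAX_CONSECUTIVE_FAILURES - 1):
        gate.authenticate("alice", "wrong")                              # 4 failures, not yet locked
    trace.append(gate.authenticate("alice", "wrong"))                   # 5th consecutive: 'locked'
    trace.append(gate.authenticate("alice", "correct horse battery"))   # still 'locked'
    trace.append(gate.authorize("alice", "report:q3", "read"))          # False while locked
    trace.append(gate.admin_unlock("ops-admin", "alice"))               # True
    trace.append(gate.authorize("alice", "report:q3", "read"))          # True: explicit grant
    trace.append(gate.authorize("alice", "report:q3", "write"))         # False: no grant, default deny
    return trace


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the controls above: the failure counter is reset only by a successful logon, so a user who mistypes twice and then succeeds does not carry those two failures into the next session; and authorisation never consults a "deny" list, only the set of explicit grants, so a new object or action is closed until someone grants it.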
  • Third Party and supply chain oversight
    126
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [The service management plan shall include or contain a reference to: approach to be taken for working with other parties involved in the service lifecycle; § 6.3 ¶ 2(f)
    The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Review and update all contracts, as necessary. CC ID 11612
    [At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6]
    Establish/Maintain Documentation Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [The documented information for the SMS shall include: contracts with external suppliers; § 7.5.4 ¶ 1(i)
For each internal supplier or customer acting as a supplier, the organization shall develop, agree and maintain a documented agreement to define the service level targets, other commitments, activities and interfaces between the parties. § 8.3.4.2 ¶ 1
    For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: § 8.3.4.1 ¶ 2
{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)]
    Process or Activity Detective
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Establish/Maintain Documentation Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509
    [The documented information for the SMS shall include: agreements with internal suppliers or customers acting as a supplier; § 7.5.4 ¶ 1(j)]
    Establish/Maintain Documentation Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Establish/Maintain Documentation Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 Establish/Maintain Documentation Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Establish/Maintain Documentation Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Establish/Maintain Documentation Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Establish/Maintain Documentation Preventive
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528
[For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: scope of the services, service components, processes or parts of processes to be provided or operated by the external supplier; § 8.3.4.1 ¶ 2(a)]
    Establish/Maintain Documentation Preventive
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Establish/Maintain Documentation Preventive
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Establish/Maintain Documentation Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Establish/Maintain Documentation Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
[For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: authorities and responsibilities of the organization and the external supplier. § 8.3.4.1 ¶ 2(d)]
    Business Processes Preventive
    Include text about data ownership in third party contracts. CC ID 06502 Establish/Maintain Documentation Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Establish/Maintain Documentation Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Establish/Maintain Documentation Preventive
    Include the contract duration in third party contracts. CC ID 16221 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487 Establish/Maintain Documentation Preventive
    Include cryptographic keys in third party contracts. CC ID 16179 Establish/Maintain Documentation Preventive
    Include bankruptcy provisions in third party contracts. CC ID 16519 Establish/Maintain Documentation Preventive
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Establish/Maintain Documentation Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Establish/Maintain Documentation Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Establish/Maintain Documentation Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Establish/Maintain Documentation Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Establish/Maintain Documentation Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Establish/Maintain Documentation Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Establish/Maintain Documentation Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Establish/Maintain Documentation Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Establish/Maintain Documentation Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Establish/Maintain Documentation Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Establish/Maintain Documentation Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Establish/Maintain Documentation Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Establish/Maintain Documentation Preventive
    Include a reporting structure in third party contracts. CC ID 06532 Establish/Maintain Documentation Preventive
    Include points of contact in third party contracts. CC ID 12355 Establish/Maintain Documentation Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Establish/Maintain Documentation Preventive
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 Establish/Maintain Documentation Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Establish/Maintain Documentation Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 Establish/Maintain Documentation Preventive
    Include training requirements in third party contracts. CC ID 16367 Acquisition/Sale of Assets or Services Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Establish/Maintain Documentation Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Establish/Maintain Documentation Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: requirements to be met by the external supplier; § 8.3.4.1 ¶ 2(b)]
    Establish/Maintain Documentation Preventive
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722 Establish/Maintain Documentation Preventive
    Include change control clauses in third party contracts, as necessary. CC ID 06523 Establish/Maintain Documentation Preventive
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 Establish/Maintain Documentation Preventive
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Establish/Maintain Documentation Preventive
    Include change control notification processes in third party contracts. CC ID 06524 Establish/Maintain Documentation Preventive
    Include cost structure changes in third party contracts. CC ID 10021 Establish/Maintain Documentation Preventive
    Include a choice of venue clause in third party contracts. CC ID 06520 Establish/Maintain Documentation Preventive
    Include a dispute resolution clause in third party contracts. CC ID 06519
    [Disputes between the organization and the external supplier shall be recorded and managed to closure. § 8.3.4.1 ¶ 7]
    Establish/Maintain Documentation Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Establish/Maintain Documentation Preventive
    Include a termination provision clause in third party contracts. CC ID 01367 Establish/Maintain Documentation Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526 Establish/Maintain Documentation Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Establish/Maintain Documentation Preventive
    Include termination costs in third party contracts. CC ID 10023 Establish/Maintain Documentation Preventive
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Establish/Maintain Documentation Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Establish/Maintain Documentation Preventive
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Establish/Maintain Documentation Preventive
    Include end-of-life information in third party contracts. CC ID 15265 Establish/Maintain Documentation Preventive
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Testing Detective
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 Establish/Maintain Documentation Preventive
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 Testing Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Testing Detective
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Establish/Maintain Documentation Preventive
    Establish the third party's service continuity. CC ID 00797 Testing Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Testing Detective
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Data and Information Management Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Testing Detective
    Include disclosure requirements in third party contracts. CC ID 08825 Business Processes Preventive
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Establish/Maintain Documentation Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958
    [The organization shall determine and document: service components that are provided or operated by other parties; § 8.2.3.1 ¶ 4(b)]
    Establish/Maintain Documentation Preventive
    Document supply chain dependencies in the supply chain management program. CC ID 08900
    [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2]
    Establish/Maintain Documentation Detective
    Establish and maintain a Third Party Service Provider list. CC ID 12480 Establish/Maintain Documentation Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429 Establish/Maintain Documentation Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Establish/Maintain Documentation Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Communicate Preventive
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Establish/Maintain Documentation Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Establish/Maintain Documentation Preventive
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481
    [The organization shall determine and document: services that are provided or operated by other parties; § 8.2.3.1 ¶ 4(a)
    The organization shall determine and document: processes, or parts of processes, in the organization's SMS that are operated by other parties. § 8.2.3.1 ¶ 4(c)]
    Establish/Maintain Documentation Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Establish/Maintain Documentation Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Establish/Maintain Documentation Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Establish/Maintain Documentation Preventive
    Document supply chain transactions in the supply chain management program. CC ID 08857 Business Processes Preventive
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Establish/Maintain Documentation Preventive
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Establish/Maintain Documentation Preventive
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Physical and Environmental Protection Preventive
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838
    [The documented information for the SMS shall include: service level agreement(s) (SLA); § 7.5.4 ¶ 1(h)
    For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2]
    Process or Activity Preventive
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842
    [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3]
    Establish/Maintain Documentation Detective
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Establish Roles Preventive
    Approve all Service Level Agreements. CC ID 00843 Establish/Maintain Documentation Detective
    Track all chargeable items in Service Level Agreements. CC ID 11616 Business Processes Detective
    Document all chargeable items in Service Level Agreements. CC ID 00844 Establish/Maintain Documentation Detective
    Enforce third party Service Level Agreements, as necessary. CC ID 07098
    [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3]
    Business Processes Corrective
    Include risk management procedures in the supply chain management policy. CC ID 08811 Establish/Maintain Documentation Preventive
    Perform risk assessments of third parties, as necessary. CC ID 06454
    [The organization shall determine and document: risks related to: the involvement of other parties in the service lifecycle; § 6.1.2 ¶ 1(a)(3)]
    Testing Detective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Business Processes Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Establish/Maintain Documentation Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Establish/Maintain Documentation Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Business Processes Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Establish/Maintain Documentation Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Establish/Maintain Documentation Preventive
    Include the third party selection process in the supply chain management policy. CC ID 13132
    [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Select suppliers based on their qualifications. CC ID 00795 Establish/Maintain Documentation Preventive
    Include third party due diligence standards in the supply chain management policy. CC ID 08812
    [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815
    [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2
    At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5]
    Business Processes Preventive
    Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 Business Processes Preventive
    Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861
    [The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1]
    Business Processes Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Business Processes Preventive
    Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915
    [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2]
    Business Processes Detective
    Assess the effectiveness of third party services provided to the organization. CC ID 13142 Business Processes Detective
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring there is control of other parties involved in the service lifecycle; § 5.1 ¶ 1(e)
    The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1
    At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5
    The management review shall include consideration of: performance of other parties involved in the delivery of the services; § 9.3 ¶ 2(i)]
    Monitor and Evaluate Occurrences Detective
    Monitor third parties' financial conditions. CC ID 13170 Monitor and Evaluate Occurrences Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010
    [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2]
    Business Processes Preventive
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Business Processes Preventive
    Provide products or services per customer requests. CC ID 08893
    [The organization and the customer shall agree the services to be delivered. § 8.3.3 ¶ 1]
    Business Processes Preventive
    Establish, implement, and maintain information security controls for the supply chain. CC ID 13109
    [The organization shall define and apply relevant controls for other parties from the following: § 8.2.3.2
    The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of process performance; § 8.2.3.2(a)
    The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of the effectiveness of services and service components in meeting the service requirements. § 8.2.3.2(b)
    The organization shall agree and implement information security controls to address information security risks related to external organizations. § 8.7.3.2 ¶ 2]
    Establish/Maintain Documentation Preventive
Common Controls and mandates by Type
272 Mandated Controls - bold    104 Implied Controls - italic    2056 Implementation - regular

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
2432 Total
  • Acquisition/Sale of Assets or Services
    21
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular
    IMPACT ZONE    CLASS
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Audits and risk management Corrective
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Operational management Preventive
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Operational management Preventive
    Plan for selling facilities, technology, or services. CC ID 06893
    [For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3]
    Acquisition or sale of facilities, technology, and services Preventive
    Refrain from providing products and services, as necessary. CC ID 15580 Acquisition or sale of facilities, technology, and services Preventive
    Determine if there is a need for the product or service being sold. CC ID 06894 Acquisition or sale of facilities, technology, and services Preventive
    Identify new business opportunities based on product or service need, the business strategy, and action plan. CC ID 06901 Acquisition or sale of facilities, technology, and services Preventive
    Develop product solicitation responses and service solicitation responses. CC ID 06896 Acquisition or sale of facilities, technology, and services Preventive
    Prevent the creation or distribution of devices designed to circumvent security measures. CC ID 11514 Acquisition or sale of facilities, technology, and services Preventive
    Provide a product warranty or service warranty. CC ID 11601 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain equipment shipping procedures. CC ID 11449 Acquisition or sale of facilities, technology, and services Preventive
    Preserve products created for sale prior to shipping. CC ID 11602 Acquisition or sale of facilities, technology, and services Preventive
    Clean and maintain products prior to shipping. CC ID 11603 Acquisition or sale of facilities, technology, and services Preventive
    Detect and remove foreign objects from products prior to shipping. CC ID 11604 Acquisition or sale of facilities, technology, and services Preventive
    Handle products with due care prior to shipping. CC ID 11605 Acquisition or sale of facilities, technology, and services Preventive
    Attach safety warnings to products prior to shipping. CC ID 11606 Acquisition or sale of facilities, technology, and services Preventive
    Rotate the stock of products prior to shipping. CC ID 11607 Acquisition or sale of facilities, technology, and services Preventive
    Process product return requests. CC ID 11598 Acquisition or sale of facilities, technology, and services Corrective
    Refrain from returning products absent a return request authorization. CC ID 11599 Acquisition or sale of facilities, technology, and services Corrective
    Include training requirements in third party contracts. CC ID 16367 Third Party and supply chain oversight Preventive
  • Actionable Reports or Measurements
    152
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Leadership and high level objectives Preventive
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 Leadership and high level objectives Preventive
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Leadership and high level objectives Preventive
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Leadership and high level objectives Preventive
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Leadership and high level objectives Preventive
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Detective
    Report on the policies and controls that have been implemented by management. CC ID 01670
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: reporting on implemented improvements. § 10.2 ¶ 3(e)]
    Monitoring and measurement Detective
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Monitoring and measurement Detective
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Monitoring and measurement Detective
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Monitoring and measurement Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Monitoring and measurement Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Detective
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Monitoring and measurement Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Monitoring and measurement Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Monitoring and measurement Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Monitoring and measurement Detective
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Monitoring and measurement Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071
    [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2(a)]
    Monitoring and measurement Detective
    Monitor compliance with the Quality Control system. CC ID 01023 Monitoring and measurement Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Monitoring and measurement Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Monitoring and measurement Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Monitoring and measurement Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Monitoring and measurement Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Monitoring and measurement Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Monitoring and measurement Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Monitoring and measurement Detective
    Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 Monitoring and measurement Detective
    Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 Monitoring and measurement Detective
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Monitoring and measurement Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Monitoring and measurement Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Monitoring and measurement Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Monitoring and measurement Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Monitoring and measurement Detective
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Monitoring and measurement Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Monitoring and measurement Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042
    [The organization shall determine and document: risks related to: approach to be taken for the management of risks. § 6.1.2 ¶ 1(d)]
    Monitoring and measurement Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Monitoring and measurement Detective
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Monitoring and measurement Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Monitoring and measurement Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Monitoring and measurement Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Monitoring and measurement Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Monitoring and measurement Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Monitoring and measurement Detective
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Monitoring and measurement Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Monitoring and measurement Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Monitoring and measurement Detective
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Monitoring and measurement Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Monitoring and measurement Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Monitoring and measurement Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Monitoring and measurement Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Monitoring and measurement Detective
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Monitoring and measurement Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Monitoring and measurement Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Monitoring and measurement Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Monitoring and measurement Detective
    Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 Monitoring and measurement Preventive
    Establish, implement, and maintain waste management metrics. CC ID 16152 Monitoring and measurement Preventive
    Establish, implement, and maintain emissions management metrics. CC ID 16145 Monitoring and measurement Preventive
    Establish, implement, and maintain financial management metrics. CC ID 16749 Monitoring and measurement Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Monitoring and measurement Detective
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Monitoring and measurement Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Monitoring and measurement Detective
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Monitoring and measurement Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Monitoring and measurement Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Monitoring and measurement Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Monitoring and measurement Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Monitoring and measurement Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Monitoring and measurement Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Monitoring and measurement Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Monitoring and measurement Detective
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Monitoring and measurement Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Monitoring and measurement Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Monitoring and measurement Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Monitoring and measurement Detective
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Monitoring and measurement Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Monitoring and measurement Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Monitoring and measurement Detective
    Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before network access is granted. CC ID 02106 Monitoring and measurement Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Monitoring and measurement Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Monitoring and measurement Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Monitoring and measurement Detective
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Monitoring and measurement Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Monitoring and measurement Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Monitoring and measurement Detective
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Monitoring and measurement Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Monitoring and measurement Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Monitoring and measurement Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Monitoring and measurement Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Monitoring and measurement Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Monitoring and measurement Detective
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Monitoring and measurement Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Monitoring and measurement Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Monitoring and measurement Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Monitoring and measurement Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Monitoring and measurement Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Monitoring and measurement Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Monitoring and measurement Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Monitoring and measurement Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Monitoring and measurement Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Monitoring and measurement Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Monitoring and measurement Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Monitoring and measurement Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Monitoring and measurement Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Monitoring and measurement Detective
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Monitoring and measurement Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Monitoring and measurement Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Monitoring and measurement Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Monitoring and measurement Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Monitoring and measurement Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Monitoring and measurement Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Monitoring and measurement Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Monitoring and measurement Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Monitoring and measurement Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Monitoring and measurement Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Monitoring and measurement Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Monitoring and measurement Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Monitoring and measurement Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Monitoring and measurement Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ (e)]
    Audits and risk management Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Preventive
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Preventive
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Corrective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Detective
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Operational and Systems Continuity Preventive
    Mitigate reported incidents. CC ID 12973
    [Problems shall be: resolved if possible; § 8.6.3 ¶ 2(d)]
    Operational management Preventive
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Records management Preventive
    Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Acquisition or sale of facilities, technology, and services Preventive
  • Audits and Risk Management
    113
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Monitoring and measurement Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Monitoring and measurement Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Monitoring and measurement Preventive
    Manage supply chain audits. CC ID 01203 Audits and risk management Preventive
    Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Preventive
    Rotate auditors, as necessary. CC ID 15589 Audits and risk management Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and risk management Preventive
    Review the external audit scope, as necessary. CC ID 01202 Audits and risk management Preventive
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and risk management Detective
    Review the external auditor's qualifications. CC ID 01197 Audits and risk management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and risk management Preventive
    Define what constitutes a threat to independence. CC ID 16824 Audits and risk management Preventive
    Determine if requested services create a threat to independence. CC ID 16823 Audits and risk management Detective
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and risk management Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and risk management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and risk management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and risk management Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and risk management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and risk management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and risk management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and risk management Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and risk management Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and risk management Detective
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and risk management Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and risk management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and risk management Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)]
    Audits and risk management Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Detective
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Preventive
    Audit in scope audit items and compliance documents. CC ID 06730
    [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the organization's own requirements for its SMS; § 9.2.1 ¶ 1(a)(1)
    The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the requirements of this document; § 9.2.1 ¶ 1(a)(2)
    The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: is effectively implemented and maintained. § 9.2.1 ¶ 1(b)
    The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)]
    Audits and risk management Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and risk management Preventive
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and risk management Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Detective
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and risk management Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and risk management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and risk management Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and risk management Detective
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and risk management Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and risk management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and risk management Preventive
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Detective
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and risk management Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Detective
    Review management's response to issues raised in past audit reports. CC ID 01149
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1)]
    Audits and risk management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and risk management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and risk management Preventive
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and risk management Preventive
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and risk management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and risk management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and risk management Detective
    Address past incidents in the risk assessment program. CC ID 12743 Audits and risk management Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [The organization shall determine and document: risks related to: not meeting the service requirements; § 6.1.2 ¶ 1(a)(2)]
    Audits and risk management Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and risk management Preventive
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and risk management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and risk management Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and risk management Preventive
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and risk management Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and risk management Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Preventive
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Preventive
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Preventive
    Conduct a Business Impact Analysis, as necessary. CC ID 01147 Audits and risk management Detective
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: prevent, or reduce, undesired effects; § 6.1.1 ¶ 1(b)
    The organization shall determine and document: risks related to: the organization; § 6.1.2 ¶ 1(a)(1)]
    Audits and risk management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)]
    Audits and risk management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and risk management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and risk management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and risk management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and risk management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and risk management Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1]
    Audits and risk management Preventive
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Preventive
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and risk management Preventive
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and risk management Preventive
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and risk management Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Detective
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and risk management Preventive
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Operational and Systems Continuity Preventive
    Audit the configuration of organizational assets, as necessary. CC ID 13653
    [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3]
    System hardening through configuration management Detective
    Audit assets after maintenance was performed. CC ID 13657 System hardening through configuration management Detective
  • Behavior
    45
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Leadership and high level objectives Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 Leadership and high level objectives Preventive
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Monitoring and measurement Corrective
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Audits and risk management Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Audits and risk management Preventive
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Audits and risk management Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Preventive
    Verify statements made by interviewees are correct. CC ID 16299 Audits and risk management Detective
    Explain the goals of the interview to the interviewee. CC ID 07189 Audits and risk management Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Audits and risk management Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 Audits and risk management Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)]
    Human Resources management Preventive
    Retrain all personnel, as necessary. CC ID 01362 Human Resources management Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217
    [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)]
    Human Resources management Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674
    [{be relevant} Persons doing work under the organization's control shall be aware of: the services relevant to their work; § 7.3 ¶ 1(c)
    The organization shall determine and maintain the knowledge necessary to support the operation of the SMS and the services. § 7.6 ¶ 1
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)]
    Human Resources management Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Preventive
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Preventive
    Conduct Archives and Records Management training. CC ID 00975 Human Resources management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Human Resources management Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Human Resources management Corrective
    Conduct crime prevention training. CC ID 06350 Human Resources management Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Operational management Preventive
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Operational management Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Operational management Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Operational management Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Operational management Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Operational management Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 Operational management Preventive
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Operational management Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Operational management Preventive
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Operational management Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435 Operational management Preventive
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Operational management Corrective
    Share data loss event information with the media. CC ID 01759 Operational management Corrective
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Corrective
    Investigate and take action regarding help desk queries. CC ID 06324
    [Service requests shall be: prioritized; § 8.6.2 ¶ 1(b)
    Service requests shall be: fulfilled; § 8.6.2 ¶ 1(c)]
    Operational management Corrective
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807
    [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2
    Following the completion of the transition activities, the organization shall report to interested parties on the achievements against the intended outcomes. § 8.5.2.3 ¶ 3]
    Operational management Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Operational management Preventive
    Manage the system implementation process. CC ID 01115 Systems design, build, and implementation Preventive
    Notify the complainant regarding any missing information in the take-down request. CC ID 09973 Acquisition or sale of facilities, technology, and services Preventive
  • Business Processes
    167
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Leadership and high level objectives Preventive
    Use secure communication protocols for telecommunications. CC ID 16458 Leadership and high level objectives Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Leadership and high level objectives Preventive
    Establish, implement, and maintain an internal reporting program. CC ID 12409
    [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1]
    Leadership and high level objectives Preventive
    Include transactions and events as a part of internal reporting. CC ID 12413 Leadership and high level objectives Preventive
    Analyze the business environment in which the organization operates. CC ID 12798 Leadership and high level objectives Preventive
    Align assets with business functions and the business environment. CC ID 13681 Leadership and high level objectives Preventive
    Analyze the external environment in which the organization operates. CC ID 12799 Leadership and high level objectives Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965 Leadership and high level objectives Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Leadership and high level objectives Preventive
    Include society in the analysis of the external environment. CC ID 12963 Leadership and high level objectives Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Leadership and high level objectives Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Leadership and high level objectives Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904 Leadership and high level objectives Preventive
    Include threats in the analysis of the external environment. CC ID 12898 Leadership and high level objectives Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Leadership and high level objectives Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896 Leadership and high level objectives Preventive
    Include technology in the analysis of the external environment. CC ID 12837 Leadership and high level objectives Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Leadership and high level objectives Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Leadership and high level objectives Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828
    [{applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1]
    Leadership and high level objectives Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826
    [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)]
    Leadership and high level objectives Preventive
    Prioritize organizational objectives. CC ID 09960 Leadership and high level objectives Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827
    [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1]
    Leadership and high level objectives Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Preventive
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 Leadership and high level objectives Preventive
    Enforce a continuous Quality Control system. CC ID 01005
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3]
    Leadership and high level objectives Detective
    Correct errors and deficiencies in a timely manner. CC ID 13501 Leadership and high level objectives Corrective
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Detective
    Review and analyze any quality improvement goals that were missed. CC ID 07204
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)]
    Leadership and high level objectives Detective
    Align the reporting methodology with the decision management strategy. CC ID 15659 Leadership and high level objectives Preventive
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 Leadership and high level objectives Corrective
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 Leadership and high level objectives Preventive
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Leadership and high level objectives Preventive
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Monitoring and measurement Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Monitoring and measurement Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Monitoring and measurement Preventive
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Monitoring and measurement Preventive
    Establish, implement, and maintain a physical environment metrics program. CC ID 02063 Monitoring and measurement Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Monitoring and measurement Preventive
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Monitoring and measurement Preventive
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Monitoring and measurement Preventive
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Monitoring and measurement Preventive
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Monitoring and measurement Preventive
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Monitoring and measurement Preventive
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Monitoring and measurement Preventive
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Monitoring and measurement Preventive
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Monitoring and measurement Preventive
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Monitoring and measurement Preventive
    Align corrective actions with the level of environmental impact. CC ID 15193 Monitoring and measurement Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Audits and risk management Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Audits and risk management Preventive
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Audits and risk management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Audits and risk management Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Audits and risk management Preventive
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Audits and risk management Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Corrective
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Audits and risk management Preventive
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Audits and risk management Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661 Audits and risk management Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Audits and risk management Preventive
    Include regular updating in the risk management system. CC ID 14990 Audits and risk management Preventive
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Audits and risk management Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Audits and risk management Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 Audits and risk management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Audits and risk management Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Audits and risk management Preventive
    Review the Business Impact Analysis, as necessary. CC ID 12774 Audits and risk management Preventive
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Preventive
    Evaluate the cyber insurance market. CC ID 12695 Audits and risk management Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Audits and risk management Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671
    [{interested party} Instructions for the fulfilment of service requests shall be made available to persons involved in service request fulfilment. § 8.6.2 ¶ 3
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)]
    Human Resources management Preventive
    Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 Operational management Preventive
    Align critical Information Technology resource availability planning with capacity planning. CC ID 01618
    [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)]
    Operational management Preventive
    Follow the resource workload schedule. CC ID 00941 Operational management Detective
    Establish, implement, and maintain a positive information control environment. CC ID 00813
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: § 5.1 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that what constitutes value for the organization and its customers is determined; § 5.1 ¶ 1(d)]
    Operational management Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818
    [implementing control of the processes in accordance with the established performance criteria; § 8.1 ¶ 1(b)]
    Operational management Preventive
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Operational management Preventive
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Operational management Preventive
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Operational management Preventive
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Operational management Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004 Operational management Preventive
    Establish, implement, and maintain a Service Management System. CC ID 13889
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the SMS achieves its intended outcome(s); § 5.1 ¶ 1(i)
    When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: making changes to the SMS, if necessary; § 10.2 ¶ 3(c)
    When a nonconformity occurs, the organization shall: make changes to the SMS, if necessary. § 10.1.1 ¶ 1(e)
    The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1]
    Operational management Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [{external obligation} /* section 6.3 c. refers to external obligations */ The organization shall ensure that assets used to deliver services are managed to meet the service requirements and the obligations in 6.3 c). § 8.2.5 ¶ 1]
    Operational management Preventive
    Include coordination amongst entities in the asset management policy. CC ID 16424 Operational management Preventive
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Operational management Preventive
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Operational management Preventive
    Classify virtual systems by type and purpose. CC ID 16332 Operational management Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631 Operational management Preventive
    Destroy systems in accordance with the system disposal program. CC ID 16457 Operational management Preventive
    Approve the release of systems and waste material into the public domain. CC ID 16461 Operational management Preventive
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Preventive
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Operational management Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278 Operational management Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Operational management Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Operational management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Preventive
    Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 Operational management Preventive
    Use proactive performance management. CC ID 00937
    [At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3]
    Operational management Detective
    Utilize resource availability management controls. CC ID 00940 Operational management Detective
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Operational management Preventive
    Establish, implement, and maintain cost management procedures. CC ID 00873
    [Costs shall be budgeted to enable effective financial control and decision-making for services. § 8.4.1 ¶ 2
    At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3]
    Operational management Detective
    Update the business cases for cost management procedures, as necessary. CC ID 13642 Operational management Preventive
    Identify and allocate departmental costs. CC ID 00871 Operational management Detective
    Review and approve the Information Technology budget. CC ID 13644 Operational management Corrective
    Update the Information Technology budget, as necessary. CC ID 13643 Operational management Corrective
    Compare actual Information Technology costs to forecasted Information Technology budgets. CC ID 11753
    [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3]
    Operational management Detective
    Manage change requests. CC ID 00887
    [{new service} The organization shall prioritize requests for change and proposals for new or changed services to align with business needs and service management objectives, taking into consideration available resources. § 8.2.2 ¶ 4
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2
    {new service} Assessing, approving, scheduling and reviewing of new or changed services in the scope of 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 3
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: changes to the SMS including new or changed policies, plans, processes, procedures, measures and knowledge; § 8.5.2.2 ¶ 1(e)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1
    Requests for change not being managed through 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 4]
    Operational management Preventive
    Examine all changes to ensure they correspond with the change request. CC ID 12345
    [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2
    The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4
    {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3
    {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5]
    Operational management Detective
    Implement changes according to the change control program. CC ID 11776
    [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2
    Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3
    A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b)
    The organization shall use service design and transition in 8.5.2 for: categories of change that are to be managed by service design and transition according to the change management policy; § 8.5.1.2 ¶ 2(c)]
    Operational management Preventive
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Operational management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244
    [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2]
    Operational management Corrective
    Establish, implement, and maintain a service delivery and production process Quality Management program. CC ID 07194
    [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f)
    The management review shall include consideration of: performance of the services; § 9.3 ¶ 2(h)
    The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1 ¶ 1(b)
    The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1 ¶ 1(d)
    The organization shall evaluate the SMS performance against the service management objectives and evaluate the effectiveness of the SMS. The organization shall evaluate the effectiveness of the services against the service requirements. § 9.1 ¶ 3
    Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4
    The release shall be deployed into the live environment so that the integrity of the services and service components is maintained. § 8.5.3 ¶ 5
    {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1
    The service management plan shall include or contain a reference to: how the effectiveness of the SMS and the services will be measured, audited, reported and improved. § 6.3 ¶ 2(h)]
    Operational management Detective
    Manage the creation of products and services, as necessary. CC ID 13497
    [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: § 8.5.2.2 ¶ 1
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2]
    Operational management Preventive
    Define the processing activities to meet products and services creation requirements. CC ID 13499
    [{new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2]
    Operational management Preventive
    Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863
    [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4]
    System hardening through configuration management Preventive
    Approve the configuration management plan. CC ID 14717 System hardening through configuration management Preventive
    Implement a signature revocation service. CC ID 14417 Records management Preventive
    Supervise media destruction in accordance with organizational standards. CC ID 16456 Records management Preventive
    Use approved media sanitization equipment for destruction. CC ID 16459 Records management Preventive
    Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 Records management Detective
    Establish, implement, and maintain decision support interventions. CC ID 14443 Records management Preventive
    Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 Records management Preventive
    Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 Records management Preventive
    Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 Records management Preventive
    Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 Records management Preventive
    Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 Records management Preventive
    Provide identification mechanisms for the organization's supply chain members. CC ID 12201 Acquisition or sale of facilities, technology, and services Preventive
    Refrain from charging a fee for the provision of services, as necessary. CC ID 14212 Acquisition or sale of facilities, technology, and services Preventive
    Ship goods or provide services to consumers in the agreed upon time frame. CC ID 08618 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a consumer complaint management program. CC ID 04570
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Acquisition or sale of facilities, technology, and services Preventive
    Document consumer complaints. CC ID 13903
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Acquisition or sale of facilities, technology, and services Preventive
    Include complete information in the take-down request. CC ID 09965 Acquisition or sale of facilities, technology, and services Detective
    Include the complainant's contact information in the take-down request. CC ID 09966 Acquisition or sale of facilities, technology, and services Detective
    Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 Acquisition or sale of facilities, technology, and services Detective
    Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 Acquisition or sale of facilities, technology, and services Detective
    Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 Acquisition or sale of facilities, technology, and services Detective
    Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 Acquisition or sale of facilities, technology, and services Preventive
    Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 Acquisition or sale of facilities, technology, and services Detective
    Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 Acquisition or sale of facilities, technology, and services Detective
    Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 Acquisition or sale of facilities, technology, and services Detective
    Remove all unlawful material associated with the take-down request that has not been removed and is feasible to remove. CC ID 09978 Acquisition or sale of facilities, technology, and services Preventive
    Notify the complainant when all unlawful material associated with the take-down notice that can be removed, has been removed. CC ID 09979 Acquisition or sale of facilities, technology, and services Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: authorities and responsibilities of the organization and the external supplier. § 8.3.4.1 ¶ 2(d)]
    Third Party and supply chain oversight Preventive
    Include disclosure requirements in third party contracts. CC ID 08825 Third Party and supply chain oversight Preventive
    Document supply chain transactions in the supply chain management program. CC ID 08857 Third Party and supply chain oversight Preventive
    Track all chargeable items in Service Level Agreements. CC ID 11616 Third Party and supply chain oversight Detective
    Enforce third party Service Level Agreements, as necessary. CC ID 07098
    [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3]
    Third Party and supply chain oversight Corrective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Third Party and supply chain oversight Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815
    [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2
    At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 Third Party and supply chain oversight Preventive
    Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861
    [The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1]
    Third Party and supply chain oversight Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915
    [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2]
    Third Party and supply chain oversight Detective
    Assess the effectiveness of third party services provided to the organization. CC ID 13142 Third Party and supply chain oversight Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010
    [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Third Party and supply chain oversight Preventive
    Provide products or services per customer requests. CC ID 08893
    [The organization and the customer shall agree the services to be delivered. § 8.3.3 ¶ 1]
    Third Party and supply chain oversight Preventive
  • Communicate
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Leadership and high level objectives Preventive
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Leadership and high level objectives Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Leadership and high level objectives Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Leadership and high level objectives Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Leadership and high level objectives Preventive
    Disseminate and communicate internal controls with supply chain members. CC ID 12416 Leadership and high level objectives Preventive
    Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 Leadership and high level objectives Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200
    [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2]
    Leadership and high level objectives Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Leadership and high level objectives Preventive
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)]
    Leadership and high level objectives Preventive
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Leadership and high level objectives Preventive
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Leadership and high level objectives Preventive
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Leadership and high level objectives Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Corrective
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)]
    Leadership and high level objectives Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680
    [Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4]
    Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Leadership and high level objectives Preventive
    Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 Leadership and high level objectives Preventive
    Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 Leadership and high level objectives Preventive
    Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 Leadership and high level objectives Preventive
    Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 Leadership and high level objectives Preventive
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Leadership and high level objectives Preventive
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 Leadership and high level objectives Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Leadership and high level objectives Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Leadership and high level objectives Preventive
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Monitoring and measurement Detective
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 Monitoring and measurement Detective
    Communicate trends in service management to all interested personnel and affected parties. CC ID 13926
    [Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2]
    Monitoring and measurement Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Preventive
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Monitoring and measurement Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Preventive
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Audits and risk management Preventive
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Audits and risk management Preventive
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Audits and risk management Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Audits and risk management Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Audits and risk management Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Audits and risk management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Audits and risk management Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Preventive
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Audits and risk management Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Audits and risk management Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Audits and risk management Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Audits and risk management Preventive
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Audits and risk management Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Corrective
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Corrective
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Preventive
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Preventive
    Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 Operational and Systems Continuity Preventive
    Identify who can speak to the media in the emergency communications procedures. CC ID 12761 Operational and Systems Continuity Corrective
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within the: external suppliers, internal suppliers and other interested parties. § 8.7.3.1 ¶ 2(c)
    The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: § 8.7.3.1 ¶ 2
    The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: the organization; § 8.7.3.1 ¶ 2(a)
    The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: customers and users; § 8.7.3.1 ¶ 2(b)]
    Operational management Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Operational management Preventive
    Communicate the service management program to interested personnel and affected parties. CC ID 13904
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)
    The service management policy shall: be communicated within the organization; § 5.2.2 ¶ 1(b)
    The service management policy shall: be available to interested parties, as appropriate. § 5.2.2 ¶ 1(c)
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be communicated; § 6.2.1 ¶ (e)
    Persons doing work under the organization's control shall be aware of: the service management policy; § 7.3 ¶ 1(a)
    The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4]
    Operational management Preventive
    Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927
    [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7]
    Operational management Preventive
    Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924
    [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7]
    Operational management Preventive
    Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909
    [Persons doing work under the organization's control shall be aware of: the implications of not conforming with the SMS requirements. § 7.3 ¶ 1(e)]
    Operational management Preventive
    Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908
    [Persons doing work under the organization's control shall be aware of: their contribution to the effectiveness of the SMS, including the benefits of improved performance; § 7.3 ¶ 1(d)]
    Operational management Preventive
    Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)]
    Operational management Preventive
    Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459 Operational management Preventive
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Operational management Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Operational management Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Operational management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Preventive
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Operational management Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Operational management Corrective
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Operational management Preventive
    Communicate the service catalog to interested personnel and affected parties. CC ID 13910
    [The organization shall provide access to appropriate parts of the service catalogue(s) to its customers, users and other interested parties. § 8.2.4 ¶ 2]
    Operational management Preventive
    Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 System hardening through configuration management Preventive
    Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 System hardening through configuration management Preventive
    Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946
    [Configuration information shall be made available for other service management activities as appropriate. § 8.2.6 ¶ 5]
    System hardening through configuration management Preventive
    Notify the supervisory authority of any changes to the required data elements. CC ID 14366 Records management Corrective
    Notify the complainant about their rights after receiving a complaint. CC ID 16794 Acquisition or sale of facilities, technology, and services Preventive
    Post contact information in an easily seen location at facilities. CC ID 13812 Acquisition or sale of facilities, technology, and services Preventive
    Provide users a list of the available dispute resolution bodies. CC ID 13814 Acquisition or sale of facilities, technology, and services Preventive
    Post the dispute resolution body's contact information on the organization's website. CC ID 13811 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Third Party and supply chain oversight Preventive
  • Configuration
    36
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Monitoring and measurement Preventive
    Configure access control lists in accordance with organizational standards. CC ID 16465 Technical security Preventive
    Disallow application IDs from running as privileged users. CC ID 10050 Technical security Detective
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Preventive
    Establish, implement, and maintain session lock capabilities. CC ID 01417 Technical security Preventive
    Limit concurrent sessions according to account type. CC ID 01416 Technical security Preventive
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Technical security Preventive
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Technical security Preventive
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Technical security Preventive
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Technical security Preventive
    Enable access control for objects and users on each system. CC ID 04553 Technical security Preventive
    Display previous logon information in the logon banner. CC ID 01415 Technical security Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Preventive
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Preventive
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Operational management Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Operational management Preventive
    Deploy software patches in accordance with organizational standards. CC ID 07032 Operational management Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Corrective
    Remove outdated software after software has been updated. CC ID 11792 Operational management Corrective
    Update computer firmware, as necessary. CC ID 11755 Operational management Corrective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Corrective
    Establish, implement, and maintain a configuration change log. CC ID 08710 Operational management Detective
    Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 System hardening through configuration management Preventive
    Employ the Configuration Management program. CC ID 11904 System hardening through configuration management Preventive
    Document external connections for all systems. CC ID 06415 System hardening through configuration management Preventive
    Configure Logging settings in accordance with organizational standards. CC ID 07611 System hardening through configuration management Preventive
    Configure all logs to capture auditable events or actionable events. CC ID 06332 System hardening through configuration management Preventive
    Configure the log to capture configuration changes. CC ID 06881
    [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3]
    System hardening through configuration management Preventive
    Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 System hardening through configuration management Preventive
    Configure the log to capture all changes to certificates. CC ID 05595 System hardening through configuration management Preventive
    Reconfigure the security attributes of records as the information changes. CC ID 06765 Records management Preventive
    Implement electronic storage media integrity controls. CC ID 00946 Records management Preventive
    Automate electronic storage media integrity check controls. CC ID 00948 Records management Preventive
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Records management Preventive
  • Data and Information Management
    89
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Leadership and high level objectives Preventive
    Address Information Security during the business planning processes. CC ID 06495 Leadership and high level objectives Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Monitoring and measurement Preventive
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Preventive
    Enforce access restrictions for restricted data. CC ID 01921 Technical security Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Operational management Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Operational management Preventive
    Share incident information with interested personnel and affected parties. CC ID 01212
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Operational management Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Corrective
    Approve tested change requests. CC ID 11783
    [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3]
    Operational management Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Operational management Preventive
    Store records and data in accordance with organizational standards. CC ID 16439 Records management Preventive
    Select the appropriate format for archived data and records. CC ID 06320
    [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)]
    Records management Preventive
    Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 Records management Preventive
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 Records management Preventive
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 Records management Preventive
    Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 Records management Preventive
    Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 Records management Preventive
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Records management Preventive
    Remove non-public information from publicly accessible systems. CC ID 14246 Records management Corrective
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Records management Detective
    Establish, implement, and maintain electronic health records. CC ID 14436 Records management Preventive
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Records management Preventive
    Import data files into a patient's electronic health record. CC ID 14448 Records management Preventive
    Export requested sections of the electronic health record. CC ID 14447 Records management Preventive
    Display the implantable device list to authorized users. CC ID 14445 Records management Preventive
    Include attributes in the decision support intervention. CC ID 16766 Records management Preventive
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Records management Detective
    Establish, implement, and maintain data availability controls. CC ID 15301 Records management Preventive
    Control error handling when data is being inputted. CC ID 00922 Records management Detective
    Use automated entry devices to reduce errors during data input. CC ID 06626 Records management Preventive
    Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Records management Preventive
    Label restricted storage media appropriately. CC ID 00966 Records management Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Preventive
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Records management Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Preventive
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Detective
  • Establish Roles
    38
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Leadership and high level objectives Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Leadership and high level objectives Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765 Leadership and high level objectives Detective
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Audits and risk management Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Audits and risk management Preventive
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Audits and risk management Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Preventive
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Audits and risk management Preventive
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Audits and risk management Preventive
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Audits and risk management Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Audits and risk management Preventive
    Assign the audit to impartial auditors. CC ID 07118
    [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)]
    Audits and risk management Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Audits and risk management Preventive
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 Audits and risk management Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Preventive
    Include restoration procedures in the continuity plan. CC ID 01169
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures to be implemented in the event of a major loss of service; § 8.7.2 ¶ 2(b)
    The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures for returning to normal working conditions. § 8.7.2 ¶ 2(e)]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Preventive
    Define and assign the Board of Directors' roles and responsibilities and senior management's roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that appropriate levels of authority are assigned for making decisions related to the SMS and the services; § 5.1 ¶ 1(c)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1(l)]
    Human Resources management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Human Resources management Preventive
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Operational management Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Operational management Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Operational management Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Preventive
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Operational management Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Operational management Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Operational management Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Operational management Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Operational management Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Operational management Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Operational management Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Operational management Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Operational management Preventive
    Assign interested personnel and affected parties to service delivery and production process quality improvement projects, as necessary. CC ID 07197 Operational management Preventive
    Establish, implement, and maintain data processing integrity controls. CC ID 00923 Records management Preventive
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Third Party and supply chain oversight Preventive
  • Establish/Maintain Documentation
    1103
    Establish, implement, and maintain communication protocols. CC ID 12245
    [{internal communication}{be relevant} The organization shall determine the internal and external communications relevant to the SMS and the services including: § 7.4 ¶ 1
    The organization shall determine the internal and external communications relevant to the SMS and the services including: when to communicate; § 7.4 ¶ 1(b)
    The organization shall determine the internal and external communications relevant to the SMS and the services including: with whom to communicate; § 7.4 ¶ 1(c)
    The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2
    The organization shall determine the internal and external communications relevant to the SMS and the services including: how to communicate; § 7.4 ¶ 1(d)
    The organization shall determine the internal and external communications relevant to the SMS and the services including: on what it will communicate; § 7.4 ¶ 1(a)
    The organization shall determine the internal and external communications relevant to the SMS and the services including: who will be responsible for the communication. § 7.4 ¶ 1(e)]
    Leadership and high level objectives Preventive
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419
    [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1]
    Leadership and high level objectives Preventive
    Include external requirements in the organization's communication protocol. CC ID 12418
    [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2]
    Leadership and high level objectives Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 Leadership and high level objectives Preventive
    Document the findings from surveys. CC ID 16309 Leadership and high level objectives Preventive
    Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Leadership and high level objectives Preventive
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Leadership and high level objectives Preventive
    Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 Leadership and high level objectives Preventive
    Define the thresholds for escalation in the internal reporting program. CC ID 14332 Leadership and high level objectives Preventive
    Define the thresholds for reporting in the internal reporting program. CC ID 14331 Leadership and high level objectives Preventive
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Leadership and high level objectives Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959 Leadership and high level objectives Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591 Leadership and high level objectives Preventive
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Preventive
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Leadership and high level objectives Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Leadership and high level objectives Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Leadership and high level objectives Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Leadership and high level objectives Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Leadership and high level objectives Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Leadership and high level objectives Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Leadership and high level objectives Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Leadership and high level objectives Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Leadership and high level objectives Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Leadership and high level objectives Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998 Leadership and high level objectives Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Leadership and high level objectives Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Leadership and high level objectives Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Leadership and high level objectives Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Preventive
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Leadership and high level objectives Preventive
    Approve the data classification scheme. CC ID 13858 Leadership and high level objectives Detective
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Leadership and high level objectives Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Leadership and high level objectives Preventive
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Leadership and high level objectives Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Leadership and high level objectives Preventive
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Leadership and high level objectives Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Leadership and high level objectives Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Leadership and high level objectives Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Leadership and high level objectives Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Leadership and high level objectives Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Leadership and high level objectives Preventive
    Include the data source in the data dictionary. CC ID 13519 Leadership and high level objectives Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Leadership and high level objectives Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Leadership and high level objectives Preventive
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Leadership and high level objectives Preventive
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 Leadership and high level objectives Preventive
    Establish, implement, and maintain an organizational structure. CC ID 16310 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management framework. CC ID 07196
    [The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3
    At planned intervals, the effectiveness of problem resolution shall be monitored, reviewed and reported. § 8.6.3 ¶ 5
    The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6]
    Leadership and high level objectives Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Leadership and high level objectives Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a)
    The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b)
    {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1]
    Leadership and high level objectives Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Leadership and high level objectives Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Leadership and high level objectives Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200
    [The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2
    The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management program. CC ID 07201
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: setting one or more targets for improvement in areas such as quality, value, capability, cost, productivity, resource utilization and risk reduction; § 10.2 ¶ 3(a)
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b)
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)]
    Leadership and high level objectives Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Preventive
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Preventive
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Preventive
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Preventive
    Include resource management in the quality management system. CC ID 15026 Leadership and high level objectives Preventive
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Preventive
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3
    Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4
    The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6]
    Leadership and high level objectives Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Leadership and high level objectives Preventive
    Include program testing standards in the Quality Management program. CC ID 01017
    [At planned intervals, the organization shall monitor, review and report on: performance against service level targets; § 8.3.3 ¶ 3(a)]
    Leadership and high level objectives Preventive
    Include system testing standards in the Quality Management program. CC ID 01018 Leadership and high level objectives Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring the integration of the SMS requirements into the organization's business processes; § 5.1 ¶ 1(f)]
    Leadership and high level objectives Preventive
    Establish and maintain an Authority Document list. CC ID 07113
    [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2]
    Leadership and high level objectives Preventive
    Map in-scope assets and in-scope records to external requirements. CC ID 12189 Leadership and high level objectives Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [The documented information for the SMS shall include: procedures that are required by this document; § 7.5.4 ¶ 1(k)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [Documented information required by the SMS and by this document shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3.1(a)
    When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1(c)]
    Leadership and high level objectives Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Leadership and high level objectives Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Leadership and high level objectives Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Leadership and high level objectives Preventive
    Include signatures of C-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Leadership and high level objectives Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Leadership and high level objectives Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Leadership and high level objectives Detective
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498
    [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784
    [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1]
    Leadership and high level objectives Preventive
    Include acting with integrity in the strategic plan. CC ID 12870 Leadership and high level objectives Preventive
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960 Leadership and high level objectives Preventive
    Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 Leadership and high level objectives Preventive
    Establish, implement, and maintain a planning policy. CC ID 14673 Leadership and high level objectives Preventive
    Establish, implement, and maintain planning procedures. CC ID 14698 Leadership and high level objectives Preventive
    Include compliance requirements in the planning policy. CC ID 14688 Leadership and high level objectives Preventive
    Include coordination amongst entities in the planning policy. CC ID 14687 Leadership and high level objectives Preventive
    Include management commitment in the planning policy. CC ID 14686 Leadership and high level objectives Preventive
    Include roles and responsibilities in the planning policy. CC ID 14685 Leadership and high level objectives Preventive
    Include the scope in the planning policy. CC ID 14684 Leadership and high level objectives Preventive
    Include the purpose in the planning policy. CC ID 14683 Leadership and high level objectives Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027 Leadership and high level objectives Preventive
    Include compliance requirements in the security planning policy. CC ID 14131 Leadership and high level objectives Preventive
    Include coordination amongst entities in the security planning policy. CC ID 14130 Leadership and high level objectives Preventive
    Include management commitment in the security planning policy. CC ID 14129 Leadership and high level objectives Preventive
    Include roles and responsibilities in the security planning policy. CC ID 14128 Leadership and high level objectives Preventive
    Include the scope in the security planning policy. CC ID 14127 Leadership and high level objectives Preventive
    Include the purpose in the security planning policy. CC ID 14126 Leadership and high level objectives Preventive
    Establish, implement, and maintain security planning procedures. CC ID 14060 Leadership and high level objectives Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913 Leadership and high level objectives Preventive
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Leadership and high level objectives Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Leadership and high level objectives Preventive
    Include criteria for compliance in the decision-making criteria. CC ID 12951 Leadership and high level objectives Preventive
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 Leadership and high level objectives Preventive
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 Leadership and high level objectives Preventive
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Leadership and high level objectives Preventive
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Leadership and high level objectives Detective
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Leadership and high level objectives Preventive
    Establish, implement, and maintain an information technology process framework. CC ID 13648 Leadership and high level objectives Preventive
    Include maturity models in the Information Technology process framework. CC ID 13652 Leadership and high level objectives Preventive
    Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 Leadership and high level objectives Preventive
    Include Information Technology process structures in the Information Technology process framework. CC ID 13650 Leadership and high level objectives Preventive
    Establish, implement, and maintain a tactical plan. CC ID 12785 Leadership and high level objectives Preventive
    Include acting with integrity in the tactical plan. CC ID 12871 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 Leadership and high level objectives Preventive
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Leadership and high level objectives Preventive
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Leadership and high level objectives Preventive
    Include the information integrity goals in the Information Governance Plan. CC ID 10057 Leadership and high level objectives Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Leadership and high level objectives Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408 Leadership and high level objectives Preventive
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Leadership and high level objectives Preventive
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 Leadership and high level objectives Preventive
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Leadership and high level objectives Preventive
    Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Leadership and high level objectives Preventive
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 Leadership and high level objectives Preventive
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846 Leadership and high level objectives Preventive
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 Leadership and high level objectives Preventive
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 Leadership and high level objectives Preventive
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621 Leadership and high level objectives Preventive
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Leadership and high level objectives Corrective
    Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 Leadership and high level objectives Preventive
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Leadership and high level objectives Preventive
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Leadership and high level objectives Preventive
    Include a search plan in the counterterror protective security plan. CC ID 06865 Leadership and high level objectives Preventive
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Leadership and high level objectives Preventive
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Leadership and high level objectives Preventive
    Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 Leadership and high level objectives Preventive
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 Leadership and high level objectives Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228 Leadership and high level objectives Preventive
    Establish, implement, and maintain financial reports. CC ID 14770
    [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3]
    Leadership and high level objectives Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Leadership and high level objectives Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Leadership and high level objectives Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588 Leadership and high level objectives Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Leadership and high level objectives Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Leadership and high level objectives Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Leadership and high level objectives Preventive
    Include material contingencies in the financial statement. CC ID 16596 Leadership and high level objectives Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Leadership and high level objectives Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Leadership and high level objectives Preventive
    Include assets and liabilities in the call report. CC ID 16729 Leadership and high level objectives Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Monitoring and measurement Corrective
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Monitoring and measurement Preventive
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757
    [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4]
    Monitoring and measurement Detective
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Monitoring and measurement Preventive
    Establish, implement, and maintain a service management monitoring and metrics program. CC ID 13916
    [At planned intervals, the organization shall: monitor and report on demand and consumption of services. § 8.4.2 ¶ 1(b)
    Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671
    [The organization shall determine: when the monitoring and measuring shall be performed; § 9.1 ¶ 1(c)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656 Monitoring and measurement Preventive
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: § 10.1.1 ¶ 1(b)
    The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a)]
    Monitoring and measurement Preventive
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Monitoring and measurement Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Preventive
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Monitoring and measurement Preventive
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Monitoring and measurement Preventive
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 Monitoring and measurement Preventive
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Monitoring and measurement Preventive
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: targets for service availability when the service continuity plan is invoked; § 8.7.2 ¶ 2(c)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Monitoring and measurement Preventive
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665 Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics standard and template. CC ID 02157 Monitoring and measurement Preventive
    Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 Monitoring and measurement Preventive
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Monitoring and measurement Preventive
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Monitoring and measurement Preventive
    Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 Monitoring and measurement Preventive
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Monitoring and measurement Preventive
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Monitoring and measurement Preventive
    Establish, implement, and maintain a privacy metrics program. CC ID 15494 Monitoring and measurement Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Monitoring and measurement Preventive
    Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Monitoring and measurement Preventive
    Establish, implement, and maintain a log management program. CC ID 00673 Monitoring and measurement Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Monitoring and measurement Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Monitoring and measurement Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Monitoring and measurement Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Audits and risk management Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Audits and risk management Preventive
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Audits and risk management Preventive
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Audits and risk management Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Audits and risk management Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Audits and risk management Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Audits and risk management Preventive
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Audits and risk management Preventive
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Audits and risk management Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Audits and risk management Preventive
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Audits and risk management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Audits and risk management Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Audits and risk management Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Audits and risk management Preventive
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Audits and risk management Preventive
    Establish, implement, and maintain an audit program. CC ID 00684
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Audits and risk management Preventive
    Establish, implement, and maintain audit policies. CC ID 13166 Audits and risk management Preventive
    Include resource requirements in the audit program. CC ID 15237 Audits and risk management Preventive
    Include risks and opportunities in the audit program. CC ID 15236 Audits and risk management Preventive
    Establish and maintain audit terms. CC ID 13880 Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Audits and risk management Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Audits and risk management Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Audits and risk management Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Audits and risk management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Audits and risk management Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Audits and risk management Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Audits and risk management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Audits and risk management Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Audits and risk management Preventive
    Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 Audits and risk management Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Audits and risk management Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Audits and risk management Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Audits and risk management Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Audits and risk management Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Audits and risk management Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Audits and risk management Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Audits and risk management Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Audits and risk management Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Audits and risk management Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Audits and risk management Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Audits and risk management Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Audits and risk management Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Audits and risk management Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Audits and risk management Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Audits and risk management Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Audits and risk management Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Audits and risk management Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Audits and risk management Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Audits and risk management Preventive
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Audits and risk management Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Audits and risk management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)]
    Audits and risk management Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Audits and risk management Preventive
    Include audit subject matter in the audit program. CC ID 07103
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the importance of the processes concerned; § 9.2.2 ¶ 1(a)(1)]
    Audits and risk management Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Audits and risk management Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Audits and risk management Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Audits and risk management Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Audits and risk management Preventive
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Audits and risk management Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Audits and risk management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Audits and risk management Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Audits and risk management Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Audits and risk management Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Audits and risk management Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Audits and risk management Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Audits and risk management Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Audits and risk management Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Audits and risk management Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Audits and risk management Preventive
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Audits and risk management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Audits and risk management Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Audits and risk management Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Audits and risk management Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Corrective
    Include materiality levels in the audit terms. CC ID 01238 Audits and risk management Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: changes affecting the organization; § 9.2.2 ¶ 1(a)(2)]
    Audits and risk management Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Audits and risk management Preventive
    Document any after-the-fact changes to the engagement file. CC ID 07002 Audits and risk management Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Audits and risk management Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Audits and risk management Preventive
    Edit the audit assertion for accuracy. CC ID 07030 Audits and risk management Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Audits and risk management Preventive
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Audits and risk management Preventive
    Establish, implement, and maintain interview procedures. CC ID 16282 Audits and risk management Preventive
    Establish and maintain work papers, as necessary. CC ID 13891 Audits and risk management Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Audits and risk management Preventive
    Include audit irregularities in the work papers. CC ID 16774 Audits and risk management Preventive
    Include corrective actions in the work papers. CC ID 16771 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Audits and risk management Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Audits and risk management Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Audits and risk management Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Audits and risk management Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Audits and risk management Preventive
    Include whether any subject matter experts were consulted or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Audits and risk management Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Audits and risk management Preventive
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Audits and risk management Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Audits and risk management Preventive
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Audits and risk management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Audits and risk management Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Audits and risk management Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Audits and risk management Preventive
    Establish and maintain organizational audit reports. CC ID 06731
    [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ (e)
    The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Audits and risk management Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Detective
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Preventive
    Include a statement that the auditee did not provide comments in the audit report. CC ID 16849 Audits and risk management Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Preventive
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Audits and risk management Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Audits and risk management Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Audits and risk management Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Audits and risk management Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Audits and risk management Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Audits and risk management Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Audits and risk management Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Preventive
    Refrain from referencing other auditors' work in the audit report. CC ID 13881 Audits and risk management Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Audits and risk management Preventive
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Preventive
    Include recommended corrective actions in the audit report. CC ID 16197 Audits and risk management Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Audits and risk management Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Audits and risk management Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Audits and risk management Preventive
    Include the audit opinion regarding the accuracy of the in scope system description in the audit report. CC ID 07019 Audits and risk management Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Audits and risk management Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Audits and risk management Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Audits and risk management Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Audits and risk management Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Audits and risk management Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Audits and risk management Preventive
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Detective
    Review past audit reports. CC ID 01155
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the results of previous audits; § 9.2.2 ¶ 1(a)(3)
    The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: audit results; § 9.3 ¶ 2(c)(3)]
    Audits and risk management Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Detective
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Corrective
    Include an audit opinion in the audit report. CC ID 07017 Audits and risk management Preventive
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Audits and risk management Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Preventive
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Audits and risk management Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Audits and risk management Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Audits and risk management Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Audits and risk management Preventive
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Audits and risk management Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Audits and risk management Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Audits and risk management Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Audits and risk management Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Corrective
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Audits and risk management Preventive
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Audits and risk management Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Audits and risk management Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Audits and risk management Detective
    Accept the audit report. CC ID 07025 Audits and risk management Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777 Audits and risk management Corrective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Audits and risk management Preventive
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Preventive
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Preventive
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Audits and risk management Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051
    [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)
    The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)]
    Audits and risk management Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Audits and risk management Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Audits and risk management Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209 Audits and risk management Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Audits and risk management Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Audits and risk management Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Audits and risk management Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Preventive
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Audits and risk management Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Audits and risk management Preventive
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Audits and risk management Preventive
    Establish, implement, and maintain insurance requirements. CC ID 16562 Audits and risk management Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Audits and risk management Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Audits and risk management Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Audits and risk management Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Audits and risk management Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Audits and risk management Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Audits and risk management Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Audits and risk management Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Audits and risk management Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Audits and risk management Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Audits and risk management Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Audits and risk management Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Audits and risk management Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Audits and risk management Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Audits and risk management Preventive
    Document cybersecurity risks. CC ID 12281 Audits and risk management Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Audits and risk management Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Audits and risk management Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Audits and risk management Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Audits and risk management Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Audits and risk management Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Audits and risk management Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Audits and risk management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Audits and risk management Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Audits and risk management Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Audits and risk management Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Audits and risk management Preventive
    Document organizational risk criteria. CC ID 12277 Audits and risk management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Audits and risk management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Audits and risk management Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Audits and risk management Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Audits and risk management Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Audits and risk management Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Audits and risk management Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Audits and risk management Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Audits and risk management Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Detective
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Audits and risk management Detective
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Preventive
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Audits and risk management Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Audits and risk management Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Audits and risk management Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Audits and risk management Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Audits and risk management Preventive
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 Audits and risk management Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Audits and risk management Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961 Audits and risk management Preventive
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [The organization shall determine and document: risk acceptance criteria; § 6.1.2 ¶ 1(c)]
    Audits and risk management Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Audits and risk management Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Detective
    Document the results of the gap analysis. CC ID 16271 Audits and risk management Preventive
    Establish, implement, and maintain a risk treatment plan. CC ID 11983 Audits and risk management Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Audits and risk management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Audits and risk management Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Audits and risk management Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Audits and risk management Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Audits and risk management Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Audits and risk management Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Audits and risk management Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Audits and risk management Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Audits and risk management Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Audits and risk management Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3]
    Audits and risk management Corrective
    Review and approve the risk assessment findings. CC ID 06485
    [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)]
    Audits and risk management Preventive
    Include risk responses in the risk management program. CC ID 13195 Audits and risk management Preventive
    Document residual risk in a residual risk report. CC ID 13664 Audits and risk management Corrective
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Audits and risk management Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Audits and risk management Preventive
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 Audits and risk management Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Audits and risk management Preventive
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Audits and risk management Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Audits and risk management Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Audits and risk management Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Audits and risk management Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Audits and risk management Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Audits and risk management Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Audits and risk management Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Audits and risk management Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Audits and risk management Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Audits and risk management Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190
    [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3]
    Audits and risk management Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Add all devices requiring access control to the Access Control List. CC ID 06264 Technical security Preventive
    Include the objects and users subject to access control in the security policy. CC ID 11836 Technical security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Technical security Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Preventive
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Technical security Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: § 8.7.2 ¶ 2
    At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Operational and Systems Continuity Preventive
    Identify all stakeholders in the continuity plan. CC ID 13256 Operational and Systems Continuity Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Operational and Systems Continuity Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Operational and Systems Continuity Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189 Operational and Systems Continuity Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037
    [The organization shall report on the cause, impact and recovery when the service continuity plan(s) has been invoked. § 8.7.2 ¶ 5]
    Operational and Systems Continuity Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)]
    Operational and Systems Continuity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Operational and Systems Continuity Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Operational and Systems Continuity Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Operational and Systems Continuity Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Operational and Systems Continuity Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Operational and Systems Continuity Corrective
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Operational and Systems Continuity Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: service recovery requirements; § 8.7.2 ¶ 2(d)]
    Operational and Systems Continuity Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Operational and Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Operational and Systems Continuity Preventive
    Establish, implement, and maintain damage assessment procedures. CC ID 01267
    [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Operational and Systems Continuity Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Preventive
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Detective
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Operational and Systems Continuity Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Operational and Systems Continuity Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Preventive
    Define and prioritize critical business functions. CC ID 00736
    [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2]
    Operational and Systems Continuity Detective
    Review and prioritize the importance of each business process. CC ID 11689 Operational and Systems Continuity Preventive
    Include emergency communications procedures in the continuity plan. CC ID 00750
    [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3]
    Operational and Systems Continuity Preventive
    Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 Operational and Systems Continuity Preventive
    Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 Operational and Systems Continuity Preventive
    Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 Operational and Systems Continuity Preventive
    Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171
    [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745 Operational and Systems Continuity Preventive
    Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893
    [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)]
    Operational and Systems Continuity Preventive
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Operational and Systems Continuity Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Human Resources management Preventive
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Human Resources management Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Human Resources management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Preventive
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Preventive
    Document the security clearance procedure results. CC ID 01635 Human Resources management Detective
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Preventive
    Document all training in a training record. CC ID 01423
    [The organization shall: retain appropriate documented information as evidence of competence. § 7.2 ¶ 1(d)]
    Human Resources management Detective
    Review the current published guidance and awareness and training programs. CC ID 01245 Human Resources management Preventive
    Establish, implement, and maintain training plans. CC ID 00828
    [{be usable}{be available}{support}{operation}{SMS and the services} The knowledge shall be relevant, usable and available to appropriate persons. § 7.6 ¶ 2]
    Human Resources management Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Human Resources management Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Human Resources management Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Preventive
    Document security awareness requirements. CC ID 12146 Human Resources management Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Human Resources management Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Human Resources management Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Human Resources management Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Human Resources management Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Preventive
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Preventive
    Document the goals of the security awareness program. CC ID 12145 Human Resources management Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Preventive
    Document the scope of the security awareness program. CC ID 12148 Human Resources management Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Human Resources management Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Human Resources management Preventive
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Human Resources management Preventive
    Establish, implement, and maintain a capacity management plan. CC ID 11751
    [The organization shall plan capacity to include: timescales and thresholds for changes to service capacity. § 8.4.3 ¶ 2(c)
    At planned intervals, the organization shall: determine current demand and forecast future demand for services; § 8.4.2 ¶ 1(a)
    {service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2
    The organization shall plan capacity to include: current and forecast capacity based on demand for services; § 8.4.3 ¶ 2(a)]
    Operational management Preventive
    Establish, implement, and maintain a capacity planning baseline. CC ID 13492
    [{service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2]
    Operational management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820 Operational management Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [Where service level targets are not met, the organization shall identify opportunities for improvement. § 8.3.3 ¶ 4
    At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3
    The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3
    The management review shall include consideration of: opportunities for continual improvement; § 9.3 ¶ 2(d)]
    Operational management Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745
    [Information security incidents shall be: escalated if needed; § 8.7.3.3 ¶ 1(c)]
    Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740
    [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1]
    Operational management Preventive
    Include business processes in the information security policy. CC ID 16326 Operational management Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Preventive
    Include information security objectives in the information security policy. CC ID 13493 Operational management Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Preventive
    Include notification procedures in the information security policy. CC ID 16842 Operational management Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1]
    Operational management Preventive
    Establish and maintain a scope statement for the Service Management System. CC ID 13890
    [The organization shall determine: the relevant requirements of these interested parties. § 4.2 ¶ 1(b)
    When planning how to achieve its service management objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1(a)
    The documented information for the SMS shall include: scope of the SMS; § 7.5.4 ¶ 1(a)
    {service management system} When determining this scope, the organization shall consider: the requirements referred to in 4.2; § 4.3 ¶ 2(b)
    {service management system} When determining this scope, the organization shall consider: the services delivered by the organization. § 4.3 ¶ 2(c)
    The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4
    The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c)
    The organization's SMS shall include: documented information determined by the organization as being necessary for the effectiveness of the SMS. § 7.5.1 ¶ 1(b)
    The organization's SMS shall include: documented information required by this document; § 7.5.1 ¶ 1(a)
    The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3]
    Operational management Preventive
    Include the organization's name in the scope statement for the Service Management System. CC ID 13913
    [The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3]
    Operational management Preventive
    Establish, implement, and maintain a service management program. CC ID 11388
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    The service management policy shall: be available as documented information; § 5.2.2 ¶ 1(a)
    Other planning activities shall maintain alignment with the service management plan. § 6.3 ¶ 3
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    When planning how to achieve its service management objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1(d)
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be updated as appropriate. § 6.2.1 ¶ 1(f)
    The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5
    At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3
    Top management shall review the organization's SMS and the services, at planned intervals, to ensure their continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1
    The organization shall determine: what needs to be monitored and measured for the SMS and the services; § 9.1 ¶ 1(a)
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Operational management Preventive
    Include a service management plan in the service management program. CC ID 13902
    [The documented information for the SMS shall include: service management plan; § 7.5.4 ¶ 1(c)]
    Operational management Preventive
    Include the information security policy in the service management program. CC ID 13925
    [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)]
    Operational management Preventive
    Include the change management policy in the service management program. CC ID 13923
    [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)]
    Operational management Preventive
    Include the service management objectives in the service management program. CC ID 11389
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a)
    Top management shall establish a service management policy that: provides a framework for setting service management objectives; § 5.2.1 ¶ 1(b)
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be consistent with the service management policy; § 6.2.1 ¶ 1(a)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    {organization level} The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: § 6.2.1 ¶ 1
    The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b)
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: intended outcomes from delivering the new or changed services, expressed in measurable terms; § 8.5.2.1 ¶ 1(g)
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Operational management Preventive
    Include the service requirements in the service management program. CC ID 11390
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    Top management shall establish a service management policy that: includes a commitment to satisfy applicable requirements; § 5.2.1 ¶ 1(c)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: take into account applicable requirements; § 6.2.1 ¶ 1(c)
    The documented information for the SMS shall include: service requirements; § 7.5.4 ¶ 1(f)
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    The service requirements for existing services, new services and changes to services shall be determined and documented. § 8.2.2 ¶ 1
    Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: dependencies on other services; § 8.5.2.1 ¶ 1(d)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: § 8.5.2.1 ¶ 1
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Operational management Preventive
    Include known limitations in the service management program. CC ID 11391
    [The organization shall determine the boundaries and applicability of the SMS to establish its scope. § 4.3 ¶ 1
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    The service management plan shall include or contain a reference to: known limitations that can impact the SMS and the services; § 6.3 ¶ 2(b)
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2]
    Operational management Preventive
    Include service management policies in the service management program. CC ID 11392
    [Top management shall establish a service management policy that: § 5.2.1 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b)
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c)
    Top management shall establish a service management policy that: is appropriate to the purpose of the organization; § 5.2.1 ¶ 1(a)]
    Operational management Preventive
    Assign roles and responsibilities in the service management program. CC ID 11393
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: directing and supporting persons to contribute to the effectiveness of the SMS and the services; § 5.1 ¶ 1(j)
    Top management shall assign the responsibility and authority for: ensuring that the SMS conforms to the requirement of this document; § 5.3 ¶ 2(a)
    Top management shall assign the responsibility and authority for: reporting on the performance of the SMS and the services to top management. § 5.3 ¶ 2(b)
    {responsible party} When planning how to achieve its service management objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1(c)
    The organization shall retain accountability for the requirements specified in this document and the delivery of the services regardless of which party is involved in performing activities to support the service lifecycle. § 8.2.3.1 ¶ 1
    Top management shall ensure that the responsibilities and authorities for roles relevant to the SMS and the services are assigned and communicated within the organization. § 5.3 ¶ 1
    The service management plan shall include or contain a reference to: authorities and responsibilities for the SMS and the services; § 6.3 ¶ 2(d)
    Persons doing work under the organization's control shall be aware of: the service management objectives; § 7.3 ¶ 1(b)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: authorities and responsibilities for design, build and transition activities; § 8.5.2.1 ¶ 1(a)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: activities to be performed by the organization or other parties with their timescales; § 8.5.2.1 ¶ 1(b)
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: authorities and responsibilities of the parties involved in the delivery of the new or changed services; § 8.5.2.2 ¶ 1(a)
    The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1]
    Operational management Preventive
    Include all resources needed to achieve the objectives in the service management program. CC ID 11394
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the resources needed for the SMS and the services are available; § 5.1 ¶ 1(g)
    When planning how to achieve its service management objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1(b)
    {necessary resource} The organization shall determine and provide the human, technical, information and financial resources needed for the establishment, implementation, maintenance and continual improvement of the SMS and the operation of the services to meet the service requirements and achieve the service management objectives. § 7.1 ¶ 1
    The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1
    {new service}{manpower}{technical resource}{information resource} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: human, technical, information and financial resources; § 8.5.2.1 ¶ 1(c)
    {manpower}{technical resource}{information resource} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for changes to human, technical, information and financial resources; § 8.5.2.2 ¶ 1(b)
    {manpower}{technical resource}{information resource}{service requirement} The capacity requirements for human, technical, information and financial resources shall be determined, documented and maintained taking into consideration the service and performance requirements. § 8.4.3 ¶ 1]
    Operational management Preventive
    Include supply chain management procedures in the service management program. CC ID 11395
    [The organization shall ensure that outsourced processes are controlled (see 8.2.3). § 8.1 ¶ 3
    Other parties shall not provide or operate all services, service components or processes within the scope of the SMS. § 8.2.3.1 ¶ 3
    The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5]
    Operational management Preventive
    Include service management procedures in the service management program. CC ID 11396
    [The documented information for the SMS shall include: processes of the organization's SMS; § 7.5.4 ¶ 1(e)
    {new service} Release and deployment management shall be used to deploy approved new or changed services into the live environment. § 8.5.2.3 ¶ 2
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: testing needed for the new or changed services; § 8.5.2.1 ¶ 1(e)
    The organization shall use service design and transition in 8.5.2 for: removal of a service; § 8.5.1.2 ¶ 2(d)
    For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2
    The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from the organization to a customer or other party; § 8.5.1.2 ¶ 2(e)
    The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from a customer or other party to the organization. § 8.5.1.2 ¶ 2(f)]
    Operational management Preventive
    Include risk procedures in the service management program. CC ID 11397
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    {risk management activity}The organization shall plan: how to: integrate and implement the actions into its SMS processes; § 6.1.3 ¶ 1(b)(1)
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: impact on other services; § 8.5.2.2 ¶ 1(f)
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Operational management Preventive
    Include continuity plans in the service management program. CC ID 13919
    [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)]
    Operational management Preventive
    Include all technologies used to support service management in the service management program. CC ID 11398
    [The service management plan shall include or contain a reference to: technology used to support the SMS; § 6.3 ¶ 2(g)
    {necessary resource} The service management plan shall include or contain a reference to: human, technical, information and financial resources necessary to operate the SMS and the services; § 6.3 ¶ 2(e)]
    Operational management Preventive
    Include auditing and improving service management procedures in the service management program. CC ID 11399
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: give assurance that the SMS can achieve its intended outcome(s); § 6.1.1 ¶ 1(a)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: promoting continual improvement of the SMS and the services; § 5.1 ¶ 1(k)
    Top management shall establish a service management policy that: includes a commitment to continual improvement of the SMS and the services. § 5.2.1 ¶ 1(d)
    When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: achieve continual improvement of the SMS and the services. § 6.1.1 ¶ 1(c)
    When planning how to achieve its service management objectives, the organization shall determine: how the results will be evaluated. § 6.2.2 ¶ 1(e)
    {continuous basis} The organization shall continually improve the suitability, adequacy and effectiveness of the SMS and the services. § 10.2 ¶ 1
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3]
    Operational management Preventive
    Establish, implement, and maintain an asset management policy. CC ID 15219 Operational management Preventive
    Establish, implement, and maintain asset management procedures. CC ID 16748 Operational management Preventive
    Include life cycle requirements in the security management program. CC ID 16392 Operational management Preventive
    Include program objectives in the asset management program. CC ID 14413 Operational management Preventive
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Operational management Preventive
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Operational management Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Preventive
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Operational management Preventive
    Define confidentiality controls. CC ID 01908 Operational management Preventive
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Operational management Preventive
    Define integrity controls. CC ID 01909 Operational management Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Operational management Preventive
    Define availability controls. CC ID 01911 Operational management Preventive
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Operational management Preventive
    Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 Operational management Preventive
    Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 Operational management Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Operational management Preventive
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Operational management Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Operational management Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Operational management Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Operational management Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Operational management Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Operational management Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Operational management Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Operational management Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Operational management Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Operational management Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Operational management Preventive
    Include software in the Information Technology inventory. CC ID 00692 Operational management Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Operational management Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Operational management Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Operational management Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Operational management Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Operational management Preventive
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Operational management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Preventive
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Preventive
    Record the software version in the asset inventory. CC ID 12196 Operational management Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Operational management Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Operational management Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Operational management Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Operational management Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Operational management Preventive
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Operational management Preventive
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Operational management Preventive
    Establish, implement, and maintain software archives procedures. CC ID 00866 Operational management Preventive
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Operational management Preventive
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Operational management Preventive
    Establish, implement, and maintain software license management procedures. CC ID 06639 Operational management Preventive
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Operational management Preventive
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Operational management Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Operational management Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Operational management Preventive
    Establish, implement, and maintain a system disposal program. CC ID 14431 Operational management Preventive
    Establish, implement, and maintain disposal procedures. CC ID 16513 Operational management Preventive
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Operational management Preventive
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Operational management Preventive
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Operational management Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Operational management Preventive
    Establish and maintain maintenance reports. CC ID 11749 Operational management Preventive
    Establish and maintain system inspection reports. CC ID 06346 Operational management Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Operational management Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Operational management Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Operational management Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Operational management Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Operational management Preventive
    Include the purpose in the system maintenance policy. CC ID 14187 Operational management Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Operational management Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Operational management Preventive
    Establish, implement, and maintain a technology refresh plan. CC ID 13061 Operational management Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Operational management Preventive
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Operational management Preventive
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Operational management Preventive
    Establish, implement, and maintain disposal contracts. CC ID 12199 Operational management Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Operational management Preventive
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Operational management Preventive
    Establish, implement, and maintain a data stewardship policy. CC ID 06657 Operational management Preventive
    Establish and maintain an unauthorized software list. CC ID 10601 Operational management Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Preventive
    Include incident escalation procedures in the Incident Management program. CC ID 00856
    [Incidents shall be: escalated if needed; § 8.6.1 ¶ 1(c)]
    Operational management Preventive
    Define the characteristics of the Incident Management program. CC ID 00855 Operational management Preventive
    Include the criteria for an incident in the Incident Management program. CC ID 12173
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Operational management Preventive
    Include detection procedures in the Incident Management program. CC ID 00588 Operational management Preventive
    Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 Operational management Preventive
    Document the incident and any relevant evidence in the incident report. CC ID 08659
    [Incidents shall be: recorded and classified; § 8.6.1 ¶ 1(a)
    The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3
    Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)]
    Operational management Detective
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Corrective
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Preventive
    Include incident management procedures in the Incident Management program. CC ID 12689
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Operational management Preventive
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 Operational management Corrective
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Preventive
    Log incidents in the Incident Management audit log. CC ID 00857 Operational management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Preventive
    Include incident record closure procedures in the Incident Management program. CC ID 01620
    [Information security incidents shall be: closed. § 8.7.3.3 ¶ 1(e)
    Problems shall be: closed. § 8.6.3 ¶ 2(e)
    Incidents shall be: closed. § 8.6.1 ¶ 1(e)]
    Operational management Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2]
    Operational management Preventive
    Establish, implement, and maintain help desk query escalation procedures. CC ID 00849
    [Service requests shall be: closed. § 8.6.2 ¶ 1(d)]
    Operational management Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Preventive
    Create an incident response report following an incident response. CC ID 12700 Operational management Preventive
    Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720
    [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1]
    Operational management Preventive
    Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708
    [Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3]
    Operational management Preventive
    Include a root cause analysis of the incident in the incident response report. CC ID 12701
    [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1]
    Operational management Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Preventive
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Operational management Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Information security incidents shall be: resolved; § 8.7.3.3 ¶ 1(d)
    Incidents shall be: resolved; § 8.6.1 ¶ 1(d)
    The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Operational management Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Operational management Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Operational management Preventive
    Establish, implement, and maintain a performance management standard. CC ID 01615
    [{planning requirement} establishing performance criteria for the processes based on requirements; § 8.1 ¶ 1(a)]
    Operational management Preventive
    Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 Operational management Preventive
    Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 Operational management Preventive
    Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 Operational management Preventive
    Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 Operational management Preventive
    Include exceptions in the Service Level Agreements, as necessary. CC ID 13912
[For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions. § 8.3.3 ¶ 2]
    Operational management Preventive
    Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845
    [{service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Operational management Detective
    Include capacity planning in Service Level Agreements. CC ID 13096
    [At planned intervals, the organization shall monitor, review and report on: actual and periodic changes in workload compared to workload limits in the SLA(s). § 8.3.3 ¶ 3(b)
For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions. § 8.3.3 ¶ 2
    {service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)]
    Operational management Preventive
    Include business requirements of delivered services in the Service Level Agreement. CC ID 00840
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: service level targets or other contractual obligations; § 8.3.4.1 ¶ 2(c)]
    Operational management Preventive
    Include performance requirements in the Service Level Agreement. CC ID 00841
[For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions. § 8.3.3 ¶ 2]
    Operational management Preventive
    Establish, implement, and maintain a cost management program. CC ID 13638 Operational management Preventive
    Prepare an Information Technology budget, as necessary. CC ID 00872
    [The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1]
    Operational management Detective
    Establish, implement, and maintain a change control program. CC ID 00886
[{information security policy} Specific policies that would be required include, but are not limited to, the following: Change management § 8.5.1
    A change management policy shall be established and documented to define: § 8.5.1.1 ¶ 1
    A change management policy shall be established and documented to define: service components and other items that are under the control of change management; § 8.5.1.1 ¶ 1(a)
    A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b)]
    Operational management Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243
[The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2]
    Operational management Preventive
    Include version control in the change control program. CC ID 13119
    [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3.2(c)]
    Operational management Preventive
    Include service design and transition in the change control program. CC ID 13920
    [The organization shall use service design and transition in 8.5.2 for: changes to services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(b)
    The organization shall use service design and transition in 8.5.2 for: new services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(a)]
    Operational management Preventive
    Establish, implement, and maintain a back-out plan. CC ID 13623
    [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3
    The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4
    {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3]
    Operational management Preventive
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373
    [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3]
    Operational management Preventive
    Approve back-out plans, as necessary. CC ID 13627
    [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3]
    Operational management Corrective
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942
    [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: impact on the SMS, other services, planned changes, customers, users and other interested parties. § 8.5.2.1 ¶ 1(h)
A change management policy shall be established and documented to define: criteria to determine changes with the potential to have a major impact on customers or services. § 8.5.1.1 ¶ 1(c)]
    Operational management Preventive
    Establish and maintain a change request approver list. CC ID 06795 Operational management Preventive
    Document all change requests in change request forms. CC ID 06794
    [Requests for change, including proposals to add, remove or transfer services, shall be recorded and classified. § 8.5.1.2 ¶ 1
    {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5]
    Operational management Preventive
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Operational management Preventive
    Log emergency changes after they have been performed. CC ID 12733 Operational management Preventive
    Provide audit trails for all approved changes. CC ID 13120 Operational management Preventive
    Document the sources of all software updates. CC ID 13316 Operational management Preventive
    Establish, implement, and maintain a patch management policy. CC ID 16432 Operational management Preventive
    Establish, implement, and maintain patch management procedures. CC ID 15224 Operational management Preventive
    Establish, implement, and maintain a patch log. CC ID 01642 Operational management Preventive
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Preventive
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Operational management Detective
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Operational management Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Preventive
    Document approved configuration deviations. CC ID 08711 Operational management Corrective
    Establish, implement, and maintain production process control procedures. CC ID 06209 Operational management Preventive
    Include consumer safety quality improvement projects in the service delivery and production process Quality Management program. CC ID 07195 Operational management Detective
    Define the processing specifications for products and services creation requirements. CC ID 13523 Operational management Preventive
    Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 Operational management Preventive
    Establish and maintain a service catalog. CC ID 13634
    [The service management plan shall include or contain a reference to: list of services; § 6.3 ¶ 2(a)
    The documented information for the SMS shall include: service catalogue(s); § 7.5.4 ¶ 1(g)
    The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: updates to the service catalogue(s). § 8.5.2.2 ¶ 1(g)]
    Operational management Preventive
    Include a service description in the service catalog. CC ID 13917
    [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1]
    Operational management Preventive
    Assign unique reference numbers to all services in the service catalog. CC ID 14424 Operational management Preventive
    Include service deliverables for each service description in the service catalog. CC ID 13918
    [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1]
    Operational management Preventive
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914
    [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1]
    Operational management Preventive
    Include Service Level Agreements in the service catalog, as necessary. CC ID 13636
[{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)]
    Operational management Preventive
    Include Information Technology services in the service catalog, as necessary. CC ID 13635 Operational management Preventive
    Base definitions of Information Technology services on their service characteristics. CC ID 13655 Operational management Preventive
    Categorize services in the service catalog. CC ID 14419 Operational management Preventive
    Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 Operational management Preventive
    Establish, implement, and maintain a Configuration Management program. CC ID 00867
    [{new service} The CIs affected by new or changed services shall be managed through configuration management. § 8.5.2.1 ¶ 4
    {be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3]
    System hardening through configuration management Preventive
    Establish, implement, and maintain appropriate system labeling. CC ID 01900 System hardening through configuration management Preventive
    Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 System hardening through configuration management Preventive
    Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 System hardening through configuration management Preventive
    Establish, implement, and maintain a configuration management policy. CC ID 14023 System hardening through configuration management Preventive
    Establish, implement, and maintain configuration management procedures. CC ID 14074 System hardening through configuration management Preventive
    Include compliance requirements in the configuration management policy. CC ID 14072 System hardening through configuration management Preventive
    Include coordination amongst entities in the configuration management policy. CC ID 14071 System hardening through configuration management Preventive
    Include management commitment in the configuration management policy. CC ID 14070 System hardening through configuration management Preventive
    Include roles and responsibilities in the configuration management policy. CC ID 14069 System hardening through configuration management Preventive
    Include the scope in the configuration management policy. CC ID 14068 System hardening through configuration management Preventive
    Include the purpose in the configuration management policy. CC ID 14067 System hardening through configuration management Preventive
    Establish, implement, and maintain a configuration management plan. CC ID 01901 System hardening through configuration management Preventive
    Include configuration management procedures in the configuration management plan. CC ID 14248 System hardening through configuration management Preventive
    Include roles and responsibilities in the configuration management plan. CC ID 14247 System hardening through configuration management Preventive
    Establish, implement, and maintain system tracking documentation. CC ID 15266 System hardening through configuration management Preventive
    Include prioritization codes in the system tracking documentation. CC ID 15283 System hardening through configuration management Preventive
    Include the type and category of the request in the system tracking documentation. CC ID 15281 System hardening through configuration management Preventive
    Include contact information in the system tracking documentation. CC ID 15280 System hardening through configuration management Preventive
    Include the username in the system tracking documentation. CC ID 15278 System hardening through configuration management Preventive
    Include a problem description in the system tracking documentation. CC ID 15276 System hardening through configuration management Preventive
    Include affected systems in the system tracking documentation. CC ID 15275 System hardening through configuration management Preventive
    Include root causes in the system tracking documentation. CC ID 15274 System hardening through configuration management Preventive
    Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 System hardening through configuration management Preventive
    Include current status in the system tracking documentation. CC ID 15272 System hardening through configuration management Preventive
    Record Configuration Management items in the Configuration Management database. CC ID 00861 System hardening through configuration management Preventive
    Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 System hardening through configuration management Preventive
    Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862
    [Before deployment of a release into the live environment, a baseline of the affected CIs shall be taken. § 8.5.3 ¶ 4]
    System hardening through configuration management Preventive
    Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 System hardening through configuration management Preventive
    Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 System hardening through configuration management Preventive
    Include the applied security patches in the baseline configuration. CC ID 13271 System hardening through configuration management Preventive
    Include the installed application software and version numbers in the baseline configuration. CC ID 13270 System hardening through configuration management Preventive
    Include installed custom software in the baseline configuration. CC ID 13274 System hardening through configuration management Preventive
    Include network ports in the baseline configuration. CC ID 13273 System hardening through configuration management Preventive
    Include the operating systems and version numbers in the baseline configuration. CC ID 13269 System hardening through configuration management Preventive
    Include backup procedures in the Configuration Management policy. CC ID 01314 System hardening through configuration management Preventive
    Identify and document the system's Configurable Items. CC ID 02133
    [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2
    The types of CI shall be defined. Services shall be classified as CIs. § 8.2.6 ¶ 1
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: type of CI; § 8.2.6 ¶ 2(b)
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: description of the CI; § 8.2.6 ¶ 2(c)
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: status. § 8.2.6 ¶ 2(e)]
    System hardening through configuration management Preventive
    Define the relationships and dependencies between Configurable Items. CC ID 02134
    [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: relationship with other CIs; § 8.2.6 ¶ 2(d)]
    System hardening through configuration management Preventive
    Trace each Configurable Item throughout the systems' life cycle. CC ID 02135
    [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: unique identification; § 8.2.6 ¶ 2(a)]
    System hardening through configuration management Preventive
    Request an acknowledgment from the system owner of the system's configuration. CC ID 10602 System hardening through configuration management Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Preventive
    Establish, implement, and maintain records management policies. CC ID 00903
    [Documented information required by the SMS and by this document shall be controlled to ensure: § 7.5.3.1]
    Records management Preventive
    Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 Records management Detective
    Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 Records management Preventive
    Establish, implement, and maintain form disposition procedures. CC ID 06394 Records management Preventive
    Establish, implement, and maintain a record classification scheme. CC ID 00914 Records management Preventive
    Establish, implement, and maintain a business activity classification standard. CC ID 00915 Records management Preventive
    Establish, implement, and maintain records registration procedures. CC ID 00913 Records management Detective
    Define the terms used in the record classification scheme. CC ID 00916 Records management Detective
    Establish, implement, and maintain a records authentication system. CC ID 11648 Records management Preventive
    Establish and maintain an index of all official records. CC ID 00918 Records management Preventive
    Establish, implement, and maintain electronic signature requirements. CC ID 06219 Records management Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Detective
    Establish, implement, and maintain a data retention program. CC ID 00906 Records management Detective
    Establish, implement, and maintain storage media retention procedures. CC ID 16277 Records management Preventive
    Define which documents and records the organization may capture. CC ID 00905
    [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)]
    Records management Detective
    Capture and maintain all business records, including supporting temporary files. CC ID 06622 Records management Preventive
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 Records management Preventive
    Establish, implement, and maintain records disposition procedures. CC ID 00971
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d)]
    Records management Preventive
    Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 Records management Preventive
    Maintain disposal records or redeployment records. CC ID 01644
    [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2]
    Records management Preventive
    Include the name of the signing officer in the disposal record. CC ID 15710 Records management Preventive
    Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 Records management Preventive
    Include transfer agreements in the secure record transaction standards. CC ID 14821 Records management Preventive
    Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 Records management Preventive
    Include receipt of electronic records in the transfer agreement. CC ID 14822 Records management Preventive
    Include standards for each data element in the secure record transaction standard. CC ID 06094 Records management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619
    [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2
    For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2]
    Records management Preventive
    Assign ownership for all electronic records. CC ID 14814 Records management Preventive
    Attribute electronic records, as necessary. CC ID 14820 Records management Preventive
    Establish, implement, and maintain a system input log. CC ID 13531 Records management Preventive
    Establish, implement, and maintain authorization records. CC ID 14367 Records management Preventive
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Records management Preventive
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Records management Preventive
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Records management Preventive
    Create summary of care records in accordance with applicable standards. CC ID 14440 Records management Preventive
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Records management Preventive
    Include record integrity techniques in the records management procedures. CC ID 06418 Records management Preventive
    Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 Records management Preventive
    Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 Records management Preventive
    Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 Records management Preventive
    Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 Records management Preventive
    Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 Records management Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Records management Preventive
    Establish, implement, and maintain security label procedures. CC ID 06747 Records management Preventive
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Records management Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Preventive
    Establish the minimum originator requirements for security labels. CC ID 06579 Records management Preventive
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Records management Preventive
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Records management Preventive
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Records management Preventive
    Establish, implement, and maintain a records lifecycle management program. CC ID 00951 Records management Preventive
    Establish, implement, and maintain an information preservation policy. CC ID 16483 Records management Preventive
    Establish, implement, and maintain information preservation procedures. CC ID 06277
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)]
    Records management Preventive
    Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Records management Preventive
    Provide audit trails for all pertinent records. CC ID 00372 Records management Detective
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Records management Preventive
    Include the date and time in the removable storage media log. CC ID 12318 Records management Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Records management Preventive
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Records management Preventive
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Records management Preventive
    Include the sender's name in the removable storage media log. CC ID 12752 Records management Preventive
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Records management Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316 Records management Preventive
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Records management Preventive
    Establish, implement, and maintain output distribution procedures. CC ID 00927
    [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)]
    Records management Preventive
    Include printed output in output distribution procedures. CC ID 13477 Records management Preventive
    Establish, implement, and maintain document retention procedures. CC ID 11660
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d)
    The organization shall retain documented information as evidence of: § 10.1.2 ¶ 1]
    Records management Preventive
    Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 Records management Preventive
    Establish, implement, and maintain output balancing audit trails. CC ID 00928 Records management Detective
    Establish and maintain reconciliation audit trails. CC ID 11647 Records management Preventive
    Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 Records management Detective
    Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 Records management Preventive
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a product and service release log. CC ID 13705
    [The organization shall define the types of release, including emergency release, their frequency and how they are to be managed. § 8.5.3 ¶ 1
    Records of service requests shall be updated with actions taken. § 8.6.2 ¶ 2]
    Systems design, build, and implementation Preventive
    Include the name of the person authorizing the release of products and services in the product and service release log. CC ID 13707 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a product or service pricing program. CC ID 13676 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain customer terms and conditions. CC ID 13666 Acquisition or sale of facilities, technology, and services Preventive
    Include customer risks in the customer terms and conditions. CC ID 13669 Acquisition or sale of facilities, technology, and services Preventive
    Include the defined support period for hardware replacements in warranties. CC ID 14932 Acquisition or sale of facilities, technology, and services Preventive
    Include the methods of product replacement in warranties. CC ID 14931 Acquisition or sale of facilities, technology, and services Preventive
    Include rationale for the absence of software updates in warranties, as necessary. CC ID 14930 Acquisition or sale of facilities, technology, and services Preventive
    Include the defined support period in the product warranty or service warranty. CC ID 14927 Acquisition or sale of facilities, technology, and services Preventive
    Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 Acquisition or sale of facilities, technology, and services Preventive
    Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain notice and take-down procedures. CC ID 09963 Acquisition or sale of facilities, technology, and services Preventive
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 Acquisition or sale of facilities, technology, and services Preventive
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 Acquisition or sale of facilities, technology, and services Preventive
    Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756
    [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2]
    Privacy protection for information and data Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Preventive
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [The service management plan shall include or contain a reference to: approach to be taken for working with other parties involved in the service lifecycle; § 6.3 ¶ 2(f)
    The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1]
    Third Party and supply chain oversight Preventive
    Review and update all contracts, as necessary. CC ID 11612
    [At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6]
    Third Party and supply chain oversight Preventive
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Third Party and supply chain oversight Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509
    [The documented information for the SMS shall include: agreements with internal suppliers or customers acting as a supplier; § 7.5.4 ¶ 1(j)]
    Third Party and supply chain oversight Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Third Party and supply chain oversight Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 Third Party and supply chain oversight Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Third Party and supply chain oversight Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Third Party and supply chain oversight Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Third Party and supply chain oversight Preventive
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: scope of the services, service components, processes or parts of processes to be provided or operated by the external supplier; § 8.3.4.1 ¶ 2(a)]
    Third Party and supply chain oversight Preventive
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Third Party and supply chain oversight Preventive
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Third Party and supply chain oversight Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Preventive
    Include text about data ownership in third party contracts. CC ID 06502 Third Party and supply chain oversight Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Third Party and supply chain oversight Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Third Party and supply chain oversight Preventive
    Include the contract duration in third party contracts. CC ID 16221 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487 Third Party and supply chain oversight Preventive
    Include cryptographic keys in third party contracts. CC ID 16179 Third Party and supply chain oversight Preventive
    Include bankruptcy provisions in third party contracts. CC ID 16519 Third Party and supply chain oversight Preventive
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Third Party and supply chain oversight Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Third Party and supply chain oversight Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Third Party and supply chain oversight Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Third Party and supply chain oversight Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Third Party and supply chain oversight Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Third Party and supply chain oversight Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Third Party and supply chain oversight Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Third Party and supply chain oversight Preventive
    Include a reporting structure in third party contracts. CC ID 06532 Third Party and supply chain oversight Preventive
    Include points of contact in third party contracts. CC ID 12355 Third Party and supply chain oversight Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Third Party and supply chain oversight Preventive
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 Third Party and supply chain oversight Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Third Party and supply chain oversight Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 Third Party and supply chain oversight Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Third Party and supply chain oversight Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Third Party and supply chain oversight Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: requirements to be met by the external supplier; § 8.3.4.1 ¶ 2(b)]
    Third Party and supply chain oversight Preventive
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722 Third Party and supply chain oversight Preventive
    Include change control clauses in third party contracts, as necessary. CC ID 06523 Third Party and supply chain oversight Preventive
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 Third Party and supply chain oversight Preventive
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Third Party and supply chain oversight Preventive
    Include change control notification processes in third party contracts. CC ID 06524 Third Party and supply chain oversight Preventive
    Include cost structure changes in third party contracts. CC ID 10021 Third Party and supply chain oversight Preventive
    Include a choice of venue clause in third party contracts. CC ID 06520 Third Party and supply chain oversight Preventive
    Include a dispute resolution clause in third party contracts. CC ID 06519
    [Disputes between the organization and the external supplier shall be recorded and managed to closure. § 8.3.4.1 ¶ 7]
    Third Party and supply chain oversight Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Third Party and supply chain oversight Preventive
    Include a termination provision clause in third party contracts. CC ID 01367 Third Party and supply chain oversight Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526 Third Party and supply chain oversight Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Third Party and supply chain oversight Preventive
    Include termination costs in third party contracts. CC ID 10023 Third Party and supply chain oversight Preventive
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Third Party and supply chain oversight Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Third Party and supply chain oversight Preventive
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Third Party and supply chain oversight Preventive
    Include end-of-life information in third party contracts. CC ID 15265 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 Third Party and supply chain oversight Preventive
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Preventive
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Third Party and supply chain oversight Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958
    [The organization shall determine and document: service components that are provided or operated by other parties; § 8.2.3.1 ¶ 4(b)]
    Third Party and supply chain oversight Preventive
    Document supply chain dependencies in the supply chain management program. CC ID 08900
    [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2]
    Third Party and supply chain oversight Detective
    Establish and maintain a Third Party Service Provider list. CC ID 12480 Third Party and supply chain oversight Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429 Third Party and supply chain oversight Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Third Party and supply chain oversight Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Third Party and supply chain oversight Preventive
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Third Party and supply chain oversight Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Third Party and supply chain oversight Preventive
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481
    [The organization shall determine and document: services that are provided or operated by other parties; § 8.2.3.1 ¶ 4(a)
    The organization shall determine and document: processes, or parts of processes, in the organization's SMS that are operated by other parties. § 8.2.3.1 ¶ 4(c)]
    Third Party and supply chain oversight Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Third Party and supply chain oversight Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Third Party and supply chain oversight Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Third Party and supply chain oversight Preventive
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Third Party and supply chain oversight Preventive
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Third Party and supply chain oversight Preventive
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842
    [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3]
    Third Party and supply chain oversight Detective
    Approve all Service Level Agreements. CC ID 00843 Third Party and supply chain oversight Detective
    Document all chargeable items in Service Level Agreements. CC ID 00844 Third Party and supply chain oversight Detective
    Include risk management procedures in the supply chain management policy. CC ID 08811 Third Party and supply chain oversight Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Third Party and supply chain oversight Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Third Party and supply chain oversight Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Third Party and supply chain oversight Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Third Party and supply chain oversight Preventive
    Include the third party selection process in the supply chain management policy. CC ID 13132
    [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2]
    Third Party and supply chain oversight Preventive
    Select suppliers based on their qualifications. CC ID 00795 Third Party and supply chain oversight Preventive
    Include third party due diligence standards in the supply chain management policy. CC ID 08812
    [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain information security controls for the supply chain. CC ID 13109
    [The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of process performance; § 8.2.3.2(a)
    The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of the effectiveness of services and service components in meeting the service requirements. § 8.2.3.2(b)
    The organization shall define and apply relevant controls for other parties from the following: § 8.2.3.2
    The organization shall agree and implement information security controls to address information security risks related to external organizations. § 8.7.3.2 ¶ 2]
    Third Party and supply chain oversight Preventive
  • Human Resources Management
    55
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Leadership and high level objectives Preventive
    Assign senior management to approve business cases. CC ID 13068 Leadership and high level objectives Preventive
    Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 Leadership and high level objectives Preventive
    Align disciplinary actions with the level of compliance violation. CC ID 12404
    [Corrective actions shall be appropriate to the effects of the nonconformities encountered. § 10.1.1 ¶ 2]
    Monitoring and measurement Preventive
    Assign the Board of Directors to address audit findings. CC ID 12396 Audits and risk management Corrective
    Include roles and responsibilities in the interview procedures. CC ID 16297 Audits and risk management Preventive
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Detective
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Audits and risk management Preventive
    Assign responsibility for remediation actions. CC ID 13622 Audits and risk management Preventive
    Evaluate the competency of auditors. CC ID 15253 Audits and risk management Detective
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Audits and risk management Detective
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Audits and risk management Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Audits and risk management Preventive
    Define roles for information systems. CC ID 12454 Technical security Preventive
    Define access needs for each role assigned to an information system. CC ID 12455 Technical security Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Operational and Systems Continuity Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Operational and Systems Continuity Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Preventive
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources management Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources management Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources management Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources management Corrective
    Analyze workforce management. CC ID 12844
    [{resource level}{manpower} management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)]
    Human Resources management Detective
    Identify root causes of staffing shortages, if any exist. CC ID 13276 Human Resources management Detective
    Analyze the ability of Human Resources to attract a competent workforce. CC ID 13275 Human Resources management Detective
    Include how risk is perceived by the workforce in the analysis of workforce management. CC ID 12969 Human Resources management Preventive
    Include compensation structures in the analysis of workforce management. CC ID 12902 Human Resources management Preventive
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Detective
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources management Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources management Preventive
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources management Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources management Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Operational management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Preventive
    Assign roles and responsibilities in the customer service program. CC ID 13911
    [The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1]
    Operational management Preventive
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Operational management Preventive
  • IT Impact Zone
    13
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    22
    Ensure the data dictionary is complete and accurate. CC ID 13527 Leadership and high level objectives Detective
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Monitoring and measurement Corrective
    Determine the causes of compliance violations. CC ID 12401
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.1.1 ¶ 1(b)(1)
    When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.1.1 ¶ 1(b)(2)]
    Monitoring and measurement Corrective
    Determine if multiple compliance violations of the same type could occur. CC ID 12402
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities exist, or could potentially occur; § 10.1.1 ¶ 1(b)(3)]
    Monitoring and measurement Detective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403
    [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.1.1 ¶ 1(d)]
    Monitoring and measurement Detective
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Detective
    Audit information systems, as necessary. CC ID 13010 Audits and risk management Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Audits and risk management Detective
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Audits and risk management Detective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Detective
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Audits and risk management Detective
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Audits and risk management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Detective
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Detective
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Operational management Detective
    Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 Operational management Detective
    Identify deviations in cost management procedures. CC ID 13640 Operational management Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Detective
    Assess consumer complaints and litigation. CC ID 16521 Acquisition or sale of facilities, technology, and services Preventive
  • Log Management
    64
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Detective
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Monitoring and measurement Detective
    Establish, implement, and maintain event logging procedures. CC ID 01335 Monitoring and measurement Detective
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: monitoring and measurement results; § 9.3 ¶ 2(c)(2)]
    Monitoring and measurement Preventive
    Protect the event logs from failure. CC ID 06290 Monitoring and measurement Preventive
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1]
    Monitoring and measurement Detective
    Eliminate false positives in event logs and audit logs. CC ID 07047 Monitoring and measurement Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Monitoring and measurement Detective
    Reproduce the event log if a log failure is captured. CC ID 01426 Monitoring and measurement Preventive
    Log account usage to determine dormant accounts. CC ID 12118 Monitoring and measurement Detective
    Log account usage times. CC ID 07099 Monitoring and measurement Detective
    Log Internet Protocol addresses used during logon. CC ID 07100 Monitoring and measurement Detective
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Monitoring and measurement Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Monitoring and measurement Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Monitoring and measurement Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Monitoring and measurement Detective
    Restrict access to logs to authorized individuals. CC ID 01342 Monitoring and measurement Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Monitoring and measurement Preventive
    Back up logs according to backup procedures. CC ID 01344 Monitoring and measurement Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Monitoring and measurement Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Monitoring and measurement Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Monitoring and measurement Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Monitoring and measurement Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Monitoring and measurement Preventive
    Protect logs from unauthorized activity. CC ID 01345 Monitoring and measurement Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Monitoring and measurement Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Monitoring and measurement Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Monitoring and measurement Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Detective
    Log important conversations conducted during emergencies with third parties. CC ID 12763 Operational and Systems Continuity Preventive
    Log the performance of all remote maintenance. CC ID 13202 Operational management Preventive
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Detective
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Preventive
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Operational management Corrective
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Operational management Preventive
    Log help desk queries. CC ID 00848
    [Service requests shall be: recorded and classified; § 8.6.2 ¶ 1(a)]
    Operational management Preventive
    Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 System hardening through configuration management Detective
    Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 System hardening through configuration management Preventive
    Configure the log to capture user authenticator changes. CC ID 01917 System hardening through configuration management Detective
    Capture and maintain logs as official records. CC ID 06319 Records management Preventive
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Records management Preventive
    Log the date and time each item is made available into the recordkeeping system. CC ID 11710 Records management Preventive
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Records management Preventive
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Records management Preventive
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Records management Preventive
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Records management Preventive
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Records management Preventive
    Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 Records management Preventive
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Records management Preventive
    Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 Records management Preventive
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Records management Preventive
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Records management Preventive
    Log performance monitoring into the recordkeeping system. CC ID 11724 Records management Preventive
    Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 Records management Preventive
    Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 Records management Preventive
    Log any notices filed by the organization into the recordkeeping system. CC ID 11725 Records management Preventive
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Records management Preventive
    Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 Records management Preventive
    Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 Records management Preventive
    Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 Records management Preventive
    Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 Records management Preventive
    Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 Records management Preventive
    Establish, implement, and maintain a removable storage media log. CC ID 12317 Records management Preventive
    Establish, implement, and maintain a data processing output log. CC ID 06624 Records management Preventive
  • Maintenance
    9
    Use system components only when third party support is available. CC ID 10644 Operational management Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Operational management Preventive
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Operational management Preventive
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Preventive
    Restart systems on a periodic basis. CC ID 16498 Operational management Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Preventive
    Follow the maintenance schedule. CC ID 11791 Operational management Preventive
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Operational management Preventive
  • Monitor and Evaluate Occurrences
    54
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Leadership and high level objectives Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Leadership and high level objectives Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Leadership and high level objectives Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Leadership and high level objectives Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be measurable; § 6.2.1 ¶ 1(b)]
    Leadership and high level objectives Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863
    [{service management system} When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2(a)
    The management review shall include consideration of: changes in external and internal issues that are relevant to the SMS; § 9.3 ¶ 2(b)
    The management review shall include consideration of: changes that can affect the SMS and the services. § 9.3 ¶ 2(l)]
    Leadership and high level objectives Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 Leadership and high level objectives Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604 Leadership and high level objectives Detective
    Monitor for new Information Security solutions. CC ID 07078 Leadership and high level objectives Detective
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 Leadership and high level objectives Detective
    Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 Monitoring and measurement Detective
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitoring and measurement Detective
    Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 Monitoring and measurement Detective
    Monitor for firmware updates absent authorization. CC ID 10675 Monitoring and measurement Detective
    Implement file integrity monitoring. CC ID 01205 Monitoring and measurement Detective
    Monitor for software configuration updates absent authorization. CC ID 10676 Monitoring and measurement Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitoring and measurement Preventive
    Monitor and evaluate user account activity. CC ID 07066 Monitoring and measurement Detective
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitoring and measurement Detective
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitoring and measurement Detective
    Log account usage durations. CC ID 12117 Monitoring and measurement Detective
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitoring and measurement Detective
    Monitor service availability when implementing the service management monitoring and metrics program. CC ID 13921
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3]
    Monitoring and measurement Detective
    Compare the performance metrics of service availability against their targets, as necessary. CC ID 13922
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3]
    Monitoring and measurement Detective
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f)]
    Monitoring and measurement Detective
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitoring and measurement Preventive
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1)
    The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3]
    Monitoring and measurement Detective
    Include monitoring in the corrective action plan. CC ID 11645 Monitoring and measurement Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Audits and risk management Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Audits and risk management Preventive
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Audits and risk management Preventive
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Audits and risk management Preventive
    Monitor and evaluate business continuity management system performance. CC ID 12410 Operational and Systems Continuity Detective
    Record business continuity management system performance for posterity. CC ID 12411 Operational and Systems Continuity Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Human Resources management Detective
    Analyze and evaluate training records to improve the training program. CC ID 06380 Human Resources management Detective
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Operational management Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Operational management Corrective
    Automate software license monitoring, as necessary. CC ID 07057 Operational management Preventive
    Determine the incident severity level when assessing the security incidents. CC ID 01650
    [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2]
    Operational management Corrective
    Respond to and triage when an incident is detected. CC ID 06942
    [Information security incidents shall be: prioritized taking into consideration the information security risk; § 8.7.3.3 ¶ 1(b)
    Incidents shall be: prioritized taking into consideration impact and urgency; § 8.6.1 ¶ 1(b)
    Problems shall be: prioritized; § 8.6.3 ¶ 2(b)]
    Operational management Detective
    Escalate incidents, as necessary. CC ID 14861
    [Problems shall be: escalated if needed; § 8.6.3 ¶ 2(c)]
    Operational management Corrective
    Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 Records management Detective
    Establish, implement, and maintain data accuracy controls. CC ID 00921 Records management Detective
    Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 Records management Detective
    Check communications for take-down requests. CC ID 09964 Acquisition or sale of facilities, technology, and services Preventive
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Preventive
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring there is control of other parties involved in the service lifecycle; § 5.1 ¶ 1(e)
    The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1
    At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5
    The management review shall include consideration of: performance of other parties involved in the delivery of the services; § 9.3 ¶ 2(i)]
    Third Party and supply chain oversight Detective
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Detective
  • Physical and Environmental Protection
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Conduct environmental surveys. CC ID 00690 Operational management Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Operational management Preventive
    Control and monitor all maintenance tools. CC ID 01432 Operational management Detective
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Operational management Preventive
    Refrain from protecting physical assets when no longer required. CC ID 13484 Operational management Corrective
    Place printed records awaiting destruction into secure containers. CC ID 12464 Records management Preventive
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Records management Preventive
    Ship equipment to customers in tamper-evident packaging, as necessary. CC ID 12271 Acquisition or sale of facilities, technology, and services Preventive
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Third Party and supply chain oversight Preventive
  • Process or Activity
    100
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 Leadership and high level objectives Detective
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Leadership and high level objectives Preventive
    Identify barriers to stakeholder engagement. CC ID 15676 Leadership and high level objectives Preventive
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Leadership and high level objectives Preventive
    Route notifications, as necessary. CC ID 12832 Leadership and high level objectives Preventive
    Substantiate notifications, as necessary. CC ID 12831 Leadership and high level objectives Preventive
    Prioritize notifications, as necessary. CC ID 12830 Leadership and high level objectives Preventive
    Establish and maintain the organization's survey method. CC ID 12869 Leadership and high level objectives Preventive
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Leadership and high level objectives Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Leadership and high level objectives Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Leadership and high level objectives Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Leadership and high level objectives Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942
    [{resource level}{manpower} management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)]
    Leadership and high level objectives Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Leadership and high level objectives Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Leadership and high level objectives Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Leadership and high level objectives Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Leadership and high level objectives Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Leadership and high level objectives Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960 Leadership and high level objectives Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Leadership and high level objectives Preventive
    Identify events that may affect organizational objectives. CC ID 12961
    [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1]
    Leadership and high level objectives Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Leadership and high level objectives Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1
    The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)]
    Leadership and high level objectives Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805
    [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)]
    Leadership and high level objectives Preventive
    Identify all interested personnel and affected parties. CC ID 12845
    [The organization shall determine: the interested parties that are relevant to the SMS and the services; § 4.2 ¶ 1(a)
    The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1]
    Leadership and high level objectives Detective
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Leadership and high level objectives Preventive
    Determine progress toward the objectives of the strategic plan. CC ID 12944
    [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be monitored; § 6.2.1 ¶ 1(d)
    The management review shall include consideration of: achievement of service management objectives; § 9.3 ¶ 2(g)]
    Leadership and high level objectives Preventive
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: policies and plans required by this document; § 8.5.1.3 ¶ 1(c)]
    Leadership and high level objectives Preventive
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843
    [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Leadership and high level objectives Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Leadership and high level objectives Preventive
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: customers, users and other interested parties; § 8.5.1.3 ¶ 1(b)]
    Leadership and high level objectives Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909 Leadership and high level objectives Preventive
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 Monitoring and measurement Detective
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Monitoring and measurement Preventive
    Correct compliance violations. CC ID 13515
    [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: § 10.1.1 ¶ 1(a)
    When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.1.1 ¶ 1(a)(1)
    When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: deal with the consequences; § 10.1.1 ¶ 1(a)(2)
    When a nonconformity occurs, the organization shall: implement any action needed; § 10.1.1 ¶ 1(c)]
    Monitoring and measurement Corrective
    Convert data into standard units before reporting metrics. CC ID 15507 Monitoring and measurement Corrective
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Audits and risk management Preventive
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Audits and risk management Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Audits and risk management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Audits and risk management Preventive
    Create a schedule for the interviews. CC ID 16292 Audits and risk management Preventive
    Identify interviewees. CC ID 16290 Audits and risk management Preventive
    Discuss unsolved questions with the interviewee. CC ID 16298 Audits and risk management Detective
    Allow interviewee to respond to explanations. CC ID 16296 Audits and risk management Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Audits and risk management Detective
    Explain the testing results to the interviewee. CC ID 16291 Audits and risk management Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Audits and risk management Corrective
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Audits and risk management Preventive
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Detective
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Audits and risk management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Detective
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Audits and risk management Detective
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Technical security Preventive
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Operational and Systems Continuity Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Operational and Systems Continuity Preventive
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1]
    Operational management Preventive
    Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 Operational management Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Operational management Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 Operational management Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Operational management Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Operational management Preventive
    Analyze the organizational culture. CC ID 12899 Operational management Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Operational management Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Operational management Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Operational management Detective
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Operational management Corrective
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Operational management Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Operational management Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Operational management Preventive
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Operational management Corrective
    Perform emergency changes, as necessary. CC ID 12707 Operational management Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Detective
    Establish, implement, and maintain a patch management program. CC ID 00896 Operational management Preventive
    Delete age-restricted content, as necessary. CC ID 15450 Operational management Preventive
    Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 Operational management Preventive
    Remove dormant data from systems, as necessary. CC ID 13726 Records management Preventive
    Determine how long to keep records and logs before disposing of them. CC ID 11661 Records management Preventive
    Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 Records management Preventive
    Define each system's disposition requirements for records and logs. CC ID 11651 Records management Preventive
    Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 Records management Detective
    Review the electronic storage media for the information the organization collects and processes. CC ID 13009 Records management Detective
    Process restricted information in a secure environment. CC ID 13058 Records management Preventive
    Establish, implement, and maintain data completeness controls. CC ID 11649 Records management Preventive
    Display required information automatically in electronic health records. CC ID 14442 Records management Preventive
    Create export summaries, as necessary. CC ID 14446 Records management Preventive
    Identify patient-specific education resources. CC ID 14439 Records management Detective
    Sanitize user input in accordance with organizational standards. CC ID 16856 Records management Preventive
    Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 Records management Preventive
    Identify electronic storage media that require downgrading. CC ID 10620 Records management Detective
    Downgrade electronic storage media, as necessary. CC ID 10621 Records management Corrective
    Assess the continuity requirements during the planning and development stage for new products and services. CC ID 12779
    [At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1]
    Systems design, build, and implementation Preventive
    Review and update controls to ensure the timeliness and accuracy of the market prices. CC ID 13688 Acquisition or sale of facilities, technology, and services Corrective
    Ship equipment following the equipment shipping procedures. CC ID 11658 Acquisition or sale of facilities, technology, and services Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [The documented information for the SMS shall include: contracts with external suppliers; § 7.5.4 ¶ 1(i)
    For each internal supplier or customer acting as a supplier, the organization shall develop, agree and maintain a documented agreement to define the service level targets, other commitments, activities and interfaces between the parties. § 8.3.4.2 ¶ 1
    For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: § 8.3.4.1 ¶ 2
    {new service}The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)]
    Third Party and supply chain oversight Detective
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838
    [The documented information for the SMS shall include: service level agreement(s) (SLA); § 7.5.4 ¶ 1(h)
    For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions. § 8.3.3 ¶ 2]
    Third Party and supply chain oversight Preventive
  • Records Management
    46
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Audits and risk management Preventive
    Include source code in the asset inventory. CC ID 14858 Operational management Preventive
    Establish, implement, and maintain incident management audit logs. CC ID 13514
    [Records of incidents shall be updated with actions taken. § 8.6.1 ¶ 2]
    Operational management Preventive
    Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662
    [When creating and updating documented information, the organization shall ensure appropriate: identification and description (e.g. a title, date, author or reference number); § 7.5.2 ¶ 1(a)]
    Records management Preventive
    Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 Records management Detective
    Associate records with their security attributes. CC ID 06764 Records management Preventive
    Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 Records management Preventive
    Archive appropriate records, logs, and database tables. CC ID 06321 Records management Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4
    The organization shall retain documented information on the service management objectives. § 6.2.1 ¶ 2
    The organization shall retain documented information as evidence of: the results of any corrective action. § 10.1.2 ¶ 1(b)
    The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a)
    {monitoring and measurement evaluation result} The organization shall retain appropriate documented information as evidence of the results. § 9.1 ¶ 2]
    Records management Preventive
    Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 Records management Preventive
    Retain all evidence of indebtedness. CC ID 11713 Records management Preventive
    Capture and maintain distribution records. CC ID 06205 Records management Preventive
    Capture and maintain Device Master Records. CC ID 06206 Records management Preventive
    Capture and maintain Device History Records. CC ID 06207 Records management Preventive
    Capture and maintain Quality System Records. CC ID 06208 Records management Preventive
    Degauss as a method of sanitizing electronic storage media. CC ID 00973 Records management Preventive
    Manage the disposition status for all records. CC ID 00972 Records management Preventive
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 Records management Preventive
    Establish, implement, and maintain source document authorization tracking. CC ID 01262 Records management Detective
    Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 Records management Preventive
    Establish, implement, and maintain source document error handling tracking. CC ID 01263 Records management Detective
    Refrain from creating printed records as copies of electronic records. CC ID 11808 Records management Preventive
    Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 Records management Detective
    Establish, implement, and maintain a system storage log. CC ID 13532 Records management Preventive
    Protect records from loss in accordance with applicable requirements. CC ID 12007
    [Documented information required by the SMS and by this document shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity). § 7.5.3.1(b)]
    Records management Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912
    [The documented information for the SMS shall include: records required to demonstrate evidence of conformity to the requirements of this document and the organization's SMS. § 7.5.4 ¶ 1(l)
    keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 1(c)]
    Records management Detective
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records management Preventive
    Establish and maintain an implantable device list. CC ID 14444 Records management Preventive
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records management Preventive
    Log the termination date in the recordkeeping system. CC ID 16181 Records management Preventive
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records management Preventive
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records management Preventive
    Log records as being received into the recordkeeping system. CC ID 11696 Records management Preventive
    Establish, implement, and maintain a transfer journal. CC ID 11729 Records management Preventive
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records management Preventive
    Note in electronic records converted from printed records, the location of the original. CC ID 11809 Records management Preventive
    Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 Records management Preventive
    Compare each record's data input to its final form. CC ID 11813 Records management Detective
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Detective
    Establish and maintain access controls for all records. CC ID 00371
    [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2
    For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)]
    Records management Preventive
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records management Preventive
    Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 Records management Preventive
    Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 Records management Preventive
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)]
    Records management Preventive
    Establish and maintain an error suspense file for rejected transactions. CC ID 06623 Records management Preventive
    Review and approve output exceptions. CC ID 06625 Records management Preventive
  • Systems Continuity
    20
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Back up audit trails according to backup procedures. CC ID 11642 Monitoring and measurement Preventive
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1]
    Operational and Systems Continuity Detective
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Operational and Systems Continuity Preventive
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)]
    Operational and Systems Continuity Corrective
    Maintain normal security levels when an emergency occurs. CC ID 06377 Operational and Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Operational and Systems Continuity Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Preventive
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Corrective
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Operational and Systems Continuity Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Operational and Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Operational and Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Operational and Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Operational and Systems Continuity Corrective
    Review and prioritize the importance of each business unit. CC ID 01165 Operational and Systems Continuity Preventive
    Document the mean time to failure for system components. CC ID 10684 Operational and Systems Continuity Preventive
    Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 Operational and Systems Continuity Preventive
    Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 Operational and Systems Continuity Preventive
    Approve the continuity plan test results. CC ID 15718 Operational and Systems Continuity Preventive
    Implement network redundancy, as necessary. CC ID 13048 Operational management Preventive
  • Systems Design, Build, and Implementation
    10
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825
    [The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. §8.5.3 ¶ 6]
    Leadership and high level objectives Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824 Leadership and high level objectives Preventive
    Establish, implement, and maintain workload forecasting tools. CC ID 00936 Operational management Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Operational management Preventive
    Review each system's operational readiness. CC ID 06275 Operational management Preventive
    Validate the system before implementing approved changes. CC ID 01510 Operational management Preventive
    Establish, implement, and maintain traceability documentation. CC ID 16388 Operational management Preventive
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Preventive
    Initiate the System Development Life Cycle implementation phase. CC ID 06268 Systems design, build, and implementation Preventive
  • Technical Security
    60
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Leadership and high level objectives Detective
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Monitoring and measurement Detective
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Monitoring and measurement Detective
    Allow expected changes during file integrity monitoring. CC ID 12090 Monitoring and measurement Preventive
    Develop and maintain a usage profile for each user account. CC ID 07067 Monitoring and measurement Preventive
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Monitoring and measurement Detective
    Deploy log normalization tools, as necessary. CC ID 12141 Monitoring and measurement Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Monitoring and measurement Preventive
    Analyze the organization's information security environment. CC ID 13122 Audits and risk management Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Audits and risk management Preventive
    Control access rights to organizational assets. CC ID 00004
    [The organization shall define and manage the interfaces with the external supplier. § 8.3.4.1 ¶ 4]
    Technical security Preventive
    Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical security Preventive
    Define access needs for each system component of an information system. CC ID 12456 Technical security Preventive
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical security Preventive
    Establish access rights based on least privilege. CC ID 01411 Technical security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Preventive
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical security Preventive
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical security Preventive
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical security Preventive
    Include all system components in the access control system. CC ID 11939 Technical security Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical security Preventive
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical security Preventive
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical security Preventive
    Enforce access restrictions for change control. CC ID 01428 Technical security Preventive
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical security Preventive
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical security Preventive
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical security Preventive
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical security Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Operational and Systems Continuity Preventive
    Limit any effects of a Denial of Service attack. CC ID 06754 Operational management Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Operational management Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Detective
    Prevent users from disabling required software. CC ID 16417 Operational management Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433 Operational management Preventive
    Approve all remote maintenance sessions. CC ID 10615 Operational management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Operational management Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Preventive
    Categorize the incident following an incident response. CC ID 13208
    [{document} Information security incidents shall be: recorded and classified; § 8.7.3.3 ¶ 1(a)
    The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2
    The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3
    Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)]
    Operational management Preventive
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Operational management Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Operational management Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Operational management Corrective
    Integrate configuration management procedures into the change control program. CC ID 13646 Operational management Preventive
    Implement patch management software, as necessary. CC ID 12094 Operational management Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Operational management Preventive
    Review the patch log for missing patches. CC ID 13186 Operational management Detective
    Patch software. CC ID 11825 Operational management Corrective
    Patch the operating system, as necessary. CC ID 11824 Operational management Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Operational management Detective
    Approve each system's Configurable Items (and changes to those Configurable Items). CC ID 04887 System hardening through configuration management Preventive
    Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 Records management Preventive
    Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 Records management Preventive
    Validate transactions using identifiers and credentials. CC ID 13203 Records management Preventive
    Establish, implement, and maintain electronic storage media security controls. CC ID 13204 Records management Preventive
    Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Records management Preventive
    Implement and maintain high availability storage, as necessary. CC ID 00952 Records management Preventive
    Establish, implement, and maintain online storage controls. CC ID 00942 Records management Preventive
    Provide encryption for different types of electronic storage media. CC ID 00945 Records management Preventive
  • Testing
    82
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: § 9.3 ¶ 2(c)]
    Leadership and high level objectives Detective
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Monitoring and measurement Preventive
    Assess customer satisfaction. CC ID 00652
    [At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4
    The management review shall include consideration of: feedback from customers and other interested parties; § 9.3 ¶ 2(e)]
    Monitoring and measurement Detective
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [The organization shall: ensure that the results of the audits are reported to relevant management; § 9.2.2 ¶ 1(d)]
    Audits and risk management Detective
    Review the external audit assertion for accuracy. CC ID 06977 Audits and risk management Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Audits and risk management Detective
    Conduct onsite inspections, as necessary. CC ID 16199 Audits and risk management Preventive
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Audits and risk management Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Audits and risk management Detective
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Detective
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Audits and risk management Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3]
    Audits and risk management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Audits and risk management Detective
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112
    [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: § 9.2.1 ¶ 1]
    Audits and risk management Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Audits and risk management Preventive
    Conduct interviews, as necessary. CC ID 07188 Audits and risk management Detective
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Audits and risk management Detective
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Audits and risk management Detective
    Submit an audit report that is complete. CC ID 01145 Audits and risk management Detective
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Audits and risk management Detective
    Establish, implement, and maintain the audit plan. CC ID 01156 Audits and risk management Detective
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1]
    Audits and risk management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601
    [/* Based on the subject of this section, by 'these actions', the document is referring to activities to manage risk*/{risk management activity} evaluate the effectiveness of these actions. § 6.1.3 ¶ 1(b)(2)]
    Audits and risk management Detective
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Technical security Detective
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Operational and Systems Continuity Detective
    Test the recovery plan, as necessary. CC ID 13290 Operational and Systems Continuity Detective
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Detective
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 Operational and Systems Continuity Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Operational and Systems Continuity Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Operational and Systems Continuity Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Operational and Systems Continuity Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Operational and Systems Continuity Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 Operational and Systems Continuity Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Operational and Systems Continuity Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Operational and Systems Continuity Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082 Operational and Systems Continuity Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Operational and Systems Continuity Preventive
    Test the continuity plan at the alternate facility. CC ID 01174 Operational and Systems Continuity Detective
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Operational and Systems Continuity Preventive
    Review all third party's continuity plan test results. CC ID 01365 Operational and Systems Continuity Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Operational and Systems Continuity Detective
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Operational and Systems Continuity Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Operational and Systems Continuity Detective
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1(b)
    {staff} The organization shall: determine the necessary competence of persons doing work under its control that affects the performance and effectiveness of the SMS and the services; § 7.2 ¶ 1(a)]
    Human Resources management Detective
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Preventive
    Conduct tests and evaluate training. CC ID 06672
    [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)]
    Human Resources management Detective
    Forecast system workloads. CC ID 00938 Operational management Detective
    Utilize resource capacity management controls. CC ID 00939 Operational management Detective
    Perform system capacity testing. CC ID 01616 Operational management Detective
    Perform system performance reviews. CC ID 11866 Operational management Detective
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Operational management Detective
    Conduct maintenance with authorized personnel. CC ID 01434 Operational management Detective
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Operational management Detective
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Operational management Detective
    Open a priority incident request after a security breach is detected. CC ID 04838 Operational management Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Operational management Corrective
    Test proposed changes prior to their approval. CC ID 00548
    [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2]
    Operational management Detective
    Perform risk assessments prior to approving change requests. CC ID 00888
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: capacity, service availability, service continuity and information security; § 8.5.1.3 ¶ 1(d)
    At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: existing services; § 8.5.1.3 ¶ 1(a)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: other requests for change, releases and plans for deployment. § 8.5.1.3 ¶ 1(e)]
    Operational management Preventive
    Perform a patch test prior to deploying a patch. CC ID 00898 Operational management Detective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Detective
    Review changes to computer firmware. CC ID 12226 Operational management Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Operational management Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Operational management Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541
    [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3]
    Operational management Detective
    Test network access controls for proper Configuration Management settings. CC ID 01281 System hardening through configuration management Detective
    Maintain continued integrity for all stored data and stored records. CC ID 00969 Records management Detective
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 Records management Detective
    Maintain media sanitization equipment in operational condition. CC ID 00721 Records management Detective
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Records management Detective
    Test the storage media downgrade for correct performance. CC ID 10623 Records management Detective
    Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 Records management Detective
    Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 Systems design, build, and implementation Detective
    Determine if the project is complete after all implementation tasks are finished. CC ID 06912
    [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: service acceptance criteria; § 8.5.2.1 ¶ 1(f)]
    Systems design, build, and implementation Detective
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Detective
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Third Party and supply chain oversight Detective
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 Third Party and supply chain oversight Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Third Party and supply chain oversight Detective
    Establish the third party's service continuity. CC ID 00797 Third Party and supply chain oversight Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Detective
    Perform risk assessments of third parties, as necessary. CC ID 06454
    [The organization shall determine and document: risks related to: the involvement of other parties in the service lifecycle; § 6.1.2 ¶ 1(a)(3)]
    Third Party and supply chain oversight Detective
  • Training
    27
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Submit applications for professional certification. CC ID 16192 Human Resources management Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Human Resources management Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Human Resources management Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Human Resources management Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Human Resources management Detective
    Develop or acquire content to update the training plans. CC ID 12867 Human Resources management Preventive
    Designate training facilities in the training plan. CC ID 16200 Human Resources management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Human Resources management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Human Resources management Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Human Resources management Preventive
    Conduct personal data processing training. CC ID 13757 Human Resources management Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Human Resources management Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Human Resources management Preventive
    Include media protection in the security awareness program. CC ID 16368 Human Resources management Preventive
    Include physical security in the security awareness program. CC ID 16369 Human Resources management Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Human Resources management Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Human Resources management Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Human Resources management Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Preventive
    Conduct tampering prevention training. CC ID 11875 Human Resources management Preventive
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Human Resources management Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Human Resources management Preventive
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Human Resources management Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Human Resources management Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Human Resources management Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Human Resources management Preventive
Common Controls and mandates by Classification
272 Mandated Controls - bold    104 Implied Controls - italic    2056 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
2432 Total
  • Corrective
    78
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Communicate
    Correct errors and deficiencies in a timely manner. CC ID 13501 Leadership and high level objectives Business Processes
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Establish/Maintain Documentation
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 Leadership and high level objectives Business Processes
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Leadership and high level objectives Establish/Maintain Documentation
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Monitoring and measurement Establish/Maintain Documentation
    Eliminate false positives in event logs and audit logs. CC ID 07047 Monitoring and measurement Log Management
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Monitoring and measurement Investigate
    Determine the causes of compliance violations. CC ID 12401
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.1.1 ¶ 1(b)(1)
    When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.1.1 ¶ 1(b)(2)]
    Monitoring and measurement Investigate
    Correct compliance violations. CC ID 13515
    [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: § 10.1.1 ¶ 1(a)
    When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.1.1 ¶ 1(a)(1)
    When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: deal with the consequences; § 10.1.1 ¶ 1(a)(2)
    When a nonconformity occurs, the organization shall: implement any action needed; § 10.1.1 ¶ 1(c)]
    Monitoring and measurement Process or Activity
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Monitoring and measurement Behavior
    Convert data into standard units before reporting metrics. CC ID 15507 Monitoring and measurement Process or Activity
    Assign the Board of Directors to address audit findings. CC ID 12396 Audits and risk management Human Resources Management
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Establish/Maintain Documentation
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Audits and risk management Process or Activity
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and risk management Audits and Risk Management
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Establish/Maintain Documentation
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Establish/Maintain Documentation
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Business Processes
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Establish/Maintain Documentation
    Implement a corrective action plan in response to the audit report. CC ID 06777 Audits and risk management Establish/Maintain Documentation
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Actionable Reports or Measurements
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Audits and risk management Acquisition/Sale of Assets or Services
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Audits and risk management Establish/Maintain Documentation
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3]
    Audits and risk management Establish/Maintain Documentation
    Document residual risk in a residual risk report. CC ID 13664 Audits and risk management Establish/Maintain Documentation
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Communicate
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Communicate
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)]
    Operational and Systems Continuity Systems Continuity
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Operational and Systems Continuity Establish/Maintain Documentation
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Operational and Systems Continuity Systems Continuity
    Identify who can speak to the media in the emergency communications procedures. CC ID 12761 Operational and Systems Continuity Communicate
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources management Human Resources Management
    Conduct secure coding and development training for developers. CC ID 06822 Human Resources management Behavior
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Operational management Process or Activity
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Operational management Monitor and Evaluate Occurrences
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Operational management Monitor and Evaluate Occurrences
    Refrain from protecting physical assets when no longer required. CC ID 13484 Operational management Physical and Environmental Protection
    Determine the incident severity level when assessing the security incidents. CC ID 01650
    [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2]
    Operational management Monitor and Evaluate Occurrences
    Escalate incidents, as necessary. CC ID 14861
    [Problems shall be: escalated if needed; § 8.6.3 ¶ 2(c)]
    Operational management Monitor and Evaluate Occurrences
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Process or Activity
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Operational management Behavior
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Operational management Process or Activity
    Share incident information with interested personnel and affected parties. CC ID 01212
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Operational management Data and Information Management
    Share data loss event information with the media. CC ID 01759 Operational management Behavior
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Establish/Maintain Documentation
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Data and Information Management
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Behavior
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 Operational management Establish/Maintain Documentation
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Operational management Log Management
    Investigate and take action regarding help desk queries. CC ID 06324
    [Service requests shall be: prioritized; § 8.6.2 ¶ 1(b)
    Service requests shall be: fulfilled; § 8.6.2 ¶ 1(c)]
    Operational management Behavior
    Open a priority incident request after a security breach is detected. CC ID 04838 Operational management Testing
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Operational management Testing
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Operational management Communicate
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Operational management Technical Security
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Operational management Technical Security
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Operational management Technical Security
    Review and approve the Information Technology budget. CC ID 13644 Operational management Business Processes
    Update the Information Technology budget, as necessary. CC ID 13643 Operational management Business Processes
    Approve back-out plans, as necessary. CC ID 13627
    [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3]
    Operational management Establish/Maintain Documentation
    Deploy software patches in accordance with organizational standards. CC ID 07032 Operational management Configuration
    Patch software. CC ID 11825 Operational management Technical Security
    Patch the operating system, as necessary. CC ID 11824 Operational management Technical Security
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Configuration
    Remove outdated software after software has been updated. CC ID 11792 Operational management Configuration
    Update computer firmware, as necessary. CC ID 11755 Operational management Configuration
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Configuration
    Mitigate the adverse effects of unauthorized changes. CC ID 12244
    [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2]
    Operational management Business Processes
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Operational management Establish/Maintain Documentation
    Document approved configuration deviations. CC ID 08711 Operational management Establish/Maintain Documentation
    Notify the supervisory authority of any changes to the required data elements. CC ID 14366 Records management Communicate
    Remove non-public information from publicly accessible systems. CC ID 14246 Records management Data and Information Management
    Downgrade electronic storage media, as necessary. CC ID 10621 Records management Process or Activity
    Review and update controls to ensure the timeliness and accuracy of the market prices. CC ID 13688 Acquisition or sale of facilities, technology, and services Process or Activity
    Process product return requests. CC ID 11598 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Refrain from returning products absent a return request authorization. CC ID 11599 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Enforce third party Service Level Agreements, as necessary. CC ID 07098
    [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3]
    Third Party and supply chain oversight Business Processes
  • Detective
    400
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 Leadership and high level objectives Process or Activity
    Identify all interested personnel and affected parties. CC ID 12845
    [The organization shall determine: the interested parties that are relevant to the SMS and the services; § 4.2 ¶ 1(a)
    The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1]
    Leadership and high level objectives Process or Activity
    Approve the data classification scheme. CC ID 13858 Leadership and high level objectives Establish/Maintain Documentation
    Ensure the data dictionary is complete and accurate. CC ID 13527 Leadership and high level objectives Investigate
    Monitor regulatory trends to maintain compliance. CC ID 00604 Leadership and high level objectives Monitor and Evaluate Occurrences
    Monitor for new Information Security solutions. CC ID 07078 Leadership and high level objectives Monitor and Evaluate Occurrences
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Leadership and high level objectives Technical Security
    Enforce a continuous Quality Control system. CC ID 01005
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3]
    Leadership and high level objectives Business Processes
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: § 9.3 ¶ 2(c)]
    Leadership and high level objectives Testing
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Business Processes
    Review and analyze any quality improvement goals that were missed. CC ID 07204
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)]
    Leadership and high level objectives Business Processes
    Map in scope assets and in scope records to external requirements. CC ID 12189 Leadership and high level objectives Establish/Maintain Documentation
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a compliance oversight committee. CC ID 00765 Leadership and high level objectives Establish Roles
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Leadership and high level objectives Establish/Maintain Documentation
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 Leadership and high level objectives Monitor and Evaluate Occurrences
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Log Management
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Monitoring and measurement Log Management
    Establish, implement, and maintain event logging procedures. CC ID 01335 Monitoring and measurement Log Management
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1]
    Monitoring and measurement Log Management
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Monitoring and measurement Log Management
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Monitoring and measurement Technical Security
    Assess customer satisfaction. CC ID 00652
    [At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4
    The management review shall include consideration of: feedback from customers and other interested parties; § 9.3 ¶ 2(e)]
    Monitoring and measurement Testing
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757
    [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4]
    Monitoring and measurement Establish/Maintain Documentation
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 Monitoring and measurement Process or Activity
    Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitoring and measurement Monitor and Evaluate Occurrences
    Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor for firmware updates absent authorization. CC ID 10675 Monitoring and measurement Monitor and Evaluate Occurrences
    Implement file integrity monitoring. CC ID 01205 Monitoring and measurement Monitor and Evaluate Occurrences
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Monitoring and measurement Technical Security
    Monitor and evaluate user account activity. CC ID 07066 Monitoring and measurement Monitor and Evaluate Occurrences
    Log account usage to determine dormant accounts. CC ID 12118 Monitoring and measurement Log Management
    Log account usage times. CC ID 07099 Monitoring and measurement Log Management
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitoring and measurement Monitor and Evaluate Occurrences
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitoring and measurement Monitor and Evaluate Occurrences
    Log account usage durations. CC ID 12117 Monitoring and measurement Monitor and Evaluate Occurrences
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Monitoring and measurement Communicate
    Log Internet Protocol addresses used during logon. CC ID 07100 Monitoring and measurement Log Management
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitoring and measurement Monitor and Evaluate Occurrences
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 Monitoring and measurement Communicate
    Monitor service availability when implementing the service management monitoring and metrics program. CC ID 13921
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Compare the performance metrics of service availability against their targets, as necessary. CC ID 13922
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Actionable Reports or Measurements
    Monitor personnel and third parties for compliance with the organizational compliance framework. CC ID 04726
    [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f)]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Monitoring and measurement Business Processes
    Determine if multiple compliance violations of the same type could occur. CC ID 12402
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities exist, or could potentially occur; § 10.1.1 ¶ 1(b)(3)]
    Monitoring and measurement Investigate
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403
    [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.1.1 ¶ 1(d)]
    Monitoring and measurement Investigate
    Report on the policies and controls that have been implemented by management. CC ID 01670
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: reporting on implemented improvements. § 10.2 ¶ 3(e)]
    Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071
    [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2(a)]
    Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of individuals who have access to security software and are trained and authorized Security Administrators. CC ID 01691 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of individuals who are able to assign security privileges and are trained and authorized Security Administrators. CC ID 01692 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042
    [The organization shall determine and document: risks related to: approach to be taken for the management of risks. § 6.1.2 ¶ 1(d)]
    Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique active user identifiers. CC ID 02074 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of users with access to shared accounts. CC ID 04573 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Monitoring and measurement Log Management
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Monitoring and measurement Log Management
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Monitoring and measurement Log Management
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before being granted network access. CC ID 02106 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Monitoring and measurement Actionable Reports or Measurements
    Report on the mean time from patch availability to patch installation. CC ID 02114 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Monitoring and measurement Technical Security
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Monitoring and measurement Actionable Reports or Measurements
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Monitoring and measurement Actionable Reports or Measurements
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Monitoring and measurement Actionable Reports or Measurements
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1)
    The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Include monitoring in the corrective action plan. CC ID 11645 Monitoring and measurement Monitor and Evaluate Occurrences
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [The organization shall: ensure that the results of the audits are reported to relevant management; § 9.2.2 ¶ 1(d)]
    Audits and risk management Testing
    Review the external audit assertion for accuracy. CC ID 06977 Audits and risk management Testing
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Audits and risk management Testing
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and risk management Audits and Risk Management
    Determine if requested services create a threat to independence. CC ID 16823 Audits and risk management Audits and Risk Management
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and risk management Audits and Risk Management
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and risk management Audits and Risk Management
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Establish/Maintain Documentation
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Audits and Risk Management
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Audits and Risk Management
    Refrain from examining forecasts and projections that do not disclose their assumptions during an audit. CC ID 13932 Audits and risk management Audits and Risk Management
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Investigate
    Audit information systems, as necessary. CC ID 13010 Audits and risk management Investigate
    Audit the potential costs of compromise to information systems. CC ID 13012 Audits and risk management Investigate
    Determine the accuracy of the audit assertion's in scope system description. CC ID 06979 Audits and risk management Testing
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Audits and risk management Testing
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and risk management Audits and Risk Management
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Audits and risk management Process or Activity
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Testing
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Audits and risk management Process or Activity
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Testing
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Audits and risk management Testing
    Determine the effectiveness of in scope controls. CC ID 06984
    [The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3]
    Audits and risk management Testing
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Audits and Risk Management
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Audits and Risk Management
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Audits and Risk Management
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Audits and Risk Management
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Audits and Risk Management
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Audits and Risk Management
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Audits and Risk Management
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Audits and risk management Testing
    Conduct interviews, as necessary. CC ID 07188 Audits and risk management Testing
    Verify statements made by interviewees are correct. CC ID 16299 Audits and risk management Behavior
    Discuss unresolved questions with the interviewee. CC ID 16298 Audits and risk management Process or Activity
    Allow interviewee to respond to explanations. CC ID 16296 Audits and risk management Process or Activity
    Explain the requirements being discussed to the interviewee. CC ID 16294 Audits and risk management Process or Activity
    Explain the goals of the interview to the interviewee. CC ID 07189 Audits and risk management Behavior
    Include in the work papers whether the audit evidence has identified in scope control deficiencies. CC ID 07152 Audits and risk management Audits and Risk Management
    Include in the work papers whether in scope control deviations still allow the in scope controls to be performed acceptably. CC ID 06987 Audits and risk management Testing
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Audits and risk management Testing
    Review the subject matter expert's findings. CC ID 16559 Audits and risk management Audits and Risk Management
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Audits and risk management Investigate
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Establish/Maintain Documentation
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Human Resources Management
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Audits and Risk Management
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Audits and Risk Management
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Establish/Maintain Documentation
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Audits and Risk Management
    Review past audit reports. CC ID 01155
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the results of previous audits; § 9.2.2 ¶ 1(a)(3)
    The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: audit results; § 9.3 ¶ 2(c)(3)]
    Audits and risk management Establish/Maintain Documentation
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Establish/Maintain Documentation
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Establish/Maintain Documentation
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Investigate
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Process or Activity
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Log Management
    Review the issues of non-compliance from past audit reports. CC ID 01148 Audits and risk management Establish/Maintain Documentation
    Submit an audit report that is complete. CC ID 01145 Audits and risk management Testing
    Review management's response to issues raised in past audit reports. CC ID 01149
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1)]
    Audits and risk management Audits and Risk Management
    Assess the quality of the audit program with regard to the staff and their qualifications. CC ID 01150 Audits and risk management Testing
    Evaluate the competency of auditors. CC ID 15253 Audits and risk management Human Resources Management
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain the audit plan. CC ID 01156 Audits and risk management Testing
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Audits and risk management Business Processes
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and risk management Audits and Risk Management
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and risk management Audits and Risk Management
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and risk management Audits and Risk Management
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Audits and risk management Human Resources Management
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Audits and risk management Investigate
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Audits and Risk Management
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Establish/Maintain Documentation
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Audits and risk management Establish/Maintain Documentation
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Audits and Risk Management
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Audits and risk management Investigate
    Conduct a Business Impact Analysis, as necessary. CC ID 01147 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Audits and Risk Management
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Investigate
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Actionable Reports or Measurements
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Audits and Risk Management
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Establish/Maintain Documentation
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Process or Activity
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Process or Activity
    Determine the effectiveness of risk control measures. CC ID 06601
    [/* Based on the subject of this section, by 'these actions', the document is referring to activities to manage risk*/{risk management activity} evaluate the effectiveness of these actions. § 6.1.3 ¶ 1(b)(2)]
    Audits and risk management Testing
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Audits and Risk Management
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Audits and Risk Management
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Audits and risk management Process or Activity
    Disallow application IDs from running as privileged users. CC ID 10050 Technical security Configuration
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Technical security Testing
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1]
    Operational and Systems Continuity Systems Continuity
    Monitor and evaluate business continuity management system performance. CC ID 12410 Operational and Systems Continuity Monitor and Evaluate Occurrences
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Operational and Systems Continuity Testing
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Investigate
    Test the recovery plan, as necessary. CC ID 13290 Operational and Systems Continuity Testing
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Testing
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Establish/Maintain Documentation
    Define and prioritize critical business functions. CC ID 00736
    [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Test the continuity plan, as necessary. CC ID 00755
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Operational and Systems Continuity Testing
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Operational and Systems Continuity Testing
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Operational and Systems Continuity Testing
    Analyze system interdependence during continuity plan tests. CC ID 13082 Operational and Systems Continuity Testing
    Test the continuity plan at the alternate facility. CC ID 01174 Operational and Systems Continuity Testing
    Review all third party's continuity plan test results. CC ID 01365 Operational and Systems Continuity Testing
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Operational and Systems Continuity Testing
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Operational and Systems Continuity Testing
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Operational and Systems Continuity Testing
    Analyze workforce management. CC ID 12844
    [{resource level}{manpower} The management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)]
    Human Resources management Human Resources Management
    Identify root causes of staffing shortages, if any exist. CC ID 13276 Human Resources management Human Resources Management
    Analyze the ability of Human Resources to attract a competent workforce. CC ID 13275 Human Resources management Human Resources Management
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1(b)
    {staff} The organization shall: determine the necessary competence of persons doing work under its control that affects the performance and effectiveness of the SMS and the services; § 7.2 ¶ 1(a)]
    Human Resources management Testing
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Human Resources Management
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Human Resources Management
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Establish/Maintain Documentation
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Human Resources Management
    Document the security clearance procedure results. CC ID 01635 Human Resources management Establish/Maintain Documentation
    Document all training in a training record. CC ID 01423
    [The organization shall: retain appropriate documented information as evidence of competence. § 7.2 ¶ 1(d)]
    Human Resources management Establish/Maintain Documentation
    Conduct tests and evaluate training. CC ID 06672
    [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)]
    Human Resources management Testing
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Human Resources management Training
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Human Resources management Training
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Human Resources management Monitor and Evaluate Occurrences
    Analyze and evaluate training records to improve the training program. CC ID 06380 Human Resources management Monitor and Evaluate Occurrences
    Forecast system workloads. CC ID 00938 Operational management Testing
    Utilize resource capacity management controls. CC ID 00939 Operational management Testing
    Perform system capacity testing. CC ID 01616 Operational management Testing
    Perform system performance reviews. CC ID 11866 Operational management Testing
    Follow the resource workload schedule. CC ID 00941 Operational management Business Processes
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Operational management Process or Activity
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Operational management Process or Activity
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Operational management Process or Activity
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Operational management Establish/Maintain Documentation
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Technical Security
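    One way to operationalise this control is to reconcile DHCPACK records from the DHCP server's syslog against the asset inventory and report any client MAC the inventory does not know about. The following is an added example written for this page, not code from ISO/IEC 20000-1 or from the report's authors; the ISC dhcpd-style log lines, the inventory map and the asset tags are constructed sample data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// dhcpAck matches ISC dhcpd-style syslog lines such as
//   "Mar  3 10:14:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.23 to aa:bb:cc:dd:ee:ff (lab-nuc) via eth0"
// Captures: 1 = leased IP, 2 = client MAC, 3 = optional client hostname.
var dhcpAck = regexp.MustCompile(`DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-fA-F:]{17})(?: \(([^)]*)\))?`)

// Lease is one acknowledged DHCP lease observed in the server log.
type Lease struct {
	IP, MAC, Hostname string
}

// ParseDHCPAcks extracts every DHCPACK from raw syslog text. DISCOVER/OFFER/
// REQUEST lines are ignored: only an ACK proves the client actually got an
// address. MACs are lower-cased so they compare cleanly against the inventory.
func ParseDHCPAcks(logText string) []Lease {
	var leases []Lease
	for _, line := range strings.Split(logText, "\n") {
		m := dhcpAck.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		leases = append(leases, Lease{IP: m[1], MAC: strings.ToLower(m[2]), Hostname: m[3]})
	}
	return leases
}

// UnknownDevices returns leases whose MAC is absent from the asset inventory
// (a map from lower-case MAC to asset tag). Each unknown MAC is reported once,
// using its most recent lease, so a client that renews often does not flood
// the report. Order of first appearance is preserved.
func UnknownDevices(leases []Lease, inventory map[string]string) []Lease {
	latest := map[string]Lease{}
	var order []string
	for _, l := range leases {
		if _, known := inventory[l.MAC]; known {
			continue
		}
		if _, seen := latest[l.MAC]; !seen {
			order = append(order, l.MAC)
		}
		latest[l.MAC] = l
	}
	out := make([]Lease, 0, len(order))
	for _, mac := range order {
		out = append(out, latest[mac])
	}
	return out
}

// Constructed sample data: four log lines and a two-entry asset inventory.
const sampleLog = `Mar  3 10:14:02 dhcp1 dhcpd[812]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
Mar  3 10:14:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.23 to aa:bb:cc:dd:ee:ff (lab-nuc) via eth0
Mar  3 10:14:09 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.77 to 00:11:22:33:44:55 via eth0
Mar  3 10:15:40 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.78 to 00:11:22:33:44:55 (android-9f2) via eth0`

var sampleInventory = map[string]string{
	"aa:bb:cc:dd:ee:ff": "ASSET-0042", // hypothetical asset tags
	"de:ad:be:ef:00:01": "ASSET-0107",
}

func main() {
	for _, d := range UnknownDevices(ParseDHCPAcks(sampleLog), sampleInventory) {
		fmt.Printf("not in inventory: %s at %s (%q)\n", d.MAC, d.IP, d.Hostname)
	}
}
```

    Run against the sample data this reports the single unregistered client 00:11:22:33:44:55 at its latest address 10.0.0.78. A MAC is only a weak identifier (it can be spoofed or randomised by the client), so treat a hit as a lead for investigation and inventory correction rather than proof of an unauthorised device.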
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Operational management Testing
    Control and monitor all maintenance tools. CC ID 01432 Operational management Physical and Environmental Protection
    Conduct maintenance with authorized personnel. CC ID 01434 Operational management Testing
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Operational management Testing
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Operational management Testing
    Respond to and triage when an incident is detected. CC ID 06942
    [Information security incidents shall be: prioritized taking into consideration the information security risk; § 8.7.3.3 ¶ 1(b)
    Incidents shall be: prioritized taking into consideration impact and urgency; § 8.6.1 ¶ 1(b)
    Problems shall be: prioritized; § 8.6.3 ¶ 2(b)]
    Operational management Monitor and Evaluate Occurrences
    Document the incident and any relevant evidence in the incident report. CC ID 08659
    [Incidents shall be: recorded and classified; § 8.6.1 ¶ 1(a)
    The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3
    Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)]
    Operational management Establish/Maintain Documentation
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Log Management
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Operational management Investigate
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Information security incidents shall be: resolved; § 8.7.3.3 ¶ 1(d)
    Incidents shall be: resolved; § 8.6.1 ¶ 1(d)
    The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Operational management Establish/Maintain Documentation
    Use proactive performance management. CC ID 00937
    [At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3]
    Operational management Business Processes
    Utilize resource availability management controls. CC ID 00940 Operational management Business Processes
    Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845
    [{service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain cost management procedures. CC ID 00873
    [Costs shall be budgeted to enable effective financial control and decision-making for services. § 8.4.1 ¶ 2
    At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3]
    Operational management Business Processes
    Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 Operational management Investigate
    Identify deviations in cost management procedures. CC ID 13640 Operational management Investigate
    Identify and allocate departmental costs. CC ID 00871 Operational management Business Processes
    Prepare an Information Technology budget, as necessary. CC ID 00872
    [The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1]
    Operational management Establish/Maintain Documentation
    Compare actual Information Technology costs to forecasted Information Technology budgets. CC ID 11753
    [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3]
    Operational management Business Processes
    Test proposed changes prior to their approval. CC ID 00548
    [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2]
    Operational management Testing
    Examine all changes to ensure they correspond with the change request. CC ID 12345
    [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2
    The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4
    {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3
    {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5]
    Operational management Business Processes
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Process or Activity
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Investigate
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Investigate
    Review the patch log for missing patches. CC ID 13186 Operational management Technical Security
    Perform a patch test prior to deploying a patch. CC ID 00898 Operational management Testing
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Testing
    Review changes to computer firmware. CC ID 12226 Operational management Testing
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Operational management Testing
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Operational management Technical Security
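    The installer-side check this control calls for is a signature verification gate that runs before anything is flashed or installed: recompute the digest of the image actually on disk, and accept it only if a signature over that digest verifies under the pinned vendor key. The following is an added example for this page, not code from ISO/IEC 20000-1, the report's authors or any vendor's tooling; the Ed25519 key pair, the firmware bytes and the manifest layout are constructed here, and a real deployment would pin the vendor public key in the installer or in ROM rather than generate it at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is the constructed release metadata shipped beside a firmware
// image: the image's SHA-256 and an Ed25519 signature over that digest.
type Manifest struct {
	Digest    [32]byte
	Signature []byte
}

// SignFirmware is the vendor side (hypothetical build-pipeline step): it
// signs the digest rather than the raw image so the signed message is short
// and fixed-size regardless of image size.
func SignFirmware(image []byte, priv ed25519.PrivateKey) Manifest {
	d := sha256.Sum256(image)
	return Manifest{Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyFirmware is the pre-installation gate. It first checks that the image
// on disk is the one the manifest describes, then that the manifest itself was
// signed by the trusted vendor key. Either failure must abort installation;
// a manifest the attacker rewrote to match a tampered image fails the second
// check because they cannot produce a signature under the vendor key.
func VerifyFirmware(image []byte, m Manifest, pub ed25519.PublicKey) error {
	if d := sha256.Sum256(image); d != m.Digest {
		return errors.New("firmware digest does not match manifest")
	}
	if !ed25519.Verify(pub, m.Digest[:], m.Signature) {
		return errors.New("manifest signature invalid: not signed by trusted vendor key")
	}
	return nil
}

// Install runs the gate and reports whether the image may be written.
// The actual flash step is omitted; nothing happens on verification failure.
func Install(image []byte, m Manifest, pub ed25519.PublicKey) (bool, error) {
	if err := VerifyFirmware(image, m, pub); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the pinned vendor key
	image := []byte("constructed firmware image v1.2.3")
	m := SignFirmware(image, priv)

	ok, err := Install(image, m, pub)
	fmt.Println("genuine image:", ok, err)

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	ok, err = Install(tampered, m, pub)
	fmt.Println("tampered image, original manifest:", ok, err)

	// An attacker who re-signs the tampered image with their own key is also rejected.
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	ok, err = Install(tampered, SignFirmware(tampered, attacker), pub)
	fmt.Println("tampered image, re-signed by untrusted key:", ok, err)
}
```

    Only the first case installs; the second fails on the digest comparison and the third on the signature check. The gate is only as strong as the protection of the public key it trusts, which is why the pinned key, not the manifest, is the root of trust here.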
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Operational management Establish/Maintain Documentation
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Operational management Testing
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541
    [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3]
    Operational management Testing
    Establish, implement, and maintain a configuration change log. CC ID 08710 Operational management Configuration
    Establish, implement, and maintain a service delivery and production process Quality Management program. CC ID 07194
    [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f)
    The management review shall include consideration of: performance of the services; § 9.3 ¶ 2(h)
    The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1 ¶ 1(b)
    The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1 ¶ 1(d)
    The organization shall evaluate the SMS performance against the service management objectives and evaluate the effectiveness of the SMS. The organization shall evaluate the effectiveness of the services against the service requirements. § 9.1 ¶ 3
    Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4
    The release shall be deployed into the live environment so that the integrity of the services and service components is maintained. § 8.5.3 ¶ 5
    {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1
    The service management plan shall include or contain a reference to: how the effectiveness of the SMS and the services will be measured, audited, reported and improved. § 6.3 ¶ 2(h)]
    Operational management Business Processes
    Include consumer safety quality improvement projects in the service delivery and production process Quality Management program. CC ID 07195 Operational management Establish/Maintain Documentation
    Test network access controls for proper Configuration Management settings. CC ID 01281 System hardening through configuration management Testing
    Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 System hardening through configuration management Log Management
    Configure the log to capture user authenticator changes. CC ID 01917 System hardening through configuration management Log Management
    Audit the configuration of organizational assets, as necessary. CC ID 13653
    [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3]
    System hardening through configuration management Audits and Risk Management
    Audit assets after maintenance was performed. CC ID 13657 System hardening through configuration management Audits and Risk Management
    Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 Records management Establish/Maintain Documentation
    Establish, implement, and maintain records registration procedures. CC ID 00913 Records management Establish/Maintain Documentation
    Define the terms used in the record classification scheme. CC ID 00916 Records management Establish/Maintain Documentation
    Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 Records management Records Management
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a data retention program. CC ID 00906 Records management Establish/Maintain Documentation
    Maintain continued integrity for all stored data and stored records. CC ID 00969 Records management Testing
    Define which documents and records the organization may capture. CC ID 00905
    [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)]
    Records management Establish/Maintain Documentation
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 Records management Testing
    Maintain media sanitization equipment in operational condition. CC ID 00721 Records management Testing
    Establish, implement, and maintain source document authorization tracking. CC ID 01262 Records management Records Management
    Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 Records management Business Processes
    Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 Records management Process or Activity
    Review the electronic storage media for the information the organization collects and processes. CC ID 13009 Records management Process or Activity
    Establish, implement, and maintain source document error handling tracking. CC ID 01263 Records management Records Management
    Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 Records management Monitor and Evaluate Occurrences
    Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 Records management Records Management
    Establish, implement, and maintain data accuracy controls. CC ID 00921 Records management Monitor and Evaluate Occurrences
    Capture the records required by organizational compliance requirements. CC ID 00912
    [The documented information for the SMS shall include: records required to demonstrate evidence of conformity to the requirements of this document and the organization's SMS. § 7.5.4 ¶ 1(l)
    keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 1(c)]
    Records management Records Management
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Records management Data and Information Management
    Identify patient-specific education resources. CC ID 14439 Records management Process or Activity
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Records management Data and Information Management
    Control error handling when data is being inputted. CC ID 00922 Records management Data and Information Management
    Compare each record's data input to its final form. CC ID 11813 Records management Records Management
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Records Management
    Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 Records management Monitor and Evaluate Occurrences
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Records management Testing
    Provide audit trails for all pertinent records. CC ID 00372 Records management Establish/Maintain Documentation
    Identify electronic storage media that require downgrading. CC ID 10620 Records management Process or Activity
    Test the storage media downgrade for correct performance. CC ID 10623 Records management Testing
    Establish, implement, and maintain output balancing audit trails. CC ID 00928 Records management Establish/Maintain Documentation
    Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 Records management Establish/Maintain Documentation
    Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 Records management Testing
    Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 Systems design, build, and implementation Testing
    Determine if the project is complete after all implementation tasks are finished. CC ID 06912
    [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: service acceptance criteria; § 8.5.2.1 ¶ 1(f)]
    Systems design, build, and implementation Testing
    Include complete information in the take-down request. CC ID 09965 Acquisition or sale of facilities, technology, and services Business Processes
    Include the complainant's contact information in the take-down request. CC ID 09966 Acquisition or sale of facilities, technology, and services Business Processes
    Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 Acquisition or sale of facilities, technology, and services Business Processes
    Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 Acquisition or sale of facilities, technology, and services Business Processes
    Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 Acquisition or sale of facilities, technology, and services Business Processes
    Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 Acquisition or sale of facilities, technology, and services Business Processes
    Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 Acquisition or sale of facilities, technology, and services Business Processes
    Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 Acquisition or sale of facilities, technology, and services Business Processes
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Testing
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [The documented information for the SMS shall include: contracts with external suppliers; § 7.5.4 ¶ 1(i)
    For each internal supplier or customer acting as a supplier, the organization shall develop, agree and maintain a documented agreement to define the service level targets, other commitments, activities and interfaces between the parties. § 8.3.4.2 ¶ 1
    For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: § 8.3.4.1 ¶ 2
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)]
    Third Party and supply chain oversight Process or Activity
    Include a termination provision clause in third party contracts. CC ID 01367 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Third Party and supply chain oversight Testing
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 Third Party and supply chain oversight Testing
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Third Party and supply chain oversight Testing
    Establish the third party's service continuity. CC ID 00797 Third Party and supply chain oversight Testing
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Testing
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Data and Information Management
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Testing
    Document supply chain dependencies in the supply chain management program. CC ID 08900
    [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842
    [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Approve all Service Level Agreements. CC ID 00843 Third Party and supply chain oversight Establish/Maintain Documentation
    Track all chargeable items in Service Level Agreements. CC ID 11616 Third Party and supply chain oversight Business Processes
    Document all chargeable items in Service Level Agreements. CC ID 00844 Third Party and supply chain oversight Establish/Maintain Documentation
    Perform risk assessments of third parties, as necessary. CC ID 06454
    [The organization shall determine and document: risks related to: the involvement of other parties in the service lifecycle; § 6.1.2 ¶ 1(a)(3)]
    Third Party and supply chain oversight Testing
    Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915
    [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2]
    Third Party and supply chain oversight Business Processes
    Assess the effectiveness of third party services provided to the organization. CC ID 13142 Third Party and supply chain oversight Business Processes
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring there is control of other parties involved in the service lifecycle; § 5.1 ¶ 1(e)
    The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1
    At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5
    The management review shall include consideration of: performance of other parties involved in the delivery of the services; § 9.3 ¶ 2(i)]
    Third Party and supply chain oversight Monitor and Evaluate Occurrences
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Monitor and Evaluate Occurrences
  • IT Impact Zone
    13
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    1941
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Leadership and high level objectives Business Processes
    Establish, implement, and maintain communication protocols. CC ID 12245
    [{internal communication}{be relevant} The organization shall determine the internal and external communications relevant to the SMS and the services including: § 7.4 ¶ 1
    The organization shall determine the internal and external communications relevant to the SMS and the services including: when to communicate; § 7.4 ¶ 1(b)
    The organization shall determine the internal and external communications relevant to the SMS and the services including: with whom to communicate; § 7.4 ¶ 1(c)
    The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2
    The organization shall determine the internal and external communications relevant to the SMS and the services including: how to communicate; § 7.4 ¶ 1(d)
    The organization shall determine the internal and external communications relevant to the SMS and the services including: on what it will communicate; § 7.4 ¶ 1(a)
    The organization shall determine the internal and external communications relevant to the SMS and the services including: who will be responsible for the communication. § 7.4 ¶ 1(e)]
    Leadership and high level objectives Establish/Maintain Documentation
    Use secure communication protocols for telecommunications. CC ID 16458 Leadership and high level objectives Business Processes
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419
    [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Include external requirements in the organization's communication protocol. CC ID 12418
    [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Leadership and high level objectives Communicate
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Leadership and high level objectives Process or Activity
    Identify barriers to stakeholder engagement. CC ID 15676 Leadership and high level objectives Process or Activity
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Leadership and high level objectives Communicate
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Leadership and high level objectives Communicate
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Leadership and high level objectives Process or Activity
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Leadership and high level objectives Communicate
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Leadership and high level objectives Communicate
    Route notifications, as necessary. CC ID 12832 Leadership and high level objectives Process or Activity
    Substantiate notifications, as necessary. CC ID 12831 Leadership and high level objectives Process or Activity
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Leadership and high level objectives Business Processes
    Prioritize notifications, as necessary. CC ID 12830 Leadership and high level objectives Process or Activity
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Leadership and high level objectives Actionable Reports or Measurements
    Disseminate and communicate internal controls with supply chain members. CC ID 12416 Leadership and high level objectives Communicate
    Establish and maintain the organization's survey method. CC ID 12869 Leadership and high level objectives Process or Activity
    Document the findings from surveys. CC ID 16309 Leadership and high level objectives Establish/Maintain Documentation
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Leadership and high level objectives Process or Activity
    Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Leadership and high level objectives Establish/Maintain Documentation
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Monitor and Evaluate Occurrences
    Establish, implement, and maintain an internal reporting program. CC ID 12409
    [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1]
    Leadership and high level objectives Business Processes
    Include transactions and events as a part of internal reporting. CC ID 12413 Leadership and high level objectives Business Processes
    Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 Leadership and high level objectives Communicate
    Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 Leadership and high level objectives Establish/Maintain Documentation
    Define the thresholds for escalation in the internal reporting program. CC ID 14332 Leadership and high level objectives Establish/Maintain Documentation
    Define the thresholds for reporting in the internal reporting program. CC ID 14331 Leadership and high level objectives Establish/Maintain Documentation
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be measurable; § 6.2.1 ¶ 1(b)]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Leadership and high level objectives Establish/Maintain Documentation
    Analyze the business environment in which the organization operates. CC ID 12798 Leadership and high level objectives Business Processes
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Leadership and high level objectives Process or Activity
    Include key processes in the analysis of the internal business environment. CC ID 12947 Leadership and high level objectives Process or Activity
    Include existing information in the analysis of the internal business environment. CC ID 12943 Leadership and high level objectives Process or Activity
    Include resources in the analysis of the internal business environment. CC ID 12942
    [{resource level}{manpower} The management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)]
    Leadership and high level objectives Process or Activity
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Leadership and high level objectives Process or Activity
    Include incentives in the analysis of the internal business environment. CC ID 12940 Leadership and high level objectives Process or Activity
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Leadership and high level objectives Process or Activity
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Leadership and high level objectives Process or Activity
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Leadership and high level objectives Process or Activity
    Align assets with business functions and the business environment. CC ID 13681 Leadership and high level objectives Business Processes
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200
    [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2]
    Leadership and high level objectives Communicate
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863
    [{service management system} When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2(a)
    The management review shall include consideration of: changes in external and internal issues that are relevant to the SMS; § 9.3 ¶ 2(b)
    The management review shall include consideration of: changes that can affect the SMS and the services. § 9.3 ¶ 2(l)]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze the external environment in which the organization operates. CC ID 12799 Leadership and high level objectives Business Processes
    Identify the external forces that may affect organizational objectives. CC ID 12960 Leadership and high level objectives Process or Activity
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include environmental requirements in the analysis of the external environment. CC ID 12965 Leadership and high level objectives Business Processes
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Leadership and high level objectives Business Processes
    Include society in the analysis of the external environment. CC ID 12963 Leadership and high level objectives Business Processes
    Include opportunities in the analysis of the external environment. CC ID 12954 Leadership and high level objectives Business Processes
    Include third party relationships in the analysis of the external environment. CC ID 12952 Leadership and high level objectives Business Processes
    Include industry forces in the analysis of the external environment. CC ID 12904 Leadership and high level objectives Business Processes
    Include threats in the analysis of the external environment. CC ID 12898 Leadership and high level objectives Business Processes
    Include geopolitics in the analysis of the external environment. CC ID 12897 Leadership and high level objectives Business Processes
    Include legal requirements in the analysis of the external environment. CC ID 12896 Leadership and high level objectives Business Processes
    Include technology in the analysis of the external environment. CC ID 12837 Leadership and high level objectives Business Processes
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Leadership and high level objectives Business Processes
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Leadership and high level objectives Business Processes
    Establish, implement, and maintain organizational objectives. CC ID 09959 Leadership and high level objectives Establish/Maintain Documentation
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Leadership and high level objectives Process or Activity
    Identify events that may affect organizational objectives. CC ID 12961
    [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1]
    Leadership and high level objectives Process or Activity
    Identify conditions that may affect organizational objectives. CC ID 12958 Leadership and high level objectives Process or Activity
    Identify requirements that could affect achieving organizational objectives. CC ID 12828
    [{applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1]
    Leadership and high level objectives Business Processes
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826
    [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)]
    Leadership and high level objectives Business Processes
    Prioritize organizational objectives. CC ID 09960 Leadership and high level objectives Business Processes
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a value generation model. CC ID 15591 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Communicate
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Establish/Maintain Documentation
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Establish/Maintain Documentation
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain value generation objectives. CC ID 15583 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Leadership and high level objectives Establish/Maintain Documentation
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Leadership and high level objectives Establish/Maintain Documentation
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Leadership and high level objectives Establish/Maintain Documentation
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Leadership and high level objectives Establish/Maintain Documentation
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Leadership and high level objectives Establish/Maintain Documentation
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Leadership and high level objectives Establish/Maintain Documentation
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Leadership and high level objectives Establish/Maintain Documentation
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Leadership and high level objectives Communicate
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)]
    Leadership and high level objectives Communicate
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Identify threats that could affect achieving organizational objectives. CC ID 12827
    [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1]
    Leadership and high level objectives Business Processes
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1
    The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)]
    Leadership and high level objectives Process or Activity
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805
    [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)]
    Leadership and high level objectives Process or Activity
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Business Processes
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Leadership and high level objectives Process or Activity
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 Leadership and high level objectives Business Processes
    Establish, implement, and maintain data governance and management practices. CC ID 14998 Leadership and high level objectives Establish/Maintain Documentation
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Establish/Maintain Documentation
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Establish/Maintain Documentation
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Establish/Maintain Documentation
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Establish/Maintain Documentation
    Include data monitoring in the data governance and management practices. CC ID 15303 Leadership and high level objectives Establish/Maintain Documentation
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Leadership and high level objectives Establish/Maintain Documentation
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Establish/Maintain Documentation
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Establish/Maintain Documentation
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Leadership and high level objectives Establish/Maintain Documentation
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Data and Information Management
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Data and Information Management
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Data and Information Management
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Data and Information Management
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Data and Information Management
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Data and Information Management
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Data and Information Management
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Data and Information Management
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Leadership and high level objectives Data and Information Management
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Leadership and high level objectives Communicate
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Leadership and high level objectives Establish/Maintain Documentation
    Refrain from including metadata in the data dictionary. CC ID 13529 Leadership and high level objectives Establish/Maintain Documentation
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Leadership and high level objectives Establish/Maintain Documentation
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Leadership and high level objectives Establish/Maintain Documentation
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Leadership and high level objectives Establish/Maintain Documentation
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Leadership and high level objectives Establish/Maintain Documentation
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Leadership and high level objectives Establish/Maintain Documentation
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Leadership and high level objectives Establish/Maintain Documentation
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Leadership and high level objectives Establish/Maintain Documentation
    Include the precision of the measurement in the data dictionary. CC ID 13520 Leadership and high level objectives Establish/Maintain Documentation
    Include the data source in the data dictionary. CC ID 13519 Leadership and high level objectives Establish/Maintain Documentation
    Include the nature of each element in the data dictionary. CC ID 13518 Leadership and high level objectives Establish/Maintain Documentation
    Include the population of events or instances in the data dictionary. CC ID 13517 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Leadership and high level objectives Communicate
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Leadership and high level objectives Behavior
    Establish, implement, and maintain an organizational structure. CC ID 16310 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Leadership and high level objectives Communicate
    Establish, implement, and maintain a Quality Management framework. CC ID 07196
    [The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3
    At planned intervals, the effectiveness of problem resolution shall be monitored, reviewed and reported. § 8.6.3 ¶ 5
    The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6]
    Leadership and high level objectives Establish/Maintain Documentation
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Leadership and high level objectives Establish/Maintain Documentation
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a)
    The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b)
    {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Establish/Maintain Documentation
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)]
    Leadership and high level objectives Communicate
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680
    [Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4]
    Leadership and high level objectives Communicate
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Leadership and high level objectives Establish/Maintain Documentation
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200
    [The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2
    The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management program. CC ID 07201
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: setting one or more targets for improvement in areas such as quality, value, capability, cost, productivity, resource utilization and risk reduction; § 10.2 ¶ 3(a)
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b)
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)]
    Leadership and high level objectives Establish/Maintain Documentation
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Communicate
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Communicate
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Establish/Maintain Documentation
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Establish/Maintain Documentation
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Establish/Maintain Documentation
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Establish/Maintain Documentation
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Establish/Maintain Documentation
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Establish/Maintain Documentation
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825
    [The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6]
    Leadership and high level objectives Systems Design, Build, and Implementation
    Include resource management in the quality management system. CC ID 15026 Leadership and high level objectives Establish/Maintain Documentation
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Establish/Maintain Documentation
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Establish/Maintain Documentation
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Establish/Maintain Documentation
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3
    Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4
    The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6]
    Leadership and high level objectives Establish/Maintain Documentation
    Include program documentation standards in the Quality Management program. CC ID 01016 Leadership and high level objectives Establish/Maintain Documentation
    Include program testing standards in the Quality Management program. CC ID 01017
    [At planned intervals, the organization shall monitor, review and report on: performance against service level targets; § 8.3.3 ¶ 3(a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include system testing standards in the Quality Management program. CC ID 01018 Leadership and high level objectives Establish/Maintain Documentation
    Include an issue tracking system in the Quality Management program. CC ID 06824 Leadership and high level objectives Systems Design, Build, and Implementation
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Establish/Maintain Documentation
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring the integration of the SMS requirements into the organization's business processes; § 5.1 ¶ 1(f)]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain an Authority Document list. CC ID 07113
    [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [The documented information for the SMS shall include: procedures that are required by this document; § 7.5.4 ¶ 1(k)]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [Documented information required by the SMS and by this document shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3.1(a)
    When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1(c)]
    Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Leadership and high level objectives Communicate
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Leadership and high level objectives Establish/Maintain Documentation
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Leadership and high level objectives Establish/Maintain Documentation
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Leadership and high level objectives Establish/Maintain Documentation
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Establish/Maintain Documentation
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Establish/Maintain Documentation
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Leadership and high level objectives Establish/Maintain Documentation
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Establish/Maintain Documentation
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Establish/Maintain Documentation
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Leadership and high level objectives Establish Roles
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Leadership and high level objectives Establish Roles
    Address Information Security during the business planning processes. CC ID 06495 Leadership and high level objectives Data and Information Management
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498
    [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a strategic plan. CC ID 12784
    [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Determine progress toward the objectives of the strategic plan. CC ID 12944
    [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be monitored; § 6.2.1 ¶ 1(d)
    The management review shall include consideration of: achievement of service management objectives; § 9.3 ¶ 2(g)]
    Leadership and high level objectives Process or Activity
    Include acting with integrity in the strategic plan. CC ID 12870 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 Leadership and high level objectives Communicate
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960 Leadership and high level objectives Establish/Maintain Documentation
    Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a planning policy. CC ID 14673 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain planning procedures. CC ID 14698 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 Leadership and high level objectives Communicate
    Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 Leadership and high level objectives Communicate
    Include compliance requirements in the planning policy. CC ID 14688 Leadership and high level objectives Establish/Maintain Documentation
    Include coordination amongst entities in the planning policy. CC ID 14687 Leadership and high level objectives Establish/Maintain Documentation
    Include management commitment in the planning policy. CC ID 14686 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the planning policy. CC ID 14685 Leadership and high level objectives Establish/Maintain Documentation
    Include the scope in the planning policy. CC ID 14684 Leadership and high level objectives Establish/Maintain Documentation
    Include the purpose in the planning policy. CC ID 14683 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a security planning policy. CC ID 14027 Leadership and high level objectives Establish/Maintain Documentation
    Include compliance requirements in the security planning policy. CC ID 14131 Leadership and high level objectives Establish/Maintain Documentation
    Include coordination amongst entities in the security planning policy. CC ID 14130 Leadership and high level objectives Establish/Maintain Documentation
    Include management commitment in the security planning policy. CC ID 14129 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the security planning policy. CC ID 14128 Leadership and high level objectives Establish/Maintain Documentation
    Include the scope in the security planning policy. CC ID 14127 Leadership and high level objectives Establish/Maintain Documentation
    Include the purpose in the security planning policy. CC ID 14126 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 Leadership and high level objectives Communicate
    Establish, implement, and maintain security planning procedures. CC ID 14060 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Leadership and high level objectives Communicate
    Establish, implement, and maintain a decision management strategy. CC ID 06913 Leadership and high level objectives Establish/Maintain Documentation
    Align the reporting methodology with the decision management strategy. CC ID 15659 Leadership and high level objectives Business Processes
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Leadership and high level objectives Establish/Maintain Documentation
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for compliance in the decision-making criteria. CC ID 12951 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: policies and plans required by this document; § 8.5.1.3 ¶ 1(c)]
    Leadership and high level objectives Process or Activity
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843
    [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Leadership and high level objectives Process or Activity
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Leadership and high level objectives Process or Activity
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: customers, users and other interested parties; § 8.5.1.3 ¶ 1(b)]
    Leadership and high level objectives Process or Activity
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 Leadership and high level objectives Behavior
    Take actions in accordance with the decision-making criteria. CC ID 12909 Leadership and high level objectives Process or Activity
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 Leadership and high level objectives Communicate
    Establish, implement, and maintain an information technology process framework. CC ID 13648 Leadership and high level objectives Establish/Maintain Documentation
    Include maturity models in the Information Technology process framework. CC ID 13652 Leadership and high level objectives Establish/Maintain Documentation
    Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 Leadership and high level objectives Establish/Maintain Documentation
    Include Information Technology process structures in the Information Technology process framework. CC ID 13650 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a tactical plan. CC ID 12785 Leadership and high level objectives Establish/Maintain Documentation
    Include acting with integrity in the tactical plan. CC ID 12871 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 Leadership and high level objectives Establish/Maintain Documentation
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Leadership and high level objectives Establish/Maintain Documentation
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Leadership and high level objectives Human Resources Management
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Leadership and high level objectives Establish/Maintain Documentation
    Include the information integrity goals in the Information Governance Plan. CC ID 10057 Leadership and high level objectives Establish/Maintain Documentation
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Leadership and high level objectives Establish/Maintain Documentation
    Align business continuity objectives with the business continuity policy. CC ID 12408 Leadership and high level objectives Establish/Maintain Documentation
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 Leadership and high level objectives Business Processes
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Leadership and high level objectives Establish/Maintain Documentation
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Leadership and high level objectives Establish/Maintain Documentation
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 Leadership and high level objectives Establish/Maintain Documentation
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846 Leadership and high level objectives Establish/Maintain Documentation
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Leadership and high level objectives Business Processes
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 Leadership and high level objectives Establish/Maintain Documentation
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 Leadership and high level objectives Establish/Maintain Documentation
    Assign senior management to approve business cases. CC ID 13068 Leadership and high level objectives Human Resources Management
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 Leadership and high level objectives Establish/Maintain Documentation
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Leadership and high level objectives Establish/Maintain Documentation
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Leadership and high level objectives Establish/Maintain Documentation
    Include a search plan in the counterterror protective security plan. CC ID 06865 Leadership and high level objectives Establish/Maintain Documentation
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Leadership and high level objectives Establish/Maintain Documentation
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 Leadership and high level objectives Actionable Reports or Measurements
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Leadership and high level objectives Actionable Reports or Measurements
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Leadership and high level objectives Actionable Reports or Measurements
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Leadership and high level objectives Actionable Reports or Measurements
    Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 Leadership and high level objectives Human Resources Management
    Establish, implement, and maintain a financial management program. CC ID 13228 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain financial reports. CC ID 14770
    [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3]
    Leadership and high level objectives Establish/Maintain Documentation
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Leadership and high level objectives Establish/Maintain Documentation
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Leadership and high level objectives Establish/Maintain Documentation
    Include the business need justification for lost value in the financial report. CC ID 15588 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Leadership and high level objectives Communicate
    Include financial statements in the financial report, as necessary. CC ID 14775 Leadership and high level objectives Establish/Maintain Documentation
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Leadership and high level objectives Establish/Maintain Documentation
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Leadership and high level objectives Establish/Maintain Documentation
    Include material contingencies in the financial statement. CC ID 16596 Leadership and high level objectives Establish/Maintain Documentation
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Leadership and high level objectives Establish/Maintain Documentation
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Leadership and high level objectives Establish/Maintain Documentation
    Include assets and liabilities in the call report. CC ID 16729 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Leadership and high level objectives Communicate
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: monitoring and measurement results; § 9.3 ¶ 2(c)(2)]
    Monitoring and measurement Log Management
    Protect the event logs from failure. CC ID 06290 Monitoring and measurement Log Management
    Overwrite the oldest records when audit logging fails. CC ID 14308 Monitoring and measurement Data and Information Management
Supply each in-scope asset with an audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Monitoring and measurement Testing
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Monitoring and measurement Establish/Maintain Documentation
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Monitoring and measurement Audits and Risk Management
    Reproduce the event log if a log failure is captured. CC ID 01426 Monitoring and measurement Log Management
Monitor for software configuration updates absent authorization. CC ID 10676 Monitoring and measurement Monitor and Evaluate Occurrences
    Allow expected changes during file integrity monitoring. CC ID 12090 Monitoring and measurement Technical Security
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitoring and measurement Monitor and Evaluate Occurrences
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Monitoring and measurement Establish/Maintain Documentation
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Monitoring and measurement Process or Activity
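The file integrity monitoring items above (allow expected changes, record a change history with who made each change, alert on unauthorized modification of critical files) read as controls rather than as a design. The following is an added example written for this page; it is not code from ISO/IEC 20000-1 or from the UCF. It hashes a directory tree, diffs it against a baseline, allows only changes that were approved in advance by path and expected hash, records the actor and ticket for each allowed change, and flags everything else. The paths, the actor names and the CHG-1042 ticket are constructed.

```python
"""Added example for the file integrity monitoring controls above; it is not
code from ISO/IEC 20000-1 or from the UCF. It shows a minimal monitor that
hashes a tree, diffs it against a baseline, allows changes that were approved
in advance (by path and expected hash), records who made each allowed change
and under which ticket, and flags everything else. Paths, actors and the
CHG-1042 ticket are constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Hash every regular file under root, keyed by path relative to root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


@dataclass
class Finding:
    path: str
    kind: str          # "added", "modified" or "removed"
    authorized: bool   # True only if an approved change record matches
    actor: str         # who made the change, from the approved-change record
    ticket: str        # approved change reference, "" when none matched
    observed_at: str   # UTC timestamp of the comparison


def compare(baseline: dict, current: dict, approved: dict, now=None) -> list:
    """Diff two snapshots against a registry of approved changes.

    `approved` maps a relative path to {"actor", "ticket", "sha256"}; the
    sha256 is the content the change was approved to produce (None for an
    approved deletion). An approved path whose new hash differs from the
    approved one is still reported as unauthorized: the change window does
    not cover arbitrary edits to that file.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue
        rec = approved.get(path)
        ok = rec is not None and rec.get("sha256") == current.get(path)
        findings.append(Finding(path, kind, ok,
                                rec["actor"] if ok else "unknown",
                                rec["ticket"] if ok else "", ts))
    return findings


def alerts(findings: list) -> list:
    """What gets sent to interested parties: only unauthorized changes."""
    return [f for f in findings if not f.authorized]


def change_history(findings: list) -> list:
    """Report rows: every change, allowed or not, with actor and ticket."""
    return [asdict(f) for f in findings]


def demo() -> dict:
    """Constructed scenario in a temp dir; returns the monitor's verdicts."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin no\n")
        with open(os.path.join(etc, "sudoers"), "wb") as f:
            f.write(b"root ALL=(ALL) ALL\n")
        baseline = snapshot(root)

        # Approved change (constructed ticket CHG-1042): a known new sshd_config.
        new_sshd = b"PermitRootLogin no\nPasswordAuthentication no\n"
        approved = {"etc/sshd_config": {"actor": "ops-alice", "ticket": "CHG-1042",
                                        "sha256": hashlib.sha256(new_sshd).hexdigest()}}
        with open(os.path.join(etc, "sshd_config"), "wb") as f:
            f.write(new_sshd)
        # Unapproved: a sudoers edit granting NOPASSWD and a new cron.allow.
        with open(os.path.join(etc, "sudoers"), "ab") as f:
            f.write(b"www-data ALL=(ALL) NOPASSWD: ALL\n")
        with open(os.path.join(etc, "cron.allow"), "wb") as f:
            f.write(b"www-data\n")
        findings = compare(baseline, snapshot(root), approved)
    return {"findings": len(findings),
            "unauthorized": sorted(f.path for f in alerts(findings)),
            "history": change_history(findings)}


if __name__ == "__main__":
    for row in demo()["history"]:
        print(row)
```

The point of keying the allowlist on the expected hash, not only on the path, is that a change window for a file does not become a blanket exemption: an attacker who edits an allowlisted file during the window still trips the alert, while the report keeps the approved edit in the change history with its actor and ticket.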
    Develop and maintain a usage profile for each user account. CC ID 07067 Monitoring and measurement Technical Security
    Establish, implement, and maintain a service management monitoring and metrics program. CC ID 13916
[At planned intervals, the organization shall: monitor and report on demand and consumption of services. § 8.4.2 ¶ 1(b)
Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2]
    Monitoring and measurement Establish/Maintain Documentation
    Communicate trends in service management to all interested personnel and affected parties. CC ID 13926
    [Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2]
    Monitoring and measurement Communicate
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671
    [The organization shall determine: when the monitoring and measuring shall be performed; § 9.1 ¶ 1(c)]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain risk management metrics. CC ID 01656 Monitoring and measurement Establish/Maintain Documentation
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Monitoring and measurement Business Processes
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Monitoring and measurement Audits and Risk Management
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: § 10.1.1 ¶ 1(b)
    The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a)]
    Monitoring and measurement Establish/Maintain Documentation
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Monitoring and measurement Establish/Maintain Documentation
    Align disciplinary actions with the level of compliance violation. CC ID 12404
    [Corrective actions shall be appropriate to the effects of the nonconformities encountered. § 10.1.1 ¶ 2]
    Monitoring and measurement Human Resources Management
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Establish/Maintain Documentation
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Establish/Maintain Documentation
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Establish/Maintain Documentation
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Establish/Maintain Documentation
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Establish/Maintain Documentation
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Establish/Maintain Documentation
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Communicate
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Establish/Maintain Documentation
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Establish/Maintain Documentation
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Establish/Maintain Documentation
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Establish/Maintain Documentation
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Establish/Maintain Documentation
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Monitoring and measurement Establish/Maintain Documentation
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: targets for service availability when the service continuity plan is invoked; § 8.7.2 ¶ 2(c)]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics standard and template. CC ID 02157 Monitoring and measurement Establish/Maintain Documentation
    Monitor compliance with the Quality Control system. CC ID 01023 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Monitoring and measurement Actionable Reports or Measurements
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Monitoring and measurement Establish/Maintain Documentation
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Monitoring and measurement Business Processes
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Monitoring and measurement Business Processes
    Establish, implement, and maintain a physical environment metrics program. CC ID 02063 Monitoring and measurement Business Processes
    Establish, implement, and maintain a privacy metrics program. CC ID 15494 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain waste management metrics. CC ID 16152 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain emissions management metrics. CC ID 16145 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain financial management metrics. CC ID 16749 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Monitoring and measurement Business Processes
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Monitoring and measurement Business Processes
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Monitoring and measurement Business Processes
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Monitoring and measurement Log Management
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Monitoring and measurement Business Processes
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Monitoring and measurement Business Processes
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Monitoring and measurement Business Processes
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Monitoring and measurement Business Processes
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Monitoring and measurement Business Processes
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Monitoring and measurement Business Processes
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Monitoring and measurement Business Processes
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Monitoring and measurement Communicate
    Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Monitoring and measurement Establish/Maintain Documentation
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a log management program. CC ID 00673 Monitoring and measurement Establish/Maintain Documentation
    Deploy log normalization tools, as necessary. CC ID 12141 Monitoring and measurement Technical Security
    Restrict access to logs to authorized individuals. CC ID 01342 Monitoring and measurement Log Management
    Restrict access to audit trails to a need to know basis. CC ID 11641 Monitoring and measurement Technical Security
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Monitoring and measurement Log Management
    Back up audit trails according to backup procedures. CC ID 11642 Monitoring and measurement Systems Continuity
    Back up logs according to backup procedures. CC ID 01344 Monitoring and measurement Log Management
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Monitoring and measurement Log Management
    Identify hosts with logs that are not being stored. CC ID 06314 Monitoring and measurement Log Management
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Monitoring and measurement Log Management
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Monitoring and measurement Log Management
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Monitoring and measurement Log Management
    Protect logs from unauthorized activity. CC ID 01345 Monitoring and measurement Log Management
    Perform testing and validating activities on all logs. CC ID 06322 Monitoring and measurement Log Management
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Monitoring and measurement Log Management
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Monitoring and measurement Configuration
    Preserve the identity of individuals in audit trails. CC ID 10594 Monitoring and measurement Log Management
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Monitoring and measurement Establish/Maintain Documentation
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Monitoring and measurement Audits and Risk Management
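The log management items above (normalization tooling, keeping restricted data out of logs, copying logs from predefined hosts into a central infrastructure, identifying hosts whose logs are not being stored) and the earlier item on compiling event logs from multiple components into a system-wide time-correlated audit trail describe one pipeline. The following is an added example written for this page, not code from ISO/IEC 20000-1 or from the UCF: it normalizes lines from components that log in different formats and time zones onto one UTC timeline, redacts credentials and card numbers before storage, and reports inventoried hosts that sent nothing. The sample lines, host names and inventory are constructed.

```python
"""Added example, not from ISO/IEC 20000-1 or from the UCF text: it serves the
earlier item on compiling event logs from several components into one
time-correlated audit trail and the log management items here (normalization,
keeping restricted data out of logs, identifying hosts whose logs are not
being stored). Sample lines, host names and the inventory are constructed."""
import json
import re
from datetime import datetime, timezone

# Constructed inputs: (host, raw line). Each component logs in its own format
# and time zone, which is why the central trail must normalize before sorting.
SAMPLE = [
    ("web01", '{"ts": "2024-03-04T10:15:02.450+01:00", "msg": "login ok user=alice"}'),
    ("db01", "2024-03-04 09:15:01,900 UTC WARN auth failed user=bob password=hunter2"),
    ("pay01", '{"ts": "2024-03-04T09:15:03Z", "msg": "charge card=4111111111111111 amount=12.00"}'),
    ("web01", '{"ts": "2024-03-04T10:14:59+01:00", "msg": "session start user=alice"}'),
]
INVENTORY = {"web01", "db01", "pay01", "bastion01"}  # bastion01 should log but sends nothing

TEXT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3}) (\S+) (\w+) (.*)$")
SECRET_RE = re.compile(r"\b(password|passwd|token|secret)=(\S+)", re.IGNORECASE)
PAN_RE = re.compile(r"\b\d{13,19}\b")


def redact(msg: str) -> str:
    """Strip restricted data before it is stored: credentials are removed,
    card numbers are masked to first six and last four digits."""
    msg = SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", msg)
    return PAN_RE.sub(lambda m: m.group(0)[:6] + "*" * (len(m.group(0)) - 10) + m.group(0)[-4:], msg)


def parse_line(host: str, raw: str) -> dict:
    """Turn one raw line into {ts (aware UTC datetime), host, msg}.

    A timestamp without a zone cannot be placed on the shared timeline, so it
    is rejected rather than silently assumed to be local time or UTC.
    """
    if raw.startswith("{"):
        obj = json.loads(raw)
        ts = datetime.fromisoformat(obj["ts"].replace("Z", "+00:00"))
        msg = obj["msg"]
    else:
        m = TEXT_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognized line from {host}: {raw!r}")
        stamp, millis, zone, level, msg = m.groups()
        if zone != "UTC":
            raise ValueError(f"unsupported zone {zone!r} from {host}")
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(
            microsecond=int(millis) * 1000, tzinfo=timezone.utc)
        msg = f"{level} {msg}"
    if ts.tzinfo is None:
        raise ValueError(f"naive timestamp from {host}; cannot correlate")
    return {"ts": ts.astimezone(timezone.utc), "host": host, "msg": redact(msg)}


def build_trail(samples: list) -> list:
    """System-wide trail: every record in UTC, ordered by time then host."""
    records = [parse_line(h, line) for h, line in samples]
    records.sort(key=lambda r: (r["ts"], r["host"]))
    return [{"ts": r["ts"].isoformat(), "host": r["host"], "msg": r["msg"]} for r in records]


def silent_hosts(inventory: set, trail: list) -> list:
    """Inventoried hosts with no records: their logs are not being stored."""
    return sorted(inventory - {r["host"] for r in trail})


if __name__ == "__main__":
    trail = build_trail(SAMPLE)
    for r in trail:
        print(r["ts"], r["host"], r["msg"])
    print("no logs stored from:", silent_hosts(INVENTORY, trail))
```

Two design choices matter for an investigation. Redaction happens in the collector, before the record reaches the central store, so the restricted value never lands on disk or in a backup of the audit trail. And a record whose timestamp carries no zone is rejected instead of guessed, because a silently misplaced event breaks the ordering the whole trail exists to provide.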
    Align corrective actions with the level of environmental impact. CC ID 15193 Monitoring and measurement Business Processes
    Include risks and opportunities in the corrective action plan. CC ID 15178 Monitoring and measurement Establish/Maintain Documentation
    Include environmental aspects in the corrective action plan. CC ID 15177 Monitoring and measurement Establish/Maintain Documentation
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Establish/Maintain Documentation
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Audits and risk management Establish Roles
    Manage supply chain audits. CC ID 01203 Audits and risk management Audits and Risk Management
Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Audits and Risk Management
    Rotate auditors, as necessary. CC ID 15589 Audits and risk management Audits and Risk Management
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Audits and risk management Establish Roles
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Audits and risk management Establish Roles
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Establish Roles
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Audits and risk management Establish Roles
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Audits and risk management Establish Roles
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Audits and risk management Establish Roles
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Audits and risk management Establish Roles
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and risk management Audits and Risk Management
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Audits and risk management Establish/Maintain Documentation
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Audits and risk management Establish/Maintain Documentation
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Audits and risk management Establish/Maintain Documentation
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Audits and risk management Establish/Maintain Documentation
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Audits and risk management Establish/Maintain Documentation
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Audits and risk management Establish/Maintain Documentation
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Audits and risk management Establish/Maintain Documentation
    Review the external audit scope, as necessary. CC ID 01202 Audits and risk management Audits and Risk Management
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Audits and risk management Establish/Maintain Documentation
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Audits and risk management Establish/Maintain Documentation
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Audits and risk management Establish/Maintain Documentation
    Review the external auditor's qualifications. CC ID 01197 Audits and risk management Audits and Risk Management
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and risk management Audits and Risk Management
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Audits and risk management Establish/Maintain Documentation
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Audits and risk management Establish/Maintain Documentation
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Audits and risk management Behavior
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Audits and risk management Behavior
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Audits and risk management Establish/Maintain Documentation
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an audit program. CC ID 00684
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain audit policies. CC ID 13166 Audits and risk management Establish/Maintain Documentation
    Assign the audit to impartial auditors. CC ID 07118
    [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)]
    Audits and risk management Establish Roles
    Define what constitutes a threat to independence. CC ID 16824 Audits and risk management Audits and Risk Management
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Audits and risk management Behavior
    Include resource requirements in the audit program. CC ID 15237 Audits and risk management Establish/Maintain Documentation
    Include risks and opportunities in the audit program. CC ID 15236 Audits and risk management Establish/Maintain Documentation
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and risk management Audits and Risk Management
    Establish and maintain audit terms. CC ID 13880 Audits and risk management Establish/Maintain Documentation
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Audits and risk management Process or Activity
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Audits and risk management Establish/Maintain Documentation
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an in scope system description. CC ID 14873 Audits and risk management Establish/Maintain Documentation
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and risk management Audits and Risk Management
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and risk management Audits and Risk Management
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and risk management Audits and Risk Management
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and risk management Audits and Risk Management
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and risk management Audits and Risk Management
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and risk management Audits and Risk Management
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Audits and risk management Establish/Maintain Documentation
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Audits and risk management Establish/Maintain Documentation
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Audits and risk management Establish/Maintain Documentation
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and risk management Audits and Risk Management
    Include changes in the audit assertion's in scope system description. CC ID 14894 Audits and risk management Establish/Maintain Documentation
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Audits and risk management Establish/Maintain Documentation
    Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 Audits and risk management Establish/Maintain Documentation
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Audits and risk management Establish/Maintain Documentation
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Audits and risk management Establish/Maintain Documentation
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Audits and risk management Establish/Maintain Documentation
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Audits and risk management Establish/Maintain Documentation
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Audits and risk management Establish/Maintain Documentation
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Audits and risk management Establish/Maintain Documentation
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Audits and risk management Establish/Maintain Documentation
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Audits and risk management Establish/Maintain Documentation
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Audits and risk management Establish/Maintain Documentation
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Audits and risk management Establish/Maintain Documentation
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Audits and risk management Establish/Maintain Documentation
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Audits and risk management Establish/Maintain Documentation
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Audits and risk management Establish/Maintain Documentation
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Audits and risk management Establish/Maintain Documentation
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Audits and risk management Establish/Maintain Documentation
    Include commitments to third parties in the audit assertion. CC ID 14899 Audits and risk management Establish/Maintain Documentation
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Audits and risk management Establish/Maintain Documentation
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Audits and risk management Establish/Maintain Documentation
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Audits and risk management Establish/Maintain Documentation
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and risk management Audits and Risk Management
    Identify personnel who should attend the closing meeting. CC ID 15261 Audits and risk management Business Processes
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and risk management Audits and Risk Management
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)]
    Audits and risk management Establish/Maintain Documentation
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Audits and risk management Establish/Maintain Documentation
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit program. CC ID 07103
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the importance of the processes concerned; § 9.2.2 ¶ 1(a)(1)]
    Audits and risk management Establish/Maintain Documentation
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Investigate
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Audits and risk management Establish/Maintain Documentation
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Audits and risk management Establish/Maintain Documentation
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Audits and risk management Establish/Maintain Documentation
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Audits and Risk Management
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Audits and risk management Establish/Maintain Documentation
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Audits and Risk Management
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Establish/Maintain Documentation
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Audits and risk management Establish/Maintain Documentation
    Provide a representation letter in support of the audit assertion. CC ID 07158 Audits and risk management Establish/Maintain Documentation
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Audits and Risk Management
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Establish/Maintain Documentation
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Establish/Maintain Documentation
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Establish/Maintain Documentation
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Establish/Maintain Documentation
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Audits and risk management Establish/Maintain Documentation
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Audits and risk management Establish/Maintain Documentation
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Audits and risk management Establish/Maintain Documentation
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Audits and risk management Establish/Maintain Documentation
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Audits and risk management Establish/Maintain Documentation
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Establish/Maintain Documentation
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Establish/Maintain Documentation
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Establish/Maintain Documentation
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Establish/Maintain Documentation
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Establish/Maintain Documentation
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Establish/Maintain Documentation
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Establish/Maintain Documentation
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Establish/Maintain Documentation
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Establish/Maintain Documentation
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Establish/Maintain Documentation
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Establish/Maintain Documentation
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Establish/Maintain Documentation
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Establish/Maintain Documentation
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Establish/Maintain Documentation
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Establish/Maintain Documentation
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Establish/Maintain Documentation
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Audits and risk management Establish/Maintain Documentation
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Communicate
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Audits and risk management Establish/Maintain Documentation
    Include how access to in scope systems, personnel, and in scope records is provided to the auditor in the audit terms. CC ID 06988 Audits and risk management Establish/Maintain Documentation
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)]
    Audits and risk management Audits and Risk Management
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Audits and risk management Establish/Maintain Documentation
    Include the expectations for the audit report in the audit terms. CC ID 07148 Audits and risk management Establish/Maintain Documentation
    Establish and maintain a practitioner's report on management's assertions, as necessary. CC ID 13888 Audits and risk management Establish/Maintain Documentation
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Audits and risk management Communicate
    Include materiality levels in the audit terms. CC ID 01238 Audits and risk management Establish/Maintain Documentation
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: changes affecting the organization; § 9.2.2 ¶ 1(a)(2)]
    Audits and risk management Establish/Maintain Documentation
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Audits and risk management Establish/Maintain Documentation
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Audits and risk management Business Processes
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Audits and risk management Business Processes
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Behavior
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Audits and Risk Management
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Business Processes
    Audit in scope audit items and compliance documents. CC ID 06730
    [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the organization's own requirements for its SMS; § 9.2.1 ¶ 1(a)(1)
    The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the requirements of this document; § 9.2.1 ¶ 1(a)(2)
    The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: is effectively implemented and maintained. § 9.2.1 ¶ 1(b)
    The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)]
    Audits and risk management Audits and Risk Management
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ (e)]
    Audits and risk management Actionable Reports or Measurements
    Document any after the fact changes to the engagement file. CC ID 07002 Audits and risk management Establish/Maintain Documentation
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Audits and risk management Establish/Maintain Documentation
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Audits and risk management Establish/Maintain Documentation
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Audits and risk management Records Management
    Conduct onsite inspections, as necessary. CC ID 16199 Audits and risk management Testing
    Audit policies, standards, and procedures. CC ID 12927 Audits and risk management Audits and Risk Management
    Edit the audit assertion for accuracy. CC ID 07030 Audits and risk management Establish/Maintain Documentation
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Audits and risk management Establish/Maintain Documentation
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Process or Activity
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Audits and risk management Establish/Maintain Documentation
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112
    [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: § 9.2.1 ¶ 1]
    Audits and risk management Testing
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Audits and Risk Management
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Audits and Risk Management
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Audits and Risk Management
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Audits and Risk Management
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management Audits and Risk Management
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Audits and risk management Communicate
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Audits and risk management Testing
    Establish, implement, and maintain interview procedures. CC ID 16282 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the interview procedures. CC ID 16297 Audits and risk management Human Resources Management
    Coordinate the scheduling of interviews. CC ID 16293 Audits and risk management Process or Activity
    Create a schedule for the interviews. CC ID 16292 Audits and risk management Process or Activity
    Identify interviewees. CC ID 16290 Audits and risk management Process or Activity
    Explain the testing results to the interviewee. CC ID 16291 Audits and risk management Process or Activity
    Establish and maintain work papers, as necessary. CC ID 13891 Audits and risk management Establish/Maintain Documentation
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Audits and risk management Establish/Maintain Documentation
    Include audit irregularities in the work papers. CC ID 16774 Audits and risk management Establish/Maintain Documentation
    Include corrective actions in the work papers. CC ID 16771 Audits and risk management Establish/Maintain Documentation
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Audits and risk management Establish/Maintain Documentation
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Audits and risk management Establish/Maintain Documentation
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Audits and risk management Establish/Maintain Documentation
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and risk management Audits and Risk Management
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Audits and risk management Establish/Maintain Documentation
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Audits and risk management Establish/Maintain Documentation
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Audits and risk management Establish/Maintain Documentation
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Audits and risk management Establish/Maintain Documentation
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and risk management Audits and Risk Management
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Audits and risk management Establish/Maintain Documentation
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Audits and risk management Establish/Maintain Documentation
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Audits and risk management Monitor and Evaluate Occurrences
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Audits and risk management Establish Roles
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Audits and risk management Business Processes
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Audits and risk management Monitor and Evaluate Occurrences
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Audits and risk management Business Processes
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Audits and risk management Process or Activity
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Audits and risk management Establish/Maintain Documentation
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and risk management Audits and Risk Management
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Audits and risk management Business Processes
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and risk management Audits and Risk Management
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Audits and risk management Establish/Maintain Documentation
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Audits and risk management Establish/Maintain Documentation
    Establish and maintain organizational audit reports. CC ID 06731
    [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ (e)
    The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Audits and risk management Establish/Maintain Documentation
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Audits and Risk Management
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Establish/Maintain Documentation
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Establish/Maintain Documentation
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Audits and risk management Establish/Maintain Documentation
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Establish/Maintain Documentation
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Establish/Maintain Documentation
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Establish/Maintain Documentation
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Establish/Maintain Documentation
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Establish/Maintain Documentation
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Establish/Maintain Documentation
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Establish/Maintain Documentation
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Establish/Maintain Documentation
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Establish/Maintain Documentation
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Actionable Reports or Measurements
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Actionable Reports or Measurements
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Establish/Maintain Documentation
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Actionable Reports or Measurements
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Establish/Maintain Documentation
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Establish/Maintain Documentation
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Establish/Maintain Documentation
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Establish/Maintain Documentation
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Actionable Reports or Measurements
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Audits and risk management Establish/Maintain Documentation
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Audits and risk management Establish/Maintain Documentation
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Establish/Maintain Documentation
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Establish/Maintain Documentation
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Establish/Maintain Documentation
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Establish/Maintain Documentation
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Audits and risk management Establish/Maintain Documentation
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Audits and risk management Establish/Maintain Documentation
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Audits and risk management Establish/Maintain Documentation
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Establish/Maintain Documentation
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Establish/Maintain Documentation
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Establish/Maintain Documentation
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Establish/Maintain Documentation
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Establish/Maintain Documentation
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Establish/Maintain Documentation
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Establish/Maintain Documentation
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Audits and Risk Management
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Audits and risk management Establish/Maintain Documentation
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Audits and risk management Establish/Maintain Documentation
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Establish/Maintain Documentation
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Establish/Maintain Documentation
    Include recommended corrective actions in the audit report. CC ID 16197 Audits and risk management Establish/Maintain Documentation
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Establish/Maintain Documentation
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Establish/Maintain Documentation
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Establish/Maintain Documentation
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Establish/Maintain Documentation
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Establish/Maintain Documentation
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Audits and Risk Management
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Establish/Maintain Documentation
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Establish/Maintain Documentation
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Actionable Reports or Measurements
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Audits and risk management Establish/Maintain Documentation
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Audits and risk management Establish/Maintain Documentation
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Audits and risk management Establish/Maintain Documentation
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Audits and risk management Establish/Maintain Documentation
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Audits and risk management Establish/Maintain Documentation
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Establish/Maintain Documentation
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and risk management Audits and Risk Management
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Audits and risk management Establish/Maintain Documentation
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Audits and Risk Management
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Behavior
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Establish/Maintain Documentation
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Establish/Maintain Documentation
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Establish/Maintain Documentation
    Include an audit opinion in the audit report. CC ID 07017 Audits and risk management Establish/Maintain Documentation
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Establish/Maintain Documentation
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Audits and risk management Establish/Maintain Documentation
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Establish/Maintain Documentation
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Audits and risk management Establish/Maintain Documentation
    Include the organization's privacy practices in the audit report. CC ID 07029 Audits and risk management Establish/Maintain Documentation
    Include items that pertain to third parties in the audit report. CC ID 07008 Audits and risk management Establish/Maintain Documentation
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Establish/Maintain Documentation
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Audits and risk management Establish/Maintain Documentation
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Audits and risk management Establish/Maintain Documentation
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Audits and risk management Establish/Maintain Documentation
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Audits and risk management Establish/Maintain Documentation
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Audits and risk management Establish/Maintain Documentation
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Actionable Reports or Measurements
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Audits and risk management Establish/Maintain Documentation
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Audits and risk management Establish/Maintain Documentation
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Audits and risk management Human Resources Management
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Communicate
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Communicate
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Behavior
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Establish/Maintain Documentation
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Establish/Maintain Documentation
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Audits and risk management Business Processes
    Accept the audit report. CC ID 07025 Audits and risk management Establish/Maintain Documentation
    Assign responsibility for remediation actions. CC ID 13622 Audits and risk management Human Resources Management
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Audits and risk management Establish/Maintain Documentation
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Establish/Maintain Documentation
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Establish/Maintain Documentation
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Establish/Maintain Documentation
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Establish/Maintain Documentation
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Establish/Maintain Documentation
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Establish/Maintain Documentation
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Establish/Maintain Documentation
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Establish/Maintain Documentation
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Establish/Maintain Documentation
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Establish/Maintain Documentation
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Establish/Maintain Documentation
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Establish/Maintain Documentation
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Communicate
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk management program. CC ID 12051
    [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)
    The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)]
    Audits and risk management Establish/Maintain Documentation
    Include the scope of risk management activities in the risk management program. CC ID 13658 Audits and risk management Establish/Maintain Documentation
    Integrate the risk management program with the organization's business activities. CC ID 13661 Audits and risk management Business Processes
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Audits and risk management Business Processes
    Include managing mobile risks in the risk management program. CC ID 13535 Audits and risk management Establish/Maintain Documentation
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and risk management Audits and Risk Management
    Include regular updating in the risk management system. CC ID 14990 Audits and risk management Business Processes
    Establish, implement, and maintain risk management strategies. CC ID 13209 Audits and risk management Establish/Maintain Documentation
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Audits and risk management Establish/Maintain Documentation
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Data and Information Management
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Audits and risk management Establish/Maintain Documentation
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Audits and risk management Establish/Maintain Documentation
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 Audits and risk management Establish Roles
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Establish/Maintain Documentation
    Address past incidents in the risk assessment program. CC ID 12743 Audits and risk management Audits and Risk Management
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Audits and risk management Establish/Maintain Documentation
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Audits and risk management Establish/Maintain Documentation
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [The organization shall determine and document: risks related to: not meeting the service requirements; § 6.1.2 ¶ 1(a)(2)]
    Audits and risk management Audits and Risk Management
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain insurance requirements. CC ID 16562 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Audits and risk management Communicate
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Audits and risk management Communicate
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Audits and risk management Business Processes
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Audits and risk management Business Processes
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 Audits and risk management Business Processes
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Audits and risk management Process or Activity
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Establish/Maintain Documentation
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Audits and risk management Establish/Maintain Documentation
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Establish/Maintain Documentation
    Include a risk assessment of data subjects' rights in the Data Protection Impact Assessment. CC ID 12674 Audits and risk management Establish/Maintain Documentation
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Audits and risk management Communicate
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Establish/Maintain Documentation
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Audits and risk management Establish/Maintain Documentation
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Audits and risk management Establish/Maintain Documentation
    Use the risk taxonomy when managing risk. CC ID 12280 Audits and risk management Behavior
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Audits and risk management Establish/Maintain Documentation
    Include compliance requirements in the risk assessment policy. CC ID 14121 Audits and risk management Establish/Maintain Documentation
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Audits and risk management Establish/Maintain Documentation
    Include management commitment in the risk assessment policy. CC ID 14119 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Audits and risk management Establish/Maintain Documentation
    Include the scope in the risk assessment policy. CC ID 14117 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the risk assessment policy. CC ID 14116 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Audits and risk management Communicate
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Audits and risk management Establish/Maintain Documentation
    Analyze the organization's information security environment. CC ID 13122 Audits and risk management Technical Security
    Document cybersecurity risks. CC ID 12281 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Audits and risk management Establish/Maintain Documentation
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Audits and risk management Human Resources Management
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and risk management Audits and Risk Management
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Audits and risk management Establish/Maintain Documentation
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Audits and risk management Establish/Maintain Documentation
    Document organizational risk criteria. CC ID 12277 Audits and risk management Establish/Maintain Documentation
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Audits and risk management Technical Security
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and risk management Audits and Risk Management
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and risk management Audits and Risk Management
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Audits and risk management Establish/Maintain Documentation
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and risk management Audits and Risk Management
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Business Processes
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and risk management Audits and Risk Management
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Audits and risk management Establish/Maintain Documentation
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Audits and risk management Establish/Maintain Documentation
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Audits and risk management Establish/Maintain Documentation
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Audits and risk management Establish/Maintain Documentation
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Audits and risk management Establish/Maintain Documentation
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Audits and risk management Establish/Maintain Documentation
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and risk management Audits and Risk Management
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Audits and risk management Communicate
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Audits and risk management Establish/Maintain Documentation
    Perform risk assessments for all target environments, as necessary. CC ID 06452 [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1] Audits and risk management Testing
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Establish/Maintain Documentation
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Establish/Maintain Documentation
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Establish/Maintain Documentation
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Audits and Risk Management
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Audits and Risk Management
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Audits and Risk Management
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Establish/Maintain Documentation
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Communicate
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Communicate
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Audits and risk management Business Processes
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 Audits and risk management Behavior
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Audits and Risk Management
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Audits and risk management Establish/Maintain Documentation
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Audits and risk management Establish/Maintain Documentation
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Audits and risk management Establish/Maintain Documentation
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Audits and risk management Establish/Maintain Documentation
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Audits and risk management Establish/Maintain Documentation
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Audits and risk management Communicate
    Establish, implement, and maintain a risk register. CC ID 14828 Audits and risk management Establish/Maintain Documentation
    Document organizational risk tolerance in a risk register. CC ID 09961 Audits and risk management Establish/Maintain Documentation
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Audits and risk management Business Processes
    Review the Business Impact Analysis, as necessary. CC ID 12774 Audits and risk management Business Processes
    Analyze and quantify the risks to in scope systems and information. CC ID 00701 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: prevent, or reduce, undesired effects; § 6.1.1 ¶ 1(b); The organization shall determine and document: risks related to: the organization; § 6.1.2 ¶ 1(a)(1)] Audits and risk management Audits and Risk Management
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)] Audits and risk management Audits and Risk Management
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Audits and Risk Management
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [The organization shall determine and document: risk acceptance criteria; § 6.1.2 ¶ 1(c)] Audits and risk management Establish/Maintain Documentation
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Investigate
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Behavior
    Document the results of the gap analysis. CC ID 16271 Audits and risk management Establish/Maintain Documentation
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1] Audits and risk management Audits and Risk Management
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Audits and Risk Management
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain a risk treatment plan. CC ID 11983 Audits and risk management Establish/Maintain Documentation
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Audits and risk management Establish/Maintain Documentation
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and risk management Audits and Risk Management
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and risk management Audits and Risk Management
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and risk management Audits and Risk Management
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Audits and risk management Establish/Maintain Documentation
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Audits and risk management Establish/Maintain Documentation
    Include change control processes in the risk treatment plan. CC ID 11981 Audits and risk management Establish/Maintain Documentation
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Audits and risk management Establish/Maintain Documentation
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Audits and risk management Establish/Maintain Documentation
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Establish/Maintain Documentation
    Include risk assessment results in the risk treatment plan. CC ID 11978 Audits and risk management Establish/Maintain Documentation
    Include a description of usage in the risk treatment plan. CC ID 11977 Audits and risk management Establish/Maintain Documentation
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Audits and risk management Communicate
    Approve the risk treatment plan. CC ID 13495 Audits and risk management Audits and Risk Management
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Audits and risk management Establish/Maintain Documentation
    Review and approve the risk assessment findings. CC ID 06485 [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)] Audits and risk management Establish/Maintain Documentation
    Include risk responses in the risk management program. CC ID 13195 Audits and risk management Establish/Maintain Documentation
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Audits and risk management Business Processes
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Audits and risk management Establish/Maintain Documentation
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Audits and risk management Establish/Maintain Documentation
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Business Processes
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and risk management Audits and Risk Management
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Audits and risk management Establish/Maintain Documentation
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Audits and risk management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Audits and risk management Communicate
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Audits and risk management Communicate
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 Audits and risk management Establish/Maintain Documentation
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Establish/Maintain Documentation
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Audits and risk management Communicate
    Evaluate the cyber insurance market. CC ID 12695 Audits and risk management Business Processes
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Audits and risk management Business Processes
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Business Processes
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Audits and risk management Establish/Maintain Documentation
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Audits and risk management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Audits and risk management Establish/Maintain Documentation
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Audits and risk management Establish/Maintain Documentation
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Audits and risk management Establish/Maintain Documentation
    Include management commitment in the supply chain risk management policy. CC ID 14709 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Audits and risk management Establish/Maintain Documentation
    Include the scope in the supply chain risk management policy. CC ID 14707 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the supply chain risk management policy. CC ID 14706 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Audits and risk management Communicate
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Establish/Maintain Documentation
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Audits and risk management Establish/Maintain Documentation
    Include dates in the supply chain risk management plan. CC ID 15617 Audits and risk management Establish/Maintain Documentation
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Audits and risk management Establish/Maintain Documentation
    Include supply chain risk management procedures in the risk management program. CC ID 13190 [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3] Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Audits and risk management Communicate
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Audits and risk management Human Resources Management
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Audits and risk management Communicate
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Control access rights to organizational assets. CC ID 00004 [The organization shall define and manage the interfaces with the external supplier. § 8.3.4.1 ¶ 4] Technical security Technical Security
    Configure access control lists in accordance with organizational standards. CC ID 16465 Technical security Configuration
    Add all devices requiring access control to the Access Control List. CC ID 06264 Technical security Establish/Maintain Documentation
    Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical security Technical Security
    Define roles for information systems. CC ID 12454 Technical security Human Resources Management
    Define access needs for each role assigned to an information system. CC ID 12455 Technical security Human Resources Management
    Define access needs for each system component of an information system. CC ID 12456 Technical security Technical Security
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical security Technical Security
    Establish access rights based on least privilege. CC ID 01411 Technical security Technical Security
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Technical Security
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Technical Security
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Configuration
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical security Technical Security
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Configuration
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical security Technical Security
    Establish, implement, and maintain session lock capabilities. CC ID 01417 Technical security Configuration
    Limit concurrent sessions according to account type. CC ID 01416 Technical security Configuration
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical security Technical Security
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Technical security Configuration
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Technical security Configuration
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Technical security Configuration
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Technical security Configuration
    Enable access control for objects and users on each system. CC ID 04553 Technical security Configuration
    Include all system components in the access control system. CC ID 11939 Technical security Technical Security
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Technical security Process or Activity
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical security Technical Security
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical security Technical Security
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical security Technical Security
    Include the objects and users subject to access control in the security policy. CC ID 11836 Technical security Establish/Maintain Documentation
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Establish Roles
    Enforce access restrictions for change control. CC ID 01428 Technical security Technical Security
    Enforce access restrictions for restricted data. CC ID 01921 Technical security Data and Information Management
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical security Technical Security
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical security Technical Security
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Technical security Establish/Maintain Documentation
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Establish/Maintain Documentation
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical security Technical Security
    Display previous logon information in the logon banner. CC ID 01415 Technical security Configuration
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Technical security Establish/Maintain Documentation
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical security Technical Security
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a continuity framework. CC ID 00732 Operational and Systems Continuity Establish/Maintain Documentation
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain a continuity plan. CC ID 00752 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: § 8.7.2 ¶ 2; At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] Operational and Systems Continuity Establish/Maintain Documentation
    Identify all stakeholders in the continuity plan. CC ID 13256 Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Communicate
    Maintain normal security levels when an emergency occurs. CC ID 06377 Operational and Systems Continuity Systems Continuity
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Operational and Systems Continuity Systems Continuity
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Operational and Systems Continuity Human Resources Management
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Operational and Systems Continuity Establish/Maintain Documentation
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Operational and Systems Continuity Establish/Maintain Documentation
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Operational and Systems Continuity Human Resources Management
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Systems Continuity
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Configuration
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Establish/Maintain Documentation
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Behavior
    Include the continuity strategy in the continuity plan. CC ID 13189 Operational and Systems Continuity Establish/Maintain Documentation
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)] Operational and Systems Continuity Establish/Maintain Documentation
    Document and use the lessons learned to update the continuity plan. CC ID 10037 [The organization shall report on the cause, impact and recovery when the service continuity plan(s) has been invoked. § 8.7.2 ¶ 5] Operational and Systems Continuity Establish/Maintain Documentation
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Operational and Systems Continuity Technical Security
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Operational and Systems Continuity Process or Activity
    Record business continuity management system performance for posterity. CC ID 12411 Operational and Systems Continuity Monitor and Evaluate Occurrences
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Operational and Systems Continuity Process or Activity
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Operational and Systems Continuity Establish/Maintain Documentation
    Include incident management procedures in the continuity plan. CC ID 13244 Operational and Systems Continuity Establish/Maintain Documentation
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Establish/Maintain Documentation
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Operational and Systems Continuity Establish/Maintain Documentation
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Establish Roles
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Communicate
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Operational and Systems Continuity Establish/Maintain Documentation
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Configuration
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Configuration
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Acquisition/Sale of Assets or Services
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: service recovery requirements; § 8.7.2 ¶ 2(d)] Operational and Systems Continuity Establish/Maintain Documentation
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Operational and Systems Continuity Establish/Maintain Documentation
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Operational and Systems Continuity Systems Continuity
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain damage assessment procedures. CC ID 01267
    [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a recovery plan. CC ID 13288 Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Communicate
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Establish/Maintain Documentation
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Human Resources Management
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Establish/Maintain Documentation
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Establish/Maintain Documentation
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Establish/Maintain Documentation
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Communicate
    Include restoration procedures in the continuity plan. CC ID 01169
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures to be implemented in the event of a major loss of service; § 8.7.2 ¶ 2(b)
    The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures for returning to normal working conditions. § 8.7.2 ¶ 2(e)]
    Operational and Systems Continuity Establish Roles
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Operational and Systems Continuity Establish/Maintain Documentation
    Include the recovery plan in the continuity plan. CC ID 01377 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Communicate
    Disseminate and communicate business functions across multiple facilities using geographic separation. CC ID 10662 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Establish/Maintain Documentation
    Review and prioritize the importance of each business unit. CC ID 01165 Operational and Systems Continuity Systems Continuity
    Review and prioritize the importance of each business process. CC ID 11689 Operational and Systems Continuity Establish/Maintain Documentation
    Document the mean time to failure for system components. CC ID 10684 Operational and Systems Continuity Systems Continuity
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Operational and Systems Continuity Audits and Risk Management
    Include emergency communications procedures in the continuity plan. CC ID 00750
    [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 Operational and Systems Continuity Establish/Maintain Documentation
    Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 Operational and Systems Continuity Systems Continuity
    Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 Operational and Systems Continuity Establish/Maintain Documentation
    Log important conversations conducted during emergencies with third parties. CC ID 12763 Operational and Systems Continuity Log Management
    Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 Operational and Systems Continuity Communicate
    Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 Operational and Systems Continuity Establish/Maintain Documentation
    Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171
    [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745 Operational and Systems Continuity Establish/Maintain Documentation
    Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893
    [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 Operational and Systems Continuity Testing
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Operational and Systems Continuity Testing
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Operational and Systems Continuity Testing
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Operational and Systems Continuity Testing
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 Operational and Systems Continuity Testing
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Operational and Systems Continuity Testing
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Operational and Systems Continuity Testing
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Operational and Systems Continuity Actionable Reports or Measurements
    Approve the continuity plan test results. CC ID 15718 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Establish Roles
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that appropriate levels of authority are assigned for making decisions related to the SMS and the services; § 5.1 ¶ 1(c)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1(l)]
    Human Resources management Establish Roles
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources management Human Resources Management
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Human Resources management Establish/Maintain Documentation
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources management Human Resources Management
    Establish, implement, and maintain candidate selection procedures for the board of directors. CC ID 14782 Human Resources management Establish/Maintain Documentation
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Human Resources management Establish/Maintain Documentation
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources management Human Resources Management
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources management Human Resources Management
    Assign senior management to the role of authorizing official. CC ID 14238 Human Resources management Establish Roles
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources management Human Resources Management
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources management Human Resources Management
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources management Human Resources Management
    Include how risk is perceived by the workforce in the analysis of workforce management. CC ID 12969 Human Resources management Human Resources Management
    Include compensation structures in the analysis of workforce management. CC ID 12902 Human Resources management Human Resources Management
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Establish/Maintain Documentation
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Establish Roles
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Establish Roles
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Establish/Maintain Documentation
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Human Resources Management
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Establish/Maintain Documentation
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Process or Activity
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Establish/Maintain Documentation
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Human Resources Management
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Human Resources Management
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Establish/Maintain Documentation
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Testing
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Human Resources Management
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Human Resources Management
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Human Resources Management
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Communicate
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Human Resources Management
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Establish/Maintain Documentation
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Human Resources Management
    Establish and maintain security clearances. CC ID 01634 Human Resources management Human Resources Management
    Train all personnel and third parties, as necessary. CC ID 00785
    [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)]
    Human Resources management Behavior
    Establish, implement, and maintain an education methodology. CC ID 06671
    [{interested party} Instructions for the fulfilment of service requests shall be made available to persons involved in service request fulfilment. § 8.6.2 ¶ 3
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)]
    Human Resources management Business Processes
    Support certification programs as viable training programs. CC ID 13268 Human Resources management Human Resources Management
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Establish/Maintain Documentation
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Establish/Maintain Documentation
    Submit applications for professional certification. CC ID 16192 Human Resources management Training
    Retrain all personnel, as necessary. CC ID 01362 Human Resources management Behavior
    Tailor training to meet published guidance on the subject being taught. CC ID 02217
    [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)]
    Human Resources management Behavior
    Tailor training to be taught at each person's level of responsibility. CC ID 06674
    [{be relevant} Persons doing work under the organization's control shall be aware of: the services relevant to their work; § 7.3 ¶ 1(c)
    The organization shall determine and maintain the knowledge necessary to support the operation of the SMS and the services. § 7.6 ¶ 1
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)]
    Human Resources management Behavior
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Behavior
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Behavior
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Human Resources Management
    Review the current published guidance and awareness and training programs. CC ID 01245 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain training plans. CC ID 00828
    [{be usable}{be available}{support}{operation}{SMS and the services} The knowledge shall be relevant, usable and available to appropriate persons. § 7.6 ¶ 2]
    Human Resources management Establish/Maintain Documentation
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Human Resources management Training
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Human Resources management Training
    Develop or acquire content to update the training plans. CC ID 12867 Human Resources management Training
    Designate training facilities in the training plan. CC ID 16200 Human Resources management Training
    Include portions of the visitor control program in the training plan. CC ID 13287 Human Resources management Establish/Maintain Documentation
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources management Human Resources Management
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Human Resources management Training
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources management Human Resources Management
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Human Resources management Training
    Include risk management in the training plan, as necessary. CC ID 13040 Human Resources management Training
    Conduct Archives and Records Management training. CC ID 00975 Human Resources management Behavior
    Conduct personal data processing training. CC ID 13757 Human Resources management Training
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Human Resources management Training
    Include the cloud service usage standard in the training plan. CC ID 13039 Human Resources management Training
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Establish/Maintain Documentation
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Human Resources management Establish/Maintain Documentation
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Communicate
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Establish/Maintain Documentation
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Establish/Maintain Documentation
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Establish/Maintain Documentation
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Establish/Maintain Documentation
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Establish/Maintain Documentation
    Include media protection in the security awareness program. CC ID 16368 Human Resources management Training
    Document security awareness requirements. CC ID 12146 Human Resources management Establish/Maintain Documentation
    Include safeguards for information systems in the security awareness program. CC ID 13046 Human Resources management Establish/Maintain Documentation
    Include security policies and security standards in the security awareness program. CC ID 13045 Human Resources management Establish/Maintain Documentation
    Include physical security in the security awareness program. CC ID 16369 Human Resources management Training
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Human Resources management Establish/Maintain Documentation
    Include updates on emerging issues in the security awareness program. CC ID 13184 Human Resources management Training
    Include cybersecurity in the security awareness program. CC ID 13183 Human Resources management Training
    Include implications of non-compliance in the security awareness program. CC ID 16425 Human Resources management Training
    Include the acceptable use policy in the security awareness program. CC ID 15487 Human Resources management Training
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Human Resources management Establish/Maintain Documentation
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Establish/Maintain Documentation
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Establish/Maintain Documentation
    Document the goals of the security awareness program. CC ID 12145 Human Resources management Establish/Maintain Documentation
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Establish/Maintain Documentation
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources management Human Resources Management
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Human Resources Management
    Document the scope of the security awareness program. CC ID 12148 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Human Resources management Establish/Maintain Documentation
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Human Resources Management
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Training
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Human Resources management Establish/Maintain Documentation
    Conduct tampering prevention training. CC ID 11875 Human Resources management Training
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Human Resources management Training
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Human Resources management Training
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Human Resources management Training
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Human Resources management Training
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Human Resources management Training
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Human Resources management Training
    Conduct crime prevention training. CC ID 06350 Human Resources management Behavior
    Establish, implement, and maintain a capacity management plan. CC ID 11751
    [The organization shall plan capacity to include: timescales and thresholds for changes to service capacity. § 8.4.3 ¶ 2(c)
    At planned intervals, the organization shall: determine current demand and forecast future demand for services; § 8.4.2 ¶ 1(a)
    {service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2
    The organization shall plan capacity to include: current and forecast capacity based on demand for services; § 8.4.3 ¶ 2(a)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a capacity planning baseline. CC ID 13492
    [{service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 Operational management Business Processes
    Align critical Information Technology resource availability planning with capacity planning. CC ID 01618
    [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)]
    Operational management Business Processes
    Limit any effects of a Denial of Service attack. CC ID 06754 Operational management Technical Security
    Implement network redundancy, as necessary. CC ID 13048 Operational management Systems Continuity
    Establish, implement, and maintain workload forecasting tools. CC ID 00936 Operational management Systems Design, Build, and Implementation
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a positive information control environment. CC ID 00813
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: § 5.1 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that what constitutes value for the organization and its customers is determined; § 5.1 ¶ 1(d)]
    Operational management Business Processes
    Make compliance and governance decisions in a timely manner. CC ID 06490 Operational management Behavior
    Establish, implement, and maintain an internal control framework. CC ID 00820 Operational management Establish/Maintain Documentation
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [Where service level targets are not met, the organization shall identify opportunities for improvement. § 8.3.3 ¶ 4
    At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3
    The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3
    The management review shall include consideration of: opportunities for continual improvement; § 9.3 ¶ 2(d)]
    Operational management Establish/Maintain Documentation
    Include incident response escalation procedures in the internal control framework. CC ID 11745
    [Information security incidents shall be: escalated if needed; § 8.7.3.3 ¶ 1(c)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security policy. CC ID 11740
    [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1]
    Operational management Establish/Maintain Documentation
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Business Processes
    Include business processes in the information security policy. CC ID 16326 Operational management Establish/Maintain Documentation
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Establish/Maintain Documentation
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Establish/Maintain Documentation
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Establish/Maintain Documentation
    Include information security objectives in the information security policy. CC ID 13493 Operational management Establish/Maintain Documentation
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Establish/Maintain Documentation
    Include notification procedures in the information security policy. CC ID 16842 Operational management Establish/Maintain Documentation
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1]
    Operational management Process or Activity
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Business Processes
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Establish/Maintain Documentation
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Communicate
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Establish/Maintain Documentation
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within the: external suppliers, internal suppliers and other interested parties. § 8.7.3.1 ¶ 2(c)
    The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: § 8.7.3.1 ¶ 2
    The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: the organization; § 8.7.3.1 ¶ 2(a)
    The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: customers and users; § 8.7.3.1 ¶ 2(b)]
    Operational management Communicate
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818
    [implementing control of the processes in accordance with the established performance criteria; § 8.1 ¶ 1(b)]
    Operational management Business Processes
    Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 Operational management Process or Activity
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Operational management Process or Activity
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 Operational management Process or Activity
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Operational management Process or Activity
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Operational management Process or Activity
    Analyze the organizational culture. CC ID 12899 Operational management Process or Activity
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Operational management Behavior
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Operational management Business Processes
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Operational management Business Processes
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Operational management Business Processes
    Include skill development in the analysis of the organizational culture. CC ID 12913 Operational management Behavior
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Operational management Behavior
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Operational management Business Processes
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Operational management Behavior
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Operational management Behavior
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1]
    Operational management Establish/Maintain Documentation
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Operational management Communicate
    Review systems for compliance with organizational information security policies. CC ID 12004 Operational management Business Processes
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 Operational management Behavior
    Establish, implement, and maintain a Service Management System. CC ID 13889
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the SMS achieves its intended outcome(s); § 5.1 ¶ 1(i)
    When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: making changes to the SMS, if necessary; § 10.2 ¶ 3(c)
    When a nonconformity occurs, the organization shall: make changes to the SMS, if necessary. § 10.1.1 ¶ 1(e)
    The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1]
    Operational management Business Processes
    Establish and maintain a scope statement for the Service Management System. CC ID 13890
    [The organization shall determine: the relevant requirements of these interested parties. § 4.2 ¶ 1(b)
    When planning how to achieve its service management objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1(a)
    The documented information for the SMS shall include: scope of the SMS; § 7.5.4 ¶ 1(a)
    {service management system} When determining this scope, the organization shall consider: the requirements referred to in 4.2; § 4.3 ¶ 2(b)
    {service management system} When determining this scope, the organization shall consider: the services delivered by the organization. § 4.3 ¶ 2(c)
    The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4
    The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c)
    The organization's SMS shall include: documented information determined by the organization as being necessary for the effectiveness of the SMS. § 7.5.1 ¶ 1(b)
    The organization's SMS shall include: documented information required by this document; § 7.5.1 ¶ 1(a)
    The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3]
    Operational management Establish/Maintain Documentation
    Include the organization's name in the scope statement for the Service Management System. CC ID 13913
    [The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a service management program. CC ID 11388
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    The service management policy shall: be available as documented information; § 5.2.2 ¶ 1(a)
    Other planning activities shall maintain alignment with the service management plan. § 6.3 ¶ 3
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    When planning how to achieve its service management objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1(d)
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be updated as appropriate. § 6.2.1 ¶ 1(f)
    The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5
    At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3
    Top management shall review the organization's SMS and the services, at planned intervals, to ensure their continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1
    The organization shall determine: what needs to be monitored and measured for the SMS and the services; § 9.1 ¶ 1(a)
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Operational management Establish/Maintain Documentation
    Communicate the service management program to interested personnel and affected parties. CC ID 13904
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)
    The service management policy shall: be communicated within the organization; § 5.2.2 ¶ 1(b)
    The service management policy shall: be available to interested parties, as appropriate. § 5.2.2 ¶ 1(c)
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be communicated; § 6.2.1 ¶ 1(e)
    Persons doing work under the organization's control shall be aware of: the service management policy; § 7.3 ¶ 1(a)
    The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4]
    Operational management Communicate
    Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927
    [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7]
    Operational management Communicate
    Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924
    [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7]
    Operational management Communicate
    Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909
    [Persons doing work under the organization's control shall be aware of: the implications of not conforming with the SMS requirements. § 7.3 ¶ 1(e)]
    Operational management Communicate
    Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908
    [Persons doing work under the organization's control shall be aware of: their contribution to the effectiveness of the SMS, including the benefits of improved performance; § 7.3 ¶ 1(d)]
    Operational management Communicate
    Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)]
    Operational management Communicate
    Include a service management plan in the service management program. CC ID 13902
    [The documented information for the SMS shall include: service management plan; § 7.5.4 ¶ 1(c)]
    Operational management Establish/Maintain Documentation
    Include the information security policy in the service management program. CC ID 13925
    [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)]
    Operational management Establish/Maintain Documentation
    Include the change management policy in the service management program. CC ID 13923
    [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)]
    Operational management Establish/Maintain Documentation
    Include the service management objectives in the service management program. CC ID 11389
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a)
    Top management shall establish a service management policy that: provides a framework for setting service management objectives; § 5.2.1 ¶ 1(b)
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be consistent with the service management policy; § 6.2.1 ¶ 1(a)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    {organization level} The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: § 6.2.1 ¶ 1
    The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b)
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: intended outcomes from delivering the new or changed services, expressed in measurable terms; § 8.5.2.1 ¶ 1(g)
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Operational management Establish/Maintain Documentation
    Include the service requirements in the service management program. CC ID 11390
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    Top management shall establish a service management policy that: includes a commitment to satisfy applicable requirements; § 5.2.1 ¶ 1(c)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: take into account applicable requirements; § 6.2.1 ¶ 1(c)
    The documented information for the SMS shall include: service requirements; § 7.5.4 ¶ 1(f)
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    The service requirements for existing services, new services and changes to services shall be determined and documented. § 8.2.2 ¶ 1
    Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: dependencies on other services; § 8.5.2.1 ¶ 1(d)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: § 8.5.2.1 ¶ 1
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Operational management Establish/Maintain Documentation
    Include known limitations in the service management program. CC ID 11391
    [The organization shall determine the boundaries and applicability of the SMS to establish its scope. § 4.3 ¶ 1
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    The service management plan shall include or contain a reference to: known limitations that can impact the SMS and the services; § 6.3 ¶ 2(b)
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2]
    Operational management Establish/Maintain Documentation
    Include service management policies in the service management program. CC ID 11392
    [Top management shall establish a service management policy that: § 5.2.1 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b)
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c)
    Top management shall establish a service management policy that: is appropriate to the purpose of the organization; § 5.2.1 ¶ 1(a)]
    Operational management Establish/Maintain Documentation
    Assign roles and responsibilities in the service management program. CC ID 11393
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: directing and supporting persons to contribute to the effectiveness of the SMS and the services; § 5.1 ¶ 1(j)
    Top management shall assign the responsibility and authority for: ensuring that the SMS conforms to the requirement of this document; § 5.3 ¶ 2(a)
    Top management shall assign the responsibility and authority for: reporting on the performance of the SMS and the services to top management. § 5.3 ¶ 2(b)
    {responsible party} When planning how to achieve its service management objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1(c)
    The organization shall retain accountability for the requirements specified in this document and the delivery of the services regardless of which party is involved in performing activities to support the service lifecycle. § 8.2.3.1 ¶ 1
    Top management shall ensure that the responsibilities and authorities for roles relevant to the SMS and the services are assigned and communicated within the organization. § 5.3 ¶ 1
    The service management plan shall include or contain a reference to: authorities and responsibilities for the SMS and the services § 6.3 ¶ 2(d)
    Persons doing work under the organization's control shall be aware of: the service management objectives; § 7.3 ¶ 1(b)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: authorities and responsibilities for design, build and transition activities; § 8.5.2.1 ¶ 1(a)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: activities to be performed by the organization or other parties with their timescales; § 8.5.2.1 ¶ 1(b)
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: authorities and responsibilities of the parties involved in the delivery of the new or changed services; § 8.5.2.2 ¶ 1(a)
    The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1]
    Operational management Establish/Maintain Documentation
    Include all resources needed to achieve the objectives in the service management program. CC ID 11394
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the resources needed for the SMS and the services are available; § 5.1 ¶ 1(g)
    When planning how to achieve its service management objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1(b)
    {necessary resource} The organization shall determine and provide the human, technical, information and financial resources needed for the establishment, implementation, maintenance and continual improvement of the SMS and the operation of the services to meet the service requirements and achieve the service management objectives. § 7.1 ¶ 1
    The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1
    {new service}{manpower}{technical resource}{information resource} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: human, technical, information and financial resources; § 8.5.2.1 ¶ 1(c)
    {manpower}{technical resource}{information resource} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for changes to human, technical, information and financial resources; § 8.5.2.2 ¶ 1(b)
    {manpower}{technical resource}{information resource}{service requirement} The capacity requirements for human, technical, information and financial resources shall be determined, documented and maintained taking into consideration the service and performance requirements. § 8.4.3 ¶ 1]
    Operational management Establish/Maintain Documentation
    Include supply chain management procedures in the service management program. CC ID 11395
    [The organization shall ensure that outsourced processes are controlled (see 8.2.3). § 8.1 ¶ 3
    Other parties shall not provide or operate all services, service components or processes within the scope of the SMS. § 8.2.3.1 ¶ 3
    The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5]
    Operational management Establish/Maintain Documentation
    Include service management procedures in the service management program. CC ID 11396
    [The documented information for the SMS shall include: processes of the organization's SMS; § 7.5.4 ¶ 1(e)
    {new service} Release and deployment management shall be used to deploy approved new or changed services into the live environment. § 8.5.2.3 ¶ 2
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: testing needed for the new or changed services; § 8.5.2.1 ¶ 1(e)
    The organization shall use service design and transition in 8.5.2 for: removal of a service; § 8.5.1.2 ¶ 2(d)
    For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2
    The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from the organization to a customer or other party; § 8.5.1.2 ¶ 2(e)
    The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from a customer or other party to the organization. § 8.5.1.2 ¶ 2(f)]
    Operational management Establish/Maintain Documentation
    Include risk procedures in the service management program. CC ID 11397
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    {risk management activity} The organization shall plan: how to: integrate and implement the actions into its SMS processes; § 6.1.3 ¶ 1(b)(1)
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: impact on other services; § 8.5.2.2 ¶ 1(f)
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Operational management Establish/Maintain Documentation
    Include continuity plans in the Service Management program. CC ID 13919
    [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)]
    Operational management Establish/Maintain Documentation
    Include all technologies used to support service management in the service management program. CC ID 11398
    [The service management plan shall include or contain a reference to: technology used to support the SMS; § 6.3 ¶ 2(g)
    {necessary resource} The service management plan shall include or contain a reference to: human, technical, information and financial resources necessary to operate the SMS and the services; § 6.3 ¶ 2(e)]
    Operational management Establish/Maintain Documentation
    Include auditing and improving service management procedures in the service management program. CC ID 11399
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: give assurance that the SMS can achieve its intended outcome(s); § 6.1.1 ¶ 1(a)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: promoting continual improvement of the SMS and the services; § 5.1 ¶ 1(k)
    Top management shall establish a service management policy that: includes a commitment to continual improvement of the SMS and the services. § 5.2.1 ¶ 1(d)
    When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: achieve continual improvement of the SMS and the services. § 6.1.1 ¶ 1(c)
    When planning how to achieve its service management objectives, the organization shall determine: how the results will be evaluated. § 6.2.2 ¶ 1(e)
    {continuous basis} The organization shall continually improve the suitability, adequacy and effectiveness of the SMS and the services. § 10.2 ¶ 1
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3]
    Operational management Establish/Maintain Documentation
    Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459 Operational management Communicate
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [{external obligation} /* section 6.3 c. refers to external obligations */ The organization shall ensure that assets used to deliver services are managed to meet the service requirements and the obligations in 6.3 c). § 8.2.5 ¶ 1]
    Operational management Business Processes
    Establish, implement, and maintain an asset management policy. CC ID 15219 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the asset management policy. CC ID 16424 Operational management Business Processes
    Establish, implement, and maintain asset management procedures. CC ID 16748 Operational management Establish/Maintain Documentation
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Operational management Human Resources Management
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Operational management Business Processes
    Include life cycle requirements in the security management program. CC ID 16392 Operational management Establish/Maintain Documentation
    Include program objectives in the asset management program. CC ID 14413 Operational management Establish/Maintain Documentation
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Operational management Establish/Maintain Documentation
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Operational management Business Processes
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Establish/Maintain Documentation
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Systems Design, Build, and Implementation
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Operational management Establish/Maintain Documentation
    Define confidentiality controls. CC ID 01908 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Operational management Establish/Maintain Documentation
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Operational management Process or Activity
    Define integrity controls. CC ID 01909 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Operational management Establish/Maintain Documentation
    Define availability controls. CC ID 01911 Operational management Establish/Maintain Documentation
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 Operational management Establish/Maintain Documentation
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Operational management Communicate
    Classify assets according to the Asset Classification Policy. CC ID 07186 Operational management Establish Roles
    Classify virtual systems by type and purpose. CC ID 16332 Operational management Business Processes
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Operational management Establish/Maintain Documentation
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Operational management Establish Roles
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Operational management Configuration
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an asset inventory. CC ID 06631 Operational management Business Processes
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Operational management Establish/Maintain Documentation
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Establish/Maintain Documentation
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Operational management Systems Design, Build, and Implementation
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Operational management Data and Information Management
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Operational management Establish/Maintain Documentation
    Categorize all major applications according to the business information they process. CC ID 07182 Operational management Establish/Maintain Documentation
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Operational management Establish/Maintain Documentation
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Operational management Establish/Maintain Documentation
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Operational management Establish/Maintain Documentation
    Conduct environmental surveys. CC ID 00690 Operational management Physical and Environmental Protection
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Operational management Establish/Maintain Documentation
    Include network equipment in the Information Technology inventory. CC ID 00693 Operational management Establish/Maintain Documentation
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Operational management Establish/Maintain Documentation
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Operational management Process or Activity
    Include software in the Information Technology inventory. CC ID 00692 Operational management Establish/Maintain Documentation
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Operational management Establish/Maintain Documentation
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Operational management Establish/Maintain Documentation
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Operational management Establish/Maintain Documentation
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Operational management Technical Security
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Technical Security
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Data and Information Management
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Establish/Maintain Documentation
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Data and Information Management
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Data and Information Management
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Establish/Maintain Documentation
    Include source code in the asset inventory. CC ID 14858 Operational management Records Management
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Human Resources Management
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Establish/Maintain Documentation
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Data and Information Management
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Establish/Maintain Documentation
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Establish/Maintain Documentation
    Record the software version in the asset inventory. CC ID 12196 Operational management Establish/Maintain Documentation
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Establish/Maintain Documentation
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Establish/Maintain Documentation
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Establish/Maintain Documentation
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Establish/Maintain Documentation
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Operational management Establish/Maintain Documentation
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Establish/Maintain Documentation
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Establish/Maintain Documentation
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Establish/Maintain Documentation
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Establish/Maintain Documentation
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Data and Information Management
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Establish/Maintain Documentation
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Data and Information Management
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Establish/Maintain Documentation
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Establish/Maintain Documentation
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Establish/Maintain Documentation
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Establish/Maintain Documentation
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Establish/Maintain Documentation
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Establish/Maintain Documentation
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Establish/Maintain Documentation
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Data and Information Management
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Data and Information Management
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Establish/Maintain Documentation
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Operational management Establish/Maintain Documentation
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Establish/Maintain Documentation
    Record all changes to assets in the asset inventory. CC ID 12190 Operational management Establish/Maintain Documentation
    Record cloud service derived data in the asset inventory. CC ID 13007 Operational management Establish/Maintain Documentation
    Include cloud service customer data in the asset inventory. CC ID 13006 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Operational management Establish/Maintain Documentation
    Prevent users from disabling required software. CC ID 16417 Operational management Technical Security
    Establish, implement, and maintain software archives procedures. CC ID 00866 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software license management procedures. CC ID 06639 Operational management Establish/Maintain Documentation
    Automate software license monitoring, as necessary. CC ID 07057 Operational management Monitor and Evaluate Occurrences
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Operational management Establish/Maintain Documentation
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Operational management Behavior
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Operational management Data and Information Management
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Operational management Acquisition/Sale of Assets or Services
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Operational management Establish/Maintain Documentation
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system disposal program. CC ID 14431 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain disposal procedures. CC ID 16513 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Operational management Establish/Maintain Documentation
    Destroy systems in accordance with the system disposal program. CC ID 16457 Operational management Business Processes
    Approve the release of systems and waste material into the public domain. CC ID 16461 Operational management Business Processes
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Operational management Establish/Maintain Documentation
    Establish and maintain maintenance reports. CC ID 11749 Operational management Establish/Maintain Documentation
    Establish and maintain system inspection reports. CC ID 06346 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Operational management Establish/Maintain Documentation
    Include compliance requirements in the system maintenance policy. CC ID 14217 Operational management Establish/Maintain Documentation
    Include management commitment in the system maintenance policy. CC ID 14216 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Operational management Establish/Maintain Documentation
    Include the scope in the system maintenance policy. CC ID 14214 Operational management Establish/Maintain Documentation
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Operational management Communicate
    Include the purpose in the system maintenance policy. CC ID 14187 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Operational management Establish/Maintain Documentation
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Operational management Communicate
    Establish, implement, and maintain a technology refresh plan. CC ID 13061 Operational management Establish/Maintain Documentation
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Operational management Physical and Environmental Protection
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Operational management Behavior
    Use system components only when third party support is available. CC ID 10644 Operational management Maintenance
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Operational management Maintenance
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Business Processes
    Control remote maintenance according to the system's asset classification. CC ID 01433 Operational management Technical Security
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Operational management Configuration
    Approve all remote maintenance sessions. CC ID 10615 Operational management Technical Security
    Log the performance of all remote maintenance. CC ID 13202 Operational management Log Management
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Operational management Technical Security
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Operational management Maintenance
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Maintenance
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Maintenance
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Operational management Behavior
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Operational management Establish/Maintain Documentation
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Operational management Acquisition/Sale of Assets or Services
    Perform periodic maintenance according to organizational standards. CC ID 01435 Operational management Behavior
    Restart systems on a periodic basis. CC ID 16498 Operational management Maintenance
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Maintenance
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Technical Security
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Technical Security
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Human Resources Management
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Operational management Physical and Environmental Protection
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Operational management Establish/Maintain Documentation
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Operational management Process or Activity
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Operational management Business Processes
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Operational management Establish/Maintain Documentation
    Dispose of hardware and software at their life cycle end. CC ID 06278 Operational management Business Processes
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Operational management Business Processes
    Establish, implement, and maintain disposal contracts. CC ID 12199 Operational management Establish/Maintain Documentation
    Include disposal procedures in disposal contracts. CC ID 13905 Operational management Establish/Maintain Documentation
    Remove asset tags prior to disposal of an asset. CC ID 12198 Operational management Business Processes
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Operational management Establish/Maintain Documentation
    Review each system's operational readiness. CC ID 06275 Operational management Systems Design, Build, and Implementation
    Establish, implement, and maintain a data stewardship policy. CC ID 06657 Operational management Establish/Maintain Documentation
    Establish and maintain an unauthorized software list. CC ID 10601 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Assign roles and responsibilities in the customer service program. CC ID 13911
    [The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1]
    Operational management Human Resources Management
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Business Processes
    Include incident escalation procedures in the Incident Management program. CC ID 00856
    [Incidents shall be: escalated if needed; § 8.6.1 ¶ 1(c)]
    Operational management Establish/Maintain Documentation
    Define the characteristics of the Incident Management program. CC ID 00855 Operational management Establish/Maintain Documentation
    Include the criteria for an incident in the Incident Management program. CC ID 12173
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Operational management Establish/Maintain Documentation
    Include detection procedures in the Incident Management program. CC ID 00588 Operational management Establish/Maintain Documentation
    Categorize the incident following an incident response. CC ID 13208
    [{document} Information security incidents shall be: recorded and classified; § 8.7.3.3 ¶ 1(a)
    The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2
    The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3
    Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)]
    Operational management Technical Security
    Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 Operational management Establish/Maintain Documentation
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Data and Information Management
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Communicate
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Communicate
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Establish/Maintain Documentation
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Communicate
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Communicate
    Include incident management procedures in the Incident Management program. CC ID 12689
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain incident management audit logs. CC ID 13514
    [Records of incidents shall be updated with actions taken. § 8.6.1 ¶ 2]
    Operational management Records Management
    Log incidents in the Incident Management audit log. CC ID 00857 Operational management Establish/Maintain Documentation
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Log Management
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Establish/Maintain Documentation
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Operational management Log Management
    Include incident record closure procedures in the Incident Management program. CC ID 01620
    [Information security incidents shall be: closed. § 8.7.3.3 ¶ 1(e)
    Problems shall be: closed. § 8.6.3 ¶ 2(e)
    Incidents shall be: closed. § 8.6.1 ¶ 1(e)]
    Operational management Establish/Maintain Documentation
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Operational management Communicate
    Log help desk queries. CC ID 00848
    [Service requests shall be: recorded and classified; § 8.6.2 ¶ 1(a)]
    Operational management Log Management
    Establish, implement, and maintain help desk query escalation procedures. CC ID 00849
    [Service requests shall be: closed. § 8.6.2 ¶ 1(d)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Establish/Maintain Documentation
    Create an incident response report following an incident response. CC ID 12700 Operational management Establish/Maintain Documentation
    Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720
    [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1]
    Operational management Establish/Maintain Documentation
    Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708
    [Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3]
    Operational management Establish/Maintain Documentation
    Include a root cause analysis of the incident in the incident response report. CC ID 12701
    [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1]
    Operational management Establish/Maintain Documentation
    Mitigate reported incidents. CC ID 12973
    [Problems shall be: resolved if possible; § 8.6.3 ¶ 2(d)]
    Operational management Actionable Reports or Measurements
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Establish/Maintain Documentation
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Operational management Establish Roles
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Establish Roles
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Operational management Establish Roles
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Operational management Establish Roles
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Operational management Establish Roles
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Operational management Establish Roles
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Operational management Establish Roles
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Operational management Establish Roles
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Operational management Establish Roles
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Operational management Establish Roles
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Operational management Establish Roles
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Operational management Human Resources Management
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Operational management Establish/Maintain Documentation
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Operational management Communicate
    Include references to industry best practices in the incident response procedures. CC ID 11956 Operational management Establish/Maintain Documentation
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a performance management standard. CC ID 01615
    [{planning requirement} establishing performance criteria for the processes based on requirements; § 8.1 ¶ 1(a)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 Operational management Business Processes
    Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 Operational management Establish/Maintain Documentation
    Follow the maintenance schedule. CC ID 11791 Operational management Maintenance
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Operational management Business Processes
    Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 Operational management Establish/Maintain Documentation
    Include exceptions in the Service Level Agreements, as necessary. CC ID 13912
    [For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2]
    Operational management Establish/Maintain Documentation
    Include capacity planning in Service Level Agreements. CC ID 13096
    [At planned intervals, the organization shall monitor, review and report on: actual and periodic changes in workload compared to workload limits in the SLA(s). § 8.3.3 ¶ 3(b)
    For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2
    {service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)]
    Operational management Establish/Maintain Documentation
    Include business requirements of delivered services in the Service Level Agreement. CC ID 00840
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: service level targets or other contractual obligations; § 8.3.4.1 ¶ 2(c)]
    Operational management Establish/Maintain Documentation
    Include performance requirements in the Service Level Agreement. CC ID 00841
    [For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a cost management program. CC ID 13638 Operational management Establish/Maintain Documentation
    Update the business cases for cost management procedures, as necessary. CC ID 13642 Operational management Business Processes
    Establish, implement, and maintain a change control program. CC ID 00886
    [{information security policy} Specific policies that would be required include, but not limited to, the following: Change management § 8.5.1
    A change management policy shall be established and documented to define: § 8.5.1.1 ¶ 1
    A change management policy shall be established and documented to define: service components and other items that are under the control of change management; § 8.5.1.1 ¶ 1(a)
    A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b)]
    Operational management Establish/Maintain Documentation
    Include potential consequences of unintended changes in the change control program. CC ID 12243
    [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2]
    Operational management Establish/Maintain Documentation
    Include version control in the change control program. CC ID 13119
    [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3.2(c)]
    Operational management Establish/Maintain Documentation
    Include service design and transition in the change control program. CC ID 13920
    [The organization shall use service design and transition in 8.5.2 for: changes to services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(b)
    The organization shall use service design and transition in 8.5.2 for: new services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(a)]
    Operational management Establish/Maintain Documentation
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Operational management Maintenance
    Integrate configuration management procedures into the change control program. CC ID 13646 Operational management Technical Security
    Establish, implement, and maintain a back-out plan. CC ID 13623
    [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3
    The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4
    {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373
    [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3]
    Operational management Establish/Maintain Documentation
    Manage change requests. CC ID 00887
    [{new service} The organization shall prioritize requests for change and proposals for new or changed services to align with business needs and service management objectives, taking into consideration available resources. § 8.2.2 ¶ 4
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2
    {new service} Assessing, approving, scheduling and reviewing of new or changed services in the scope of 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 3
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: changes to the SMS including new or changed policies, plans, processes, procedures, measures and knowledge; § 8.5.2.2 ¶ 1(e)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1
    Requests for change not being managed through 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 4]
    Operational management Business Processes
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942
    [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: impact on the SMS, other services, planned changes, customers, users and other interested parties. § 8.5.2.1 ¶ 1(h)
    A change management policy shall be established and documented to define: criteria to determine changes with the potential to have a major impact on customers or services. § 8.5.1.1 ¶ 1(c)]
    Operational management Establish/Maintain Documentation
    Establish and maintain a change request approver list. CC ID 06795 Operational management Establish/Maintain Documentation
    Document all change requests in change request forms. CC ID 06794
    [Requests for change, including proposals to add, remove or transfer services, shall be recorded and classified. § 8.5.1.2 ¶ 1
    {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5]
    Operational management Establish/Maintain Documentation
    Approve tested change requests. CC ID 11783
    [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3]
    Operational management Data and Information Management
    Validate the system before implementing approved changes. CC ID 01510 Operational management Systems Design, Build, and Implementation
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807
    [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2
    Following the completion of the transition activities, the organization shall report to interested parties on the achievements against the intended outcomes. § 8.5.2.3 ¶ 3]
    Operational management Behavior
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Operational management Establish/Maintain Documentation
    Perform emergency changes, as necessary. CC ID 12707 Operational management Process or Activity
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Process or Activity
    Log emergency changes after they have been performed. CC ID 12733 Operational management Establish/Maintain Documentation
    Perform risk assessments prior to approving change requests. CC ID 00888
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: capacity, service availability, service continuity and information security; § 8.5.1.3 ¶ 1(d)
    At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: existing services; § 8.5.1.3 ¶ 1(a)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: other requests for change, releases and plans for deployment. § 8.5.1.3 ¶ 1(e)]
    Operational management Testing
    Implement changes according to the change control program. CC ID 11776
    [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2
    Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3
    A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b)
    The organization shall use service design and transition in 8.5.2 for: categories of change that are to be managed by service design and transition according to the change management policy; § 8.5.1.2 ¶ 2(c)]
    Operational management Business Processes
    Provide audit trails for all approved changes. CC ID 13120 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a patch management program. CC ID 00896 Operational management Process or Activity
    Document the sources of all software updates. CC ID 13316 Operational management Establish/Maintain Documentation
    Implement patch management software, as necessary. CC ID 12094 Operational management Technical Security
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Operational management Technical Security
    Establish, implement, and maintain a patch management policy. CC ID 16432 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain patch management procedures. CC ID 15224 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a patch log. CC ID 01642 Operational management Establish/Maintain Documentation
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Operational management Business Processes
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain traceability documentation. CC ID 16388 Operational management Systems Design, Build, and Implementation
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Operational management Behavior
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Operational management Data and Information Management
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain production process control procedures. CC ID 06209 Operational management Establish/Maintain Documentation
    Assign interested personnel and affected parties to service delivery and production process quality improvement projects, as necessary. CC ID 07197 Operational management Establish Roles
    Manage the creation of products and services, as necessary. CC ID 13497
    [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: § 8.5.2.2 ¶ 1
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2]
    Operational management Business Processes
    Define the processing specifications for products and services creation requirements. CC ID 13523 Operational management Establish/Maintain Documentation
    Define the processing activities to meet products and services creation requirements. CC ID 13499
[{new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2]
    Operational management Business Processes
    Delete age-restricted content, as necessary. CC ID 15450 Operational management Process or Activity
    Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 Operational management Establish/Maintain Documentation
    Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 Operational management Process or Activity
    Establish and maintain a service catalog. CC ID 13634
    [The service management plan shall include or contain a reference to: list of services; § 6.3 ¶ 2(a)
    The documented information for the SMS shall include: service catalogue(s); § 7.5.4 ¶ 1(g)
    The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: updates to the service catalogue(s). § 8.5.2.2 ¶ 1(g)]
    Operational management Establish/Maintain Documentation
    Include a service description in the service catalog. CC ID 13917
    [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1]
    Operational management Establish/Maintain Documentation
    Assign unique reference numbers to all services in the service catalog. CC ID 14424 Operational management Establish/Maintain Documentation
    Include service deliverables for each service description in the service catalog. CC ID 13918
    [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1]
    Operational management Establish/Maintain Documentation
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914
    [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1]
    Operational management Establish/Maintain Documentation
    Include Service Level Agreements in the service catalog, as necessary. CC ID 13636
[{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)]
    Operational management Establish/Maintain Documentation
    Include Information Technology services in the service catalog, as necessary. CC ID 13635 Operational management Establish/Maintain Documentation
    Base definitions of Information Technology services on their service characteristics. CC ID 13655 Operational management Establish/Maintain Documentation
    Categorize services in the service catalog. CC ID 14419 Operational management Establish/Maintain Documentation
    Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 Operational management Establish/Maintain Documentation
    Communicate the service catalog to interested personnel and affected parties. CC ID 13910
    [The organization shall provide access to appropriate parts of the service catalogue(s) to its customers, users and other interested parties. § 8.2.4 ¶ 2]
    Operational management Communicate
    Establish, implement, and maintain a Configuration Management program. CC ID 00867
    [{new service} The CIs affected by new or changed services shall be managed through configuration management. § 8.5.2.1 ¶ 4
    {be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3]
    System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863
    [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4]
    System hardening through configuration management Business Processes
    Establish, implement, and maintain appropriate system labeling. CC ID 01900 System hardening through configuration management Establish/Maintain Documentation
    Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 System hardening through configuration management Establish/Maintain Documentation
    Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 System hardening through configuration management Establish/Maintain Documentation
    Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 System hardening through configuration management Configuration
    Establish, implement, and maintain a configuration management policy. CC ID 14023 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain configuration management procedures. CC ID 14074 System hardening through configuration management Establish/Maintain Documentation
    Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 System hardening through configuration management Communicate
    Include compliance requirements in the configuration management policy. CC ID 14072 System hardening through configuration management Establish/Maintain Documentation
    Include coordination amongst entities in the configuration management policy. CC ID 14071 System hardening through configuration management Establish/Maintain Documentation
    Include management commitment in the configuration management policy. CC ID 14070 System hardening through configuration management Establish/Maintain Documentation
    Include roles and responsibilities in the configuration management policy. CC ID 14069 System hardening through configuration management Establish/Maintain Documentation
    Include the scope in the configuration management policy. CC ID 14068 System hardening through configuration management Establish/Maintain Documentation
    Include the purpose in the configuration management policy. CC ID 14067 System hardening through configuration management Establish/Maintain Documentation
    Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 System hardening through configuration management Communicate
    Establish, implement, and maintain a configuration management plan. CC ID 01901 System hardening through configuration management Establish/Maintain Documentation
    Include configuration management procedures in the configuration management plan. CC ID 14248 System hardening through configuration management Establish/Maintain Documentation
    Include roles and responsibilities in the configuration management plan. CC ID 14247 System hardening through configuration management Establish/Maintain Documentation
    Approve the configuration management plan. CC ID 14717 System hardening through configuration management Business Processes
    Establish, implement, and maintain system tracking documentation. CC ID 15266 System hardening through configuration management Establish/Maintain Documentation
    Include prioritization codes in the system tracking documentation. CC ID 15283 System hardening through configuration management Establish/Maintain Documentation
    Include the type and category of the request in the system tracking documentation. CC ID 15281 System hardening through configuration management Establish/Maintain Documentation
    Include contact information in the system tracking documentation. CC ID 15280 System hardening through configuration management Establish/Maintain Documentation
    Include the username in the system tracking documentation. CC ID 15278 System hardening through configuration management Establish/Maintain Documentation
    Include a problem description in the system tracking documentation. CC ID 15276 System hardening through configuration management Establish/Maintain Documentation
    Include affected systems in the system tracking documentation. CC ID 15275 System hardening through configuration management Establish/Maintain Documentation
    Include root causes in the system tracking documentation. CC ID 15274 System hardening through configuration management Establish/Maintain Documentation
    Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 System hardening through configuration management Establish/Maintain Documentation
    Include current status in the system tracking documentation. CC ID 15272 System hardening through configuration management Establish/Maintain Documentation
    Employ the Configuration Management program. CC ID 11904 System hardening through configuration management Configuration
    Record Configuration Management items in the Configuration Management database. CC ID 00861 System hardening through configuration management Establish/Maintain Documentation
    Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946
    [Configuration information shall be made available for other service management activities as appropriate. § 8.2.6 ¶ 5]
    System hardening through configuration management Communicate
    Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 System hardening through configuration management Establish/Maintain Documentation
    Document external connections for all systems. CC ID 06415 System hardening through configuration management Configuration
    Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862
    [Before deployment of a release into the live environment, a baseline of the affected CIs shall be taken. § 8.5.3 ¶ 4]
    System hardening through configuration management Establish/Maintain Documentation
    Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 System hardening through configuration management Establish/Maintain Documentation
    Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 System hardening through configuration management Establish/Maintain Documentation
    Include the applied security patches in the baseline configuration. CC ID 13271 System hardening through configuration management Establish/Maintain Documentation
    Include the installed application software and version numbers in the baseline configuration. CC ID 13270 System hardening through configuration management Establish/Maintain Documentation
    Include installed custom software in the baseline configuration. CC ID 13274 System hardening through configuration management Establish/Maintain Documentation
    Include network ports in the baseline configuration. CC ID 13273 System hardening through configuration management Establish/Maintain Documentation
    Include the operating systems and version numbers in the baseline configuration. CC ID 13269 System hardening through configuration management Establish/Maintain Documentation
    Include backup procedures in the Configuration Management policy. CC ID 01314 System hardening through configuration management Establish/Maintain Documentation
    Identify and document the system's Configurable Items. CC ID 02133
[Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2
The types of CI shall be defined. Services shall be classified as CIs. § 8.2.6 ¶ 1
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: type of CI; § 8.2.6 ¶ 2(b)
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: description of the CI; § 8.2.6 ¶ 2(c)
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: status. § 8.2.6 ¶ 2(e)]
    System hardening through configuration management Establish/Maintain Documentation
    Define the relationships and dependencies between Configurable Items. CC ID 02134
    [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: relationship with other CIs; § 8.2.6 ¶ 2(d)]
    System hardening through configuration management Establish/Maintain Documentation
    Trace each Configurable Item throughout the systems' life cycle. CC ID 02135
    [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: unique identification; § 8.2.6 ¶ 2(a)]
    System hardening through configuration management Establish/Maintain Documentation
    Approve each system's Configurable Items (and changes to those Configurable Items). CC ID 04887 System hardening through configuration management Technical Security
    Request an acknowledgment from the system owner of the system's configuration. CC ID 10602 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Establish/Maintain Documentation
    Configure Logging settings in accordance with organizational standards. CC ID 07611 System hardening through configuration management Configuration
    Configure all logs to capture auditable events or actionable events. CC ID 06332 System hardening through configuration management Configuration
    Configure the log to capture configuration changes. CC ID 06881
    [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3]
    System hardening through configuration management Configuration
    Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 System hardening through configuration management Configuration
    Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 System hardening through configuration management Log Management
    Configure the log to capture all changes to certificates. CC ID 05595 System hardening through configuration management Configuration
    Establish, implement, and maintain records management policies. CC ID 00903
    [Documented information required by the SMS and by this document shall be controlled to ensure: § 7.5.3.1]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 Records management Establish/Maintain Documentation
    Establish, implement, and maintain form disposition procedures. CC ID 06394 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a record classification scheme. CC ID 00914 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a business activity classification standard. CC ID 00915 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a records authentication system. CC ID 11648 Records management Establish/Maintain Documentation
    Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662
[When creating and updating documented information, the organization shall ensure appropriate: identification and description (e.g. a title, date, author or reference number); § 7.5.2 ¶ 1(a)]
    Records management Records Management
    Establish and maintain an index of all official records. CC ID 00918 Records management Establish/Maintain Documentation
    Associate records with their security attributes. CC ID 06764 Records management Records Management
    Reconfigure the security attributes of records as the information changes. CC ID 06765 Records management Configuration
    Establish, implement, and maintain electronic signature requirements. CC ID 06219 Records management Establish/Maintain Documentation
    Implement a signature revocation service. CC ID 14417 Records management Business Processes
    Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 Records management Records Management
    Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 Records management Technical Security
    Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 Records management Technical Security
    Store records and data in accordance with organizational standards. CC ID 16439 Records management Data and Information Management
    Remove dormant data from systems, as necessary. CC ID 13726 Records management Process or Activity
    Select the appropriate format for archived data and records. CC ID 06320
    [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)]
    Records management Data and Information Management
    Archive appropriate records, logs, and database tables. CC ID 06321 Records management Records Management
    Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 Records management Data and Information Management
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 Records management Data and Information Management
    Establish, implement, and maintain storage media retention procedures. CC ID 16277 Records management Establish/Maintain Documentation
Determine how long to keep records and logs before disposing of them. CC ID 11661 Records management Process or Activity
    Retain records in accordance with applicable requirements. CC ID 00968
    [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4
    The organization shall retain documented information on the service management objectives. § 6.2.1 ¶ 2
    The organization shall retain documented information as evidence of: the results of any corrective action. § 10.1.2 ¶ 1(b)
    The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a)
    {monitoring and measurement evaluation result} The organization shall retain appropriate documented information as evidence of the results. § 9.1 ¶ 2]
    Records management Records Management
    Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 Records management Records Management
    Retain all evidence of indebtedness. CC ID 11713 Records management Records Management
    Capture and maintain distribution records. CC ID 06205 Records management Records Management
    Capture and maintain Device Master Records. CC ID 06206 Records management Records Management
    Capture and maintain Device History Records. CC ID 06207 Records management Records Management
    Capture and maintain Quality System Records. CC ID 06208 Records management Records Management
    Capture and maintain logs as official records. CC ID 06319 Records management Log Management
    Capture and maintain all business records, including supporting temporary files. CC ID 06622 Records management Establish/Maintain Documentation
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 Records management Establish/Maintain Documentation
    Supervise media destruction in accordance with organizational standards. CC ID 16456 Records management Business Processes
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 Records management Data and Information Management
Sanitize all electronic storage media before disposing of a system or redeploying a system. CC ID 01643 Records management Data and Information Management
    Degauss as a method of sanitizing electronic storage media. CC ID 00973 Records management Records Management
    Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 Records management Process or Activity
    Use approved media sanitization equipment for destruction. CC ID 16459 Records management Business Processes
    Define each system's disposition requirements for records and logs. CC ID 11651 Records management Process or Activity
    Establish, implement, and maintain records disposition procedures. CC ID 00971
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d)]
    Records management Establish/Maintain Documentation
    Manage the disposition status for all records. CC ID 00972 Records management Records Management
Use a second person to confirm and sign off that manually deleted data was deleted. CC ID 12313 Records management Data and Information Management
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 Records management Records Management
    Place printed records awaiting destruction into secure containers. CC ID 12464 Records management Physical and Environmental Protection
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Records management Physical and Environmental Protection
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Records management Data and Information Management
    Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 Records management Establish/Maintain Documentation
    Maintain disposal records or redeployment records. CC ID 01644
    [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2]
    Records management Establish/Maintain Documentation
    Include the name of the signing officer in the disposal record. CC ID 15710 Records management Establish/Maintain Documentation
    Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 Records management Establish/Maintain Documentation
    Include transfer agreements in the secure record transaction standards. CC ID 14821 Records management Establish/Maintain Documentation
    Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 Records management Establish/Maintain Documentation
    Include receipt of electronic records in the transfer agreement. CC ID 14822 Records management Establish/Maintain Documentation
    Include standards for each data element in the secure record transaction standard. CC ID 06094 Records management Establish/Maintain Documentation
    Establish, implement, and maintain records management procedures. CC ID 11619
    [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2
    For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2]
    Records management Establish/Maintain Documentation
    Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 Records management Records Management
    Process restricted information in a secure environment. CC ID 13058 Records management Process or Activity
    Refrain from creating printed records as copies of electronic records. CC ID 11808 Records management Records Management
    Assign ownership for all electronic records. CC ID 14814 Records management Establish/Maintain Documentation
    Attribute electronic records, as necessary. CC ID 14820 Records management Establish/Maintain Documentation
    Validate transactions using identifiers and credentials. CC ID 13203 Records management Technical Security
    Establish, implement, and maintain a system storage log. CC ID 13532 Records management Records Management
    Establish, implement, and maintain a system input log. CC ID 13531 Records management Establish/Maintain Documentation
    Protect records from loss in accordance with applicable requirements. CC ID 12007
    [Documented information required by the SMS and by this document shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity). § 7.5.3.1(b)]
    Records management Records Management
    Establish, implement, and maintain data completeness controls. CC ID 11649 Records management Process or Activity
    Establish, implement, and maintain authorization records. CC ID 14367 Records management Establish/Maintain Documentation
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Records management Establish/Maintain Documentation
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Records management Establish/Maintain Documentation
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic health records. CC ID 14436 Records management Data and Information Management
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Records management Data and Information Management
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records management Records Management
    Display required information automatically in electronic health records. CC ID 14442 Records management Process or Activity
    Create summary of care records in accordance with applicable standards. CC ID 14440 Records management Establish/Maintain Documentation
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Records management Actionable Reports or Measurements
    Create export summaries, as necessary. CC ID 14446 Records management Process or Activity
    Import data files into a patient's electronic health record. CC ID 14448 Records management Data and Information Management
    Export requested sections of the electronic health record. CC ID 14447 Records management Data and Information Management
    Establish and maintain an implantable device list. CC ID 14444 Records management Records Management
    Display the implantable device list to authorized users. CC ID 14445 Records management Data and Information Management
    Establish, implement, and maintain decision support interventions. CC ID 14443 Records management Business Processes
    Include attributes in the decision support intervention. CC ID 16766 Records management Data and Information Management
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records management Records Management
    Log the termination date in the recordkeeping system. CC ID 16181 Records management Records Management
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records management Records Management
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records management Records Management
    Log records as being received into the recordkeeping system. CC ID 11696 Records management Records Management
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Records management Log Management
    Log the date and time each item is made available into the recordkeeping system. CC ID 11710 Records management Log Management
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Records management Establish/Maintain Documentation
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Records management Log Management
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Records management Log Management
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Records management Log Management
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Records management Log Management
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Records management Log Management
    Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 Records management Log Management
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Records management Log Management
    Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 Records management Log Management
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Records management Log Management
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Records management Log Management
    Log performance monitoring into the recordkeeping system. CC ID 11724 Records management Log Management
    Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 Records management Log Management
    Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 Records management Log Management
    Establish, implement, and maintain a transfer journal. CC ID 11729 Records management Records Management
    Log any notices filed by the organization into the recordkeeping system. CC ID 11725 Records management Log Management
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Records management Log Management
    Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 Records management Log Management
    Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 Records management Log Management
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records management Records Management
    Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 Records management Log Management
    Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 Records management Log Management
    Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 Records management Log Management
    Include record integrity techniques in the records management procedures. CC ID 06418 Records management Establish/Maintain Documentation
    Establish, implement, and maintain data availability controls. CC ID 15301 Records management Data and Information Management
Note the location of the original in electronic records converted from printed records. CC ID 11809 Records management Records Management
    Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 Records management Establish/Maintain Documentation
    Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 Records management Business Processes
    Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 Records management Business Processes
    Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 Records management Business Processes
    Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 Records management Business Processes
    Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 Records management Records Management
    Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 Records management Business Processes
    Establish, implement, and maintain electronic storage media security controls. CC ID 13204 Records management Technical Security
    Use automated entry devices to reduce errors during data input. CC ID 06626 Records management Data and Information Management
    Establish, implement, and maintain data processing integrity controls. CC ID 00923 Records management Establish Roles
    Sanitize user input in accordance with organizational standards. CC ID 16856 Records management Process or Activity
    Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Records management Data and Information Management
    Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 Records management Establish/Maintain Documentation
    Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 Records management Establish/Maintain Documentation
    Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 Records management Establish/Maintain Documentation
    Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Records management Establish/Maintain Documentation
    Establish, implement, and maintain security label procedures. CC ID 06747 Records management Establish/Maintain Documentation
    Label restricted storage media appropriately. CC ID 00966 Records management Data and Information Management
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Records management Establish/Maintain Documentation
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Establish/Maintain Documentation
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Establish/Maintain Documentation
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Establish/Maintain Documentation
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Establish/Maintain Documentation
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Establish/Maintain Documentation
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Data and Information Management
    Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Records management Technical Security
    Establish the minimum originator requirements for security labels. CC ID 06579 Records management Establish/Maintain Documentation
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Records management Establish/Maintain Documentation
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Records management Establish/Maintain Documentation
Establish policy-based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Records management Establish/Maintain Documentation
    Establish and maintain access controls for all records. CC ID 00371
    [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2
    For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)]
    Records management Records Management
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Records management Data and Information Management
    Establish, implement, and maintain a records lifecycle management program. CC ID 00951 Records management Establish/Maintain Documentation
    Establish, implement, and maintain an information preservation policy. CC ID 16483 Records management Establish/Maintain Documentation
    Establish, implement, and maintain information preservation procedures. CC ID 06277
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)]
    Records management Establish/Maintain Documentation
    Implement and maintain high availability storage, as necessary. CC ID 00952 Records management Technical Security
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records management Records Management
    Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 Records management Records Management
    Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 Records management Records Management
    Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Records management Establish/Maintain Documentation
    Establish, implement, and maintain online storage controls. CC ID 00942 Records management Technical Security
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)]
    Records management Records Management
    Provide encryption for different types of electronic storage media. CC ID 00945 Records management Technical Security
    Implement electronic storage media integrity controls. CC ID 00946 Records management Configuration
    Automate electronic storage media integrity check controls. CC ID 00948 Records management Configuration
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Records management Configuration
    Establish, implement, and maintain a removable storage media log. CC ID 12317 Records management Log Management
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Records management Establish/Maintain Documentation
    Include the date and time in the removable storage media log. CC ID 12318 Records management Establish/Maintain Documentation
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Records management Establish/Maintain Documentation
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Records management Establish/Maintain Documentation
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Records management Establish/Maintain Documentation
    Include the sender's name in the removable storage media log. CC ID 12752 Records management Establish/Maintain Documentation
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Records management Establish/Maintain Documentation
    Include the reason for transfer in the removable storage media log. CC ID 12316 Records management Establish/Maintain Documentation
    Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 Records management Process or Activity
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Records management Establish/Maintain Documentation
    Establish, implement, and maintain output distribution procedures. CC ID 00927
    [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)]
    Records management Establish/Maintain Documentation
    Include printed output in output distribution procedures. CC ID 13477 Records management Establish/Maintain Documentation
    Establish, implement, and maintain document retention procedures. CC ID 11660
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d)
    The organization shall retain documented information as evidence of: § 10.1.2 ¶ 1]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 Records management Establish/Maintain Documentation
    Establish and maintain an error suspense file for rejected transactions. CC ID 06623 Records management Records Management
    Establish and maintain reconciliation audit trails. CC ID 11647 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a data processing output log. CC ID 06624 Records management Log Management
    Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 Records management Establish/Maintain Documentation
    Review and approve output exceptions. CC ID 06625 Records management Records Management
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Systems design, build, and implementation Establish/Maintain Documentation
    Assess the continuity requirements during the planning and development stage for new products and services. CC ID 12779
[At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1]
    Systems design, build, and implementation Process or Activity
    Initiate the System Development Life Cycle implementation phase. CC ID 06268 Systems design, build, and implementation Systems Design, Build, and Implementation
    Manage the system implementation process. CC ID 01115 Systems design, build, and implementation Behavior
    Establish, implement, and maintain a product and service release log. CC ID 13705
[The organization shall define the types of release, including emergency release, their frequency and how they are to be managed. § 8.5.3 ¶ 1
Records of service requests shall be updated with actions taken. § 8.6.2 ¶ 2]
    Systems design, build, and implementation Establish/Maintain Documentation
    Include the name of the person authorizing the release of products and services in the product and service release log. CC ID 13707 Systems design, build, and implementation Establish/Maintain Documentation
    Plan for selling facilities, technology, or services. CC ID 06893
[For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3]
    Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Refrain from providing products and services, as necessary. CC ID 15580 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Determine if there is a need for the product or service being sold. CC ID 06894 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Identify new business opportunities based on product or service need, the business strategy, and action plan. CC ID 06901 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a product or service pricing program. CC ID 13676 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Provide identification mechanisms for the organization's supply chain members. CC ID 12201 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain customer terms and conditions. CC ID 13666 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Refrain from charging a fee for the provision of services, as necessary. CC ID 14212 Acquisition or sale of facilities, technology, and services Business Processes
    Include customer risks in the customer terms and conditions. CC ID 13669 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Develop product solicitation responses and service solicitation responses. CC ID 06896 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Prevent the creation or distribution of devices designed to circumvent security measures. CC ID 11514 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Provide a product warranty or service warranty. CC ID 11601 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include the defined support period for hardware replacements in warranties. CC ID 14932 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include the methods of product replacement in warranties. CC ID 14931 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include rationale for the absence of software updates in warranties, as necessary. CC ID 14930 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include the defined support period in the product warranty or service warranty. CC ID 14927 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Establish, implement, and maintain equipment shipping procedures. CC ID 11449 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Ship equipment to customers in tamper-evident packaging, as necessary. CC ID 12271 Acquisition or sale of facilities, technology, and services Physical and Environmental Protection
    Ship equipment following the equipment shipping procedures. CC ID 11658 Acquisition or sale of facilities, technology, and services Process or Activity
    Ship goods or provide services to consumers in the agreed upon time frame. CC ID 08618 Acquisition or sale of facilities, technology, and services Business Processes
    Preserve products created for sale prior to shipping. CC ID 11602 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Clean and maintain products prior to shipping. CC ID 11603 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Detect and remove foreign objects from products prior to shipping. CC ID 11604 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Handle products with due care prior to shipping. CC ID 11605 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Attach safety warnings to products prior to shipping. CC ID 11606 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Rotate the stock of products prior to shipping. CC ID 11607 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a consumer complaint management program. CC ID 04570
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Acquisition or sale of facilities, technology, and services Business Processes
    Document consumer complaints. CC ID 13903
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Acquisition or sale of facilities, technology, and services Business Processes
    Assess consumer complaints and litigation. CC ID 16521 Acquisition or sale of facilities, technology, and services Investigate
    Notify the complainant about their rights after receiving a complaint. CC ID 16794 Acquisition or sale of facilities, technology, and services Communicate
    Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Post contact information in an easily seen location at facilities. CC ID 13812 Acquisition or sale of facilities, technology, and services Communicate
    Provide users a list of the available dispute resolution bodies. CC ID 13814 Acquisition or sale of facilities, technology, and services Communicate
    Post the dispute resolution body's contact information on the organization's website. CC ID 13811 Acquisition or sale of facilities, technology, and services Communicate
    Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 Acquisition or sale of facilities, technology, and services Communicate
    Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Acquisition or sale of facilities, technology, and services Actionable Reports or Measurements
    Establish, implement, and maintain notice and take-down procedures. CC ID 09963 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Check communications for take-down requests. CC ID 09964 Acquisition or sale of facilities, technology, and services Monitor and Evaluate Occurrences
    Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 Acquisition or sale of facilities, technology, and services Business Processes
    Notify the complainant regarding any missing information in the take-down request. CC ID 09973 Acquisition or sale of facilities, technology, and services Behavior
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
Remove all unlawful material associated with the take-down request that has not been removed and is feasible to remove. CC ID 09978 Acquisition or sale of facilities, technology, and services Business Processes
Notify the complainant when all unlawful material associated with the take-down notice that can be removed has been removed. CC ID 09979 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling procedures. CC ID 11756
    [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2]
    Privacy protection for information and data Establish/Maintain Documentation
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Establish/Maintain Documentation
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Data and Information Management
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Data and Information Management
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Business Processes
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Monitor and Evaluate Occurrences
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Communicate
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [The service management plan shall include or contain a reference to: approach to be taken for working with other parties involved in the service lifecycle; § 6.3 ¶ 2(f)
    The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Review and update all contracts, as necessary. CC ID 11612
    [At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the product or service to be provided in third party contracts. CC ID 06509
    [The documented information for the SMS shall include: agreements with internal suppliers or customers acting as a supplier; § 7.5.4 ¶ 1(j)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the products or services fees in third party contracts. CC ID 10018 Third Party and supply chain oversight Establish/Maintain Documentation
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the security requirements in the information flow agreement. CC ID 14244 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the interface characteristics in the information flow agreement. CC ID 14240 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: scope of the services, service components, processes or parts of processes to be provided or operated by the external supplier; § 8.3.4.1 ¶ 2(a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: authorities and responsibilities of the organization and the external supplier. § 8.3.4.1 ¶ 2(d)]
    Third Party and supply chain oversight Business Processes
    Include text about data ownership in third party contracts. CC ID 06502 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the contract duration in third party contracts. CC ID 16221 Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in third party contracts. CC ID 13487 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cryptographic keys in third party contracts. CC ID 16179 Third Party and supply chain oversight Establish/Maintain Documentation
    Include bankruptcy provisions in third party contracts. CC ID 16519 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a reporting structure in third party contracts. CC ID 06532 Third Party and supply chain oversight Establish/Maintain Documentation
    Include points of contact in third party contracts. CC ID 12355 Third Party and supply chain oversight Establish/Maintain Documentation
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Third Party and supply chain oversight Establish/Maintain Documentation
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 Third Party and supply chain oversight Establish/Maintain Documentation
    Include training requirements in third party contracts. CC ID 16367 Third Party and supply chain oversight Acquisition/Sale of Assets or Services
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: requirements to be met by the external supplier; § 8.3.4.1 ¶ 2(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722 Third Party and supply chain oversight Establish/Maintain Documentation
    Include change control clauses in third party contracts, as necessary. CC ID 06523 Third Party and supply chain oversight Establish/Maintain Documentation
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 Third Party and supply chain oversight Establish/Maintain Documentation
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Third Party and supply chain oversight Establish/Maintain Documentation
    Include change control notification processes in third party contracts. CC ID 06524 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cost structure changes in third party contracts. CC ID 10021 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a choice of venue clause in third party contracts. CC ID 06520 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a dispute resolution clause in third party contracts. CC ID 06519
    [Disputes between the organization and the external supplier shall be recorded and managed to closure. § 8.3.4.1 ¶ 7]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Third Party and supply chain oversight Establish/Maintain Documentation
    Include early termination contingency plans in the third party contracts. CC ID 06526 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Third Party and supply chain oversight Establish/Maintain Documentation
    Include termination costs in third party contracts. CC ID 10023 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Third Party and supply chain oversight Establish/Maintain Documentation
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Third Party and supply chain oversight Establish/Maintain Documentation
    Include end-of-life information in third party contracts. CC ID 15265 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 Third Party and supply chain oversight Establish/Maintain Documentation
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Establish/Maintain Documentation
    Include disclosure requirements in third party contracts. CC ID 08825 Third Party and supply chain oversight Business Processes
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Third Party and supply chain oversight Establish/Maintain Documentation
    Document the organization's supply chain in the supply chain management program. CC ID 09958
    [The organization shall determine and document: service components that are provided or operated by other parties; § 8.2.3.1 ¶ 4(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Establish and maintain a Third Party Service Provider list. CC ID 12480 Third Party and supply chain oversight Establish/Maintain Documentation
    Include required information in the Third Party Service Provider list. CC ID 14429 Third Party and supply chain oversight Establish/Maintain Documentation
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Third Party and supply chain oversight Establish/Maintain Documentation
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Third Party and supply chain oversight Communicate
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481
    [The organization shall determine and document: services that are provided or operated by other parties; § 8.2.3.1 ¶ 4(a)
    The organization shall determine and document: processes, or parts of processes, in the organization's SMS that are operated by other parties. § 8.2.3.1 ¶ 4(c)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Third Party and supply chain oversight Establish/Maintain Documentation
    Document supply chain transactions in the supply chain management program. CC ID 08857 Third Party and supply chain oversight Business Processes
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Third Party and supply chain oversight Establish/Maintain Documentation
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Third Party and supply chain oversight Physical and Environmental Protection
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838
    [The documented information for the SMS shall include: service level agreement(s) (SLA); § 7.5.4 ¶ 1(h)
    For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2]
    Third Party and supply chain oversight Process or Activity
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Third Party and supply chain oversight Establish Roles
    Include risk management procedures in the supply chain management policy. CC ID 08811 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Third Party and supply chain oversight Business Processes
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Business Processes
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the third party selection process in the supply chain management policy. CC ID 13132
    [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Select suppliers based on their qualifications. CC ID 00795 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party due diligence standards in the supply chain management policy. CC ID 08812
    [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Implement measurable improvement plans with all third parties. CC ID 08815
    [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2
    At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5]
    Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 Third Party and supply chain oversight Business Processes
    Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861
    [The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1]
    Third Party and supply chain oversight Business Processes
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Business Processes
    Review the supply chain's service delivery on a regular basis. CC ID 12010
    [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2]
    Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Third Party and supply chain oversight Business Processes
    Provide products or services per customer requests. CC ID 08893
    [The organization and the customer shall agree the services to be delivered. § 8.3.3 ¶ 1]
    Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain information security controls for the supply chain. CC ID 13109
    [The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of process performance; § 8.2.3.2(a)
    The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of the effectiveness of services and service components in meeting the service requirements. § 8.2.3.2(b)
    The organization shall define and apply relevant controls for other parties from the following: § 8.2.3.2
    The organization shall agree and implement information security controls to address information security risks related to external organizations. § 8.7.3.2 ¶ 2]
    Third Party and supply chain oversight Establish/Maintain Documentation