0003002
ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition
International Organization for Standardization
International or National Standard
For Purchase
ISO/IEC 20000-1:2018
ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements
2018-09-01
The document as a whole was last reviewed and released on 2022-02-22T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure the quality of mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. By virtue of that tie to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition are based upon terms found within the Authority Document's defined-terms section (which most legal documents have), within its glossary, or, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control (CC ID) with supporting Citations | TYPE | CLASS | |
---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Plan for selling facilities, technology, or services. CC ID 06893 [For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3] | Acquisition/Sale of Assets or Services | Preventive | |
Refrain from providing products and services, as necessary. CC ID 15580 | Acquisition/Sale of Assets or Services | Preventive | |
Determine if there is a need for the product or service being sold. CC ID 06894 | Acquisition/Sale of Assets or Services | Preventive | |
Identify new business opportunities based on product or service need, the business strategy, and action plan. CC ID 06901 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain a product or service pricing program. CC ID 13676 | Establish/Maintain Documentation | Preventive | |
Review and update controls to ensure the timeliness and accuracy of the market prices. CC ID 13688 | Process or Activity | Corrective | |
Provide identification mechanisms for the organization's supply chain members. CC ID 12201 | Business Processes | Preventive | |
Establish, implement, and maintain customer terms and conditions. CC ID 13666 | Establish/Maintain Documentation | Preventive | |
Refrain from charging a fee for the provision of services, as necessary. CC ID 14212 | Business Processes | Preventive | |
Include customer risks in the customer terms and conditions. CC ID 13669 | Establish/Maintain Documentation | Preventive | |
Develop product solicitation responses and service solicitation responses. CC ID 06896 | Acquisition/Sale of Assets or Services | Preventive | |
Prevent the creation or distribution of devices designed to circumvent security measures. CC ID 11514 | Acquisition/Sale of Assets or Services | Preventive | |
Provide a product warranty or service warranty. CC ID 11601 | Acquisition/Sale of Assets or Services | Preventive | |
Include the defined support period for hardware replacements in warranties. CC ID 14932 | Establish/Maintain Documentation | Preventive | |
Include the methods of product replacement in warranties. CC ID 14931 | Establish/Maintain Documentation | Preventive | |
Include rationale for the absence of software updates in warranties, as necessary. CC ID 14930 | Establish/Maintain Documentation | Preventive | |
Include the defined support period in the product warranty or service warranty. CC ID 14927 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain equipment shipping procedures. CC ID 11449 | Acquisition/Sale of Assets or Services | Preventive | |
Ship equipment to customers in tamper-evident packaging, as necessary. CC ID 12271 | Physical and Environmental Protection | Preventive | |
Ship equipment following the equipment shipping procedures. CC ID 11658 | Process or Activity | Preventive | |
Ship goods or provide services to consumers in the agreed upon time frame. CC ID 08618 | Business Processes | Preventive | |
Preserve products created for sale prior to shipping. CC ID 11602 | Acquisition/Sale of Assets or Services | Preventive | |
Clean and maintain products prior to shipping. CC ID 11603 | Acquisition/Sale of Assets or Services | Preventive | |
Detect and remove foreign objects from products prior to shipping. CC ID 11604 | Acquisition/Sale of Assets or Services | Preventive | |
Handle products with due care prior to shipping. CC ID 11605 | Acquisition/Sale of Assets or Services | Preventive | |
Attach safety warnings to products prior to shipping. CC ID 11606 | Acquisition/Sale of Assets or Services | Preventive | |
Rotate the stock of products prior to shipping. CC ID 11607 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain a consumer complaint management program. CC ID 04570 [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5] | Business Processes | Preventive | |
Document consumer complaints. CC ID 13903 [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5] | Business Processes | Preventive | |
Assess consumer complaints and litigation. CC ID 16521 | Investigate | Preventive | |
Notify the complainant about their rights after receiving a complaint. CC ID 16794 | Communicate | Preventive | |
Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 | Establish/Maintain Documentation | Preventive | |
Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 | Establish/Maintain Documentation | Preventive | |
Post contact information in an easily seen location at facilities. CC ID 13812 | Communicate | Preventive | |
Provide users a list of the available dispute resolution bodies. CC ID 13814 | Communicate | Preventive | |
Post the dispute resolution body's contact information on the organization's website. CC ID 13811 | Communicate | Preventive | |
Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 | Communicate | Preventive | |
Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5] | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain notice and take-down procedures. CC ID 09963 | Establish/Maintain Documentation | Preventive | |
Check communications for take-down requests. CC ID 09964 | Monitor and Evaluate Occurrences | Preventive | |
Include complete information in the take-down request. CC ID 09965 | Business Processes | Detective | |
Include the complainant's contact information in the take-down request. CC ID 09966 | Business Processes | Detective | |
Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 | Business Processes | Detective | |
Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 | Business Processes | Detective | |
Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 | Business Processes | Detective | |
Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 | Business Processes | Preventive | |
Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 | Business Processes | Detective | |
Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 | Business Processes | Detective | |
Notify the complainant regarding any missing information in the take-down request. CC ID 09973 | Behavior | Preventive | |
Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 | Business Processes | Detective | |
Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 | Establish/Maintain Documentation | Preventive | |
Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 | Establish/Maintain Documentation | Preventive | |
Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 | Establish/Maintain Documentation | Preventive | |
Remove all unlawful material associated with the take-down request that have not been removed and are feasible to remove. CC ID 09978 | Business Processes | Preventive | |
Notify the complainant when all unlawful material associated with the take-down notice that can be removed, has been removed. CC ID 09979 | Business Processes | Preventive | |
Process product return requests. CC ID 11598 | Acquisition/Sale of Assets or Services | Corrective | |
Refrain from returning products absent a return request authorization. CC ID 11599 | Acquisition/Sale of Assets or Services | Corrective |
KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control (CC ID) with supporting Citations | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Establish Roles | Preventive | |
Manage supply chain audits. CC ID 01203 | Audits and Risk Management | Preventive | |
Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 | Audits and Risk Management | Preventive | |
Rotate auditors, as necessary. CC ID 15589 | Audits and Risk Management | Preventive | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 | Establish Roles | Preventive | |
Assign the Board of Directors to address audit findings. CC ID 12396 | Human Resources Management | Corrective | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Establish Roles | Preventive | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Establish Roles | Preventive | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [The organization shall: ensure that the results of the audits are reported to relevant management; § 9.2.2 ¶ 1(d)] | Testing | Detective | |
Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Establish Roles | Preventive | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Establish Roles | Preventive | |
Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Establish Roles | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Establish Roles | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and Risk Management | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Establish/Maintain Documentation | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Establish/Maintain Documentation | Preventive | |
Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Establish/Maintain Documentation | Preventive | |
Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Establish/Maintain Documentation | Preventive | |
Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Establish/Maintain Documentation | Preventive | |
Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Establish/Maintain Documentation | Preventive | |
Review the external audit scope, as necessary. CC ID 01202 | Audits and Risk Management | Preventive | |
Review the external audit assertion for accuracy. CC ID 06977 | Testing | Detective | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 | Testing | Detective | |
Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and Risk Management | Detective | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Establish/Maintain Documentation | Preventive | |
Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Establish/Maintain Documentation | Preventive | |
Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Establish/Maintain Documentation | Preventive | |
Review the external auditor's qualifications. CC ID 01197 | Audits and Risk Management | Preventive | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and Risk Management | Preventive | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Establish/Maintain Documentation | Preventive | |
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Establish/Maintain Documentation | Preventive | |
Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Behavior | Preventive | |
Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Behavior | Preventive | |
Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Establish/Maintain Documentation | Preventive | |
Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Establish/Maintain Documentation | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)] | Establish Roles | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and Risk Management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and Risk Management | Detective | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 | Behavior | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 | Establish/Maintain Documentation | Preventive | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and Risk Management | Preventive | |
Establish and maintain audit terms. CC ID 13880 | Establish/Maintain Documentation | Preventive | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Process or Activity | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Establish/Maintain Documentation | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Establish/Maintain Documentation | Preventive | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and Risk Management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and Risk Management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and Risk Management | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and Risk Management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and Risk Management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and Risk Management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and Risk Management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Establish/Maintain Documentation | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Establish/Maintain Documentation | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Establish/Maintain Documentation | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and Risk Management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Establish/Maintain Documentation | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Establish/Maintain Documentation | Preventive | |
Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Establish/Maintain Documentation | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Establish/Maintain Documentation | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Establish/Maintain Documentation | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Establish/Maintain Documentation | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Establish/Maintain Documentation | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Establish/Maintain Documentation | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Establish/Maintain Documentation | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Establish/Maintain Documentation | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Establish/Maintain Documentation | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Establish/Maintain Documentation | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Establish/Maintain Documentation | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Establish/Maintain Documentation | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Establish/Maintain Documentation | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Establish/Maintain Documentation | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Establish/Maintain Documentation | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Establish/Maintain Documentation | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Establish/Maintain Documentation | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Establish/Maintain Documentation | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Establish/Maintain Documentation | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and Risk Management | Detective | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Establish/Maintain Documentation | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Establish/Maintain Documentation | Preventive | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and Risk Management | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Business Processes | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and Risk Management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and Risk Management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the importance of the processes concerned; § 9.2.2 ¶ 1(a)(1)] | Establish/Maintain Documentation | Preventive | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Investigate | Preventive | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Establish/Maintain Documentation | Preventive | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Establish/Maintain Documentation | Preventive | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Establish/Maintain Documentation | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and Risk Management | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Establish/Maintain Documentation | Preventive | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and Risk Management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Establish/Maintain Documentation | Preventive | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Establish/Maintain Documentation | Preventive | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Establish/Maintain Documentation | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and Risk Management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Establish/Maintain Documentation | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Establish/Maintain Documentation | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Establish/Maintain Documentation | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Establish/Maintain Documentation | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Establish/Maintain Documentation | Preventive | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Establish/Maintain Documentation | Preventive | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Establish/Maintain Documentation | Preventive | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Establish/Maintain Documentation | Preventive | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Establish/Maintain Documentation | Preventive | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Establish/Maintain Documentation | Preventive | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Establish/Maintain Documentation | Preventive | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Establish/Maintain Documentation | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Establish/Maintain Documentation | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Establish/Maintain Documentation | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Establish/Maintain Documentation | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Establish/Maintain Documentation | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Establish/Maintain Documentation | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Establish/Maintain Documentation | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Establish/Maintain Documentation | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Establish/Maintain Documentation | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Establish/Maintain Documentation | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Establish/Maintain Documentation | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Establish/Maintain Documentation | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Establish/Maintain Documentation | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Establish/Maintain Documentation | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Establish/Maintain Documentation | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Establish/Maintain Documentation | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Establish/Maintain Documentation | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Establish/Maintain Documentation | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Establish/Maintain Documentation | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Establish/Maintain Documentation | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Communicate | Preventive | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Establish/Maintain Documentation | Preventive | |
Include how access to in scope systems, personnel, and in scope records is provided to the auditor in the audit terms. CC ID 06988 | Establish/Maintain Documentation | Preventive | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Establish/Maintain Documentation | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Establish/Maintain Documentation | Corrective | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Communicate | Preventive | |
Include materiality levels in the audit terms. CC ID 01238 | Establish/Maintain Documentation | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: changes affecting the organization; § 9.2.2 ¶ 1(a)(2)] | Establish/Maintain Documentation | Preventive | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Establish/Maintain Documentation | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Business Processes | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and Risk Management | Detective | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Business Processes | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Behavior | Preventive | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and Risk Management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the organization's own requirements for its SMS; § 9.2.1 ¶ 1(a)(1) The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the requirements of this document; § 9.2.1 ¶ 1(a)(2) The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: is effectively implemented and maintained. § 9.2.1 ¶ 1(b) The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)] | Audits and Risk Management | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ 1(e)] | Actionable Reports or Measurements | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Establish/Maintain Documentation | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Establish/Maintain Documentation | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Establish/Maintain Documentation | Preventive | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Records Management | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
Refrain from examining forecasts and projections that do not disclose their assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 | Audits and Risk Management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
Audit information systems, as necessary. CC ID 13010 | Investigate | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Testing | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Testing | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
Edit the audit assertion for accuracy. CC ID 07030 | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 [The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3] | Testing | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and Risk Management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Testing | Detective | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Establish/Maintain Documentation | Preventive | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: § 9.2.1 ¶ 1] | Testing | Preventive | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and Risk Management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and Risk Management | Preventive | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and Risk Management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Communicate | Preventive | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Testing | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
Conduct interviews, as necessary. CC ID 07188 | Testing | Detective | |
Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Behavior | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
Establish and maintain work papers, as necessary. CC ID 13891 | Establish/Maintain Documentation | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Establish/Maintain Documentation | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and Risk Management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Establish/Maintain Documentation | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Establish/Maintain Documentation | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Establish/Maintain Documentation | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Establish/Maintain Documentation | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and Risk Management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and Risk Management | Preventive | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Testing | Detective | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Establish/Maintain Documentation | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Establish/Maintain Documentation | Preventive | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Testing | Detective | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Monitor and Evaluate Occurrences | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Establish Roles | Preventive | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Business Processes | Preventive | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Monitor and Evaluate Occurrences | Preventive | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Business Processes | Preventive | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Process or Activity | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Establish/Maintain Documentation | Preventive | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 | Audits and Risk Management | Preventive | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Investigate | Detective | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Business Processes | Preventive | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and Risk Management | Corrective | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and Risk Management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Establish/Maintain Documentation | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Establish/Maintain Documentation | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ 1(e) The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Establish/Maintain Documentation | Detective | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and Risk Management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 | Establish/Maintain Documentation | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Establish/Maintain Documentation | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Human Resources Management | Detective | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Establish/Maintain Documentation | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Establish/Maintain Documentation | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Establish/Maintain Documentation | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Establish/Maintain Documentation | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Establish/Maintain Documentation | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Establish/Maintain Documentation | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Establish/Maintain Documentation | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Establish/Maintain Documentation | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Establish/Maintain Documentation | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Establish/Maintain Documentation | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 | Actionable Reports or Measurements | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 | Actionable Reports or Measurements | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Actionable Reports or Measurements | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Establish/Maintain Documentation | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Establish/Maintain Documentation | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Establish/Maintain Documentation | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Establish/Maintain Documentation | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Actionable Reports or Measurements | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Establish/Maintain Documentation | Preventive | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 | Establish/Maintain Documentation | Preventive | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Establish/Maintain Documentation | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Establish/Maintain Documentation | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Establish/Maintain Documentation | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Establish/Maintain Documentation | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Establish/Maintain Documentation | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Establish/Maintain Documentation | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Establish/Maintain Documentation | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Establish/Maintain Documentation | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Establish/Maintain Documentation | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Establish/Maintain Documentation | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Establish/Maintain Documentation | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Establish/Maintain Documentation | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Establish/Maintain Documentation | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Establish/Maintain Documentation | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and Risk Management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Establish/Maintain Documentation | Preventive | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Establish/Maintain Documentation | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and Risk Management | Detective | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Establish/Maintain Documentation | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Establish/Maintain Documentation | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Establish/Maintain Documentation | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Establish/Maintain Documentation | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Establish/Maintain Documentation | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Establish/Maintain Documentation | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Establish/Maintain Documentation | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and Risk Management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Establish/Maintain Documentation | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Establish/Maintain Documentation | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Actionable Reports or Measurements | Preventive | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Establish/Maintain Documentation | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Establish/Maintain Documentation | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Establish/Maintain Documentation | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Establish/Maintain Documentation | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and Risk Management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Establish/Maintain Documentation | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and Risk Management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and Risk Management | Detective | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Establish/Maintain Documentation | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and Risk Management | Detective | |
Review past audit reports. CC ID 01155 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the results of previous audits; § 9.2.2 ¶ 1(a)(3) The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: audit results; § 9.3 ¶ 2(c)(3)] | Establish/Maintain Documentation | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Establish/Maintain Documentation | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Establish/Maintain Documentation | Detective | |
Resolve disputes before creating the audit summary. CC ID 08964 | Behavior | Preventive | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Establish/Maintain Documentation | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Establish/Maintain Documentation | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Establish/Maintain Documentation | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Establish/Maintain Documentation | Corrective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Investigate | Detective | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Process or Activity | Detective | |
Include an audit opinion in the audit report. CC ID 07017 | Establish/Maintain Documentation | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Establish/Maintain Documentation | Preventive | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Establish/Maintain Documentation | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Establish/Maintain Documentation | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Establish/Maintain Documentation | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Business Processes | Corrective | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Establish/Maintain Documentation | Preventive | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Establish/Maintain Documentation | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Establish/Maintain Documentation | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Establish/Maintain Documentation | Preventive | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Establish/Maintain Documentation | Preventive | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Establish/Maintain Documentation | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Establish/Maintain Documentation | Preventive | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Establish/Maintain Documentation | Preventive | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Establish/Maintain Documentation | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Establish/Maintain Documentation | Corrective | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Actionable Reports or Measurements | Preventive | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Establish/Maintain Documentation | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Human Resources Management | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Log Management | Detective | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Behavior | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Establish/Maintain Documentation | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Establish/Maintain Documentation | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Establish/Maintain Documentation | Detective | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Business Processes | Preventive | |
Submit an audit report that is complete. CC ID 01145 | Testing | Detective | |
Accept the audit report. CC ID 07025 | Establish/Maintain Documentation | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 | Establish/Maintain Documentation | Corrective | |
Assign responsibility for remediation actions. CC ID 13622 | Human Resources Management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Actionable Reports or Measurements | Corrective | |
Review management's response to issues raised in past audit reports. CC ID 01149 [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1)] | Audits and Risk Management | Detective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Establish/Maintain Documentation | Preventive | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Testing | Detective | |
Evaluate the competency of auditors. CC ID 15253 | Human Resources Management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and Risk Management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Testing | Detective | |
Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a) The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)] | Establish/Maintain Documentation | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Establish/Maintain Documentation | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Business Processes | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Business Processes | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1] | Business Processes | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Establish/Maintain Documentation | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and Risk Management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Business Processes | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 | Establish/Maintain Documentation | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Establish/Maintain Documentation | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Data and Information Management | Preventive | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Establish/Maintain Documentation | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Establish/Maintain Documentation | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and Risk Management | Detective | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Establish Roles | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and Risk Management | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Establish/Maintain Documentation | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [The organization shall determine and document: risks related to: not meeting the service requirements; § 6.1.2 ¶ 1(a)(2)] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Business Processes | Preventive | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Business Processes | Preventive | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Business Processes | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Establish/Maintain Documentation | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Establish/Maintain Documentation | Preventive | |
Use the risk taxonomy when managing risk. CC ID 12280 | Behavior | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Establish/Maintain Documentation | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
Document cybersecurity risks. CC ID 12281 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Establish/Maintain Documentation | Preventive | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and Risk Management | Preventive | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Establish/Maintain Documentation | Preventive | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Establish/Maintain Documentation | Preventive | |
Document organizational risk criteria. CC ID 12277 | Establish/Maintain Documentation | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Technical Security | Preventive | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Investigate | Detective | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and Risk Management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and Risk Management | Preventive | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Establish/Maintain Documentation | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and Risk Management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and Risk Management | Preventive | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Establish/Maintain Documentation | Preventive | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Establish/Maintain Documentation | Preventive | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Establish/Maintain Documentation | Preventive | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Establish/Maintain Documentation | Preventive | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Establish/Maintain Documentation | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and Risk Management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Communicate | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1] | Testing | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Establish/Maintain Documentation | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Establish/Maintain Documentation | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and Risk Management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Establish/Maintain Documentation | Detective | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and Risk Management | Preventive | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 | Establish/Maintain Documentation | Detective | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and Risk Management | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Communicate | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Business Processes | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 | Behavior | Preventive | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Investigate | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and Risk Management | Detective | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Establish/Maintain Documentation | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Establish/Maintain Documentation | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Establish/Maintain Documentation | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Establish/Maintain Documentation | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Establish/Maintain Documentation | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Communicate | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Establish/Maintain Documentation | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Business Processes | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Business Processes | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: prevent, or reduce, undesired effects; § 6.1.1 ¶ 1(b) The organization shall determine and document: risks related to: the organization; § 6.1.2 ¶ 1(a)(1)] | Audits and Risk Management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)] | Audits and Risk Management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and Risk Management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Actionable Reports or Measurements | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and Risk Management | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [The organization shall determine and document: risk acceptance criteria; § 6.1.2 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Investigate | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Behavior | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Establish/Maintain Documentation | Detective | |
Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1] | Audits and Risk Management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Process or Activity | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Process or Activity | Detective | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and Risk Management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [/* Based on the subject of this section, by 'these actions', the document is referring to activities to manage risk */ {risk management activity} evaluate the effectiveness of these actions. § 6.1.3 ¶ 1(b)(2)] | Testing | Detective | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Establish/Maintain Documentation | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and Risk Management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and Risk Management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Establish/Maintain Documentation | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Establish/Maintain Documentation | Corrective | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the risk treatment plan. CC ID 11981 | Establish/Maintain Documentation | Preventive | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Establish/Maintain Documentation | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Establish/Maintain Documentation | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Establish/Maintain Documentation | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Establish/Maintain Documentation | Preventive | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Establish/Maintain Documentation | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Communicate | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and Risk Management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Establish/Maintain Documentation | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3] | Establish/Maintain Documentation | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)] | Establish/Maintain Documentation | Preventive | |
Include risk responses in the risk management program. CC ID 13195 | Establish/Maintain Documentation | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Establish/Maintain Documentation | Corrective | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Business Processes | Preventive | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Establish/Maintain Documentation | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Establish/Maintain Documentation | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Business Processes | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and Risk Management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and Risk Management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Communicate | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Establish/Maintain Documentation | Preventive | |
Include a risk prioritization approach in the cybersecurity risk management strategy. CC ID 12276 | Establish/Maintain Documentation | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Communicate | Preventive | |
Evaluate the cyber insurance market. CC ID 12695 | Business Processes | Preventive | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Business Processes | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Business Processes | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Establish/Maintain Documentation | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Communicate | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Establish/Maintain Documentation | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Establish/Maintain Documentation | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Establish/Maintain Documentation | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Establish/Maintain Documentation | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Communicate | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Human Resources Management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Process or Activity | Detective | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that appropriate levels of authority are assigned for making decisions related to the SMS and the services; § 5.1 ¶ 1(c) Top management shall demonstrate leadership and commitment with respect to the SMS by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1(l)] | Establish Roles | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources Management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Establish/Maintain Documentation | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources Management | Preventive | |
Establish, implement, and maintain candidate selection procedures for the board of directors. CC ID 14782 | Establish/Maintain Documentation | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Establish/Maintain Documentation | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources Management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Establish Roles | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources Management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources Management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources Management | Corrective | |
Analyze workforce management. CC ID 12844 [{resource level}{manpower} management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)] | Human Resources Management | Detective | |
Identify root causes of staffing shortages, if any exist. CC ID 13276 | Human Resources Management | Detective | |
Analyze the ability of Human Resources to attract a competent workforce. CC ID 13275 | Human Resources Management | Detective | |
Include how risk is perceived by the workforce in the analysis of workforce management. CC ID 12969 | Human Resources Management | Preventive | |
Include compensation structures in the analysis of workforce management. CC ID 12902 | Human Resources Management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1(b) {staff} The organization shall: determine the necessary competence of persons doing work under its control that affects the performance and effectiveness of the SMS and the services; § 7.2 ¶ 1(a)] | Testing | Detective | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources Management | Detective | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Establish Roles | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources Management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources Management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Establish/Maintain Documentation | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources Management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources Management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources Management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Establish/Maintain Documentation | Detective | |
Train all personnel and third parties, as necessary. CC ID 00785 [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)] | Behavior | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 [{interested party} Instructions for the fulfilment of service requests shall be made available to persons involved in service request fulfilment. § 8.6.2 ¶ 3 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)] | Business Processes | Preventive | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources Management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Establish/Maintain Documentation | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Establish/Maintain Documentation | Preventive | |
Submit applications for professional certification. CC ID 16192 | Training | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 | Behavior | Preventive | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)] | Behavior | Preventive | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 [{be relevant} Persons doing work under the organization's control shall be aware of: the services relevant to their work; § 7.3 ¶ 1(c) The organization shall determine and maintain the knowledge necessary to support the operation of the SMS and the services. § 7.6 ¶ 1 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)] | Behavior | Preventive | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Behavior | Preventive | |
Document all training in a training record. CC ID 01423 [The organization shall: retain appropriate documented information as evidence of competence. § 7.2 ¶ 1(d)] | Establish/Maintain Documentation | Detective | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Behavior | Preventive | |
Conduct tests and evaluate training. CC ID 06672 [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)] | Testing | Detective | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources Management | Preventive | |
Review the current published guidance and awareness and training programs. CC ID 01245 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 [{be usable}{be available}{support}{operation}{SMS and the services} /* by 'knowledge', based on the section the authors appear to be referring to the knowledge necessary to support the operation of the SMS and the services */ The knowledge shall be relevant, usable and available to appropriate persons. § 7.6 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Training | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Training | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Training | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Training | Detective | |
Develop or acquire content to update the training plans. CC ID 12867 | Training | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Training | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Establish/Maintain Documentation | Preventive | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources Management | Preventive | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Training | Preventive | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources Management | Preventive | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Training | Preventive | |
Include risk management in the training plan, as necessary. CC ID 13040 | Training | Preventive | |
Conduct Archives and Records Management training. CC ID 00975 | Behavior | Preventive | |
Conduct personal data processing training. CC ID 13757 | Training | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Training | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Establish/Maintain Documentation | Preventive | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Establish/Maintain Documentation | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Establish/Maintain Documentation | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Establish/Maintain Documentation | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources Management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
Require personnel to acknowledge in writing, by signature, that they have read and understand the organization's security policies. CC ID 01363 | Establish/Maintain Documentation | Preventive | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Establish/Maintain Documentation | Preventive | |
Conduct secure coding and development training for developers. CC ID 06822 | Behavior | Corrective | |
Conduct tampering prevention training. CC ID 11875 | Training | Preventive | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Training | Preventive | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Training | Preventive | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Training | Preventive | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Training | Preventive | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Training | Preventive | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Training | Preventive | |
Conduct crime prevention training. CC ID 06350 | Behavior | Preventive | |
Analyze and evaluate training records to improve the training program. CC ID 06380 | Monitor and Evaluate Occurrences | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
Establish, implement, and maintain communication protocols. CC ID 12245 [{internal communication}{be relevant} The organization shall determine the internal and external communications relevant to the SMS and the services including: § 7.4 ¶ 1 The organization shall determine the internal and external communications relevant to the SMS and the services including: on what it will communicate; § 7.4 ¶ 1(a) The organization shall determine the internal and external communications relevant to the SMS and the services including: when to communicate; § 7.4 ¶ 1(b) The organization shall determine the internal and external communications relevant to the SMS and the services including: with whom to communicate; § 7.4 ¶ 1(c) The organization shall determine the internal and external communications relevant to the SMS and the services including: how to communicate; § 7.4 ¶ 1(d) The organization shall determine the internal and external communications relevant to the SMS and the services including: who will be responsible for the communication. § 7.4 ¶ 1(e) The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Process or Activity | Detective | |
Include external requirements in the organization's communication protocol. CC ID 12418 [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Communicate | Preventive | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Communicate | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Process or Activity | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Communicate | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Communicate | Preventive | |
Route notifications, as necessary. CC ID 12832 | Process or Activity | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Process or Activity | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Business Processes | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Process or Activity | Preventive | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Actionable Reports or Measurements | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Communicate | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Process or Activity | Preventive | |
Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Process or Activity | Preventive | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Establish/Maintain Documentation | Preventive | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1] | Business Processes | Preventive | |
Include transactions and events as a part of internal reporting. CC ID 12413 | Business Processes | Preventive | |
Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Communicate | Preventive | |
Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Establish/Maintain Documentation | Preventive | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Establish/Maintain Documentation | Preventive | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Establish/Maintain Documentation | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be measurable; § 6.2.1 ¶ 1(b)] | Monitor and Evaluate Occurrences | Preventive | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Establish/Maintain Documentation | Preventive | |
Analyze the business environment in which the organization operates. CC ID 12798 | Business Processes | Preventive | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Process or Activity | Preventive | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Process or Activity | Preventive | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Process or Activity | Preventive | |
Include resources in the analysis of the internal business environment. CC ID 12942 [{resource level}{manpower} management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)] | Process or Activity | Preventive | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Process or Activity | Preventive | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Process or Activity | Preventive | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Process or Activity | Preventive | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Process or Activity | Preventive | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Process or Activity | Preventive | |
Align assets with business functions and the business environment. CC ID 13681 | Business Processes | Preventive | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2] | Communicate | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 [{service management system} When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2(a) The management review shall include consideration of: changes in external and internal issues that are relevant to the SMS; § 9.3 ¶ 2(b) The management review shall include consideration of: changes that can affect the SMS and the services. § 9.3 ¶ 2(l)] | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Monitor and Evaluate Occurrences | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 | Business Processes | Preventive | |
Identify the external forces that may affect organizational objectives. CC ID 12960 | Process or Activity | Preventive | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Monitor and Evaluate Occurrences | Preventive | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 | Business Processes | Preventive | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Monitor and Evaluate Occurrences | Preventive | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Business Processes | Preventive | |
Include society in the analysis of the external environment. CC ID 12963 | Business Processes | Preventive | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Business Processes | Preventive | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Business Processes | Preventive | |
Include industry forces in the analysis of the external environment. CC ID 12904 | Business Processes | Preventive | |
Include threats in the analysis of the external environment. CC ID 12898 | Business Processes | Preventive | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Business Processes | Preventive | |
Include legal requirements in the analysis of the external environment. CC ID 12896 | Business Processes | Preventive | |
Include technology in the analysis of the external environment. CC ID 12837 | Business Processes | Preventive | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 | Business Processes | Preventive | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 | Business Processes | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Establish/Maintain Documentation | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Process or Activity | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1] | Process or Activity | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Process or Activity | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 [{applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1] | Business Processes | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a) {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)] | Business Processes | Preventive | |
Prioritize organizational objectives. CC ID 09960 | Business Processes | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Business Processes | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Communicate | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Establish/Maintain Documentation | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Establish/Maintain Documentation | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Establish/Maintain Documentation | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Establish/Maintain Documentation | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Establish/Maintain Documentation | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Establish/Maintain Documentation | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Establish/Maintain Documentation | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Establish/Maintain Documentation | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Communicate | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)] | Communicate | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1] | Business Processes | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1 The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)] | Process or Activity | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)] | Process or Activity | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Business Processes | Preventive | |
Identify all interested personnel and affected parties. CC ID 12845 [The organization shall determine: the interested parties that are relevant to the SMS and the services; § 4.2 ¶ 1(a) The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1] | Process or Activity | Detective | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Process or Activity | Preventive | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 | Business Processes | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 | Establish/Maintain Documentation | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Establish/Maintain Documentation | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Establish/Maintain Documentation | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Establish/Maintain Documentation | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Establish/Maintain Documentation | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Establish/Maintain Documentation | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Establish/Maintain Documentation | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Establish/Maintain Documentation | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Establish/Maintain Documentation | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Establish/Maintain Documentation | Preventive | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Data and Information Management | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Data and Information Management | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Data and Information Management | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Data and Information Management | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Data and Information Management | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Data and Information Management | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Data and Information Management | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Data and Information Management | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Data and Information Management | Preventive | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Establish/Maintain Documentation | Preventive | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Data and Information Management | Preventive | |
Approve the data classification scheme. CC ID 13858 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Communicate | Preventive | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Establish/Maintain Documentation | Preventive | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Establish/Maintain Documentation | Preventive | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Establish/Maintain Documentation | Preventive | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Establish/Maintain Documentation | Preventive | |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Investigate | Detective | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Establish/Maintain Documentation | Preventive | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Establish/Maintain Documentation | Preventive | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Establish/Maintain Documentation | Preventive | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Establish/Maintain Documentation | Preventive | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Establish/Maintain Documentation | Preventive | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Establish/Maintain Documentation | Preventive | |
Include the data source in the data dictionary. CC ID 13519 | Establish/Maintain Documentation | Preventive | |
Include the nature of each element in the data dictionary. CC ID 13518 | Establish/Maintain Documentation | Preventive | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Communicate | Preventive | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Establish/Maintain Documentation | Preventive | |
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Behavior | Preventive | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Establish/Maintain Documentation | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Monitor and Evaluate Occurrences | Detective | |
Monitor for new Information Security solutions. CC ID 07078 | Monitor and Evaluate Occurrences | Detective | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Technical Security | Detective | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Communicate | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Communicate | Corrective | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 [The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3 At planned intervals, the effectiveness of problem resolution shall be monitored, reviewed and reported. § 8.6.3 ¶ 5 The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6] | Establish/Maintain Documentation | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Establish/Maintain Documentation | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Establish/Maintain Documentation | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a) The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2 {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b) {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Establish/Maintain Documentation | Preventive | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)] | Communicate | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 [Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4] | Communicate | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Establish/Maintain Documentation | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 [The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2 The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6] | Establish/Maintain Documentation | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3] | Business Processes | Detective | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: § 9.3 ¶ 2(c)] | Testing | Detective | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: setting one or more targets for improvement in areas such as quality, value, capability, cost, productivity, resource utilization and risk reduction; § 10.2 ¶ 3(a) {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b) {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)] | Establish/Maintain Documentation | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Communicate | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Communicate | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Establish/Maintain Documentation | Preventive | |
Correct errors and deficiencies in a timely manner. CC ID 13501 | Business Processes | Corrective | |
Include records management in the quality management system. CC ID 15055 | Establish/Maintain Documentation | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Establish/Maintain Documentation | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Establish/Maintain Documentation | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Establish/Maintain Documentation | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Establish/Maintain Documentation | Preventive | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 [The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6] | Systems Design, Build, and Implementation | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Establish/Maintain Documentation | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Establish/Maintain Documentation | Preventive | |
Document, in a deficiency report, the deficiencies that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3 Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4 The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6] | Establish/Maintain Documentation | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Establish/Maintain Documentation | Preventive | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Business Processes | Detective | |
Include program testing standards in the Quality Management program. CC ID 01017 [At planned intervals, the organization shall monitor, review and report on: performance against service level targets; § 8.3.3 ¶ 3(a)] | Establish/Maintain Documentation | Preventive | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)] | Business Processes | Detective | |
Include system testing standards in the Quality Management program. CC ID 01018 | Establish/Maintain Documentation | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring the integration of the SMS requirements into the organization's business processes; § 5.1 ¶ 1(f)] | Establish/Maintain Documentation | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Establish/Maintain Documentation | Detective | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [The documented information for the SMS shall include: procedures that are required by this document; § 7.5.4 ¶ 1(k)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [Documented information required by the SMS and by this document shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3.1(a) When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Communicate | Preventive | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Establish/Maintain Documentation | Preventive | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Establish/Maintain Documentation | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Establish/Maintain Documentation | Preventive | |
Include signatures of C-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Establish/Maintain Documentation | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Establish/Maintain Documentation | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Establish/Maintain Documentation | Detective | |
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Establish Roles | Preventive | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Establish Roles | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Establish Roles | Detective | |
Address Information Security during the business planning processes. CC ID 06495 | Data and Information Management | Preventive | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Determine progress toward the objectives of the strategic plan. CC ID 12944 [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be monitored; § 6.2.1 ¶ 1(d) The management review shall include consideration of: achievement of service management objectives; § 9.3 ¶ 2(g)] | Process or Activity | Preventive | |
Include acting with integrity in the strategic plan. CC ID 12870 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 | Communicate | Preventive | |
Include the outsource partners in the strategic plan, as necessary. CC ID 13960 | Establish/Maintain Documentation | Preventive | |
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a planning policy. CC ID 14673 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain planning procedures. CC ID 14698 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 | Communicate | Preventive | |
Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 | Communicate | Preventive | |
Include compliance requirements in the planning policy. CC ID 14688 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the planning policy. CC ID 14687 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the planning policy. CC ID 14686 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the planning policy. CC ID 14685 | Establish/Maintain Documentation | Preventive | |
Include the scope in the planning policy. CC ID 14684 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the planning policy. CC ID 14683 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security planning policy. CC ID 14027 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security planning policy. CC ID 14131 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security planning policy. CC ID 14130 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the security planning policy. CC ID 14129 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security planning policy. CC ID 14128 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security planning policy. CC ID 14127 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security planning policy. CC ID 14126 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 | Communicate | Preventive | |
Establish, implement, and maintain security planning procedures. CC ID 14060 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Communicate | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 | Establish/Maintain Documentation | Preventive | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Business Processes | Preventive | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Establish/Maintain Documentation | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Establish/Maintain Documentation | Preventive | |
Include criteria for compliance in the decision-making criteria. CC ID 12951 | Establish/Maintain Documentation | Preventive | |
Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 | Establish/Maintain Documentation | Preventive | |
Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 | Establish/Maintain Documentation | Preventive | |
Include criteria for setting priorities in the decision-making criteria. CC ID 12938 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: policies and plans required by this document; § 8.5.1.3 ¶ 1(c)] | Process or Activity | Preventive | |
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3 The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1] | Process or Activity | Preventive | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1] | Process or Activity | Preventive | |
Identify and document the events that initiate the decision management strategy. CC ID 06914 | Establish/Maintain Documentation | Detective | |
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: customers, users and other interested parties; § 8.5.1.3 ¶ 1(b)] | Process or Activity | Preventive | |
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 | Behavior | Preventive | |
Take actions in accordance with the decision-making criteria. CC ID 12909 | Process or Activity | Preventive | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Communicate | Preventive | |
Establish, implement, and maintain an information technology process framework. CC ID 13648 | Establish/Maintain Documentation | Preventive | |
Include maturity models in the Information Technology process framework. CC ID 13652 | Establish/Maintain Documentation | Preventive | |
Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 | Establish/Maintain Documentation | Preventive | |
Include Information Technology process structures in the Information Technology process framework. CC ID 13650 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a tactical plan. CC ID 12785 | Establish/Maintain Documentation | Preventive | |
Include acting with integrity in the tactical plan. CC ID 12871 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Establish/Maintain Documentation | Preventive | |
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Establish/Maintain Documentation | Preventive | |
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Human Resources Management | Preventive | |
Include the transparency goals in the Information Governance Plan. CC ID 10056 | Establish/Maintain Documentation | Preventive | |
Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Establish/Maintain Documentation | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Establish/Maintain Documentation | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 | Establish/Maintain Documentation | Preventive | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Business Processes | Corrective | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 | Business Processes | Preventive | |
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Establish/Maintain Documentation | Preventive | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Establish/Maintain Documentation | Preventive | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Establish/Maintain Documentation | Preventive | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Establish/Maintain Documentation | Preventive | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Business Processes | Preventive | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 | Establish/Maintain Documentation | Preventive | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Establish/Maintain Documentation | Preventive | |
Assign senior management to approve business cases. CC ID 13068 | Human Resources Management | Preventive | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 | Establish/Maintain Documentation | Preventive | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Establish/Maintain Documentation | Preventive | |
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Establish/Maintain Documentation | Preventive | |
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Establish/Maintain Documentation | Preventive | |
Include a search plan in the counterterror protective security plan. CC ID 06865 | Establish/Maintain Documentation | Preventive | |
Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Establish/Maintain Documentation | Preventive | |
Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 | Monitor and Evaluate Occurrences | Detective | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 | Actionable Reports or Measurements | Preventive | |
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Actionable Reports or Measurements | Preventive | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Actionable Reports or Measurements | Preventive | |
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Actionable Reports or Measurements | Preventive | |
Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 | Human Resources Management | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Establish/Maintain Documentation | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Establish/Maintain Documentation | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Communicate | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Establish/Maintain Documentation | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Establish/Maintain Documentation | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Establish/Maintain Documentation | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Establish/Maintain Documentation | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Establish/Maintain Documentation | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Establish/Maintain Documentation | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Log Management | Detective | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Log Management | Detective | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: monitoring and measurement results; § 9.3 ¶ 2(c)(2)] | Log Management | Preventive | |
Protect the event logs from failure. CC ID 06290 | Log Management | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Data and Information Management | Preventive | |
Supply each in-scope asset with an audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Testing | Preventive | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Establish/Maintain Documentation | Corrective | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Establish/Maintain Documentation | Preventive | |
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Audits and Risk Management | Preventive | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1] | Log Management | Detective | |
Eliminate false positives in event logs and audit logs. CC ID 07047 | Log Management | Corrective | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Log Management | Detective | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Technical Security | Detective | |
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Investigate | Corrective | |
Reproduce the event log if a log failure is captured. CC ID 01426 | Log Management | Preventive | |
Assess customer satisfaction. CC ID 00652 [At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4 The management review shall include consideration of: feedback from customers and other interested parties; § 9.3 ¶ 2(e)] | Testing | Detective | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4] | Establish/Maintain Documentation | Detective | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Process or Activity | Detective | |
Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitor and Evaluate Occurrences | Detective | |
Monitor for and report when a software configuration is updated. CC ID 06746 | Monitor and Evaluate Occurrences | Detective | |
Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitor and Evaluate Occurrences | Detective | |
Monitor for firmware updates absent authorization. CC ID 10675 | Monitor and Evaluate Occurrences | Detective | |
Implement file integrity monitoring. CC ID 01205 | Monitor and Evaluate Occurrences | Detective | |
Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Technical Security | Detective | |
Monitor for software configuration updates absent authorization. CC ID 10676 | Monitor and Evaluate Occurrences | Preventive | |
Allow expected changes during file integrity monitoring. CC ID 12090 | Technical Security | Preventive | |
Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitor and Evaluate Occurrences | Preventive | |
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Establish/Maintain Documentation | Preventive | |
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Process or Activity | Preventive | |
Monitor and evaluate user account activity. CC ID 07066 | Monitor and Evaluate Occurrences | Detective | |
Develop and maintain a usage profile for each user account. CC ID 07067 | Technical Security | Preventive | |
Log account usage to determine dormant accounts. CC ID 12118 | Log Management | Detective | |
Log account usage times. CC ID 07099 | Log Management | Detective | |
Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitor and Evaluate Occurrences | Detective | |
Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitor and Evaluate Occurrences | Detective | |
Log account usage durations. CC ID 12117 | Monitor and Evaluate Occurrences | Detective | |
Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Communicate | Detective | |
Log Internet Protocol addresses used during logon. CC ID 07100 | Log Management | Detective | |
Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitor and Evaluate Occurrences | Detective | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Communicate | Detective | |
Establish, implement, and maintain a service management monitoring and metrics program. CC ID 13916 [At planned intervals, the organization shall: monitor and report on demand and consumption of services. § 8.4.2 ¶ 1(b) Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Communicate trends in service management to all interested personnel and affected parties. CC ID 13926 [Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2] | Communicate | Preventive | |
Monitor service availability when implementing the service management monitoring and metrics program. CC ID 13921 [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3] | Monitor and Evaluate Occurrences | Detective | |
Compare the performance metrics of service availability against their targets, as necessary. CC ID 13922 [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3] | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [The organization shall determine: when the monitoring and measuring shall be performed; § 9.1 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Actionable Reports or Measurements | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Actionable Reports or Measurements | Detective | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Business Processes | Preventive | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Audits and Risk Management | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f)] | Monitor and Evaluate Occurrences | Detective | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: § 10.1.1 ¶ 1(b) The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
Determine the causes of compliance violations. CC ID 12401 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.1.1 ¶ 1(b)(1) When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.1.1 ¶ 1(b)(2)] | Investigate | Corrective | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities exist, or could potentially occur; § 10.1.1 ¶ 1(b)(3)] | Investigate | Detective | |
Correct compliance violations. CC ID 13515 [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: § 10.1.1 ¶ 1(a) When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.1.1 ¶ 1(a)(1) When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: deal with the consequences; § 10.1.1 ¶ 1(a)(2) When a nonconformity occurs, the organization shall: implement any action needed; § 10.1.1 ¶ 1(c)] | Process or Activity | Corrective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.1.1 ¶ 1(d)] | Investigate | Detective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Behavior | Corrective | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 [Corrective actions shall be appropriate to the effects of the nonconformities encountered. § 10.1.1 ¶ 2] | Human Resources Management | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Establish/Maintain Documentation | Preventive | |
Report on the policies and controls that have been implemented by management. CC ID 01670 [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: reporting on implemented improvements. § 10.2 ¶ 3(e)] | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Actionable Reports or Measurements | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: targets for service availability when the service continuity plan is invoked; § 8.7.2 ¶ 2(c)] | Establish/Maintain Documentation | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Actionable Reports or Measurements | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Actionable Reports or Measurements | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Actionable Reports or Measurements | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2(a)] | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Establish/Maintain Documentation | Preventive | |
Convert data into standard units before reporting metrics. CC ID 15507 | Process or Activity | Corrective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Actionable Reports or Measurements | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Actionable Reports or Measurements | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Actionable Reports or Measurements | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals with access to security software who are trained, authorized Security Administrators. CC ID 01691 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals able to assign security privileges who are trained, authorized Security Administrators. CC ID 01692 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Actionable Reports or Measurements | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Actionable Reports or Measurements | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 [The organization shall determine and document: risks related to: approach to be taken for the management of risks. § 6.1.2 ¶ 1(d)] | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Actionable Reports or Measurements | Detective | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Actionable Reports or Measurements | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Business Processes | Preventive | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Actionable Reports or Measurements | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Actionable Reports or Measurements | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Business Processes | Preventive | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Business Processes | Preventive | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Business Processes | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Actionable Reports or Measurements | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Business Processes | Preventive | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Actionable Reports or Measurements | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Business Processes | Preventive | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Log Management | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Log Management | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Log Management | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Log Management | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Business Processes | Preventive | |
Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before being granted network access. CC ID 02106 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Actionable Reports or Measurements | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Business Processes | Preventive | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Business Processes | Preventive | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Actionable Reports or Measurements | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Actionable Reports or Measurements | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Business Processes | Preventive | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Technical Security | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Actionable Reports or Measurements | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Business Processes | Preventive | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Actionable Reports or Measurements | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Actionable Reports or Measurements | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Business Processes | Preventive | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Actionable Reports or Measurements | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Actionable Reports or Measurements | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Business Processes | Preventive | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Actionable Reports or Measurements | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Actionable Reports or Measurements | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Actionable Reports or Measurements | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Actionable Reports or Measurements | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Actionable Reports or Measurements | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Actionable Reports or Measurements | Detective | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Establish/Maintain Documentation | Preventive | |
Deploy log normalization tools, as necessary. CC ID 12141 | Technical Security | Preventive | |
Restrict access to logs to authorized individuals. CC ID 01342 | Log Management | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Technical Security | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Log Management | Preventive | |
Back up audit trails according to backup procedures. CC ID 11642 | Systems Continuity | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Log Management | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Log Management | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Log Management | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Log Management | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 | Log Management | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Log Management | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Log Management | Preventive | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Configuration | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Log Management | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1) The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3] | Monitor and Evaluate Occurrences | Detective | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Business Processes | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Establish/Maintain Documentation | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Establish/Maintain Documentation | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Establish/Maintain Documentation | Preventive | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitor and Evaluate Occurrences | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Establish/Maintain Documentation | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1] | Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: § 8.7.2 ¶ 2 At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Report changes in the continuity plan to senior management. CC ID 12757 | Communicate | Corrective | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)] | Systems Continuity | Corrective | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Communicate | Preventive | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Systems Continuity | Preventive | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Systems Continuity | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Establish/Maintain Documentation | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Human Resources Management | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Establish/Maintain Documentation | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Human Resources Management | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Systems Continuity | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Configuration | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Establish/Maintain Documentation | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Behavior | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Systems Continuity | Corrective | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)] | Establish/Maintain Documentation | Preventive | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [The organization shall report on the cause, impact and recovery when the service continuity plan(s) has been invoked. § 8.7.2 ¶ 5] | Establish/Maintain Documentation | Preventive | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Technical Security | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Process or Activity | Preventive | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Monitor and Evaluate Occurrences | Detective | |
Record business continuity management system performance for posterity. CC ID 12411 | Monitor and Evaluate Occurrences | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Process or Activity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Establish/Maintain Documentation | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Establish/Maintain Documentation | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Establish/Maintain Documentation | Preventive | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Establish Roles | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Communicate | Preventive | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Establish/Maintain Documentation | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Configuration | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Configuration | Preventive | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Acquisition/Sale of Assets or Services | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: service recovery requirements; § 8.7.2 ¶ 2(d)] | Establish/Maintain Documentation | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Establish/Maintain Documentation | Preventive | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Systems Continuity | Preventive | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Testing | Detective | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Communicate | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Establish/Maintain Documentation | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
Test the recovery plan, as necessary. CC ID 13290 | Testing | Detective | |
Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Communicate | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures to be implemented in the event of a major loss of service; § 8.7.2 ¶ 2(b) The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures for returning to normal working conditions. § 8.7.2 ¶ 2(e)] | Establish Roles | Preventive | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Establish/Maintain Documentation | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Communicate | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Systems Continuity | Preventive | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Systems Continuity | Preventive | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Systems Continuity | Preventive | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Systems Continuity | Corrective | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2] | Establish/Maintain Documentation | Detective | |
Review and prioritize the importance of each business unit. CC ID 01165 | Systems Continuity | Preventive | |
Review and prioritize the importance of each business process. CC ID 11689 | Establish/Maintain Documentation | Preventive | |
Document the mean time to failure for system components. CC ID 10684 | Systems Continuity | Preventive | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Audits and Risk Management | Preventive | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Establish/Maintain Documentation | Preventive | |
Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Systems Continuity | Preventive | |
Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Establish/Maintain Documentation | Preventive | |
Log important conversations conducted during emergencies with third parties. CC ID 12763 | Log Management | Preventive | |
Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Communicate | Preventive | |
Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Communicate | Corrective | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 | Establish/Maintain Documentation | Preventive | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 | Systems Continuity | Preventive | |
Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745 | Establish/Maintain Documentation | Preventive | |
Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893 [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Testing | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] | Testing | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Testing | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Testing | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Testing | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Testing | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Testing | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Testing | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Testing | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Testing | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 | Testing | Detective | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Establish/Maintain Documentation | Preventive | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 | Testing | Preventive | |
Review all third party's continuity plan test results. CC ID 01365 | Testing | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Testing | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] | Actionable Reports or Measurements | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Systems Continuity | Preventive | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] | Testing | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Testing | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 [The organization shall plan capacity to include: timescales and thresholds for changes to service capacity. § 8.4.3 ¶ 2(c) At planned intervals, the organization shall: determine current demand and forecast future demand for services; § 8.4.2 ¶ 1(a) {service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2 The organization shall plan capacity to include: current and forecast capacity based on demand for services; § 8.4.3 ¶ 2(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [{service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 | Business Processes | Preventive | |
Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)] | Business Processes | Preventive | |
Limit any effects of a Denial of Service attack. CC ID 06754 | Technical Security | Preventive | |
Implement network redundancy, as necessary. CC ID 13048 | Systems Continuity | Preventive | |
Forecast system workloads. CC ID 00938 | Testing | Detective | |
Establish, implement, and maintain workload forecasting tools. CC ID 00936 | Systems Design, Build, and Implementation | Preventive | |
Utilize resource capacity management controls. CC ID 00939 | Testing | Detective | |
Perform system capacity testing. CC ID 01616 | Testing | Detective | |
Perform system performance reviews. CC ID 11866 | Testing | Detective | |
Follow the resource workload schedule. CC ID 00941 | Business Processes | Detective | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 [Top management shall demonstrate leadership and commitment with respect to the SMS by: § 5.1 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that what constitutes value for the organization and its customers is determined; § 5.1 ¶ 1(d)] | Business Processes | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Establish/Maintain Documentation | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [Where service level targets are not met, the organization shall identify opportunities for improvement. § 8.3.3 ¶ 4 At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4 {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3 The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3 The management review shall include consideration of: opportunities for continual improvement; § 9.3 ¶ 2(d)] | Establish/Maintain Documentation | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 [Information security incidents shall be: escalated if needed; § 8.7.3.3 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1] | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within the: external suppliers, internal suppliers and other interested parties. § 8.7.3.1 ¶ 2(c) The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: § 8.7.3.1 ¶ 2 The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: the organization; § 8.7.3.1 ¶ 2(a) The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: customers and users; § 8.7.3.1 ¶ 2(b)] | Communicate | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [implementing control of the processes in accordance with the established performance criteria; § 8.1 ¶ 1(b)] | Business Processes | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Process or Activity | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Process or Activity | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Process or Activity | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Process or Activity | Corrective | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Behavior | Preventive | |
Establish, implement, and maintain a Service Management System. CC ID 13889 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the SMS achieves its intended outcome(s); § 5.1 ¶ 1(i) When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1 {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: making changes to the SMS, if necessary; § 10.2 ¶ 3(c) When a nonconformity occurs, the organization shall: make changes to the SMS, if necessary. § 10.1.1 ¶ 1(e) The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1] | Business Processes | Preventive | |
Establish and maintain a scope statement for the Service Management System. CC ID 13890 [The organization shall determine: the relevant requirements of these interested parties. § 4.2 ¶ 1(b) When planning how to achieve its service management objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1(a) The documented information for the SMS shall include: scope of the SMS; § 7.5.4 ¶ 1(a) {service management system} When determining this scope, the organization shall consider: the requirements referred to in 4.2; § 4.3 ¶ 2(b) {service management system} When determining this scope, the organization shall consider: the services delivered by the organization. § 4.3 ¶ 2(c) The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4 The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c) The organization's SMS shall include: documented information determined by the organization as being necessary for the effectiveness of the SMS. § 7.5.1 ¶ 1(b) The organization's SMS shall include: documented information required by this document; § 7.5.1 ¶ 1(a) The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include the organization's name in the scope statement for the Service Management System. CC ID 13913 [The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a service management program. CC ID 11388 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b) The service management policy shall: be available as documented information; § 5.2.2 ¶ 1(a) Other planning activities shall maintain alignment with the service management plan. § 6.3 ¶ 3 {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 When planning how to achieve its service management objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1(d) The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be updated as appropriate. § 6.2.1 ¶ 1(f) The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5 At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3 Top management shall review the organization's SMS and the services, at planned intervals, to ensure their continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1 The organization shall determine: what needs to be monitored and measured for the SMS and the services; § 9.1 ¶ 1(a) {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2 {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Communicate the service management program to interested personnel and affected parties. CC ID 13904 [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h) The service management policy shall: be communicated within the organization; § 5.2.2 ¶ 1(b) The service management policy shall: be available to interested parties, as appropriate. § 5.2.2 ¶ 1(c) The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be communicated; § 6.2.1 ¶ 1(e) Persons doing work under the organization's control shall be aware of: the service management policy; § 7.3 ¶ 1(a) The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4] | Communicate | Preventive | |
Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927 [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7] | Communicate | Preventive | |
Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924 [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7] | Communicate | Preventive | |
Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909 [Persons doing work under the organization's control shall be aware of: the implications of not conforming with the SMS requirements. § 7.3 ¶ 1(e)] | Communicate | Preventive | |
Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908 [Persons doing work under the organization's control shall be aware of: their contribution to the effectiveness of the SMS, including the benefits of improved performance; § 7.3 ¶ 1(d)] | Communicate | Preventive | |
Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907 [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)] | Communicate | Preventive | |
Include a service management plan in the service management program. CC ID 13902 [The documented information for the SMS shall include: service management plan; § 7.5.4 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Include the information security policy in the service management program. CC ID 13925 [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
Include the change management policy in the service management program. CC ID 13923 [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
Include the service management objectives in the service management program. CC ID 11389 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b) Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a) Top management shall establish a service management policy that: provides a framework for setting service management objectives; § 5.2.1 ¶ 1(b) The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be consistent with the service management policy; § 6.2.1 ¶ 1(a) {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 {organization level} The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: § 6.2.1 ¶ 1 The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b) The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3 {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: intended outcomes from delivering the new or changed services, expressed in measurable terms; § 8.5.2.1 ¶ 1(g) {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the service requirements in the service management program. CC ID 11390 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b) Top management shall establish a service management policy that: includes a commitment to satisfy applicable requirements; § 5.2.1 ¶ 1(c) {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: take into account applicable requirements; § 6.2.1 ¶ 1(c) The documented information for the SMS shall include: service requirements; § 7.5.4 ¶ 1(f) The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3 The service requirements for existing services, new services and changes to services shall be determined and documented. § 8.2.2 ¶ 1 Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: dependencies on other services; § 8.5.2.1 ¶ 1(d) {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: § 8.5.2.1 ¶ 1 {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include known limitations in the service management program. CC ID 11391 [The organization shall determine the boundaries and applicability of the SMS to establish its scope. § 4.3 ¶ 1 The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3 The service management plan shall include or contain a reference to: known limitations that can impact the SMS and the services; § 6.3 ¶ 2(b) {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include service management policies in the service management program. CC ID 11392 [Top management shall establish a service management policy that: § 5.2.1 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b) Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a) {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b) The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3 The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c) Top management shall establish a service management policy that: is appropriate to the purpose of the organization; § 5.2.1 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Assign roles and responsibilities in the service management program. CC ID 11393 [Top management shall demonstrate leadership and commitment with respect to the SMS by: directing and supporting persons to contribute to the effectiveness of the SMS and the services; § 5.1 ¶ 1(j) Top management shall assign the responsibility and authority for: ensuring that the SMS conforms to the requirement of this document; § 5.3 ¶ 2(a) Top management shall assign the responsibility and authority for: reporting on the performance of the SMS and the services to top management. § 5.3 ¶ 2(b) {responsible party} When planning how to achieve its service management objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1(c) The organization shall retain accountability for the requirements specified in this document and the delivery of the services regardless of which party is involved in performing activities to support the service lifecycle. § 8.2.3.1 ¶ 1 Top management shall ensure that the responsibilities and authorities for roles relevant to the SMS and the services are assigned and communicated within the organization. § 5.3 ¶ 1 The service management plan shall include or contain a reference to: authorities and responsibilities for the SMS and the services § 6.3 ¶ 2(d) Persons doing work under the organization's control shall be aware of: the service management objectives; § 7.3 ¶ 1(b) {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: authorities and responsibilities for design, build and transition activities; § 8.5.2.1 ¶ 1(a) {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: activities to be performed by the organization or other parties with their timescales; § 8.5.2.1 ¶ 1(b) {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: authorities and responsibilities of the parties involved in the delivery of the new or changed services; § 8.5.2.2 ¶ 1(a) The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include all resources needed to achieve the objectives in the service management program. CC ID 11394 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the resources needed for the SMS and the services are available; § 5.1 ¶ 1(g) When planning how to achieve its service management objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1(b) {necessary resource} The organization shall determine and provide the human, technical, information and financial resources needed for the establishment, implementation, maintenance and continual improvement of the SMS and the operation of the services to meet the service requirements and achieve the service management objectives. § 7.1 ¶ 1 The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1 {new service}{manpower}{technical resource}{information resource} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: human, technical, information and financial resources; § 8.5.2.1 ¶ 1(c) {manpower}{technical resource}{information resource} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for changes to human, technical, information and financial resources; § 8.5.2.2 ¶ 1(b) {manpower}{technical resource}{information resource}{service requirement} The capacity requirements for human, technical, information and financial resources shall be determined, documented and maintained taking into consideration the service and performance requirements. § 8.4.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include supply chain management procedures in the service management program. CC ID 11395 [The organization shall ensure that outsourced processes are controlled (see 8.2.3). § 8.1 ¶ 3 Other parties shall not provide or operate all services, service components or processes within the scope of the SMS. § 8.2.3.1 ¶ 3 The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5] | Establish/Maintain Documentation | Preventive | |
Include service management procedures in the service management program. CC ID 11396 [The documented information for the SMS shall include: processes of the organization's SMS; § 7.5.4 ¶ 1(e) {new service} Release and deployment management shall be used to deploy approved new or changed services into the live environment. § 8.5.2.3 ¶ 2 {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: testing needed for the new or changed services; § 8.5.2.1 ¶ 1(e) The organization shall use service design and transition in 8.5.2 for: removal of a service; § 8.5.1.2 ¶ 2(d) For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2 The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from the organization to a customer or other party; § 8.5.1.2 ¶ 2(e) The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from a customer or other party to the organization. § 8.5.1.2 ¶ 2(f)] | Establish/Maintain Documentation | Preventive | |
Include risk procedures in the service management program. CC ID 11397 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1 {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 {risk management activity} The organization shall plan: how to: integrate and implement the actions into its SMS processes; § 6.1.3 ¶ 1(b)(1) {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: impact on other services; § 8.5.2.2 ¶ 1(f) {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include continuity plans in the Service Management program. CC ID 13919 [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
Include all technologies used to support service management in the service management program. CC ID 11398 [The service management plan shall include or contain a reference to: technology used to support the SMS; § 6.3 ¶ 2(g) {necessary resource} The service management plan shall include or contain a reference to: human, technical, information and financial resources necessary to operate the SMS and the services; § 6.3 ¶ 2(e)] | Establish/Maintain Documentation | Preventive | |
Include auditing and improving service management procedures in the service management program. CC ID 11399 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: give assurance that the SMS can achieve its intended outcome(s); § 6.1.1 ¶ 1(a) Top management shall demonstrate leadership and commitment with respect to the SMS by: promoting continual improvement of the SMS and the services; § 5.1 ¶ 1(k) Top management shall establish a service management policy that: includes a commitment to continual improvement of the SMS and the services. § 5.2.1 ¶ 1(d) When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: achieve continual improvement of the SMS and the services. § 6.1.1 ¶ 1(c) When planning how to achieve its service management objectives, the organization shall determine: how the results will be evaluated. § 6.2.2 ¶ 1(e) {continuous basis} The organization shall continually improve the suitability, adequacy and effectiveness of the SMS and the services. § 10.2 ¶ 1 {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459 | Communicate | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [{external obligation} /* section 6.3 c. refers to external obligations */ The organization shall ensure that assets used to deliver services are managed to meet the service requirements and the obligations in 6.3 c). § 8.2.5 ¶ 1] | Business Processes | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Business Processes | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Establish/Maintain Documentation | Preventive | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 | Human Resources Management | Preventive | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Business Processes | Preventive | |
Include life cycle requirements in the security management program. CC ID 16392 | Establish/Maintain Documentation | Preventive | |
Include program objectives in the asset management program. CC ID 14413 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Establish/Maintain Documentation | Preventive | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Business Processes | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Establish/Maintain Documentation | Preventive | |
Define confidentiality controls. CC ID 01908 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Establish/Maintain Documentation | Preventive | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Process or Activity | Preventive | |
Define integrity controls. CC ID 01909 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Establish/Maintain Documentation | Preventive | |
Define availability controls. CC ID 01911 | Establish/Maintain Documentation | Preventive | |
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Communicate | Preventive | |
Classify assets according to the Asset Classification Policy. CC ID 07186 | Establish Roles | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Business Processes | Preventive | |
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Establish/Maintain Documentation | Preventive | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Establish Roles | Preventive | |
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Configuration | Preventive | |
Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 | Business Processes | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Establish/Maintain Documentation | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Establish/Maintain Documentation | Preventive | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Systems Design, Build, and Implementation | Preventive | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Data and Information Management | Preventive | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Establish/Maintain Documentation | Preventive | |
Categorize all major applications according to the business information they process. CC ID 07182 | Establish/Maintain Documentation | Preventive | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Establish/Maintain Documentation | Preventive | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Establish/Maintain Documentation | Preventive | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Establish/Maintain Documentation | Preventive | |
Conduct environmental surveys. CC ID 00690 | Physical and Environmental Protection | Preventive | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Establish/Maintain Documentation | Preventive | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Establish/Maintain Documentation | Preventive | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Establish/Maintain Documentation | Preventive | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Process or Activity | Preventive | |
Include software in the Information Technology inventory. CC ID 00692 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Establish/Maintain Documentation | Preventive | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Establish/Maintain Documentation | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Establish/Maintain Documentation | Preventive | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Monitor and Evaluate Occurrences | Corrective | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Monitor and Evaluate Occurrences | Corrective | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Establish/Maintain Documentation | Preventive | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Technical Security | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Technical Security | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Data and Information Management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Establish/Maintain Documentation | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Data and Information Management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Data and Information Management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Establish/Maintain Documentation | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Records Management | Preventive | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Human Resources Management | Preventive | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Technical Security | Detective | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Establish/Maintain Documentation | Preventive | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Data and Information Management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Establish/Maintain Documentation | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Establish/Maintain Documentation | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Establish/Maintain Documentation | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Establish/Maintain Documentation | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Establish/Maintain Documentation | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Establish/Maintain Documentation | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Establish/Maintain Documentation | Preventive | |
Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 | Establish/Maintain Documentation | Preventive | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Establish/Maintain Documentation | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Establish/Maintain Documentation | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Establish/Maintain Documentation | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Establish/Maintain Documentation | Preventive | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Data and Information Management | Preventive | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Establish/Maintain Documentation | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Data and Information Management | Preventive | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Establish/Maintain Documentation | Preventive | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Establish/Maintain Documentation | Preventive | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Establish/Maintain Documentation | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Establish/Maintain Documentation | Preventive | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Establish/Maintain Documentation | Preventive | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Establish/Maintain Documentation | Preventive | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Establish/Maintain Documentation | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Data and Information Management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Data and Information Management | Preventive | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Establish/Maintain Documentation | Preventive | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Establish/Maintain Documentation | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Establish/Maintain Documentation | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 | Establish/Maintain Documentation | Preventive | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Establish/Maintain Documentation | Preventive | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 | Establish/Maintain Documentation | Preventive | |
Prevent users from disabling required software. CC ID 16417 | Technical Security | Preventive | |
Establish, implement, and maintain software archives procedures. CC ID 00866 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software distribution procedures. CC ID 00894 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software license management procedures. CC ID 06639 | Establish/Maintain Documentation | Preventive | |
Automate software license monitoring, as necessary. CC ID 07057 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system redeployment program. CC ID 06276 | Establish/Maintain Documentation | Preventive | |
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Testing | Detective | |
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Behavior | Preventive | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Data and Information Management | Preventive | |
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Acquisition/Sale of Assets or Services | Preventive | |
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Establish/Maintain Documentation | Preventive | |
Redeploy systems to other organizational units, as necessary. CC ID 11452 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Establish/Maintain Documentation | Preventive | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Business Processes | Preventive | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Business Processes | Preventive | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Establish/Maintain Documentation | Preventive | |
Establish and maintain maintenance reports. CC ID 11749 | Establish/Maintain Documentation | Preventive | |
Establish and maintain system inspection reports. CC ID 06346 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Establish/Maintain Documentation | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Communicate | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Communicate | Preventive | |
Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Establish/Maintain Documentation | Preventive | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Physical and Environmental Protection | Preventive | |
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Behavior | Preventive | |
Use system components only when third party support is available. CC ID 10644 | Maintenance | Preventive | |
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Maintenance | Preventive | |
Control and monitor all maintenance tools. CC ID 01432 | Physical and Environmental Protection | Detective | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Business Processes | Preventive | |
Control remote maintenance according to the system's asset classification. CC ID 01433 | Technical Security | Preventive | |
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Configuration | Preventive | |
Approve all remote maintenance sessions. CC ID 10615 | Technical Security | Preventive | |
Log the performance of all remote maintenance. CC ID 13202 | Log Management | Preventive | |
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Technical Security | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Maintenance | Preventive | |
Conduct maintenance with authorized personnel. CC ID 01434 | Testing | Detective | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Maintenance | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Maintenance | Preventive | |
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Behavior | Preventive | |
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Establish/Maintain Documentation | Preventive | |
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Acquisition/Sale of Assets or Services | Preventive | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Behavior | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Maintenance | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Maintenance | Preventive | |
Employ dedicated systems during system maintenance. CC ID 12108 | Technical Security | Preventive | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Technical Security | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Human Resources Management | Preventive | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Physical and Environmental Protection | Preventive | |
Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Testing | Detective | |
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Establish/Maintain Documentation | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Process or Activity | Preventive | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Physical and Environmental Protection | Corrective | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Business Processes | Preventive | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Establish/Maintain Documentation | Preventive | |
Dispose of hardware and software at their life cycle end. CC ID 06278 | Business Processes | Preventive | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Business Processes | Preventive | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Establish/Maintain Documentation | Preventive | |
Include disposal procedures in disposal contracts. CC ID 13905 | Establish/Maintain Documentation | Preventive | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Business Processes | Preventive | |
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Establish/Maintain Documentation | Preventive | |
Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Testing | Detective | |
Review each system's operational readiness. CC ID 06275 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an unauthorized software list. CC ID 10601 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Assign roles and responsibilities in the customer service program. CC ID 13911 [The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1] | Human Resources Management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [Incidents shall be: escalated if needed; § 8.6.1 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Establish/Maintain Documentation | Preventive | |
Categorize the incident following an incident response. CC ID 13208 [{document} Information security incidents shall be: recorded and classified; § 8.7.3.3 ¶ 1(a) The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2 The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3 Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)] | Technical Security | Preventive | |
Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 | Establish/Maintain Documentation | Preventive | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2] | Monitor and Evaluate Occurrences | Corrective | |
Respond to and triage when an incident is detected. CC ID 06942 [Information security incidents shall be: prioritized taking into consideration the information security risk; § 8.7.3.3 ¶ 1(b) Incidents shall be: prioritized taking into consideration impact and urgency; § 8.6.1 ¶ 1(b) Problems shall be: prioritized; § 8.6.3 ¶ 2(b)] | Monitor and Evaluate Occurrences | Detective | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 [Incidents shall be: recorded and classified; § 8.6.1 ¶ 1(a) The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3 Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)] | Establish/Maintain Documentation | Detective | |
Escalate incidents, as necessary. CC ID 14861 [Problems shall be: escalated if needed; § 8.6.3 ¶ 2(c)] | Monitor and Evaluate Occurrences | Corrective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Behavior | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Process or Activity | Corrective | |
Share incident information with interested personnel and affected parties. CC ID 01212 [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Data and Information Management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
Include incident management procedures in the Incident Management program. CC ID 12689 [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 [Records of incidents shall be updated with actions taken. § 8.6.1 ¶ 2] | Records Management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 | Establish/Maintain Documentation | Preventive | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Log Management | Preventive | |
Include corrective actions in the incident management audit log. CC ID 16466 | Establish/Maintain Documentation | Preventive | |
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Log Management | Corrective | |
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Log Management | Preventive | |
Include incident record closure procedures in the Incident Management program. CC ID 01620 [Information security incidents shall be: closed. § 8.7.3.3 ¶ 1(e) Problems shall be: closed. § 8.6.3 ¶ 2(e) Incidents shall be: closed. § 8.6.1 ¶ 1(e)] | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Communicate | Preventive | |
Investigate and take action regarding help desk queries. CC ID 06324 [Service requests shall be: prioritized; § 8.6.2 ¶ 1(b) Service requests shall be: fulfilled; § 8.6.2 ¶ 1(c)] | Behavior | Corrective | |
Log help desk queries. CC ID 00848 [Service requests shall be: recorded and classified; § 8.6.2 ¶ 1(a)] | Log Management | Preventive | |
Establish, implement, and maintain help desk query escalation procedures. CC ID 00849 [Service requests shall be: closed. § 8.6.2 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
Create an incident response report following an incident response. CC ID 12700 | Establish/Maintain Documentation | Preventive | |
Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Mitigate reported incidents. CC ID 12973 [Problems shall be: resolved if possible; § 8.6.3 ¶ 2(d)] | Actionable Reports or Measurements | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Establish/Maintain Documentation | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Establish Roles | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Establish Roles | Preventive | |
Open a priority incident request after a security breach is detected. CC ID 04838 | Testing | Corrective | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Testing | Corrective | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Communicate | Corrective | |
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Establish Roles | Preventive | |
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Establish Roles | Preventive | |
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Establish Roles | Preventive | |
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Establish Roles | Preventive | |
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Establish Roles | Preventive | |
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Establish Roles | Preventive | |
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Establish Roles | Preventive | |
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Establish Roles | Preventive | |
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Establish Roles | Preventive | |
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Human Resources Management | Preventive | |
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Investigate | Detective | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Establish/Maintain Documentation | Preventive | |
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Communicate | Preventive | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [Information security incidents shall be: resolved; § 8.7.3.3 ¶ 1(d) Incidents shall be: resolved; § 8.6.1 ¶ 1(d) The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Establish/Maintain Documentation | Detective | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Establish/Maintain Documentation | Preventive | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Establish/Maintain Documentation | Preventive | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Technical Security | Corrective | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Technical Security | Corrective | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Technical Security | Corrective | |
Establish, implement, and maintain a performance management standard. CC ID 01615 [{planning requirement} establishing performance criteria for the processes based on requirements; § 8.1 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 | Business Processes | Preventive | |
Use proactive performance management. CC ID 00937 [At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3] | Business Processes | Detective | |
Utilize resource availability management controls. CC ID 00940 | Business Processes | Detective | |
Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 | Establish/Maintain Documentation | Preventive | |
Follow the maintenance schedule. CC ID 11791 | Maintenance | Preventive | |
Establish, implement, and maintain rate limiting filters. CC ID 06883 | Business Processes | Preventive | |
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 | Establish/Maintain Documentation | Preventive | |
Include exceptions in the Service Level Agreements, as necessary. CC ID 13912 [For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845 [{service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Establish/Maintain Documentation | Detective | |
Include capacity planning in Service Level Agreements. CC ID 13096 [At planned intervals, the organization shall monitor, review and report on: actual and periodic changes in workload compared to workload limits in the SLA(s). § 8.3.3 ¶ 3(b) For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2 {service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)] | Establish/Maintain Documentation | Preventive | |
Include business requirements of delivered services in the Service Level Agreement. CC ID 00840 [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: service level targets or other contractual obligations; § 8.3.4.1 ¶ 2(c)] | Establish/Maintain Documentation | Preventive | |
Include performance requirements in the Service Level Agreement. CC ID 00841 [For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cost management procedures. CC ID 00873 [Costs shall be budgeted to enable effective financial control and decision-making for services. § 8.4.1 ¶ 2 At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3] | Business Processes | Detective | |
Update the business cases for cost management procedures, as necessary. CC ID 13642 | Business Processes | Preventive | |
Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 | Investigate | Detective | |
Identify deviations in cost management procedures. CC ID 13640 | Investigate | Detective | |
Identify and allocate departmental costs. CC ID 00871 | Business Processes | Detective | |
Prepare an Information Technology budget, as necessary. CC ID 00872 [The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1] | Establish/Maintain Documentation | Detective | |
Review and approve the Information Technology budget. CC ID 13644 | Business Processes | Corrective | |
Update the Information Technology budget, as necessary. CC ID 13643 | Business Processes | Corrective | |
Compare actual Information Technology costs to forecasted Information Technology budgets. CC ID 11753 [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3] | Business Processes | Detective | |
Establish, implement, and maintain a change control program. CC ID 00886 [{information security policy} Specific policies that would be required include, but not limited to, the following: Change management § 8.5.1 A change management policy shall be established and documented to define: § 8.5.1.1 ¶ 1 A change management policy shall be established and documented to define: service components and other items that are under the control of change management; § 8.5.1.1 ¶ 1(a) A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include version control in the change control program. CC ID 13119 [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3.2(c)] | Establish/Maintain Documentation | Preventive | |
Include service design and transition in the change control program. CC ID 13920 [The organization shall use service design and transition in 8.5.2 for: changes to services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(b) The organization shall use service design and transition in 8.5.2 for: new services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(a)] | Establish/Maintain Documentation | Preventive | |
Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Maintenance | Preventive | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Technical Security | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3 The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4 {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Approve back-out plans, as necessary. CC ID 13627 [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3] | Establish/Maintain Documentation | Corrective | |
Manage change requests. CC ID 00887 [{new service} The organization shall prioritize requests for change and proposals for new or changed services to align with business needs and service management objectives, taking into consideration available resources. § 8.2.2 ¶ 4 {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2 {new service} Assessing, approving, scheduling and reviewing of new or changed services in the scope of 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 3 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: changes to the SMS including new or changed policies, plans, processes, procedures, measures and knowledge; § 8.5.2.2 ¶ 1(e) The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1 Requests for change not being managed through 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 4] | Business Processes | Preventive | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: impact on the SMS, other services, planned changes, customers, users and other interested parties. § 8.5.2.1 ¶ 1(h) A change management policy shall be established and documented to define: criteria to determine changes with the potential to have a major impact on customers or services. § 8.5.1.1 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 | Establish/Maintain Documentation | Preventive | |
Document all change requests in change request forms. CC ID 06794 [Requests for change, including proposals to add, remove or transfer services, shall be recorded and classified. § 8.5.1.2 ¶ 1 {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5] | Establish/Maintain Documentation | Preventive | |
Test proposed changes prior to their approval. CC ID 00548 [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2] | Testing | Detective | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2 The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4 {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3 {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5] | Business Processes | Detective | |
Approve tested change requests. CC ID 11783 [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3] | Data and Information Management | Preventive | |
Validate the system before implementing approved changes. CC ID 01510 | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2 Following the completion of the transition activities, the organization shall report to interested parties on the achievements against the intended outcomes. § 8.5.2.3 ¶ 3] | Behavior | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Establish/Maintain Documentation | Preventive | |
Perform emergency changes, as necessary. CC ID 12707 | Process or Activity | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Process or Activity | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments prior to approving change requests. CC ID 00888 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: capacity, service availability, service continuity and information security; § 8.5.1.3 ¶ 1(d) At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6 The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: existing services; § 8.5.1.3 ¶ 1(a) The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: other requests for change, releases and plans for deployment. § 8.5.1.3 ¶ 1(e)] | Testing | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Process or Activity | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Investigate | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Investigate | Detective | |
Implement changes according to the change control program. CC ID 11776 [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2 Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3 A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b) The organization shall use service design and transition in 8.5.2 for: categories of change that are to be managed by service design and transition according to the change management policy; § 8.5.1.2 ¶ 2(c)] | Business Processes | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Process or Activity | Preventive | |
Document the sources of all software updates. CC ID 13316 | Establish/Maintain Documentation | Preventive | |
Implement patch management software, as necessary. CC ID 12094 | Technical Security | Preventive | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Technical Security | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch log. CC ID 01642 | Establish/Maintain Documentation | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Technical Security | Detective | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Testing | Detective | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Business Processes | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Configuration | Corrective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Testing | Detective | |
Patch software. CC ID 11825 | Technical Security | Corrective | |
Patch the operating system, as necessary. CC ID 11824 | Technical Security | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Configuration | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Configuration | Corrective | |
Update computer firmware, as necessary. CC ID 11755 | Configuration | Corrective | |
Review changes to computer firmware. CC ID 12226 | Testing | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Testing | Detective | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Configuration | Corrective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Technical Security | Detective | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Behavior | Preventive | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Data and Information Management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2] | Business Processes | Corrective | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Establish/Maintain Documentation | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Testing | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3] | Testing | Detective | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Establish/Maintain Documentation | Corrective | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Configuration | Detective | |
Document approved configuration deviations. CC ID 08711 | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain production process control procedures. CC ID 06209 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a service delivery and production process Quality Management program. CC ID 07194 [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f) The management review shall include consideration of: performance of the services; § 9.3 ¶ 2(h) The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1 ¶ 1(b) The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1 ¶ 1(d) The organization shall evaluate the SMS performance against the service management objectives and evaluate the effectiveness of the SMS. The organization shall evaluate the effectiveness of the services against the service requirements. § 9.1 ¶ 3 Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4 The release shall be deployed into the live environment so that the integrity of the services and service components is maintained. § 8.5.3 ¶ 5 {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1 The service management plan shall include or contain a reference to: how the effectiveness of the SMS and the services will be measured, audited, reported and improved. § 6.3 ¶ 2(h)] | Business Processes | Detective | |
Include consumer safety quality improvement projects in the service delivery and production process Quality Management program. CC ID 07195 | Establish/Maintain Documentation | Detective | |
Assign interested personnel and affected parties to service delivery and production process quality improvement projects, as necessary. CC ID 07197 | Establish Roles | Preventive | |
Manage the creation of products and services, as necessary. CC ID 13497 [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: § 8.5.2.2 ¶ 1 {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2] | Business Processes | Preventive | |
Define the processing specifications for products and services creation requirements. CC ID 13523 | Establish/Maintain Documentation | Preventive | |
Define the processing activities to meet products and services creation requirements. CC ID 13499 [{new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2] | Business Processes | Preventive | |
Delete age-restricted content, as necessary. CC ID 15450 | Process or Activity | Preventive | |
Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 | Establish/Maintain Documentation | Preventive | |
Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 | Process or Activity | Preventive | |
Establish and maintain a service catalog. CC ID 13634 [The service management plan shall include or contain a reference to: list of services; § 6.3 ¶ 2(a) The documented information for the SMS shall include: service catalogue(s); § 7.5.4 ¶ 1(g) The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: updates to the service catalogue(s). § 8.5.2.2 ¶ 1(g)] | Establish/Maintain Documentation | Preventive | |
Include a service description in the service catalog. CC ID 13917 [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Assign unique reference numbers to all services in the service catalog. CC ID 14424 | Establish/Maintain Documentation | Preventive | |
Include service deliverables for each service description in the service catalog. CC ID 13918 [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914 [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include Service Level Agreements in the service catalog, as necessary. CC ID 13636 [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
Include Information Technology services in the service catalog, as necessary. CC ID 13635 | Establish/Maintain Documentation | Preventive | |
Base definitions of Information Technology services on their service characteristics. CC ID 13655 | Establish/Maintain Documentation | Preventive | |
Categorize services in the service catalog. CC ID 14419 | Establish/Maintain Documentation | Preventive | |
Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 | Establish/Maintain Documentation | Preventive | |
Communicate the service catalog to interested personnel and affected parties. CC ID 13910 [The organization shall provide access to appropriate parts of the service catalogue(s) to its customers, users and other interested parties. § 8.2.4 ¶ 2] | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling procedures. CC ID 11756 [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Define personal data that falls under breach notification rules. CC ID 00800 | Establish/Maintain Documentation | Preventive | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Data and Information Management | Preventive | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Data and Information Management | Preventive | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Data and Information Management | Preventive | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Data and Information Management | Preventive | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Data and Information Management | Preventive | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Data and Information Management | Preventive | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Data and Information Management | Preventive | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Data and Information Management | Preventive | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Data and Information Management | Preventive | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Data and Information Management | Preventive | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Data and Information Management | Preventive | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Data and Information Management | Preventive | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Data and Information Management | Preventive | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Data and Information Management | Preventive | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Data and Information Management | Preventive | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Data and Information Management | Preventive | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Data and Information Management | Preventive | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Data and Information Management | Preventive | |
Define an out of scope privacy breach. CC ID 04677 | Establish/Maintain Documentation | Preventive | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Business Processes | Preventive | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Monitor and Evaluate Occurrences | Preventive | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Monitor and Evaluate Occurrences | Preventive | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Monitor and Evaluate Occurrences | Preventive | |
Conduct internal data processing audits. CC ID 00374 | Testing | Detective | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Communicate | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular. | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain records management policies. CC ID 00903 [Documented information required by the SMS and by this document shall be controlled to ensure: § 7.5.3.1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain form disposition procedures. CC ID 06394 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a record classification scheme. CC ID 00914 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a business activity classification standard. CC ID 00915 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain records registration procedures. CC ID 00913 | Establish/Maintain Documentation | Detective | |
Define the terms used in the record classification scheme. CC ID 00916 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a records authentication system. CC ID 11648 | Establish/Maintain Documentation | Preventive | |
Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662 [When creating and updating documented information, the organization shall ensure appropriate: identification and description (e.g. a title, date, author or reference number); § 7.5.2 ¶ 1(a)] | Records Management | Preventive | |
Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 | Records Management | Detective | |
Establish and maintain an index of all official records. CC ID 00918 | Establish/Maintain Documentation | Preventive | |
Associate records with their security attributes. CC ID 06764 | Records Management | Preventive | |
Reconfigure the security attributes of records as the information changes. CC ID 06765 | Configuration | Preventive | |
Establish, implement, and maintain electronic signature requirements. CC ID 06219 | Establish/Maintain Documentation | Preventive | |
Implement a signature revocation service. CC ID 14417 | Business Processes | Preventive | |
Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 | Records Management | Preventive | |
Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 | Technical Security | Preventive | |
Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 | Technical Security | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Establish/Maintain Documentation | Detective | |
Store records and data in accordance with organizational standards. CC ID 16439 | Data and Information Management | Preventive | |
Remove dormant data from systems, as necessary. CC ID 13726 | Process or Activity | Preventive | |
Select the appropriate format for archived data and records. CC ID 06320 [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)] | Data and Information Management | Preventive | |
Archive appropriate records, logs, and database tables. CC ID 06321 | Records Management | Preventive | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 | Testing | Detective | |
Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 | Data and Information Management | Preventive | |
Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Data and Information Management | Preventive | |
Establish, implement, and maintain storage media retention procedures. CC ID 16277 | Establish/Maintain Documentation | Preventive | |
Determine how long to keep records and logs before disposing of them. CC ID 11661 | Process or Activity | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4 The organization shall retain documented information on the service management objectives. § 6.2.1 ¶ 2 The organization shall retain documented information as evidence of: the results of any corrective action. § 10.1.2 ¶ 1(b) The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a) {monitoring and measurement evaluation result} The organization shall retain appropriate documented information as evidence of the results. § 9.1 ¶ 2] | Records Management | Preventive | |
Define which documents and records the organization may capture. CC ID 00905 [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)] | Establish/Maintain Documentation | Detective | |
Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 | Records Management | Preventive | |
Retain all evidence of indebtedness. CC ID 11713 | Records Management | Preventive | |
Capture and maintain distribution records. CC ID 06205 | Records Management | Preventive | |
Capture and maintain Device Master Records. CC ID 06206 | Records Management | Preventive | |
Capture and maintain Device History Records. CC ID 06207 | Records Management | Preventive | |
Capture and maintain Quality System Records. CC ID 06208 | Records Management | Preventive | |
Capture and maintain logs as official records. CC ID 06319 | Log Management | Preventive | |
Capture and maintain all business records, including supporting temporary files. CC ID 06622 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 | Establish/Maintain Documentation | Preventive | |
Supervise media destruction in accordance with organizational standards. CC ID 16456 | Business Processes | Preventive | |
Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Data and Information Management | Preventive | |
Sanitize all electronic storage media before disposing of a system or redeploying a system. CC ID 01643 | Data and Information Management | Preventive | |
Degauss as a method of sanitizing electronic storage media. CC ID 00973 | Records Management | Preventive | |
Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 | Testing | Detective | |
Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Process or Activity | Preventive | |
Maintain media sanitization equipment in operational condition. CC ID 00721 | Testing | Detective | |
Use approved media sanitization equipment for destruction. CC ID 16459 | Business Processes | Preventive | |
Define each system's disposition requirements for records and logs. CC ID 11651 | Process or Activity | Preventive | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d)] | Establish/Maintain Documentation | Preventive | |
Manage the disposition status for all records. CC ID 00972 | Records Management | Preventive | |
Use a second person to confirm and sign off that manually deleted data was deleted. CC ID 12313 | Data and Information Management | Preventive | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records Management | Preventive | |
Place printed records awaiting destruction into secure containers. CC ID 12464 | Physical and Environmental Protection | Preventive | |
Destroy printed records so they cannot be reconstructed. CC ID 11779 | Physical and Environmental Protection | Preventive | |
Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Data and Information Management | Preventive | |
Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Establish/Maintain Documentation | Preventive | |
Maintain disposal records or redeployment records. CC ID 01644 [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 | Establish/Maintain Documentation | Preventive | |
Include transfer agreements in the secure record transaction standards. CC ID 14821 | Establish/Maintain Documentation | Preventive | |
Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 | Establish/Maintain Documentation | Preventive | |
Include receipt of electronic records in the transfer agreement. CC ID 14822 | Establish/Maintain Documentation | Preventive | |
Include standards for each data element in the secure record transaction standard. CC ID 06094 | Establish/Maintain Documentation | Preventive | |
Notify the supervisory authority of any changes to the required data elements. CC ID 14366 | Communicate | Corrective | |
Establish, implement, and maintain records management procedures. CC ID 11619 [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2 For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 | Business Processes | Detective | |
Establish, implement, and maintain source document authorization tracking. CC ID 01262 | Records Management | Detective | |
Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 | Process or Activity | Detective | |
Review the electronic storage media for the information the organization collects and processes. CC ID 13009 | Process or Activity | Detective | |
Remove non-public information from publicly accessible systems. CC ID 14246 | Data and Information Management | Corrective | |
Establish, implement, and maintain source document error handling tracking. CC ID 01263 | Records Management | Detective | |
Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 | Records Management | Preventive | |
Process restricted information in a secure environment. CC ID 13058 | Process or Activity | Preventive | |
Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records Management | Preventive | |
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Monitor and Evaluate Occurrences | Detective | |
Assign ownership for all electronic records. CC ID 14814 | Establish/Maintain Documentation | Preventive | |
Attribute electronic records, as necessary. CC ID 14820 | Establish/Maintain Documentation | Preventive | |
Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 | Records Management | Detective | |
Validate transactions using identifiers and credentials. CC ID 13203 | Technical Security | Preventive | |
Establish, implement, and maintain a system storage log. CC ID 13532 | Records Management | Preventive | |
Establish, implement, and maintain a system input log. CC ID 13531 | Establish/Maintain Documentation | Preventive | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 [Documented information required by the SMS and by this document shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity). § 7.5.3.1(b)] | Records Management | Preventive | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 | Monitor and Evaluate Occurrences | Detective | |
Capture the records required by organizational compliance requirements. CC ID 00912 [The documented information for the SMS shall include: records required to demonstrate evidence of conformity to the requirements of this document and the organization's SMS. § 7.5.4 ¶ 1(l) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 1(c)] | Records Management | Detective | |
Establish, implement, and maintain data completeness controls. CC ID 11649 | Process or Activity | Preventive | |
Establish, implement, and maintain authorization records. CC ID 14367 | Establish/Maintain Documentation | Preventive | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Establish/Maintain Documentation | Preventive | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Establish/Maintain Documentation | Preventive | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Establish/Maintain Documentation | Preventive | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Data and Information Management | Detective | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Data and Information Management | Preventive | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Data and Information Management | Preventive | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records Management | Preventive | |
Display required information automatically in electronic health records. CC ID 14442 | Process or Activity | Preventive | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Establish/Maintain Documentation | Preventive | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Actionable Reports or Measurements | Preventive | |
Create export summaries, as necessary. CC ID 14446 | Process or Activity | Preventive | |
Import data files into a patient's electronic health record. CC ID 14448 | Data and Information Management | Preventive | |
Export requested sections of the electronic health record. CC ID 14447 | Data and Information Management | Preventive | |
Identify patient-specific education resources. CC ID 14439 | Process or Activity | Detective | |
Establish and maintain an implantable device list. CC ID 14444 | Records Management | Preventive | |
Display the implantable device list to authorized users. CC ID 14445 | Data and Information Management | Preventive | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Business Processes | Preventive | |
Include attributes in the decision support intervention. CC ID 16766 | Data and Information Management | Preventive | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records Management | Preventive | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records Management | Preventive | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records Management | Preventive | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records Management | Preventive | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records Management | Preventive | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Log Management | Preventive | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Log Management | Preventive | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Establish/Maintain Documentation | Preventive | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Log Management | Preventive | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Log Management | Preventive | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Log Management | Preventive | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Log Management | Preventive | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Log Management | Preventive | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Log Management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Log Management | Preventive | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Log Management | Preventive | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Log Management | Preventive | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Log Management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Log Management | Preventive | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Log Management | Preventive | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Log Management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records Management | Preventive | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Log Management | Preventive | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Log Management | Preventive | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Log Management | Preventive | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Log Management | Preventive | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records Management | Preventive | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Log Management | Preventive | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Log Management | Preventive | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Log Management | Preventive | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Data and Information Management | Detective | |
Establish, implement, and maintain data availability controls. CC ID 15301 | Data and Information Management | Preventive | |
Include record integrity techniques in the records management procedures. CC ID 06418 | Establish/Maintain Documentation | Preventive | |
Note the location of the original in electronic records converted from printed records. CC ID 11809 | Records Management | Preventive | |
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Establish/Maintain Documentation | Preventive | |
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Business Processes | Preventive | |
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Business Processes | Preventive | |
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 | Business Processes | Preventive | |
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Business Processes | Preventive | |
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records Management | Preventive | |
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Business Processes | Preventive | |
Control error handling when data is being inputted. CC ID 00922 | Data and Information Management | Detective | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 | Technical Security | Preventive | |
Use automated entry devices to reduce errors during data input. CC ID 06626 | Data and Information Management | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 | Establish Roles | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records Management | Detective | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Process or Activity | Preventive | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Data and Information Management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Establish/Maintain Documentation | Preventive | |
Label restricted storage media appropriately. CC ID 00966 | Data and Information Management | Preventive | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records Management | Detective | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Establish/Maintain Documentation | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Establish/Maintain Documentation | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Data and Information Management | Preventive | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Technical Security | Preventive | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Establish/Maintain Documentation | Preventive | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Establish/Maintain Documentation | Preventive | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Establish/Maintain Documentation | Preventive | |
Establish policy-based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Establish/Maintain Documentation | Preventive | |
Establish and maintain access controls for all records. CC ID 00371 [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2 For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)] | Records Management | Preventive | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Data and Information Management | Preventive | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)] | Establish/Maintain Documentation | Preventive | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Technical Security | Preventive | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records Management | Preventive | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records Management | Preventive | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records Management | Preventive | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Technical Security | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)] | Records Management | Preventive | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Testing | Detective | |
Provide encryption for different types of electronic storage media. CC ID 00945 | Technical Security | Preventive | |
Implement electronic storage media integrity controls. CC ID 00946 | Configuration | Preventive | |
Automate electronic storage media integrity check controls. CC ID 00948 | Configuration | Preventive | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Configuration | Preventive | |
Provide audit trails for all pertinent records. CC ID 00372 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 | Log Management | Preventive | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Establish/Maintain Documentation | Preventive | |
Include the date and time in the removable storage media log. CC ID 12318 | Establish/Maintain Documentation | Preventive | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Establish/Maintain Documentation | Preventive | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Establish/Maintain Documentation | Preventive | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Establish/Maintain Documentation | Preventive | |
Include the sender's name in the removable storage media log. CC ID 12752 | Establish/Maintain Documentation | Preventive | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Establish/Maintain Documentation | Preventive | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Process or Activity | Preventive | |
Identify electronic storage media that require downgrading. CC ID 10620 | Process or Activity | Detective | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Process or Activity | Corrective | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Establish/Maintain Documentation | Preventive | |
Test the storage media downgrade for correct performance. CC ID 10623 | Testing | Detective | |
Establish, implement, and maintain output distribution procedures. CC ID 00927 [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)] | Establish/Maintain Documentation | Preventive | |
Include printed output in output distribution procedures. CC ID 13477 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain document retention procedures. CC ID 11660 [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d) The organization shall retain documented information as evidence of: § 10.1.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain output balancing audit trails. CC ID 00928 | Establish/Maintain Documentation | Detective | |
Establish and maintain an error suspense file for rejected transactions. CC ID 06623 | Records Management | Preventive | |
Establish and maintain reconciliation audit trails. CC ID 11647 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing output log. CC ID 06624 | Log Management | Preventive | |
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 | Establish/Maintain Documentation | Preventive | |
Review and approve output exceptions. CC ID 06625 | Records Management | Preventive | |
Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 | Testing | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 [{new service} The CIs affected by new or changed services shall be managed through configuration management. § 8.5.2.1 ¶ 4 {be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4] | Business Processes | Preventive | |
Establish, implement, and maintain appropriate system labeling. CC ID 01900 | Establish/Maintain Documentation | Preventive | |
Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 | Establish/Maintain Documentation | Preventive | |
Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 | Establish/Maintain Documentation | Preventive | |
Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 | Configuration | Preventive | |
Establish, implement, and maintain a configuration management policy. CC ID 14023 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain configuration management procedures. CC ID 14074 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | Communicate | Preventive | |
Include compliance requirements in the configuration management policy. CC ID 14072 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the configuration management policy. CC ID 14071 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the configuration management policy. CC ID 14070 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the configuration management policy. CC ID 14069 | Establish/Maintain Documentation | Preventive | |
Include the scope in the configuration management policy. CC ID 14068 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the configuration management policy. CC ID 14067 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 | Communicate | Preventive | |
Establish, implement, and maintain a configuration management plan. CC ID 01901 | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the configuration management plan. CC ID 14248 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the configuration management plan. CC ID 14247 | Establish/Maintain Documentation | Preventive | |
Approve the configuration management plan. CC ID 14717 | Business Processes | Preventive | |
Establish, implement, and maintain system tracking documentation. CC ID 15266 | Establish/Maintain Documentation | Preventive | |
Include prioritization codes in the system tracking documentation. CC ID 15283 | Establish/Maintain Documentation | Preventive | |
Include the type and category of the request in the system tracking documentation. CC ID 15281 | Establish/Maintain Documentation | Preventive | |
Include contact information in the system tracking documentation. CC ID 15280 | Establish/Maintain Documentation | Preventive | |
Include the username in the system tracking documentation. CC ID 15278 | Establish/Maintain Documentation | Preventive | |
Include a problem description in the system tracking documentation. CC ID 15276 | Establish/Maintain Documentation | Preventive | |
Include affected systems in the system tracking documentation. CC ID 15275 | Establish/Maintain Documentation | Preventive | |
Include root causes in the system tracking documentation. CC ID 15274 | Establish/Maintain Documentation | Preventive | |
Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 | Establish/Maintain Documentation | Preventive | |
Include current status in the system tracking documentation. CC ID 15272 | Establish/Maintain Documentation | Preventive | |
Employ the Configuration Management program. CC ID 11904 | Configuration | Preventive | |
Record Configuration Management items in the Configuration Management database. CC ID 00861 | Establish/Maintain Documentation | Preventive | |
Test network access controls for proper Configuration Management settings. CC ID 01281 | Testing | Detective | |
Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946 [Configuration information shall be made available for other service management activities as appropriate. § 8.2.6 ¶ 5] | Communicate | Preventive | |
Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 | Establish/Maintain Documentation | Preventive | |
Document external connections for all systems. CC ID 06415 | Configuration | Preventive | |
Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [Before deployment of a release into the live environment, a baseline of the affected CIs shall be taken. § 8.5.3 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | Establish/Maintain Documentation | Preventive | |
Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | Establish/Maintain Documentation | Preventive | |
Include the applied security patches in the baseline configuration. CC ID 13271 | Establish/Maintain Documentation | Preventive | |
Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | Establish/Maintain Documentation | Preventive | |
Include installed custom software in the baseline configuration. CC ID 13274 | Establish/Maintain Documentation | Preventive | |
Include network ports in the baseline configuration. CC ID 13273 | Establish/Maintain Documentation | Preventive | |
Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | Establish/Maintain Documentation | Preventive | |
Include backup procedures in the Configuration Management policy. CC ID 01314 | Establish/Maintain Documentation | Preventive | |
Identify and document the system's Configurable Items. CC ID 02133 [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2 The types of CI shall be defined. Services shall be classified as CIs. § 8.2.6 ¶ 1 Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: type of CI; § 8.2.6 ¶ 2(b) Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: description of the CI; § 8.2.6 ¶ 2(c) Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: status. § 8.2.6 ¶ 2(e)] | Establish/Maintain Documentation | Preventive | |
Define the relationships and dependencies between Configurable Items. CC ID 02134 [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: relationship with other CIs; § 8.2.6 ¶ 2(d)] | Establish/Maintain Documentation | Preventive | |
Trace each Configurable Item throughout the systems' life cycle. CC ID 02135 [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3 Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: unique identification; § 8.2.6 ¶ 2(a)] | Establish/Maintain Documentation | Preventive | |
Approve each system's Configurable Items (and changes to those Configurable Items). CC ID 04887 | Technical Security | Preventive | |
Request an acknowledgment from the system owner of the system's configuration. CC ID 10602 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | Configuration | Preventive | |
Configure all logs to capture auditable events or actionable events. CC ID 06332 | Configuration | Preventive | |
Configure the log to capture configuration changes. CC ID 06881 [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3] | Configuration | Preventive | |
Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 | Configuration | Preventive | |
Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 | Log Management | Detective | |
Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 | Log Management | Preventive | |
Configure the log to capture all changes to certificates. CC ID 05595 | Configuration | Preventive | |
Configure the log to capture user authenticator changes. CC ID 01917 | Log Management | Detective | |
Audit the configuration of organizational assets, as necessary. CC ID 13653 [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3] | Audits and Risk Management | Detective | |
Audit assets after maintenance was performed. CC ID 13657 | Audits and Risk Management | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Establish/Maintain Documentation | Preventive | |
Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 | Testing | Detective | |
Assess the continuity requirements during the planning and development stage for new products and services. CC ID 12779 [At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1] | Process or Activity | Preventive | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems Design, Build, and Implementation | Preventive | |
Manage the system implementation process. CC ID 01115 | Behavior | Preventive | |
Determine if the project is complete after all implementation tasks are finished. CC ID 06912 [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: service acceptance criteria; § 8.5.2.1 ¶ 1(f)] | Testing | Detective | |
Establish, implement, and maintain a product and service release log. CC ID 13705 [The organization shall define the types of release, including emergency release, their frequency and how they are to be managed. § 8.5.3 ¶ 1 Records of service requests shall be updated with actions taken. § 8.6.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include the name of the person authorizing the release of products and services in the product and service release log. CC ID 13707 | Establish/Maintain Documentation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
Control access rights to organizational assets. CC ID 00004 [The organization shall define and manage the interfaces with the external supplier. § 8.3.4.1 ¶ 4] | Technical Security | Preventive | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Configuration | Preventive | |
Add all devices requiring access control to the Access Control List. CC ID 06264 | Establish/Maintain Documentation | Preventive | |
Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical Security | Preventive | |
Disallow application IDs from running as privileged users. CC ID 10050 | Configuration | Detective | |
Define roles for information systems. CC ID 12454 | Human Resources Management | Preventive | |
Define access needs for each role assigned to an information system. CC ID 12455 | Human Resources Management | Preventive | |
Define access needs for each system component of an information system. CC ID 12456 | Technical Security | Preventive | |
Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical Security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 | Technical Security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical Security | Preventive | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical Security | Preventive | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Configuration | Preventive | |
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical Security | Preventive | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical Security | Preventive | |
Establish, implement, and maintain session lock capabilities. CC ID 01417 | Configuration | Preventive | |
Limit concurrent sessions according to account type. CC ID 01416 | Configuration | Preventive | |
Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical Security | Preventive | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Configuration | Preventive | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Configuration | Preventive | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Configuration | Preventive | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Configuration | Preventive | |
Enable access control for objects and users on each system. CC ID 04553 | Configuration | Preventive | |
Include all system components in the access control system. CC ID 11939 | Technical Security | Preventive | |
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Process or Activity | Preventive | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical Security | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical Security | Preventive | |
Include the objects and users subject to access control in the security policy. CC ID 11836 | Establish/Maintain Documentation | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
Enforce access restrictions for change control. CC ID 01428 | Technical Security | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 | Data and Information Management | Preventive | |
Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical Security | Preventive | |
Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Testing | Detective | |
Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical Security | Preventive | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Establish/Maintain Documentation | Preventive | |
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Establish/Maintain Documentation | Preventive | |
Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical Security | Preventive | |
Display previous logon information in the logon banner. CC ID 01415 | Configuration | Preventive | |
Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Establish/Maintain Documentation | Preventive | |
Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical Security | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [The service management plan shall include or contain a reference to: approach to be taken for working with other parties involved in the service lifecycle; § 6.3 ¶ 2(f) The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 [At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6] | Establish/Maintain Documentation | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [The documented information for the SMS shall include: contracts with external suppliers; § 7.5.4 ¶ 1(i) For each internal supplier or customer acting as a supplier, the organization shall develop, agree and maintain a documented agreement to define the service level targets, other commitments, activities and interfaces between the parties. § 8.3.4.2 ¶ 1 For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: § 8.3.4.1 ¶ 2 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)] | Process or Activity | Detective | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 [The documented information for the SMS shall include: agreements with internal suppliers or customers acting as a supplier; § 7.5.4 ¶ 1(j)] | Establish/Maintain Documentation | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Establish/Maintain Documentation | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Establish/Maintain Documentation | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: scope of the services, service components, processes or parts of processes to be provided or operated by the external supplier; § 8.3.4.1 ¶ 2(a)] | Establish/Maintain Documentation | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Establish/Maintain Documentation | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Establish/Maintain Documentation | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Establish/Maintain Documentation | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: authorities and responsibilities of the organization and the external supplier. § 8.3.4.1 ¶ 2(d)] | Business Processes | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Establish/Maintain Documentation | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Establish/Maintain Documentation | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Establish/Maintain Documentation | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Establish/Maintain Documentation | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Establish/Maintain Documentation | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Establish/Maintain Documentation | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 | Establish/Maintain Documentation | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Establish/Maintain Documentation | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Establish/Maintain Documentation | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Establish/Maintain Documentation | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Establish/Maintain Documentation | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Establish/Maintain Documentation | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: requirements to be met by the external supplier; § 8.3.4.1 ¶ 2(b)] | Establish/Maintain Documentation | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Establish/Maintain Documentation | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Establish/Maintain Documentation | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Establish/Maintain Documentation | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Establish/Maintain Documentation | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 | Establish/Maintain Documentation | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Establish/Maintain Documentation | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Establish/Maintain Documentation | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 [Disputes between the organization and the external supplier shall be recorded and managed to closure. § 8.3.4.1 ¶ 7] | Establish/Maintain Documentation | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 | Establish/Maintain Documentation | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Establish/Maintain Documentation | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Establish/Maintain Documentation | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Establish/Maintain Documentation | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Establish/Maintain Documentation | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Testing | Detective | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Establish/Maintain Documentation | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Testing | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Testing | Detective | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
Establish the third party's service continuity. CC ID 00797 | Testing | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Data and Information Management | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective | |
Include disclosure requirements in third party contracts. CC ID 08825 | Business Processes | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Establish/Maintain Documentation | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 [The organization shall determine and document: service components that are provided or operated by other parties; § 8.2.3.1 ¶ 4(b)] | Establish/Maintain Documentation | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2] | Establish/Maintain Documentation | Detective | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Establish/Maintain Documentation | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Establish/Maintain Documentation | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Establish/Maintain Documentation | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Communicate | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Establish/Maintain Documentation | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Establish/Maintain Documentation | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [The organization shall determine and document: services that are provided or operated by other parties; § 8.2.3.1 ¶ 4(a) The organization shall determine and document: processes, or parts of processes, in the organization's SMS that are operated by other parties. § 8.2.3.1 ¶ 4(c)] | Establish/Maintain Documentation | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Establish/Maintain Documentation | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Establish/Maintain Documentation | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Establish/Maintain Documentation | Preventive | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Business Processes | Preventive | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Establish/Maintain Documentation | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Establish/Maintain Documentation | Preventive | |
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [The documented information for the SMS shall include: service level agreement(s) (SLA); § 7.5.4 ¶ 1(h) For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2] | Process or Activity | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3] | Establish/Maintain Documentation | Detective | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Establish Roles | Preventive | |
Approve all Service Level Agreements. CC ID 00843 | Establish/Maintain Documentation | Detective | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Business Processes | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Establish/Maintain Documentation | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3] | Business Processes | Corrective | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [The organization shall determine and document: risks related to: the involvement of other parties in the service lifecycle; § 6.1.2 ¶ 1(a)(3)] | Testing | Detective | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Business Processes | Preventive | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Establish/Maintain Documentation | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Establish/Maintain Documentation | Preventive | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Business Processes | Preventive | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Establish/Maintain Documentation | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Establish/Maintain Documentation | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 | Establish/Maintain Documentation | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Implement measurable improvement plans with all third parties. CC ID 08815 [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2 At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5] | Business Processes | Preventive | |
Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 | Business Processes | Preventive | |
Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 [The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1] | Business Processes | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2] | Business Processes | Detective | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Business Processes | Detective | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring there is control of other parties involved in the service lifecycle; § 5.1 ¶ 1(e) The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1 At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5 The management review shall include consideration of: performance of other parties involved in the delivery of the services; § 9.3 ¶ 2(i)] | Monitor and Evaluate Occurrences | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Monitor and Evaluate Occurrences | Detective | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2] | Business Processes | Preventive | |
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Business Processes | Preventive | |
Provide products or services per customer requests. CC ID 08893 [The organization and the customer shall agree the services to be delivered. § 8.3.3 ¶ 1] | Business Processes | Preventive | |
Establish, implement, and maintain information security controls for the supply chain. CC ID 13109 [The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of process performance; § 8.2.3.2(a) The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of the effectiveness of services and service components in meeting the service requirements. § 8.2.3.2(b) The organization shall define and apply relevant controls for other parties from the following: § 8.2.3.2 The organization shall agree and implement information security controls to address information security risks related to external organizations. § 8.7.3.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Preventive | |
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Operational management | Preventive | |
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Preventive | |
Plan for selling facilities, technology, or services. CC ID 06893 [For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3] | Acquisition or sale of facilities, technology, and services | Preventive | |
Refrain from providing products and services, as necessary. CC ID 15580 | Acquisition or sale of facilities, technology, and services | Preventive | |
Determine if there is a need for the product or service being sold. CC ID 06894 | Acquisition or sale of facilities, technology, and services | Preventive | |
Identify new business opportunities based on product or service need, the business strategy, and action plan. CC ID 06901 | Acquisition or sale of facilities, technology, and services | Preventive | |
Develop product solicitation responses and service solicitation responses. CC ID 06896 | Acquisition or sale of facilities, technology, and services | Preventive | |
Prevent the creation or distribution of devices designed to circumvent security measures. CC ID 11514 | Acquisition or sale of facilities, technology, and services | Preventive | |
Provide a product warranty or service warranty. CC ID 11601 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain equipment shipping procedures. CC ID 11449 | Acquisition or sale of facilities, technology, and services | Preventive | |
Preserve products created for sale prior to shipping. CC ID 11602 | Acquisition or sale of facilities, technology, and services | Preventive | |
Clean and maintain products prior to shipping. CC ID 11603 | Acquisition or sale of facilities, technology, and services | Preventive | |
Detect and remove foreign objects from products prior to shipping. CC ID 11604 | Acquisition or sale of facilities, technology, and services | Preventive | |
Handle products with due care prior to shipping. CC ID 11605 | Acquisition or sale of facilities, technology, and services | Preventive | |
Attach safety warnings to products prior to shipping. CC ID 11606 | Acquisition or sale of facilities, technology, and services | Preventive | |
Rotate the stock of products prior to shipping. CC ID 11607 | Acquisition or sale of facilities, technology, and services | Preventive | |
Process product return requests. CC ID 11598 | Acquisition or sale of facilities, technology, and services | Corrective | |
Refrain from returning products absent a return request authorization. CC ID 11599 | Acquisition or sale of facilities, technology, and services | Corrective | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Preventive | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 | Leadership and high level objectives | Preventive | |
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Leadership and high level objectives | Preventive | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Leadership and high level objectives | Preventive | |
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Leadership and high level objectives | Preventive | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Detective | |
Report on the policies and controls that have been implemented by management. CC ID 01670 [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: reporting on implemented improvements. § 10.2 ¶ 3(e)] | Monitoring and measurement | Detective | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Detective | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Detective | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2(a)] | Monitoring and measurement | Detective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Detective | |
Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Detective | |
Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Detective | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 [The organization shall determine and document: risks related to: approach to be taken for the management of risks. § 6.1.2 ¶ 1(d)] | Monitoring and measurement | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Detective | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Detective | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Detective | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Detective | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Detective | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Detective | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Detective | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Monitoring and measurement | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Detective | |
Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 | Monitoring and measurement | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Detective | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Detective | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Detective | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Detective | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Preventive | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ (e)] | Audits and risk management | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Preventive | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Corrective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] | Operational and Systems Continuity | Preventive | |
Mitigate reported incidents. CC ID 12973 [Problems shall be: resolved if possible; § 8.6.3 ¶ 2(d)] | Operational management | Preventive | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Preventive | |
Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5] | Acquisition or sale of facilities, technology, and services | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Preventive | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Preventive | |
Manage supply chain audits. CC ID 01203 | Audits and risk management | Preventive | |
Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Preventive | |
Rotate auditors, as necessary. CC ID 15589 | Audits and risk management | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and risk management | Preventive | |
Review the external audit scope, as necessary. CC ID 01202 | Audits and risk management | Preventive | |
Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and risk management | Detective | |
Review the external auditor's qualifications. CC ID 01197 | Audits and risk management | Preventive | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and risk management | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Detective | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and risk management | Preventive | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Detective | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Preventive | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Preventive | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)] | Audits and risk management | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Detective | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the organization's own requirements for its SMS; § 9.2.1 ¶ 1(a)(1) The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the requirements of this document; § 9.2.1 ¶ 1(a)(2) The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: is effectively implemented and maintained. § 9.2.1 ¶ 1(b) The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)] | Audits and risk management | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
Refrain from examining forecasts and projections that do not disclose their assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Preventive | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Preventive | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Detective | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 | Audits and risk management | Preventive | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Corrective | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Detective | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Detective | |
Review management's response to issues raised in past audit reports. CC ID 01149 [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1)] | Audits and risk management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Detective | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [The organization shall determine and document: risks related to: not meeting the service requirements; § 6.1.2 ¶ 1(a)(2)] | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Preventive | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Preventive | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Preventive | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and risk management | Detective | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: prevent, or reduce, undesired effects; § 6.1.1 ¶ 1(b) The organization shall determine and document: risks related to: the organization; § 6.1.2 ¶ 1(a)(1)] | Audits and risk management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)] | Audits and risk management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1] | Audits and risk management | Preventive | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Preventive | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Preventive | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Preventive | |
Audit the configuration of organizational assets, as necessary. CC ID 13653 [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3] | System hardening through configuration management | Detective | |
Audit assets after maintenance was performed. CC ID 13657 | System hardening through configuration management | Detective | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Leadership and high level objectives | Preventive | |
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 | Leadership and high level objectives | Preventive | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Corrective | |
Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Audits and risk management | Preventive | |
Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Audits and risk management | Preventive | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Detective | |
Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Preventive | |
Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 | Audits and risk management | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)] | Human Resources management | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 | Human Resources management | Preventive | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)] | Human Resources management | Preventive | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 [{be relevant} Persons doing work under the organization's control shall be aware of: the services relevant to their work; § 7.3 ¶ 1(c) The organization shall determine and maintain the knowledge necessary to support the operation of the SMS and the services. § 7.6 ¶ 1 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)] | Human Resources management | Preventive | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Preventive | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Preventive | |
Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Preventive | |
Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Corrective | |
Conduct crime prevention training. CC ID 06350 | Human Resources management | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Preventive | |
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Operational management | Preventive | |
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Operational management | Preventive | |
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Preventive | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Preventive | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
Investigate and take action regarding help desk queries. CC ID 06324 [Service requests shall be: prioritized; § 8.6.2 ¶ 1(b) Service requests shall be: fulfilled; § 8.6.2 ¶ 1(c)] | Operational management | Corrective | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2 Following the completion of the transition activities, the organization shall report to interested parties on the achievements against the intended outcomes. § 8.5.2.3 ¶ 3] | Operational management | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Preventive | |
Manage the system implementation process. CC ID 01115 | Systems design, build, and implementation | Preventive | |
Notify the complainant regarding any missing information in the take-down request. CC ID 09973 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1] | Leadership and high level objectives | Preventive | |
Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Preventive | |
Analyze the business environment in which the organization operates. CC ID 12798 | Leadership and high level objectives | Preventive | |
Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 | Leadership and high level objectives | Preventive | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 | Leadership and high level objectives | Preventive | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Preventive | |
Include society in the analysis of the external environment. CC ID 12963 | Leadership and high level objectives | Preventive | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Preventive | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Preventive | |
Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Preventive | |
Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Preventive | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Preventive | |
Include legal requirements in the analysis of the external environment. CC ID 12896 | Leadership and high level objectives | Preventive | |
Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Preventive | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 | Leadership and high level objectives | Preventive | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 | Leadership and high level objectives | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 [{applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1] | Leadership and high level objectives | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a) {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)] | Leadership and high level objectives | Preventive | |
Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1] | Leadership and high level objectives | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Preventive | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 | Leadership and high level objectives | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3] | Leadership and high level objectives | Detective | |
Correct errors and deficiencies in a timely manner. CC ID 13501 | Leadership and high level objectives | Corrective | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Detective | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)] | Leadership and high level objectives | Detective | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Leadership and high level objectives | Preventive | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Leadership and high level objectives | Corrective | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 | Leadership and high level objectives | Preventive | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Preventive | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Preventive | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Preventive | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Preventive | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Audits and risk management | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Corrective | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1] | Audits and risk management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Preventive | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Preventive | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Preventive | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Audits and risk management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Audits and risk management | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Preventive | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Preventive | |
Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Preventive | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 [{interested party} Instructions for the fulfilment of service requests shall be made available to persons involved in service request fulfilment. § 8.6.2 ¶ 3 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)] | Human Resources management | Preventive | |
Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 | Operational management | Preventive | |
Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)] | Operational management | Preventive | |
Follow the resource workload schedule. CC ID 00941 | Operational management | Detective | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 [Top management shall demonstrate leadership and commitment with respect to the SMS by: § 5.1 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that what constitutes value for the organization and its customers is determined; § 5.1 ¶ 1(d)] | Operational management | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [implementing control of the processes in accordance with the established performance criteria; § 8.1 ¶ 1(b)] | Operational management | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive | |
Establish, implement, and maintain a Service Management System. CC ID 13889 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the SMS achieves its intended outcome(s); § 5.1 ¶ 1(i) When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1 {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: making changes to the SMS, if necessary; § 10.2 ¶ 3(c) When a nonconformity occurs, the organization shall: make changes to the SMS, if necessary. § 10.1.1 ¶ 1(e) The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1] | Operational management | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [{external obligation} /* section 6.3 c. refers to external obligations */ The organization shall ensure that assets used to deliver services are managed to meet the service requirements and the obligations in 6.3 c). § 8.2.5 ¶ 1] | Operational management | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Preventive | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Preventive | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 | Operational management | Preventive | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Preventive | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Preventive | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Preventive | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Operational management | Preventive | |
Dispose of hardware and software at their life cycle end. CC ID 06278 | Operational management | Preventive | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Preventive | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 | Operational management | Preventive | |
Use proactive performance management. CC ID 00937 [At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3] | Operational management | Detective | |
Utilize resource availability management controls. CC ID 00940 | Operational management | Detective | |
Establish, implement, and maintain rate limiting filters. CC ID 06883 | Operational management | Preventive | |
Establish, implement, and maintain cost management procedures. CC ID 00873 [Costs shall be budgeted to enable effective financial control and decision-making for services. § 8.4.1 ¶ 2 At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3] | Operational management | Detective | |
Update the business cases for cost management procedures, as necessary. CC ID 13642 | Operational management | Preventive | |
Identify and allocate departmental costs. CC ID 00871 | Operational management | Detective | |
Review and approve the Information Technology budget. CC ID 13644 | Operational management | Corrective | |
Update the Information Technology budget, as necessary. CC ID 13643 | Operational management | Corrective | |
Compare actual Information Technology costs to forecasted Information Technology budgets. CC ID 11753 [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3] | Operational management | Detective | |
Manage change requests. CC ID 00887 [{new service} The organization shall prioritize requests for change and proposals for new or changed services to align with business needs and service management objectives, taking into consideration available resources. § 8.2.2 ¶ 4 {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2 {new service} Assessing, approving, scheduling and reviewing of new or changed services in the scope of 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 3 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: changes to the SMS including new or changed policies, plans, processes, procedures, measures and knowledge; § 8.5.2.2 ¶ 1(e) The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1 Requests for change not being managed through 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 4] | Operational management | Preventive | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2 The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4 {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3 {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5] | Operational management | Detective | |
Implement changes according to the change control program. CC ID 11776 [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2 Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3 A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b) The organization shall use service design and transition in 8.5.2 for: categories of change that are to be managed by service design and transition according to the change management policy; § 8.5.1.2 ¶ 2(c)] | Operational management | Preventive | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Operational management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2] | Operational management | Corrective | |
Establish, implement, and maintain a service delivery and production process Quality Management program. CC ID 07194 [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f) The management review shall include consideration of: performance of the services; § 9.3 ¶ 2(h) The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1 ¶ 1(b) The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1 ¶ 1(d) The organization shall evaluate the SMS performance against the service management objectives and evaluate the effectiveness of the SMS. The organization shall evaluate the effectiveness of the services against the service requirements. § 9.1 ¶ 3 Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4 The release shall be deployed into the live environment so that the integrity of the services and service components is maintained. § 8.5.3 ¶ 5 {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1 The service management plan shall include or contain a reference to: how the effectiveness of the SMS and the services will be measured, audited, reported and improved. § 6.3 ¶ 2(h)] | Operational management | Detective | |
Manage the creation of products and services, as necessary. CC ID 13497 [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: § 8.5.2.2 ¶ 1 {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2] | Operational management | Preventive | |
Define the processing activities to meet products and services creation requirements. CC ID 13499 [{new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2] | Operational management | Preventive | |
Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4] | System hardening through configuration management | Preventive | |
Approve the configuration management plan. CC ID 14717 | System hardening through configuration management | Preventive | |
Implement a signature revocation service. CC ID 14417 | Records management | Preventive | |
Supervise media destruction in accordance with organizational standards. CC ID 16456 | Records management | Preventive | |
Use approved media sanitization equipment for destruction. CC ID 16459 | Records management | Preventive | |
Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 | Records management | Detective | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Preventive | |
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Records management | Preventive | |
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Records management | Preventive | |
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 | Records management | Preventive | |
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Records management | Preventive | |
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Records management | Preventive | |
Provide identification mechanisms for the organization's supply chain members. CC ID 12201 | Acquisition or sale of facilities, technology, and services | Preventive | |
Refrain from charging a fee for the provision of services, as necessary. CC ID 14212 | Acquisition or sale of facilities, technology, and services | Preventive | |
Ship goods or provide services to consumers in the agreed upon time frame. CC ID 08618 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a consumer complaint management program. CC ID 04570 [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5] | Acquisition or sale of facilities, technology, and services | Preventive | |
Document consumer complaints. CC ID 13903 [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5] | Acquisition or sale of facilities, technology, and services | Preventive | |
Include complete information in the take-down request. CC ID 09965 | Acquisition or sale of facilities, technology, and services | Detective | |
Include the complainant's contact information in the take-down request. CC ID 09966 | Acquisition or sale of facilities, technology, and services | Detective | |
Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 | Acquisition or sale of facilities, technology, and services | Detective | |
Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 | Acquisition or sale of facilities, technology, and services | Detective | |
Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 | Acquisition or sale of facilities, technology, and services | Detective | |
Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 | Acquisition or sale of facilities, technology, and services | Detective | |
Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 | Acquisition or sale of facilities, technology, and services | Detective | |
Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 | Acquisition or sale of facilities, technology, and services | Detective | |
Remove all unlawful material associated with the take-down request that has not been removed and is feasible to remove. CC ID 09978 | Acquisition or sale of facilities, technology, and services | Preventive | |
Notify the complainant when all unlawful material associated with the take-down notice that can be removed has been removed. CC ID 09979 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: authorities and responsibilities of the organization and the external supplier. § 8.3.4.1 ¶ 2(d)] | Third Party and supply chain oversight | Preventive | |
Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Preventive | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Third Party and supply chain oversight | Preventive | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3] | Third Party and supply chain oversight | Corrective | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Third Party and supply chain oversight | Preventive | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Preventive | |
Implement measurable improvement plans with all third parties. CC ID 08815 [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2 At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 | Third Party and supply chain oversight | Preventive | |
Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 [The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1] | Third Party and supply chain oversight | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2] | Third Party and supply chain oversight | Detective | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Third Party and supply chain oversight | Detective | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Preventive | |
Provide products or services per customer requests. CC ID 08893 [The organization and the customer shall agree the services to be delivered. § 8.3.3 ¶ 1] | Third Party and supply chain oversight | Preventive | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Preventive | |
Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Leadership and high level objectives | Preventive | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Corrective | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 [Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4] | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Preventive | |
Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Monitoring and measurement | Detective | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Detective | |
Communicate trends in service management to all interested personnel and affected parties. CC ID 13926 [Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2] | Monitoring and measurement | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Preventive | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Preventive | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Preventive | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Preventive | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Preventive | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
Report changes in the continuity plan to senior management. CC ID 12757 | Operational and Systems Continuity | Corrective | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Preventive | |
Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Operational and Systems Continuity | Preventive | |
Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Operational and Systems Continuity | Corrective | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: the organization; customers and users; external suppliers, internal suppliers and other interested parties. § 8.7.3.1 ¶ 2, ¶ 2(a), ¶ 2(b), ¶ 2(c)] | Operational management | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Preventive | |
Communicate the service management program to interested personnel and affected parties. CC ID 13904 [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h) The service management policy shall: be communicated within the organization; § 5.2.2 ¶ 1(b) The service management policy shall: be available to interested parties, as appropriate. § 5.2.2 ¶ 1(c) The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be communicated; § 6.2.1 ¶ (e) Persons doing work under the organization's control shall be aware of: the service management policy; § 7.3 ¶ 1(a) The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4] | Operational management | Preventive | |
Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927 [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7] | Operational management | Preventive | |
Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924 [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7] | Operational management | Preventive | |
Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909 [Persons doing work under the organization's control shall be aware of: the implications of not conforming with the SMS requirements. § 7.3 ¶ 1(e)] | Operational management | Preventive | |
Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908 [Persons doing work under the organization's control shall be aware of: their contribution to the effectiveness of the SMS, including the benefits of improved performance; § 7.3 ¶ 1(d)] | Operational management | Preventive | |
Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907 [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)] | Operational management | Preventive | |
Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459 | Operational management | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Operational management | Preventive | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Operational management | Corrective | |
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Operational management | Preventive | |
Communicate the service catalog to interested personnel and affected parties. CC ID 13910 [The organization shall provide access to appropriate parts of the service catalogue(s) to its customers, users and other interested parties. § 8.2.4 ¶ 2] | Operational management | Preventive | |
Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | System hardening through configuration management | Preventive | |
Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 | System hardening through configuration management | Preventive | |
Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946 [Configuration information shall be made available for other service management activities as appropriate. § 8.2.6 ¶ 5] | System hardening through configuration management | Preventive | |
Notify the supervisory authority of any changes to the required data elements. CC ID 14366 | Records management | Corrective | |
Notify the complainant about their rights after receiving a complaint. CC ID 16794 | Acquisition or sale of facilities, technology, and services | Preventive | |
Post contact information in an easily seen location at facilities. CC ID 13812 | Acquisition or sale of facilities, technology, and services | Preventive | |
Provide users a list of the available dispute resolution bodies. CC ID 13814 | Acquisition or sale of facilities, technology, and services | Preventive | |
Post the dispute resolution body's contact information on the organization's website. CC ID 13811 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Preventive | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Preventive | |
Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Detective | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Preventive | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Preventive | |
Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Preventive | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Preventive | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Preventive | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Preventive | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Preventive | |
Enable access control for objects and users on each system. CC ID 04553 | Technical security | Preventive | |
Display previous logon information in the logon banner. CC ID 01415 | Technical security | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Preventive | |
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Operational management | Preventive | |
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Corrective | |
Update computer firmware, as necessary. CC ID 11755 | Operational management | Corrective | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Operational management | Corrective | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Detective | |
Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 | System hardening through configuration management | Preventive | |
Employ the Configuration Management program. CC ID 11904 | System hardening through configuration management | Preventive | |
Document external connections for all systems. CC ID 06415 | System hardening through configuration management | Preventive | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Preventive | |
Configure all logs to capture auditable events or actionable events. CC ID 06332 | System hardening through configuration management | Preventive | |
Configure the log to capture configuration changes. CC ID 06881 [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3] | System hardening through configuration management | Preventive | |
Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 | System hardening through configuration management | Preventive | |
Configure the log to capture all changes to certificates. CC ID 05595 | System hardening through configuration management | Preventive | |
Reconfigure the security attributes of records as the information changes. CC ID 06765 | Records management | Preventive | |
Implement electronic storage media integrity controls. CC ID 00946 | Records management | Preventive | |
Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Preventive | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Preventive | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Preventive | |
Address Information Security during the business planning processes. CC ID 06495 | Leadership and high level objectives | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Preventive | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Preventive | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Preventive | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Preventive | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Operational management | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Operational management | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Corrective | |
Approve tested change requests. CC ID 11783 [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3] | Operational management | Preventive | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Operational management | Preventive | |
Store records and data in accordance with organizational standards. CC ID 16439 | Records management | Preventive | |
Select the appropriate format for archived data and records. CC ID 06320 [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)] | Records management | Preventive | |
Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 | Records management | Preventive | |
Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Records management | Preventive | |
Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Records management | Preventive | |
Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 | Records management | Preventive | |
Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 | Records management | Preventive | |
Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Records management | Preventive | |
Remove non-public information from publicly accessible systems. CC ID 14246 | Records management | Corrective | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Detective | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Preventive | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Preventive | |
Import data files into a patient's electronic health record. CC ID 14448 | Records management | Preventive | |
Export requested sections of the electronic health record. CC ID 14447 | Records management | Preventive | |
Display the implantable device list to authorized users. CC ID 14445 | Records management | Preventive | |
Include attributes in the decision support intervention. CC ID 16766 | Records management | Preventive | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Detective | |
Establish, implement, and maintain data availability controls. CC ID 15301 | Records management | Preventive | |
Control error handling when data is being inputted. CC ID 00922 | Records management | Detective | |
Use automated entry devices to reduce errors during data input. CC ID 06626 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Preventive | |
Label restricted storage media appropriately. CC ID 00966 | Records management | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Preventive | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Preventive | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Preventive | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Preventive | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Preventive | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Leadership and high level objectives | Detective | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Audits and risk management | Preventive | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 | Audits and risk management | Preventive | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Preventive | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Preventive | |
Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Audits and risk management | Preventive | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Audits and risk management | Preventive | |
Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Audits and risk management | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)] | Audits and risk management | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Preventive | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Audits and risk management | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures to be implemented in the event of a major loss of service; § 8.7.2 ¶ 2(b) The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures for returning to normal working conditions. § 8.7.2 ¶ 2(e)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that appropriate levels of authority are assigned for making decisions related to the SMS and the services; § 5.1 ¶ 1(c) Top management shall demonstrate leadership and commitment with respect to the SMS by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1(l)] | Human Resources management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Preventive | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
Classify assets according to the Asset Classification Policy. CC ID 07186 | Operational management | Preventive | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Operational management | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Operational management | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Preventive | |
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Operational management | Preventive | |
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Operational management | Preventive | |
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Operational management | Preventive | |
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Operational management | Preventive | |
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Operational management | Preventive | |
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Operational management | Preventive | |
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Operational management | Preventive | |
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Operational management | Preventive | |
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Operational management | Preventive | |
Assign interested personnel and affected parties to service delivery and production process quality improvement projects, as necessary. CC ID 07197 | Operational management | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 | Records management | Preventive | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain communication protocols. CC ID 12245 [{internal communication}{be relevant} The organization shall determine the internal and external communications relevant to the SMS and the services including: § 7.4 ¶ 1 The organization shall determine the internal and external communications relevant to the SMS and the services including: when to communicate; § 7.4 ¶ 1(b) The organization shall determine the internal and external communications relevant to the SMS and the services including: with whom to communicate; § 7.4 ¶ 1(c) The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2 The organization shall determine the internal and external communications relevant to the SMS and the services including: how to communicate; § 7.4 ¶ 1(d) The organization shall determine the internal and external communications relevant to the SMS and the services including: on what it will communicate; § 7.4 ¶ 1(a) The organization shall determine the internal and external communications relevant to the SMS and the services including: who will be responsible for the communication. § 7.4 ¶ 1(e)] | Leadership and high level objectives | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1] | Leadership and high level objectives | Preventive | |
Include external requirements in the organization's communication protocol. CC ID 12418 [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2] | Leadership and high level objectives | Preventive | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Leadership and high level objectives | Preventive | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Leadership and high level objectives | Preventive | |
Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Preventive | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Preventive | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Preventive | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 | Leadership and high level objectives | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Leadership and high level objectives | Preventive | |
Approve the data classification scheme. CC ID 13858 | Leadership and high level objectives | Detective | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Leadership and high level objectives | Preventive | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Leadership and high level objectives | Preventive | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Leadership and high level objectives | Preventive | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Leadership and high level objectives | Preventive | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Leadership and high level objectives | Preventive | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Leadership and high level objectives | Preventive | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Leadership and high level objectives | Preventive | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Leadership and high level objectives | Preventive | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Leadership and high level objectives | Preventive | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Leadership and high level objectives | Preventive | |
Include the data source in the data dictionary. CC ID 13519 | Leadership and high level objectives | Preventive | |
Include the nature of each element in the data dictionary. CC ID 13518 | Leadership and high level objectives | Preventive | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 [The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3 At planned intervals, the effectiveness of problem resolution shall be monitored, reviewed and reported. § 8.6.3 ¶ 5 The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6] | Leadership and high level objectives | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a) The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2 {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b) {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1] | Leadership and high level objectives | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Preventive | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 [The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2 The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: setting one or more targets for improvement in areas such as quality, value, capability, cost, productivity, resource utilization and risk reduction; § 10.2 ¶ 3(a) {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b) {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)] | Leadership and high level objectives | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Preventive | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3 Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4 The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6] | Leadership and high level objectives | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Preventive | |
Include program testing standards in the Quality Management program. CC ID 01017 [At planned intervals, the organization shall monitor, review and report on: performance against service level targets; § 8.3.3 ¶ 3(a)] | Leadership and high level objectives | Preventive | |
Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring the integration of the SMS requirements into the organization's business processes; § 5.1 ¶ 1(f)] | Leadership and high level objectives | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2] | Leadership and high level objectives | Preventive | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Detective | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [The documented information for the SMS shall include: procedures that are required by this document; § 7.5.4 ¶ 1(k)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [Documented information required by the SMS and by this document shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3.1(a) When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1(c)] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Preventive | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Detective | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1] | Leadership and high level objectives | Preventive | |
Include acting with integrity in the strategic plan. CC ID 12870 | Leadership and high level objectives | Preventive | |
Include the outsource partners in the strategic plan, as necessary. CC ID 13960 | Leadership and high level objectives | Preventive | |
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a planning policy. CC ID 14673 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain planning procedures. CC ID 14698 | Leadership and high level objectives | Preventive | |
Include compliance requirements in the planning policy. CC ID 14688 | Leadership and high level objectives | Preventive | |
Include coordination amongst entities in the planning policy. CC ID 14687 | Leadership and high level objectives | Preventive | |
Include management commitment in the planning policy. CC ID 14686 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the planning policy. CC ID 14685 | Leadership and high level objectives | Preventive | |
Include the scope in the planning policy. CC ID 14684 | Leadership and high level objectives | Preventive | |
Include the purpose in the planning policy. CC ID 14683 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a security planning policy. CC ID 14027 | Leadership and high level objectives | Preventive | |
Include compliance requirements in the security planning policy. CC ID 14131 | Leadership and high level objectives | Preventive | |
Include coordination amongst entities in the security planning policy. CC ID 14130 | Leadership and high level objectives | Preventive | |
Include management commitment in the security planning policy. CC ID 14129 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the security planning policy. CC ID 14128 | Leadership and high level objectives | Preventive | |
Include the scope in the security planning policy. CC ID 14127 | Leadership and high level objectives | Preventive | |
Include the purpose in the security planning policy. CC ID 14126 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain security planning procedures. CC ID 14060 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 | Leadership and high level objectives | Preventive | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Leadership and high level objectives | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Leadership and high level objectives | Preventive | |
Include criteria for compliance in the decision-making criteria. CC ID 12951 | Leadership and high level objectives | Preventive | |
Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 | Leadership and high level objectives | Preventive | |
Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 | Leadership and high level objectives | Preventive | |
Include criteria for setting priorities in the decision-making criteria. CC ID 12938 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1] | Leadership and high level objectives | Preventive | |
Identify and document the events that initiate the decision management strategy. CC ID 06914 | Leadership and high level objectives | Detective | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an information technology process framework. CC ID 13648 | Leadership and high level objectives | Preventive | |
Include maturity models in the Information Technology process framework. CC ID 13652 | Leadership and high level objectives | Preventive | |
Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 | Leadership and high level objectives | Preventive | |
Include Information Technology process structures in the Information Technology process framework. CC ID 13650 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a tactical plan. CC ID 12785 | Leadership and high level objectives | Preventive | |
Include acting with integrity in the tactical plan. CC ID 12871 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Leadership and high level objectives | Preventive | |
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Leadership and high level objectives | Preventive | |
Include the transparency goals in the Information Governance Plan. CC ID 10056 | Leadership and high level objectives | Preventive | |
Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Leadership and high level objectives | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Leadership and high level objectives | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 | Leadership and high level objectives | Preventive | |
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Leadership and high level objectives | Preventive | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Preventive | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Leadership and high level objectives | Preventive | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Leadership and high level objectives | Preventive | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 | Leadership and high level objectives | Preventive | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Leadership and high level objectives | Preventive | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 | Leadership and high level objectives | Preventive | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Leadership and high level objectives | Corrective | |
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Leadership and high level objectives | Preventive | |
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Leadership and high level objectives | Preventive | |
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Leadership and high level objectives | Preventive | |
Include a search plan in the counterterror protective security plan. CC ID 06865 | Leadership and high level objectives | Preventive | |
Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Leadership and high level objectives | Preventive | |
Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3] | Leadership and high level objectives | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Preventive | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Corrective | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4] | Monitoring and measurement | Detective | |
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a service management monitoring and metrics program. CC ID 13916 [At planned intervals, the organization shall: monitor and report on demand and consumption of services. § 8.4.2 ¶ 1(b) Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [The organization shall determine: when the monitoring and measuring shall be performed; § 9.1 ¶ 1(c)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Preventive | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: § 10.1.1 ¶ 1(b) The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a)] | Monitoring and measurement | Preventive | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: targets for service availability when the service continuity plan is invoked; § 8.7.2 ¶ 2(c)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Preventive | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Preventive | |
Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Audits and risk management | Preventive | |
Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Audits and risk management | Preventive | |
Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Audits and risk management | Preventive | |
Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Audits and risk management | Preventive | |
Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Audits and risk management | Preventive | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Preventive | |
Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Audits and risk management | Preventive | |
Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Audits and risk management | Preventive | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Audits and risk management | Preventive | |
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Audits and risk management | Preventive | |
Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Audits and risk management | Preventive | |
Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Audits and risk management | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Preventive | |
Establish and maintain audit terms. CC ID 13880 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Preventive | |
Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Audits and risk management | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Preventive | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)] | Audits and risk management | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Audits and risk management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the importance of the processes concerned; § 9.2.2 ¶ 1(a)(1)] | Audits and risk management | Preventive | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Preventive | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Preventive | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Preventive | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Preventive | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Preventive | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Preventive | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Preventive | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Preventive | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Preventive | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Preventive | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Preventive | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Preventive | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Preventive | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Preventive | |
Include how access to in scope systems, personnel, and in scope records is provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Preventive | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Audits and risk management | Preventive | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Preventive | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Corrective | |
Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: changes affecting the organization; § 9.2.2 ¶ 1(a)(2)] | Audits and risk management | Preventive | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Preventive | |
Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Preventive | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Preventive | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Preventive | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ 1(e) The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Audits and risk management | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Detective | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Preventive | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Preventive | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Preventive | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Preventive | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Preventive | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Preventive | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Preventive | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Detective | |
Review past audit reports. CC ID 01155 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the results of previous audits; § 9.2.2 ¶ 1(a)(3) The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: audit results; § 9.3 ¶ 2(c)(3)] | Audits and risk management | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Detective | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Corrective | |
Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Preventive | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Preventive | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Preventive | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Preventive | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Preventive | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Audits and risk management | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Preventive | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Preventive | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Audits and risk management | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Detective | |
Accept the audit report. CC ID 07025 | Audits and risk management | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 | Audits and risk management | Corrective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Audits and risk management | Preventive | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a) The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)] | Audits and risk management | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 | Audits and risk management | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Preventive | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Audits and risk management | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Audits and risk management | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Audits and risk management | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Audits and risk management | Preventive | |
Document cybersecurity risks. CC ID 12281 | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Preventive | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Preventive | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Audits and risk management | Preventive | |
Document organizational risk criteria. CC ID 12277 | Audits and risk management | Preventive | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Preventive | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Preventive | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Audits and risk management | Preventive | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Audits and risk management | Preventive | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Audits and risk management | Preventive | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Audits and risk management | Preventive | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Audits and risk management | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Audits and risk management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Detective | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Detective | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Audits and risk management | Preventive | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [The organization shall determine and document: risk acceptance criteria; § 6.1.2 ¶ 1(c)] | Audits and risk management | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Detective | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Audits and risk management | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Audits and risk management | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Audits and risk management | Corrective | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Preventive | |
Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Preventive | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Preventive | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Audits and risk management | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3] | Audits and risk management | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)] | Audits and risk management | Preventive | |
Include risk responses in the risk management program. CC ID 13195 | Audits and risk management | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Corrective | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Audits and risk management | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3] | Audits and risk management | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Preventive | |
Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Preventive | |
Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Preventive | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Preventive | |
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Preventive | |
Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: § 8.7.2 ¶ 2 At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] | Operational and Systems Continuity | Preventive | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Preventive | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Preventive | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [The organization shall report on the cause, impact and recovery when the service continuity plan(s) has been invoked. § 8.7.2 ¶ 5] | Operational and Systems Continuity | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)] | Operational and Systems Continuity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Operational and Systems Continuity | Preventive | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Corrective | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: service recovery requirements; § 8.7.2 ¶ 2(d)] | Operational and Systems Continuity | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Preventive | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Operational and Systems Continuity | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Preventive | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Detective | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Operational and Systems Continuity | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2] | Operational and Systems Continuity | Detective | |
Review and prioritize the importance of each business process. CC ID 11689 | Operational and Systems Continuity | Preventive | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3] | Operational and Systems Continuity | Preventive | |
Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Operational and Systems Continuity | Preventive | |
Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 | Operational and Systems Continuity | Preventive | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745 | Operational and Systems Continuity | Preventive | |
Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893 [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)] | Operational and Systems Continuity | Preventive | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Preventive | |
Establish, implement, and maintain candidate selection procedures for the board of directors. CC ID 14782 | Human Resources management | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Detective | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Preventive | |
Document all training in a training record. CC ID 01423 [The organization shall: retain appropriate documented information as evidence of competence. § 7.2 ¶ 1(d)] | Human Resources management | Detective | |
Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 [{be usable}{be available}{support}{operation}{SMS and the services} The knowledge shall be relevant, usable and available to appropriate persons. § 7.6 ¶ 2 (mapper's note: 'by knowledge', based on the section, the authors appear to be referring to the knowledge necessary to support the operation of the SMS and the services)] | Human Resources management | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Preventive | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Preventive | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
Require personnel to acknowledge, by signing, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Preventive | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Preventive | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 [The organization shall plan capacity to include: timescales and thresholds for changes to service capacity. § 8.4.3 ¶ 2(c) At planned intervals, the organization shall: determine current demand and forecast future demand for services; § 8.4.2 ¶ 1(a) {service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2 The organization shall plan capacity to include: current and forecast capacity based on demand for services; § 8.4.3 ¶ 2(a)] | Operational management | Preventive | |
Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [{service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2] | Operational management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [Where service level targets are not met, the organization shall identify opportunities for improvement. § 8.3.3 ¶ 4 At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4 {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3 The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3 The management review shall include consideration of: opportunities for continual improvement; § 9.3 ¶ 2(d)] | Operational management | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 [Information security incidents shall be: escalated if needed; § 8.7.3.3 ¶ 1(c)] | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1] | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1] | Operational management | Preventive | |
Establish and maintain a scope statement for the Service Management System. CC ID 13890 [The organization shall determine: the relevant requirements of these interested parties. § 4.2 ¶ 1(b) When planning how to achieve its service management objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1(a) The documented information for the SMS shall include: scope of the SMS; § 7.5.4 ¶ 1(a) {service management system} When determining this scope, the organization shall consider: the requirements referred to in 4.2; § 4.3 ¶ 2(b) {service management system} When determining this scope, the organization shall consider: the services delivered by the organization. § 4.3 ¶ 2(c) The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4 The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c) The organization's SMS shall include: documented information determined by the organization as being necessary for the effectiveness of the SMS. § 7.5.1 ¶ 1(b) The organization's SMS shall include: documented information required by this document; § 7.5.1 ¶ 1(a) The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3] | Operational management | Preventive | |
Include the organization's name in the scope statement for the Service Management System. CC ID 13913 [The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3] | Operational management | Preventive | |
Establish, implement, and maintain a service management program. CC ID 11388 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b) The service management policy shall: be available as documented information; § 5.2.2 ¶ 1(a) Other planning activities shall maintain alignment with the service management plan. § 6.3 ¶ 3 {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 When planning how to achieve its service management objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1(d) The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be updated as appropriate. § 6.2.1 ¶ 1(f) The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5 At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3 Top management shall review the organization's SMS and the services, at planned intervals, to ensure their continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1 The organization shall determine: what needs to be monitored and measured for the SMS and the services; § 9.1 ¶ 1(a) {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2 {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Operational management | Preventive | |
Include a service management plan in the service management program. CC ID 13902 [The documented information for the SMS shall include: service management plan; § 7.5.4 ¶ 1(c)] | Operational management | Preventive | |
Include the information security policy in the service management program. CC ID 13925 [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)] | Operational management | Preventive | |
Include the change management policy in the service management program. CC ID 13923 [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)] | Operational management | Preventive | |
Include the service management objectives in the service management program. CC ID 11389 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b) Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a) Top management shall establish a service management policy that: provides a framework for setting service management objectives; § 5.2.1 ¶ 1(b) The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be consistent with the service management policy; § 6.2.1 ¶ 1(a) {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 {organization level} The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: § 6.2.1 ¶ 1 The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b) The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3 {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: intended outcomes from delivering the new or changed services, expressed in measurable terms; § 8.5.2.1 ¶ 1(g) {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Operational management | Preventive | |
Include the service requirements in the service management program. CC ID 11390 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b) Top management shall establish a service management policy that: includes a commitment to satisfy applicable requirements; § 5.2.1 ¶ 1(c) {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: take into account applicable requirements; § 6.2.1 ¶ 1(c) The documented information for the SMS shall include: service requirements; § 7.5.4 ¶ 1(f) The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3 The service requirements for existing services, new services and changes to services shall be determined and documented. § 8.2.2 ¶ 1 Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: dependencies on other services; § 8.5.2.1 ¶ 1(d) {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: § 8.5.2.1 ¶ 1 {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Operational management | Preventive | |
Include known limitations in the service management program. CC ID 11391 [The organization shall determine the boundaries and applicability of the SMS to establish its scope. § 4.3 ¶ 1 The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3 The service management plan shall include or contain a reference to: known limitations that can impact the SMS and the services; § 6.3 ¶ 2(b) {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2] | Operational management | Preventive | |
Include service management policies in the service management program. CC ID 11392 [Top management shall establish a service management policy that: § 5.2.1 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b) Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a) {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b) The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3 The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c) Top management shall establish a service management policy that: is appropriate to the purpose of the organization; § 5.2.1 ¶ 1(a)] | Operational management | Preventive | |
Assign roles and responsibilities in the service management program. CC ID 11393 [Top management shall demonstrate leadership and commitment with respect to the SMS by: directing and supporting persons to contribute to the effectiveness of the SMS and the services; § 5.1 ¶ 1(j) Top management shall assign the responsibility and authority for: ensuring that the SMS conforms to the requirement of this document; § 5.3 ¶ 2(a) Top management shall assign the responsibility and authority for: reporting on the performance of the SMS and the services to top management. § 5.3 ¶ 2(b) {responsible party} When planning how to achieve its service management objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1(c) The organization shall retain accountability for the requirements specified in this document and the delivery of the services regardless of which party is involved in performing activities to support the service lifecycle. § 8.2.3.1 ¶ 1 Top management shall ensure that the responsibilities and authorities for roles relevant to the SMS and the services are assigned and communicated within the organization. § 5.3 ¶ 1 The service management plan shall include or contain a reference to: authorities and responsibilities for the SMS and the services § 6.3 ¶ 2(d) Persons doing work under the organization's control shall be aware of: the service management objectives; § 7.3 ¶ 1(b) {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: authorities and responsibilities for design, build and transition activities; § 8.5.2.1 ¶ 1(a) {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: activities to be performed by the organization or other parties with their timescales; § 8.5.2.1 ¶ 1(b) {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: authorities and responsibilities of the parties involved in the delivery of the new or changed services; § 8.5.2.2 ¶ 1(a) The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1] | Operational management | Preventive | |
Include all resources needed to achieve the objectives in the service management program. CC ID 11394 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the resources needed for the SMS and the services are available; § 5.1 ¶ 1(g) When planning how to achieve its service management objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1(b) {necessary resource} The organization shall determine and provide the human, technical, information and financial resources needed for the establishment, implementation, maintenance and continual improvement of the SMS and the operation of the services to meet the service requirements and achieve the service management objectives. § 7.1 ¶ 1 The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1 {new service}{manpower}{technical resource}{information resource} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: human, technical, information and financial resources; § 8.5.2.1 ¶ 1(c) {manpower}{technical resource}{information resource} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for changes to human, technical, information and financial resources; § 8.5.2.2 ¶ 1(b) {manpower}{technical resource}{information resource}{service requirement} The capacity requirements for human, technical, information and financial resources shall be determined, documented and maintained taking into consideration the service and performance requirements. § 8.4.3 ¶ 1] | Operational management | Preventive | |
Include supply chain management procedures in the service management program. CC ID 11395 [The organization shall ensure that outsourced processes are controlled (see 8.2.3). § 8.1 ¶ 3 Other parties shall not provide or operate all services, service components or processes within the scope of the SMS. § 8.2.3.1 ¶ 3 The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5] | Operational management | Preventive | |
Include service management procedures in the service management program. CC ID 11396 [The documented information for the SMS shall include: processes of the organization's SMS; § 7.5.4 ¶ 1(e) {new service} Release and deployment management shall be used to deploy approved new or changed services into the live environment. § 8.5.2.3 ¶ 2 {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: testing needed for the new or changed services; § 8.5.2.1 ¶ 1(e) The organization shall use service design and transition in 8.5.2 for: removal of a service; § 8.5.1.2 ¶ 2(d) For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2 The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from the organization to a customer or other party; § 8.5.1.2 ¶ 2(e) The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from a customer or other party to the organization. § 8.5.1.2 ¶ 2(f)] | Operational management | Preventive | |
Include risk procedures in the service management program. CC ID 11397 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1 {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 {risk management activity} The organization shall plan: how to: integrate and implement the actions into its SMS processes; § 6.1.3 ¶ 1(b)(1) {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: impact on other services; § 8.5.2.2 ¶ 1(f) {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Operational management | Preventive | |
Include continuity plans in the Service Management program. CC ID 13919 [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)] | Operational management | Preventive | |
Include all technologies used to support service management in the service management program. CC ID 11398 [The service management plan shall include or contain a reference to: technology used to support the SMS; § 6.3 ¶ 2(g) {necessary resource} The service management plan shall include or contain a reference to: human, technical, information and financial resources necessary to operate the SMS and the services; § 6.3 ¶ 2(e)] | Operational management | Preventive | |
Include auditing and improving service management procedures in the service management program. CC ID 11399 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: give assurance that the SMS can achieve its intended outcome(s); § 6.1.1 ¶ 1(a) Top management shall demonstrate leadership and commitment with respect to the SMS by: promoting continual improvement of the SMS and the services; § 5.1 ¶ 1(k) Top management shall establish a service management policy that: includes a commitment to continual improvement of the SMS and the services. § 5.2.1 ¶ 1(d) When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: achieve continual improvement of the SMS and the services. § 6.1.1 ¶ 1(c) When planning how to achieve its service management objectives, the organization shall determine: how the results will be evaluated. § 6.2.2 ¶ 1(e) {continuous basis} The organization shall continually improve the suitability, adequacy and effectiveness of the SMS and the services. § 10.2 ¶ 1 {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3] | Operational management | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Preventive | |
Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Preventive | |
Include program objectives in the asset management program. CC ID 14413 | Operational management | Preventive | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Preventive | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Preventive | |
Define confidentiality controls. CC ID 01908 | Operational management | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Preventive | |
Define integrity controls. CC ID 01909 | Operational management | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Operational management | Preventive | |
Define availability controls. CC ID 01911 | Operational management | Preventive | |
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Operational management | Preventive | |
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Operational management | Preventive | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Operational management | Preventive | |
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Preventive | |
Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Operational management | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Preventive | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Preventive | |
Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Preventive | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Preventive | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Preventive | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Preventive | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Preventive | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Preventive | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Operational management | Preventive | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Preventive | |
Include software in the Information Technology inventory. CC ID 00692 | Operational management | Preventive | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Preventive | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Preventive | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Detective | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Operational management | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Preventive | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Preventive | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Preventive | |
Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Preventive | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Preventive | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Preventive | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Preventive | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Preventive | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Preventive | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Operational management | Preventive | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Preventive | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Preventive | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Preventive | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Operational management | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Preventive | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Preventive | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Preventive | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Preventive | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 | Operational management | Preventive | |
Establish, implement, and maintain software archives procedures. CC ID 00866 | Operational management | Preventive | |
Establish, implement, and maintain software distribution procedures. CC ID 00894 | Operational management | Preventive | |
Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Operational management | Preventive | |
Establish, implement, and maintain software license management procedures. CC ID 06639 | Operational management | Preventive | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Preventive | |
Establish, implement, and maintain a system redeployment program. CC ID 06276 | Operational management | Preventive | |
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Operational management | Preventive | |
Redeploy systems to other organizational units, as necessary. CC ID 11452 | Operational management | Preventive | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Preventive | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Preventive | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Preventive | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Preventive | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Operational management | Preventive | |
Establish and maintain maintenance reports. CC ID 11749 | Operational management | Preventive | |
Establish and maintain system inspection reports. CC ID 06346 | Operational management | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Preventive | |
Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Operational management | Preventive | |
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Preventive | |
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Preventive | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Operational management | Preventive | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Preventive | |
Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Preventive | |
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Operational management | Preventive | |
Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Operational management | Preventive | |
Establish and maintain an unauthorized software list. CC ID 10601 | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [Incidents shall be: escalated if needed; § 8.6.1 ¶ 1(c)] | Operational management | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Operational management | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Preventive | |
Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 | Operational management | Preventive | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 [Incidents shall be: recorded and classified; § 8.6.1 ¶ 1(a) The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3 Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)] | Operational management | Detective | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Include incident management procedures in the Incident Management program. CC ID 12689 [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Operational management | Preventive | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Corrective | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Preventive | |
Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Preventive | |
Include incident record closure procedures in the Incident Management program. CC ID 01620 [Information security incidents shall be: closed. § 8.7.3.3 ¶ 1(e) Problems shall be: closed. § 8.6.3 ¶ 2(e) Incidents shall be: closed. § 8.6.1 ¶ 1(e)] | Operational management | Preventive | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2] | Operational management | Preventive | |
Establish, implement, and maintain help desk query escalation procedures. CC ID 00849 [Service requests shall be: closed. § 8.6.2 ¶ 1(d)] | Operational management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
Create an incident response report following an incident response. CC ID 12700 | Operational management | Preventive | |
Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1] | Operational management | Preventive | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3] | Operational management | Preventive | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1] | Operational management | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Preventive | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Operational management | Preventive | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [Information security incidents shall be: resolved; § 8.7.3.3 ¶ 1(d) Incidents shall be: resolved; § 8.6.1 ¶ 1(d) The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Operational management | Detective | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Preventive | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Preventive | |
Establish, implement, and maintain a performance management standard. CC ID 01615 [{planning requirement} establishing performance criteria for the processes based on requirements; § 8.1 ¶ 1(a)] | Operational management | Preventive | |
Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 | Operational management | Preventive | |
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 | Operational management | Preventive | |
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 | Operational management | Preventive | |
Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 | Operational management | Preventive | |
Include exceptions in the Service Level Agreements, as necessary. CC ID 13912 [For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2] | Operational management | Preventive | |
Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845 [{service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Operational management | Detective | |
Include capacity planning in Service Level Agreements. CC ID 13096 [At planned intervals, the organization shall monitor, review and report on: actual and periodic changes in workload compared to workload limits in the SLA(s). § 8.3.3 ¶ 3(b) For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2 {service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)] | Operational management | Preventive | |
Include business requirements of delivered services in the Service Level Agreement. CC ID 00840 [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: service level targets or other contractual obligations; § 8.3.4.1 ¶ 2(c)] | Operational management | Preventive | |
Include performance requirements in the Service Level Agreement. CC ID 00841 [For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2] | Operational management | Preventive | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Operational management | Preventive | |
Prepare an Information Technology budget, as necessary. CC ID 00872 [The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1] | Operational management | Detective | |
Establish, implement, and maintain a change control program. CC ID 00886 [{information security policy} Specific policies that would be required include, but not limited to, the following: Change management § 8.5.1 A change management policy shall be established and documented to define: § 8.5.1.1 ¶ 1 A change management policy shall be established and documented to define: service components and other items that are under the control of change management; § 8.5.1.1 ¶ 1(a) A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b)] | Operational management | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2] | Operational management | Preventive | |
Include version control in the change control program. CC ID 13119 [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3.2(c)] | Operational management | Preventive | |
Include service design and transition in the change control program. CC ID 13920 [The organization shall use service design and transition in 8.5.2 for: changes to services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(b) The organization shall use service design and transition in 8.5.2 for: new services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(a)] | Operational management | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3 The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4 {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3] | Operational management | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3] | Operational management | Preventive | |
Approve back-out plans, as necessary. CC ID 13627 [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3] | Operational management | Corrective | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: impact on the SMS, other services, planned changes, customers, users and other interested parties. § 8.5.2.1 ¶ 1(h) A change management policy shall be established and documented to define: criteria to determine changes with the potential to have a major impact on customers or services. § 8.5.1.1 ¶ 1(c)] | Operational management | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 | Operational management | Preventive | |
Document all change requests in change request forms. CC ID 06794 [Requests for change, including proposals to add, remove or transfer services, shall be recorded and classified. § 8.5.1.2 ¶ 1 {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5] | Operational management | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Operational management | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Operational management | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Operational management | Preventive | |
Document the sources of all software updates. CC ID 13316 | Operational management | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Preventive | |
Establish, implement, and maintain a patch log. CC ID 01642 | Operational management | Preventive | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Preventive | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Detective | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Operational management | Corrective | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Operational management | Preventive | |
Document approved configuration deviations. CC ID 08711 | Operational management | Corrective | |
Establish, implement, and maintain production process control procedures. CC ID 06209 | Operational management | Preventive | |
Include consumer safety quality improvement projects in the service delivery and production process Quality Management program. CC ID 07195 | Operational management | Detective | |
Define the processing specifications for products and services creation requirements. CC ID 13523 | Operational management | Preventive | |
Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 | Operational management | Preventive | |
Establish and maintain a service catalog. CC ID 13634 [The service management plan shall include or contain a reference to: list of services; § 6.3 ¶ 2(a) The documented information for the SMS shall include: service catalogue(s); § 7.5.4 ¶ 1(g) The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: updates to the service catalogue(s). § 8.5.2.2 ¶ 1(g)] | Operational management | Preventive | |
Include a service description in the service catalog. CC ID 13917 [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1] | Operational management | Preventive | |
Assign unique reference numbers to all services in the service catalog. CC ID 14424 | Operational management | Preventive | |
Include service deliverables for each service description in the service catalog. CC ID 13918 [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1] | Operational management | Preventive | |
Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914 [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1] | Operational management | Preventive | |
Include Service Level Agreements in the service catalog, as necessary. CC ID 13636 [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)] | Operational management | Preventive | |
Include Information Technology services in the service catalog, as necessary. CC ID 13635 | Operational management | Preventive | |
Base definitions of Information Technology services on their service characteristics. CC ID 13655 | Operational management | Preventive | |
Categorize services in the service catalog. CC ID 14419 | Operational management | Preventive | |
Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 | Operational management | Preventive | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 [{new service} The CIs affected by new or changed services shall be managed through configuration management. § 8.5.2.1 ¶ 4 {be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3] | System hardening through configuration management | Preventive | |
Establish, implement, and maintain appropriate system labeling. CC ID 01900 | System hardening through configuration management | Preventive | |
Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 | System hardening through configuration management | Preventive | |
Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a configuration management policy. CC ID 14023 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain configuration management procedures. CC ID 14074 | System hardening through configuration management | Preventive | |
Include compliance requirements in the configuration management policy. CC ID 14072 | System hardening through configuration management | Preventive | |
Include coordination amongst entities in the configuration management policy. CC ID 14071 | System hardening through configuration management | Preventive | |
Include management commitment in the configuration management policy. CC ID 14070 | System hardening through configuration management | Preventive | |
Include roles and responsibilities in the configuration management policy. CC ID 14069 | System hardening through configuration management | Preventive | |
Include the scope in the configuration management policy. CC ID 14068 | System hardening through configuration management | Preventive | |
Include the purpose in the configuration management policy. CC ID 14067 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a configuration management plan. CC ID 01901 | System hardening through configuration management | Preventive | |
Include configuration management procedures in the configuration management plan. CC ID 14248 | System hardening through configuration management | Preventive | |
Include roles and responsibilities in the configuration management plan. CC ID 14247 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain system tracking documentation. CC ID 15266 | System hardening through configuration management | Preventive | |
Include prioritization codes in the system tracking documentation. CC ID 15283 | System hardening through configuration management | Preventive | |
Include the type and category of the request in the system tracking documentation. CC ID 15281 | System hardening through configuration management | Preventive | |
Include contact information in the system tracking documentation. CC ID 15280 | System hardening through configuration management | Preventive | |
Include the username in the system tracking documentation. CC ID 15278 | System hardening through configuration management | Preventive | |
Include a problem description in the system tracking documentation. CC ID 15276 | System hardening through configuration management | Preventive | |
Include affected systems in the system tracking documentation. CC ID 15275 | System hardening through configuration management | Preventive | |
Include root causes in the system tracking documentation. CC ID 15274 | System hardening through configuration management | Preventive | |
Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 | System hardening through configuration management | Preventive | |
Include current status in the system tracking documentation. CC ID 15272 | System hardening through configuration management | Preventive | |
Record Configuration Management items in the Configuration Management database. CC ID 00861 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [Before deployment of a release into the live environment, a baseline of the affected CIs shall be taken. § 8.5.3 ¶ 4] | System hardening through configuration management | Preventive | |
Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Preventive | |
Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Preventive | |
Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Preventive | |
Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Preventive | |
Include installed custom software in the baseline configuration. CC ID 13274 | System hardening through configuration management | Preventive | |
Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Preventive | |
Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Preventive | |
Include backup procedures in the Configuration Management policy. CC ID 01314 | System hardening through configuration management | Preventive | |
Identify and document the system's Configurable Items. CC ID 02133 [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2 The types of CI shall be defined. Services shall be classified as CIs. § 8.2.6 ¶ 1 Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: type of CI; § 8.2.6 ¶ 2(b) Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: description of the CI; § 8.2.6 ¶ 2(c) Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: status. § 8.2.6 ¶ 2(e)] | System hardening through configuration management | Preventive | |
Define the relationships and dependencies between Configurable Items. CC ID 02134 [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: relationship with other CIs; § 8.2.6 ¶ 2(d)] | System hardening through configuration management | Preventive | |
Trace each Configurable Item throughout the systems' life cycle. CC ID 02135 [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3 Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: unique identification; § 8.2.6 ¶ 2(a)] | System hardening through configuration management | Preventive | |
Request an acknowledgment from the system owner of the system's configuration. CC ID 10602 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain records management policies. CC ID 00903 [Documented information required by the SMS and by this document shall be controlled to ensure: § 7.5.3.1] | Records management | Preventive | |
Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 | Records management | Detective | |
Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 | Records management | Preventive | |
Establish, implement, and maintain form disposition procedures. CC ID 06394 | Records management | Preventive | |
Establish, implement, and maintain a record classification scheme. CC ID 00914 | Records management | Preventive | |
Establish, implement, and maintain a business activity classification standard. CC ID 00915 | Records management | Preventive | |
Establish, implement, and maintain records registration procedures. CC ID 00913 | Records management | Detective | |
Define the terms used in the record classification scheme. CC ID 00916 | Records management | Detective | |
Establish, implement, and maintain a records authentication system. CC ID 11648 | Records management | Preventive | |
Establish and maintain an index of all official records. CC ID 00918 | Records management | Preventive | |
Establish, implement, and maintain electronic signature requirements. CC ID 06219 | Records management | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Detective | |
Establish, implement, and maintain storage media retention procedures. CC ID 16277 | Records management | Preventive | |
Define which documents and records the organization may capture. CC ID 00905 [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)] | Records management | Detective | |
Capture and maintain all business records, including supporting temporary files. CC ID 06622 | Records management | Preventive | |
Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 | Records management | Preventive | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d)] | Records management | Preventive | |
Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Records management | Preventive | |
Maintain disposal records or redeployment records. CC ID 01644 [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2] | Records management | Preventive | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Preventive | |
Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 | Records management | Preventive | |
Include transfer agreements in the secure record transaction standards. CC ID 14821 | Records management | Preventive | |
Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 | Records management | Preventive | |
Include receipt of electronic records in the transfer agreement. CC ID 14822 | Records management | Preventive | |
Include standards for each data element in the secure record transaction standard. CC ID 06094 | Records management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2 For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2] | Records management | Preventive | |
Assign ownership for all electronic records. CC ID 14814 | Records management | Preventive | |
Attribute electronic records, as necessary. CC ID 14820 | Records management | Preventive | |
Establish, implement, and maintain a system input log. CC ID 13531 | Records management | Preventive | |
Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Preventive | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Preventive | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Preventive | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Preventive | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Preventive | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Preventive | |
Include record integrity techniques in the records management procedures. CC ID 06418 | Records management | Preventive | |
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Preventive | |
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 | Records management | Preventive | |
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Records management | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Preventive | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Preventive | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Preventive | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Preventive | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Preventive | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Preventive | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Preventive | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Preventive | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)] | Records management | Preventive | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Preventive | |
Provide audit trails for all pertinent records. CC ID 00372 | Records management | Detective | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Preventive | |
Include the date and time in the removable storage media log. CC ID 12318 | Records management | Preventive | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Preventive | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Preventive | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Preventive | |
Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Preventive | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Preventive | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Preventive | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Preventive | |
Establish, implement, and maintain output distribution procedures. CC ID 00927 [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)] | Records management | Preventive | |
Include printed output in output distribution procedures. CC ID 13477 | Records management | Preventive | |
Establish, implement, and maintain document retention procedures. CC ID 11660 [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d) The organization shall retain documented information as evidence of: § 10.1.2 ¶ 1] | Records management | Preventive | |
Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 | Records management | Preventive | |
Establish, implement, and maintain output balancing audit trails. CC ID 00928 | Records management | Detective | |
Establish and maintain reconciliation audit trails. CC ID 11647 | Records management | Preventive | |
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 | Records management | Detective | |
Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 | Records management | Preventive | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a product and service release log. CC ID 13705 [The organization shall define the types of release, including emergency release, their frequency and how they are to be managed. § 8.5.3 ¶ 1 Records of service requests shall be updated with actions taken. § 8.6.2 ¶ 2] | Systems design, build, and implementation | Preventive | |
Include the name of the person authorizing the release of products and services in the product and service release log. CC ID 13707 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a product or service pricing program. CC ID 13676 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain customer terms and conditions. CC ID 13666 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include customer risks in the customer terms and conditions. CC ID 13669 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the defined support period for hardware replacements in warranties. CC ID 14932 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the methods of product replacement in warranties. CC ID 14931 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include rationale for the absence of software updates in warranties, as necessary. CC ID 14930 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the defined support period in the product warranty or service warranty. CC ID 14927 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain notice and take-down procedures. CC ID 09963 | Acquisition or sale of facilities, technology, and services | Preventive | |
Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 | Acquisition or sale of facilities, technology, and services | Preventive | |
Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling procedures. CC ID 11756 [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2] | Privacy protection for information and data | Preventive | |
Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Preventive | |
Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [The service management plan shall include or contain a reference to: approach to be taken for working with other parties involved in the service lifecycle; § 6.3 ¶ 2(f) The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1] | Third Party and supply chain oversight | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 [At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6] | Third Party and supply chain oversight | Preventive | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 [The documented information for the SMS shall include: agreements with internal suppliers or customers acting as a supplier; § 7.5.4 ¶ 1(j)] | Third Party and supply chain oversight | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: scope of the services, service components, processes or parts of processes to be provided or operated by the external supplier; § 8.3.4.1 ¶ 2(a)] | Third Party and supply chain oversight | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: requirements to be met by the external supplier; § 8.3.4.1 ¶ 2(b)] | Third Party and supply chain oversight | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 [Disputes between the organization and the external supplier shall be recorded and managed to closure. § 8.3.4.1 ¶ 7] | Third Party and supply chain oversight | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Preventive | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 [The organization shall determine and document: service components that are provided or operated by other parties; § 8.2.3.1 ¶ 4(b)] | Third Party and supply chain oversight | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2] | Third Party and supply chain oversight | Detective | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Third Party and supply chain oversight | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [The organization shall determine and document: services that are provided or operated by other parties; § 8.2.3.1 ¶ 4(a) The organization shall determine and document: processes, or parts of processes, in the organization's SMS that are operated by other parties. § 8.2.3.1 ¶ 4(c)] | Third Party and supply chain oversight | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Preventive | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Third Party and supply chain oversight | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3] | Third Party and supply chain oversight | Detective | |
Approve all Service Level Agreements. CC ID 00843 | Third Party and supply chain oversight | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Detective | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Preventive | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Third Party and supply chain oversight | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Preventive | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Third Party and supply chain oversight | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2] | Third Party and supply chain oversight | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 | Third Party and supply chain oversight | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain information security controls for the supply chain. CC ID 13109 [The organization shall define and apply relevant controls for other parties from the following: § 8.2.3.2 The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of process performance; § 8.2.3.2(a) The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of the effectiveness of services and service components in meeting the service requirements. § 8.2.3.2(b) The organization shall agree and implement information security controls to address information security risks related to external organizations. § 8.7.3.2 ¶ 2] | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Leadership and high level objectives | Preventive | |
Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Preventive | |
Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 | Leadership and high level objectives | Preventive | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 [Corrective actions shall be appropriate to the effects of the nonconformities encountered. § 10.1.1 ¶ 2] | Monitoring and measurement | Preventive | |
Assign the Board of Directors to address audit findings. CC ID 12396 | Audits and risk management | Corrective | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Detective | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Preventive | |
Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Preventive | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Detective | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Detective | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Preventive | |
Define roles for information systems. CC ID 12454 | Technical security | Preventive | |
Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Operational and Systems Continuity | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Corrective | |
Analyze workforce management. CC ID 12844 [{resource level} {manpower} management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)] | Human Resources management | Detective | |
Identify root causes of staffing shortages, if any exist. CC ID 13276 | Human Resources management | Detective | |
Analyze the ability of Human Resources to attract a competent workforce. CC ID 13275 | Human Resources management | Detective | |
Include how risk is perceived by the workforce in the analysis of workforce management. CC ID 12969 | Human Resources management | Preventive | |
Include compensation structures in the analysis of workforce management. CC ID 12902 | Human Resources management | Preventive | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Detective | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Preventive | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources management | Preventive | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Preventive | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources management | Preventive | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Preventive | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 | Operational management | Preventive | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Preventive | |
Assign roles and responsibilities in the customer service program. CC ID 13911 [The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1] | Operational management | Preventive | |
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Operational management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Ensure the data dictionary is complete and accurate. CC ID 13527 | Leadership and high level objectives | Detective | |
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Corrective | |
Determine the causes of compliance violations. CC ID 12401 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.1.1 ¶ 1(b)(1) When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.1.1 ¶ 1(b)(2)] | Monitoring and measurement | Corrective | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities exist, or could potentially occur; § 10.1.1 ¶ 1(b)(3)] | Monitoring and measurement | Detective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.1.1 ¶ 1(d)] | Monitoring and measurement | Detective | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Detective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Detective | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Detective | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Operational management | Detective | |
Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 | Operational management | Detective | |
Identify deviations in cost management procedures. CC ID 13640 | Operational management | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Detective | |
Assess consumer complaints and litigation. CC ID 16521 | Acquisition or sale of facilities, technology, and services | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Detective | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Monitoring and measurement | Detective | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: monitoring and measurement results; § 9.3 ¶ 2(c)(2)] | Monitoring and measurement | Preventive | |
Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Preventive | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1] | Monitoring and measurement | Detective | |
Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Corrective | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Detective | |
Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Preventive | |
Log account usage to determine dormant accounts. CC ID 12118 | Monitoring and measurement | Detective | |
Log account usage times. CC ID 07099 | Monitoring and measurement | Detective | |
Log Internet Protocol addresses used during logon. CC ID 07100 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Detective | |
Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Audits and risk management | Detective | |
Log important conversations conducted during emergencies with third parties. CC ID 12763 | Operational and Systems Continuity | Preventive | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Preventive | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Preventive | |
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Corrective | |
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Preventive | |
Log help desk queries. CC ID 00848 [Service requests shall be: recorded and classified; § 8.6.2 ¶ 1(a)] | Operational management | Preventive | |
Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 | System hardening through configuration management | Detective | |
Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 | System hardening through configuration management | Preventive | |
Configure the log to capture user authenticator changes. CC ID 01917 | System hardening through configuration management | Detective | |
Capture and maintain logs as official records. CC ID 06319 | Records management | Preventive | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Preventive | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Preventive | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Preventive | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Preventive | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Preventive | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Preventive | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Preventive | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Preventive | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Preventive | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Preventive | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Preventive | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Preventive | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Preventive | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Preventive | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Preventive | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Preventive | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Preventive | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Preventive | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Preventive | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Preventive | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 | Records management | Preventive | |
Establish, implement, and maintain a data processing output log. CC ID 06624 | Records management | Preventive | |
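
The logging controls in the table above (log account usage to determine dormant accounts, log account usage times, log Internet Protocol addresses used during logon, CC IDs 12118, 07099 and 07100, and refrain from recording unnecessary restricted data in logs, CC ID 06318) are stated as requirements only. The following Python routine is an added illustration, not part of the Authority Document or of the UCF mapping, of how a log reviewer might implement them over authentication log lines. The line format, account names, addresses, dates and the 30-day dormancy threshold are constructed for the example; a real deployment would take the events from an SSO or operating system authentication log and the account list from the identity store.

```python
"""Added example: dormant-account review and secret redaction over logon logs.
Everything below (log format, accounts, dates, threshold) is constructed for
illustration and is not drawn from ISO/IEC 20000-1 or the UCF mapping."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log: one line per logon attempt. The last line shows a
# secret that an application leaked into the log and that must not be kept.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=alice src_ip=10.0.4.21 result=success
2024-03-01T08:05:40Z user=bob src_ip=10.0.4.22 result=success
2024-03-09T17:44:03Z user=alice src_ip=203.0.113.9 result=failure
2024-04-15T09:12:58Z user=alice src_ip=10.0.4.21 result=success
2024-04-20T22:31:07Z user=svc_backup src_ip=10.0.9.5 result=success password=Sup3rSecret!
"""

# Accounts that exist in the (hypothetical) identity store; 'carol' never logs on.
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "svc_backup"}

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_ip=(?P<ip>\S+) result=(?P<result>\S+)"
)
# Field names whose values are restricted data and must never be retained.
SECRET_FIELD_RE = re.compile(r"(?i)\b(password|passwd|token|secret)=\S+")
NEVER = datetime.min.replace(tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse the constructed UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def redact_restricted(line: str) -> str:
    """Mask secret-bearing fields before the line is stored or forwarded (CC ID 06318)."""
    return SECRET_FIELD_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


def parse_logon_events(text: str) -> list[dict]:
    """Turn log lines into events; malformed lines are skipped, secrets redacted first."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(redact_restricted(raw))
        if not m:
            continue
        events.append({"ts": parse_ts(m["ts"]), "user": m["user"], "ip": m["ip"],
                       "success": m["result"] == "success"})
    return events


def last_successful_logon(events: list[dict]) -> dict[str, datetime]:
    """Most recent successful logon per account (account usage times, CC ID 07099)."""
    last: dict[str, datetime] = {}
    for e in events:
        if e["success"] and e["ts"] > last.get(e["user"], NEVER):
            last[e["user"]] = e["ts"]
    return last


def dormant_accounts(events, known_accounts, as_of: datetime, max_idle_days: int = 30) -> set[str]:
    """Accounts with no successful logon inside the window (CC ID 12118). An account
    that exists but never logged on at all is dormant too, which a log-only view
    would miss; that is why the identity store's account list is an input."""
    cutoff = as_of - timedelta(days=max_idle_days)
    last = last_successful_logon(events)
    return {acct for acct in known_accounts if last.get(acct, NEVER) < cutoff}


def logon_ips(events, user: str) -> set[str]:
    """Distinct source addresses seen for an account, successes and failures (CC ID 07100)."""
    return {e["ip"] for e in events if e["user"] == user}


def review(log_text: str, known_accounts, as_of_ts: str, max_idle_days: int = 30) -> dict:
    """Run the whole review and return plain strings, suitable for a report."""
    events = parse_logon_events(log_text)
    as_of = parse_ts(as_of_ts)
    return {
        "dormant": sorted(dormant_accounts(events, known_accounts, as_of, max_idle_days)),
        "last_logon": {u: t.strftime(TS_FMT) for u, t in last_successful_logon(events).items()},
        "ips": {u: sorted(logon_ips(events, u)) for u in sorted(known_accounts)},
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, KNOWN_ACCOUNTS, "2024-05-01T00:00:00Z").items():
        print(f"{key}: {value}")
```

Two points the rows alone do not make explicit: dormancy has to be judged against the full account list, since an account that never authenticates leaves no log line at all, and redaction belongs at ingestion so that the secret never reaches the log management infrastructure where access is broader.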
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Use system components only when third party support is available. CC ID 10644 | Operational management | Preventive | |
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Operational management | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Preventive | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Preventive | |
Follow the maintenance schedule. CC ID 11791 | Operational management | Preventive | |
Separate the production environment from the development environment or test environment for the change control process. CC ID 11864 | Operational management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be measurable; § 6.2.1 ¶ 1(b)] | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 [{service management system} When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2(a) The management review shall include consideration of: changes in external and internal issues that are relevant to the SMS; § 9.3 ¶ 2(b) The management review shall include consideration of: changes that can affect the SMS and the services. § 9.3 ¶ 2(l)] | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Leadership and high level objectives | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Detective | |
Monitor for new Information Security solutions. CC ID 07078 | Leadership and high level objectives | Detective | |
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitoring and measurement | Detective | |
Monitor for and report when a software configuration is updated. CC ID 06746 | Monitoring and measurement | Detective | |
Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitoring and measurement | Detective | |
Monitor for firmware updates absent authorization. CC ID 10675 | Monitoring and measurement | Detective | |
Implement file integrity monitoring. CC ID 01205 | Monitoring and measurement | Detective | |
Monitor for software configuration updates absent authorization. CC ID 10676 | Monitoring and measurement | Preventive | |
Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitoring and measurement | Preventive | |
Monitor and evaluate user account activity. CC ID 07066 | Monitoring and measurement | Detective | |
Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitoring and measurement | Detective | |
Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitoring and measurement | Detective | |
Log account usage durations. CC ID 12117 | Monitoring and measurement | Detective | |
Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitoring and measurement | Detective | |
Monitor service availability when implementing the service management monitoring and metrics program. CC ID 13921 [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3] | Monitoring and measurement | Detective | |
Compare the performance metrics of service availability against their targets, as necessary. CC ID 13922 [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3] | Monitoring and measurement | Detective | |
Monitor personnel and third parties for compliance with the organizational compliance framework. CC ID 04726 [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f)] | Monitoring and measurement | Detective | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1) The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3] | Monitoring and measurement | Detective | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Detective | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Preventive | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Preventive | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Operational and Systems Continuity | Detective | |
Record business continuity management system performance for posterity. CC ID 12411 | Operational and Systems Continuity | Preventive | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Detective | |
Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Detective | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Corrective | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Corrective | |
Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Preventive | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2] | Operational management | Corrective | |
Respond to and triage when an incident is detected. CC ID 06942 [Information security incidents shall be: prioritized taking into consideration the information security risk; § 8.7.3.3 ¶ 1(b) Incidents shall be: prioritized taking into consideration impact and urgency; § 8.6.1 ¶ 1(b) Problems shall be: prioritized; § 8.6.3 ¶ 2(b)] | Operational management | Detective | |
Escalate incidents, as necessary. CC ID 14861 [Problems shall be: escalated if needed; § 8.6.3 ¶ 2(c)] | Operational management | Corrective | |
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Records management | Detective | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 | Records management | Detective | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Detective | |
Check communications for take-down requests. CC ID 09964 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Preventive | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Preventive | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Preventive | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring there is control of other parties involved in the service lifecycle; § 5.1 ¶ 1(e) The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1 At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5 The management review shall include consideration of: performance of other parties involved in the delivery of the services; § 9.3 ¶ 2(i)] | Third Party and supply chain oversight | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Conduct environmental surveys. CC ID 00690 | Operational management | Preventive | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Preventive | |
Control and monitor all maintenance tools. CC ID 01432 | Operational management | Detective | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Preventive | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Corrective | |
Place printed records awaiting destruction into secure containers. CC ID 12464 | Records management | Preventive | |
Destroy printed records so they cannot be reconstructed. CC ID 11779 | Records management | Preventive | |
Ship equipment to customers in tamper-evident packaging, as necessary. CC ID 12271 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Preventive | |
Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Preventive | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Preventive | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Preventive | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Preventive | |
Include resources in the analysis of the internal business environment. CC ID 12942 [{resource level}{manpower}management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)] | Leadership and high level objectives | Preventive | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Preventive | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Preventive | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Preventive | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Preventive | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Preventive | |
Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1] | Leadership and high level objectives | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Leadership and high level objectives | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1 The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)] | Leadership and high level objectives | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)] | Leadership and high level objectives | Preventive | |
Identify all interested personnel and affected parties. CC ID 12845 [The organization shall determine: the interested parties that are relevant to the SMS and the services; § 4.2 ¶ 1(a) The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Leadership and high level objectives | Preventive | |
Determine progress toward the objectives of the strategic plan. CC ID 12944 [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be monitored; § 6.2.1 ¶ 1(d) The management review shall include consideration of: achievement of service management objectives; § 9.3 ¶ 2(g)] | Leadership and high level objectives | Preventive | |
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: policies and plans required by this document; § 8.5.1.3 ¶ 1(c)] | Leadership and high level objectives | Preventive | |
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3 The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1] | Leadership and high level objectives | Preventive | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1] | Leadership and high level objectives | Preventive | |
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: customers, users and other interested parties; § 8.5.1.3 ¶ 1(b)] | Leadership and high level objectives | Preventive | |
Take actions in accordance with the decision-making criteria. CC ID 12909 | Leadership and high level objectives | Preventive | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Detective | |
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Monitoring and measurement | Preventive | |
Correct compliance violations. CC ID 13515 [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: § 10.1.1 ¶ 1(a) When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.1.1 ¶ 1(a)(1) When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: deal with the consequences; § 10.1.1 ¶ 1(a)(2) When a nonconformity occurs, the organization shall: implement any action needed; § 10.1.1 ¶ 1(c)] | Monitoring and measurement | Corrective | |
Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Corrective | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Detective | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Detective | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Detective | |
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1] | Operational management | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Preventive | |
Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Detective | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Corrective | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Preventive | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Preventive | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Corrective | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Detective | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Preventive | |
Delete age-restricted content, as necessary. CC ID 15450 | Operational management | Preventive | |
Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 | Operational management | Preventive | |
Remove dormant data from systems, as necessary. CC ID 13726 | Records management | Preventive | |
Determine how long to keep records and logs before disposing of them. CC ID 11661 | Records management | Preventive | |
Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Records management | Preventive | |
Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Preventive | |
Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 | Records management | Detective | |
Review the electronic storage media for the information the organization collects and processes. CC ID 13009 | Records management | Detective | |
Process restricted information in a secure environment. CC ID 13058 | Records management | Preventive | |
Establish, implement, and maintain data completeness controls. CC ID 11649 | Records management | Preventive | |
Display required information automatically in electronic health records. CC ID 14442 | Records management | Preventive | |
Create export summaries, as necessary. CC ID 14446 | Records management | Preventive | |
Identify patient-specific education resources. CC ID 14439 | Records management | Detective | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Preventive | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Preventive | |
Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Detective | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Corrective | |
Assess the continuity requirements during the planning and development stage for new products and services. CC ID 12779 [At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1] | Systems design, build, and implementation | Preventive | |
Review and update controls to ensure the timeliness and accuracy of the market prices. CC ID 13688 | Acquisition or sale of facilities, technology, and services | Corrective | |
Ship equipment following the equipment shipping procedures. CC ID 11658 | Acquisition or sale of facilities, technology, and services | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [The documented information for the SMS shall include: contracts with external suppliers; § 7.5.4 ¶ 1(i) For each internal supplier or customer acting as a supplier, the organization shall develop, agree and maintain a documented agreement to define the service level targets, other commitments, activities and interfaces between the parties. § 8.3.4.2 ¶ 1 For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: § 8.3.4.1 ¶ 2 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)] | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [The documented information for the SMS shall include: service level agreement(s) (SLA); § 7.5.4 ¶ 1(h) For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2] | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Preventive | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 [Records of incidents shall be updated with actions taken. § 8.6.1 ¶ 2] | Operational management | Preventive | |
Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662 [When creating and updating documented information, the organization shall ensure appropriate: identification and description (e.g. a title, date, author or reference number); § 7.5.2 ¶ 1(a)] | Records management | Preventive | |
Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 | Records management | Detective | |
Associate records with their security attributes. CC ID 06764 | Records management | Preventive | |
Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 | Records management | Preventive | |
Archive appropriate records, logs, and database tables. CC ID 06321 | Records management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4 The organization shall retain documented information on the service management objectives. § 6.2.1 ¶ 2 The organization shall retain documented information as evidence of: the results of any corrective action. § 10.1.2 ¶ 1(b) The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a) {monitoring and measurement evaluation result} The organization shall retain appropriate documented information as evidence of the results. § 9.1 ¶ 2] | Records management | Preventive | |
Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 | Records management | Preventive | |
Retain all evidence of indebtedness. CC ID 11713 | Records management | Preventive | |
Capture and maintain distribution records. CC ID 06205 | Records management | Preventive | |
Capture and maintain Device Master Records. CC ID 06206 | Records management | Preventive | |
Capture and maintain Device History Records. CC ID 06207 | Records management | Preventive | |
Capture and maintain Quality System Records. CC ID 06208 | Records management | Preventive | |
Degauss as a method of sanitizing electronic storage media. CC ID 00973 | Records management | Preventive | |
Manage the disposition status for all records. CC ID 00972 | Records management | Preventive | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records management | Preventive | |
Establish, implement, and maintain source document authorization tracking. CC ID 01262 | Records management | Detective | |
Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 | Records management | Preventive | |
Establish, implement, and maintain source document error handling tracking. CC ID 01263 | Records management | Detective | |
Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records management | Preventive | |
Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 | Records management | Detective | |
Establish, implement, and maintain a system storage log. CC ID 13532 | Records management | Preventive | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 [Documented information required by the SMS and by this document shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity). § 7.5.3.1(b)] | Records management | Preventive | |
Capture the records required by organizational compliance requirements. CC ID 00912 [The documented information for the SMS shall include: records required to demonstrate evidence of conformity to the requirements of this document and the organization's SMS. § 7.5.4 ¶ 1(l) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 1(c)] | Records management | Detective | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Preventive | |
Establish and maintain an implantable device list. CC ID 14444 | Records management | Preventive | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Preventive | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Preventive | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Preventive | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Preventive | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Preventive | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Preventive | |
Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records management | Preventive | |
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records management | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Detective | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Detective | |
Establish and maintain access controls for all records. CC ID 00371 [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2 For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)] | Records management | Preventive | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records management | Preventive | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Preventive | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)] | Records management | Preventive | |
Establish and maintain an error suspense file for rejected transactions. CC ID 06623 | Records management | Preventive | |
Review and approve output exceptions. CC ID 06625 | Records management | Preventive | |
Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1] | Operational and Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Operational and Systems Continuity | Preventive | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)] | Operational and Systems Continuity | Corrective | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Preventive | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Corrective | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate business functions across multiple facilities using geographic separation. CC ID 10662 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Preventive | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Corrective | |
Review and prioritize the importance of each business unit. CC ID 01165 | Operational and Systems Continuity | Preventive | |
Document the mean time to failure for system components. CC ID 10684 | Operational and Systems Continuity | Preventive | |
Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Operational and Systems Continuity | Preventive | |
Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 | Operational and Systems Continuity | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Preventive | |
Implement network redundancy, as necessary. CC ID 13048 | Operational management | Preventive | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 [The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6] | Leadership and high level objectives | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain workload forecasting tools. CC ID 00936 | Operational management | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Preventive | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Preventive | |
Review each system's operational readiness. CC ID 06275 | Operational management | Preventive | |
Validate the system before implementing approved changes. CC ID 01510 | Operational management | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Preventive | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Preventive | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Leadership and high level objectives | Detective | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Detective | |
Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Monitoring and measurement | Detective | |
Allow expected changes during file integrity monitoring. CC ID 12090 | Monitoring and measurement | Preventive | |
Develop and maintain a usage profile for each user account. CC ID 07067 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Detective | |
Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Preventive | |
Control access rights to organizational assets. CC ID 00004 [The organization shall define and manage the interfaces with the external supplier. § 8.3.4.1 ¶ 4] | Technical security | Preventive | |
Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Preventive | |
Define access needs for each system component of an information system. CC ID 12456 | Technical security | Preventive | |
Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 | Technical security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Preventive | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Preventive | |
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Preventive | |
Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Preventive | |
Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Preventive | |
Include all system components in the access control system. CC ID 11939 | Technical security | Preventive | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Preventive | |
Enforce access restrictions for change control. CC ID 01428 | Technical security | Preventive | |
Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Preventive | |
Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Preventive | |
Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Preventive | |
Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Preventive | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Preventive | |
Limit any effects of a Denial of Service attack. CC ID 06754 | Operational management | Preventive | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Preventive | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Detective | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Preventive | |
Control remote maintenance according to the system's asset classification. CC ID 01433 | Operational management | Preventive | |
Approve all remote maintenance sessions. CC ID 10615 | Operational management | Preventive | |
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Preventive | |
Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Preventive | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Preventive | |
Categorize the incident following an incident response. CC ID 13208 [{document} Information security incidents shall be: recorded and classified; § 8.7.3.3 ¶ 1(a) The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2 The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3 Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)] | Operational management | Preventive | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Corrective | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Corrective | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Corrective | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Operational management | Preventive | |
Implement patch management software, as necessary. CC ID 12094 | Operational management | Preventive | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Operational management | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Detective | |
Patch software. CC ID 11825 | Operational management | Corrective | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Corrective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Operational management | Detective | |
Approve each system's Configurable Items (and changes to those Configurable Items). CC ID 04887 | System hardening through configuration management | Preventive | |
Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 | Records management | Preventive | |
Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 | Records management | Preventive | |
Validate transactions using identifiers and credentials. CC ID 13203 | Records management | Preventive | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 | Records management | Preventive | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Preventive | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Preventive | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Preventive | |
Provide encryption for different types of electronic storage media. CC ID 00945 | Records management | Preventive | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: § 9.3 ¶ 2(c)] | Leadership and high level objectives | Detective | |
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Preventive | |
Assess customer satisfaction. CC ID 00652 [At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4 The management review shall include consideration of: feedback from customers and other interested parties; § 9.3 ¶ 2(e)] | Monitoring and measurement | Detective | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [The organization shall: ensure that the results of the audits are reported to relevant management; § 9.2.2 ¶ 1(d)] | Audits and risk management | Detective | |
Review the external audit assertion for accuracy. CC ID 06977 | Audits and risk management | Detective | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 | Audits and risk management | Detective | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 [The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3] | Audits and risk management | Detective | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Detective | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: § 9.2.1 ¶ 1] | Audits and risk management | Preventive | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Preventive | |
Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Detective | |
Include in the work papers whether in scope control deviations still allow the in scope controls to be performed acceptably. CC ID 06987 | Audits and risk management | Detective | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Detective | |
Submit an audit report that is complete. CC ID 01145 | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Audits and risk management | Detective | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Audits and risk management | Detective | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1] | Audits and risk management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [/* Based on the subject of this section, by 'these actions', the document is referring to activities to manage risk*/{risk management activity} evaluate the effectiveness of these actions. § 6.1.3 ¶ 1(b)(2)] | Audits and risk management | Detective | |
Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Detective | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Detective | |
Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Detective | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] | Operational and Systems Continuity | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Operational and Systems Continuity | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Operational and Systems Continuity | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Operational and Systems Continuity | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Operational and Systems Continuity | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Detective | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 | Operational and Systems Continuity | Preventive | |
Review all third party's continuity plan test results. CC ID 01365 | Operational and Systems Continuity | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Detective | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] | Operational and Systems Continuity | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Operational and Systems Continuity | Detective | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1(b) {staff} The organization shall: determine the necessary competence of persons doing work under its control that affects the performance and effectiveness of the SMS and the services; § 7.2 ¶ 1(a)] | Human Resources management | Detective | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
Conduct tests and evaluate training. CC ID 06672 [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)] | Human Resources management | Detective | |
Forecast system workloads. CC ID 00938 | Operational management | Detective | |
Utilize resource capacity management controls. CC ID 00939 | Operational management | Detective | |
Perform system capacity testing. CC ID 01616 | Operational management | Detective | |
Perform system performance reviews. CC ID 11866 | Operational management | Detective | |
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Operational management | Detective | |
Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Detective | |
Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Operational management | Detective | |
Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Operational management | Detective | |
Open a priority incident request after a security breach is detected. CC ID 04838 | Operational management | Corrective | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Operational management | Corrective | |
Test proposed changes prior to their approval. CC ID 00548 [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2] | Operational management | Detective | |
Perform risk assessments prior to approving change requests. CC ID 00888 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: capacity, service availability, service continuity and information security; § 8.5.1.3 ¶ 1(d) At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6 The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: existing services; § 8.5.1.3 ¶ 1(a) The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: other requests for change, releases and plans for deployment. § 8.5.1.3 ¶ 1(e)] | Operational management | Preventive | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Operational management | Detective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Detective | |
Review changes to computer firmware. CC ID 12226 | Operational management | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Operational management | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3] | Operational management | Detective | |
Test network access controls for proper Configuration Management settings. CC ID 01281 | System hardening through configuration management | Detective | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 | Records management | Detective | |
Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 | Records management | Detective | |
Maintain media sanitization equipment in operational condition. CC ID 00721 | Records management | Detective | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Detective | |
Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Detective | |
Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 | Records management | Detective | |
Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 | Systems design, build, and implementation | Detective | |
Determine if the project is complete after all implementation tasks are finished. CC ID 06912 [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: service acceptance criteria; § 8.5.2.1 ¶ 1(f)] | Systems design, build, and implementation | Detective | |
Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Detective | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Detective | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Detective | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Detective | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [The organization shall determine and document: risks related to: the involvement of other parties in the service lifecycle; § 6.1.2 ¶ 1(a)(3)] | Third Party and supply chain oversight | Detective | |
Common Control (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Submit applications for professional certification. CC ID 16192 | Human Resources management | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Detective | |
Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Preventive | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Preventive | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Preventive | |
Include risk management in the training plan, as necessary. CC ID 13040 | Human Resources management | Preventive | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Preventive | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Human Resources management | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
Conduct tampering prevention training. CC ID 11875 | Human Resources management | Preventive | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Preventive | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Preventive | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Preventive | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Preventive | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Preventive | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Preventive | |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Common Control (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | TYPE | |
---|---|---|---|
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Communicate | |
Correct errors and deficiencies in a timely manner. CC ID 13501 | Leadership and high level objectives | Business Processes | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Establish/Maintain Documentation | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Leadership and high level objectives | Business Processes | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Establish/Maintain Documentation | |
Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Log Management | |
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Investigate | |
Determine the causes of compliance violations. CC ID 12401 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.1.1 ¶ 1(b)(1) When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.1.1 ¶ 1(b)(2)] | Monitoring and measurement | Investigate | |
Correct compliance violations. CC ID 13515 [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: § 10.1.1 ¶ 1(a) When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.1.1 ¶ 1(a)(1) When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: deal with the consequences; § 10.1.1 ¶ 1(a)(2) When a nonconformity occurs, the organization shall: implement any action needed; § 10.1.1 ¶ 1(c)] | Monitoring and measurement | Process or Activity | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Behavior | |
Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Process or Activity | |
Assign the Board of Directors to address audit findings. CC ID 12396 | Audits and risk management | Human Resources Management | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Establish/Maintain Documentation | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Audits and Risk Management | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Establish/Maintain Documentation | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Business Processes | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Establish/Maintain Documentation | |
Implement a corrective action plan in response to the audit report. CC ID 06777 | Audits and risk management | Establish/Maintain Documentation | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Actionable Reports or Measurements | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Acquisition/Sale of Assets or Services | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Audits and risk management | Establish/Maintain Documentation | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Establish/Maintain Documentation | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
Report changes in the continuity plan to senior management. CC ID 12757 | Operational and Systems Continuity | Communicate | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)] | Operational and Systems Continuity | Systems Continuity | |
Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Systems Continuity | |
Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Operational and Systems Continuity | Communicate | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Human Resources Management | |
Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Behavior | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Process or Activity | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Monitor and Evaluate Occurrences | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Monitor and Evaluate Occurrences | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Physical and Environmental Protection | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2] | Operational management | Monitor and Evaluate Occurrences | |
Escalate incidents, as necessary. CC ID 14861 [Problems shall be: escalated if needed; § 8.6.3 ¶ 2(c)] | Operational management | Monitor and Evaluate Occurrences | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Behavior | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Process or Activity | |
Share incident information with interested personnel and affected parties. CC ID 01212 [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Operational management | Data and Information Management | |
Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Data and Information Management | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Establish/Maintain Documentation | |
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Log Management | |
Investigate and take action regarding help desk queries. CC ID 06324 [Service requests shall be: prioritized; § 8.6.2 ¶ 1(b) Service requests shall be: fulfilled; § 8.6.2 ¶ 1(c)] | Operational management | Behavior | |
Open a priority incident request after a security breach is detected. CC ID 04838 | Operational management | Testing | |
Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Operational management | Testing | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Operational management | Communicate | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Technical Security | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Technical Security | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Technical Security | |
Review and approve the Information Technology budget. CC ID 13644 | Operational management | Business Processes | |
Update the Information Technology budget, as necessary. CC ID 13643 | Operational management | Business Processes | |
Approve back-out plans, as necessary. CC ID 13627 [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Configuration | |
Patch software. CC ID 11825 | Operational management | Technical Security | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Technical Security | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Configuration | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Configuration | |
Update computer firmware, as necessary. CC ID 11755 | Operational management | Configuration | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Operational management | Configuration | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2] | Operational management | Business Processes | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Operational management | Establish/Maintain Documentation | |
Document approved configuration deviations. CC ID 08711 | Operational management | Establish/Maintain Documentation | |
Notify the supervisory authority of any changes to the required data elements. CC ID 14366 | Records management | Communicate | |
Remove non-public information from publicly accessible systems. CC ID 14246 | Records management | Data and Information Management | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Process or Activity | |
Review and update controls to ensure the timeliness and accuracy of the market prices. CC ID 13688 | Acquisition or sale of facilities, technology, and services | Process or Activity | |
Process product return requests. CC ID 11598 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Refrain from returning products absent a return request authorization. CC ID 11599 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3] | Third Party and supply chain oversight | Business Processes | |
Common Control (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | TYPE | |
---|---|---|---|
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Process or Activity | |
Identify all interested personnel and affected parties. CC ID 12845 [The organization shall determine: the interested parties that are relevant to the SMS and the services; § 4.2 ¶ 1(a) The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1] | Leadership and high level objectives | Process or Activity | |
Approve the data classification scheme. CC ID 13858 | Leadership and high level objectives | Establish/Maintain Documentation | |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Leadership and high level objectives | Investigate | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Monitor for new Information Security solutions. CC ID 07078 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Leadership and high level objectives | Technical Security | |
Enforce a continuous Quality Control system. CC ID 01005 [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3] | Leadership and high level objectives | Business Processes | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: § 9.3 ¶ 2(c)] | Leadership and high level objectives | Testing | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Business Processes | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)] | Leadership and high level objectives | Business Processes | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Leadership and high level objectives | Establish Roles | |
Identify and document the events that initiate the decision management strategy. CC ID 06914 | Leadership and high level objectives | Establish/Maintain Documentation | |
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain event logging procedures. CC ID 01335 | Monitoring and measurement | Log Management | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1] | Monitoring and measurement | Log Management | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Log Management | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Technical Security | |
Assess customer satisfaction. CC ID 00652 [At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4 The management review shall include consideration of: feedback from customers and other interested parties; § 9.3 ¶ 2(e)] | Monitoring and measurement | Testing | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4] | Monitoring and measurement | Establish/Maintain Documentation | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Process or Activity | |
Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for and report when a software configuration is updated. CC ID 06746 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for firmware updates absent authorization. CC ID 10675 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Implement file integrity monitoring. CC ID 01205 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Monitoring and measurement | Technical Security | |
Monitor and evaluate user account activity. CC ID 07066 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Log account usage to determine dormant accounts. CC ID 12118 | Monitoring and measurement | Log Management | |
Log account usage times. CC ID 07099 | Monitoring and measurement | Log Management | |
Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Log account usage durations. CC ID 12117 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Monitoring and measurement | Communicate | |
Log Internet Protocol addresses used during logon. CC ID 07100 | Monitoring and measurement | Log Management | |
Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Communicate | |
Monitor service availability when implementing the service management monitoring and metrics program. CC ID 13921 [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Compare the performance metrics of service availability against their targets, as necessary. CC ID 13922 [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Actionable Reports or Measurements | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Business Processes | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities exist, or could potentially occur; § 10.1.1 ¶ 1(b)(3)] | Monitoring and measurement | Investigate | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.1.1 ¶ 1(d)] | Monitoring and measurement | Investigate | |
Report on the policies and controls that have been implemented by management. CC ID 01670 [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: reporting on implemented improvements. § 10.2 ¶ 3(e)] | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2(a)] | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals who have access to security software and are trained, authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals who are able to assign security privileges and are trained, authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 [The organization shall determine and document: risks related to: approach to be taken for the management of risks. § 6.1.2 ¶ 1(d)] | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Log Management | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Log Management | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Log Management | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of laptops and mobile devices that must be in compliance with the approved configuration standard before network access is granted. CC ID 02106 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Technical Security | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1) The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [The organization shall: ensure that the results of the audits are reported to relevant management; § 9.2.2 ¶ 1(d)] | Audits and risk management | Testing | |
Review the external audit assertion for accuracy. CC ID 06977 | Audits and risk management | Testing | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 | Audits and risk management | Testing | |
Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and risk management | Audits and Risk Management | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Audits and Risk Management | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Audits and Risk Management | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Audits and Risk Management | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
Refrain from examining forecasts and projections that do not disclose their assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Investigate | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Testing | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Testing | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Testing | |
Determine the effectiveness of in scope controls. CC ID 06984 [The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3] | Audits and risk management | Testing | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Audits and Risk Management | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Audits and Risk Management | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Testing | |
Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Testing | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Behavior | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Audits and Risk Management | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Testing | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Testing | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Audits and Risk Management | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Investigate | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Establish/Maintain Documentation | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Human Resources Management | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Audits and Risk Management | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Audits and Risk Management | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Establish/Maintain Documentation | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Audits and Risk Management | |
Review past audit reports. CC ID 01155 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the results of previous audits; § 9.2.2 ¶ 1(a)(3) The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: audit results; § 9.3 ¶ 2(c)(3)] | Audits and risk management | Establish/Maintain Documentation | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Establish/Maintain Documentation | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Establish/Maintain Documentation | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Investigate | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Process or Activity | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Audits and risk management | Log Management | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Establish/Maintain Documentation | |
Submit an audit report that is complete. CC ID 01145 | Audits and risk management | Testing | |
Review management's response to issues raised in past audit reports. CC ID 01149 [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1)] | Audits and risk management | Audits and Risk Management | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Audits and risk management | Testing | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Human Resources Management | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Audits and risk management | Testing | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Business Processes | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Audits and Risk Management | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Audits and Risk Management | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Audits and Risk Management | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Human Resources Management | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Investigate | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Establish/Maintain Documentation | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Establish/Maintain Documentation | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Investigate | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Audits and Risk Management | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Actionable Reports or Measurements | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Audits and Risk Management | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Process or Activity | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Process or Activity | |
Determine the effectiveness of risk control measures. CC ID 06601 [/* Based on the subject of this section, by 'these actions', the document is referring to activities to manage risk*/{risk management activity} evaluate the effectiveness of these actions. § 6.1.3 ¶ 1(b)(2)] | Audits and risk management | Testing | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Audits and Risk Management | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Audits and Risk Management | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Process or Activity | |
Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Configuration | |
Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Testing | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1] | Operational and Systems Continuity | Systems Continuity | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Testing | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Testing | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Testing | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Define and prioritize critical business functions. CC ID 00736 [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Test the continuity plan, as necessary. CC ID 00755 [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] | Operational and Systems Continuity | Testing | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Testing | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Operational and Systems Continuity | Testing | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Testing | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Testing | |
Review all third party's continuity plan test results. CC ID 01365 | Operational and Systems Continuity | Testing | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Testing | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] | Operational and Systems Continuity | Testing | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Operational and Systems Continuity | Testing | |
Analyze workforce management. CC ID 12844 [{resource level}{manpower} The management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)] | Human Resources management | Human Resources Management | |
Identify root causes of staffing shortages, if any exist. CC ID 13276 | Human Resources management | Human Resources Management | |
Analyze the ability of Human Resources to attract a competent workforce. CC ID 13275 | Human Resources management | Human Resources Management | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1(b) {staff} The organization shall: determine the necessary competence of persons doing work under its control that affects the performance and effectiveness of the SMS and the services; § 7.2 ¶ 1(a)] | Human Resources management | Testing | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Human Resources Management | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Human Resources Management | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Establish/Maintain Documentation | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Human Resources Management | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Establish/Maintain Documentation | |
Document all training in a training record. CC ID 01423 [The organization shall: retain appropriate documented information as evidence of competence. § 7.2 ¶ 1(d)] | Human Resources management | Establish/Maintain Documentation | |
Conduct tests and evaluate training. CC ID 06672 [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)] | Human Resources management | Testing | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Training | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Training | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Monitor and Evaluate Occurrences | |
Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Monitor and Evaluate Occurrences | |
Forecast system workloads. CC ID 00938 | Operational management | Testing | |
Utilize resource capacity management controls. CC ID 00939 | Operational management | Testing | |
Perform system capacity testing. CC ID 01616 | Operational management | Testing | |
Perform system performance reviews. CC ID 11866 | Operational management | Testing | |
Follow the resource workload schedule. CC ID 00941 | Operational management | Business Processes | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Process or Activity | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Process or Activity | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Establish/Maintain Documentation | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Technical Security | |
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Operational management | Testing | |
Control and monitor all maintenance tools. CC ID 01432 | Operational management | Physical and Environmental Protection | |
Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Testing | |
Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Operational management | Testing | |
Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Operational management | Testing | |
Respond to and triage when an incident is detected. CC ID 06942 [Information security incidents shall be: prioritized taking into consideration the information security risk; § 8.7.3.3 ¶ 1(b) Incidents shall be: prioritized taking into consideration impact and urgency; § 8.6.1 ¶ 1(b) Problems shall be: prioritized; § 8.6.3 ¶ 2(b)] | Operational management | Monitor and Evaluate Occurrences | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 [Incidents shall be: recorded and classified; § 8.6.1 ¶ 1(a) The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3 Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)] | Operational management | Establish/Maintain Documentation | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Operational management | Investigate | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [Information security incidents shall be: resolved; § 8.7.3.3 ¶ 1(d) Incidents shall be: resolved; § 8.6.1 ¶ 1(d) The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Use proactive performance management. CC ID 00937 [At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3] | Operational management | Business Processes | |
Utilize resource availability management controls. CC ID 00940 | Operational management | Business Processes | |
Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845 [{service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain cost management procedures. CC ID 00873 [Costs shall be budgeted to enable effective financial control and decision-making for services. § 8.4.1 ¶ 2 At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3] | Operational management | Business Processes | |
Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 | Operational management | Investigate | |
Identify deviations in cost management procedures. CC ID 13640 | Operational management | Investigate | |
Identify and allocate departmental costs. CC ID 00871 | Operational management | Business Processes | |
Prepare an Information Technology budget, as necessary. CC ID 00872 [The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Compare actual Information Technology costs to forecasted Information Technology budgets. CC ID 11753 [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3] | Operational management | Business Processes | |
Test proposed changes prior to their approval. CC ID 00548 [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2] | Operational management | Testing | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2 The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4 {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3 {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5] | Operational management | Business Processes | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Process or Activity | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Investigate | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Investigate | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Technical Security | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Operational management | Testing | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Testing | |
Review changes to computer firmware. CC ID 12226 | Operational management | Testing | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Testing | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Operational management | Technical Security | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Establish/Maintain Documentation | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Operational management | Testing | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3] | Operational management | Testing | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Configuration | |
Establish, implement, and maintain a service delivery and production process Quality Management program. CC ID 07194 [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f) The management review shall include consideration of: performance of the services; § 9.3 ¶ 2(h) The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1 ¶ 1(b) The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1 ¶ 1(d) The organization shall evaluate the SMS performance against the service management objectives and evaluate the effectiveness of the SMS. The organization shall evaluate the effectiveness of the services against the service requirements. § 9.1 ¶ 3 Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4 The release shall be deployed into the live environment so that the integrity of the services and service components is maintained. § 8.5.3 ¶ 5 {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1 The service management plan shall include or contain a reference to: how the effectiveness of the SMS and the services will be measured, audited, reported and improved. § 6.3 ¶ 2(h)] | Operational management | Business Processes | |
Include consumer safety quality improvement projects in the service delivery and production process Quality Management program. CC ID 07195 | Operational management | Establish/Maintain Documentation | |
Test network access controls for proper Configuration Management settings. CC ID 01281 | System hardening through configuration management | Testing | |
Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 | System hardening through configuration management | Log Management | |
Configure the log to capture user authenticator changes. CC ID 01917 | System hardening through configuration management | Log Management | |
Audit the configuration of organizational assets, as necessary. CC ID 13653 [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3] | System hardening through configuration management | Audits and Risk Management | |
Audit assets after maintenance was performed. CC ID 13657 | System hardening through configuration management | Audits and Risk Management | |
Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain records registration procedures. CC ID 00913 | Records management | Establish/Maintain Documentation | |
Define the terms used in the record classification scheme. CC ID 00916 | Records management | Establish/Maintain Documentation | |
Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 | Records management | Records Management | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Establish/Maintain Documentation | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 | Records management | Testing | |
Define which documents and records the organization may capture. CC ID 00905 [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)] | Records management | Establish/Maintain Documentation | |
Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 | Records management | Testing | |
Maintain media sanitization equipment in operational condition. CC ID 00721 | Records management | Testing | |
Establish, implement, and maintain source document authorization tracking. CC ID 01262 | Records management | Records Management | |
Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 | Records management | Business Processes | |
Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 | Records management | Process or Activity | |
Review the electronic storage media for the information the organization collects and processes. CC ID 13009 | Records management | Process or Activity | |
Establish, implement, and maintain source document error handling tracking. CC ID 01263 | Records management | Records Management | |
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Records management | Monitor and Evaluate Occurrences | |
Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 | Records management | Records Management | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 | Records management | Monitor and Evaluate Occurrences | |
Capture the records required by organizational compliance requirements. CC ID 00912 [The documented information for the SMS shall include: records required to demonstrate evidence of conformity to the requirements of this document and the organization's SMS. § 7.5.4 ¶ 1(l) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 1(c)] | Records management | Records Management | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Data and Information Management | |
Identify patient-specific education resources. CC ID 14439 | Records management | Process or Activity | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Data and Information Management | |
Control error handling when data is being inputted. CC ID 00922 | Records management | Data and Information Management | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Records Management | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Records Management | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Monitor and Evaluate Occurrences | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Testing | |
Provide audit trails for all pertinent records. CC ID 00372 | Records management | Establish/Maintain Documentation | |
Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Process or Activity | |
Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Testing | |
Establish, implement, and maintain output balancing audit trails. CC ID 00928 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 | Records management | Establish/Maintain Documentation | |
Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 | Records management | Testing | |
Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 | Systems design, build, and implementation | Testing | |
Determine if the project is complete after all implementation tasks are finished. CC ID 06912 [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: service acceptance criteria; § 8.5.2.1 ¶ 1(f)] | Systems design, build, and implementation | Testing | |
Include complete information in the take-down request. CC ID 09965 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include the complainant's contact information in the take-down request. CC ID 09966 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Testing | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [The documented information for the SMS shall include: contracts with external suppliers; § 7.5.4 ¶ 1(i) For each internal supplier or customer acting as a supplier, the organization shall develop, agree and maintain a documented agreement to define the service level targets, other commitments, activities and interfaces between the parties. § 8.3.4.2 ¶ 1 For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: § 8.3.4.1 ¶ 2 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)] | Third Party and supply chain oversight | Process or Activity | |
Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Testing | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Testing | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Testing | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Testing | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Data and Information Management | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Testing | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Approve all Service Level Agreements. CC ID 00843 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Business Processes | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [The organization shall determine and document: risks related to: the involvement of other parties in the service lifecycle; § 6.1.2 ¶ 1(a)(3)] | Third Party and supply chain oversight | Testing | |
Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2] | Third Party and supply chain oversight | Business Processes | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Third Party and supply chain oversight | Business Processes | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring there is control of other parties involved in the service lifecycle; § 5.1 ¶ 1(e) The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1 At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5 The management review shall include consideration of: performance of other parties involved in the delivery of the services; § 9.3 ¶ 2(i)] | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Monitor and Evaluate Occurrences |
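Several rows in the table above ask for the same property from different angles: CI changes that are traceable and auditable so that the integrity of the configuration information is maintained (CC ID 13653, citing § 8.2.6 ¶ 3), continued integrity for stored records (CC ID 00969) and audit trails for pertinent records (CC ID 00372). The following is an added example, not part of the UCF mapping or of ISO/IEC 20000-1, of one way to meet all three at once: an append-only trail of CI change records in which each record carries an HMAC over its own content and the previous record's link, so that editing, deleting or reordering stored records is detected on verification. The record fields, the sample changes and the key (`EXAMPLE_KEY`) are assumptions made for the illustration; in a real deployment the key would be held in an HSM or KMS rather than alongside the records.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS_LINK = "0" * 64  # link value the first record is chained to

# Assumption for this example only: a real trail keeps the key in an HSM/KMS
# so that whoever can write records cannot also forge links.
EXAMPLE_KEY = b"example-only-audit-trail-key"


def _canonical(payload: Dict[str, Any]) -> bytes:
    """Deterministic JSON so an identical record always yields the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _link(key: bytes, prev_link: str, payload: Dict[str, Any]) -> str:
    """HMAC-SHA256 over (previous link || canonical record): binds each record to its predecessor."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_link.encode("ascii"))
    mac.update(_canonical(payload))
    return mac.hexdigest()


class CiAuditTrail:
    """Append-only list of CI change records, each chained to the one before it."""

    def __init__(self, key: bytes = EXAMPLE_KEY) -> None:
        self._key = key
        self.records: List[Dict[str, Any]] = []

    def append(self, ci_id: str, change_id: str, actor: str,
               old_value: Any, new_value: Any, timestamp: str) -> Dict[str, Any]:
        prev_link = self.records[-1]["link"] if self.records else GENESIS_LINK
        payload = {
            "seq": len(self.records),   # position in the trail; makes deletion and reordering detectable
            "ci_id": ci_id,
            "change_id": change_id,     # ties the CI update back to the approved change (§ 8.2.6)
            "actor": actor,
            "old": old_value,
            "new": new_value,
            "timestamp": timestamp,
        }
        record = dict(payload, link=_link(self._key, prev_link, payload))
        self.records.append(record)
        return record

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every link; return (True, None) or (False, seq of the first bad record)."""
        prev_link = GENESIS_LINK
        for expected_seq, record in enumerate(self.records):
            payload = {k: v for k, v in record.items() if k != "link"}
            expected_link = _link(self._key, prev_link, payload)
            if payload.get("seq") != expected_seq or not hmac.compare_digest(record["link"], expected_link):
                return False, expected_seq
            prev_link = record["link"]
        return True, None

    def history(self, ci_id: str) -> List[Dict[str, Any]]:
        """All changes to one CI in order: the traceability § 8.2.6 ¶ 3 asks for."""
        return [r for r in self.records if r["ci_id"] == ci_id]


def build_sample_trail() -> CiAuditTrail:
    """Constructed sample data (not real changes): three updates across two CIs."""
    trail = CiAuditTrail()
    trail.append("fw-edge-01", "CHG-1001", "alice", {"rule": "deny any"},
                 {"rule": "allow tcp/443"}, "2024-03-01T09:00:00Z")
    trail.append("db-prod-02", "CHG-1002", "bob", {"tls": "1.1"},
                 {"tls": "1.2"}, "2024-03-02T10:30:00Z")
    trail.append("fw-edge-01", "CHG-1003", "alice", {"rule": "allow tcp/443"},
                 {"rule": "allow tcp/443,tcp/8443"}, "2024-03-03T11:15:00Z")
    return trail


def tamper_demo() -> Tuple[Tuple[bool, Optional[int]], Tuple[bool, Optional[int]], Tuple[bool, Optional[int]]]:
    """An untouched trail verifies; an in-place edit and a deleted record are both caught."""
    intact = build_sample_trail().verify()

    edited = build_sample_trail()
    edited.records[1]["actor"] = "mallory"   # rewrite history after the fact
    edit_result = edited.verify()

    truncated = build_sample_trail()
    del truncated.records[1]                  # drop a record; the next one's seq and link no longer fit
    truncate_result = truncated.verify()
    return intact, edit_result, truncate_result


if __name__ == "__main__":
    print(tamper_demo())
    for r in build_sample_trail().history("fw-edge-01"):
        print(r["seq"], r["change_id"], r["actor"], r["old"], "->", r["new"])
```

The verification reports the first record at which the chain breaks, which is what an auditor needs to scope the affected period. The chain only proves that nobody without the key altered the stored records; it does not stop someone who holds the key from rebuilding the whole trail, which is why this pairs with the non-rewritable storage of CC ID 00944 or with periodically anchoring the latest link somewhere the record writers cannot reach.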
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain communication protocols. CC ID 12245 [{internal communication}{be relevant} The organization shall determine the internal and external communications relevant to the SMS and the services including: § 7.4 ¶ 1 The organization shall determine the internal and external communications relevant to the SMS and the services including: when to communicate; § 7.4 ¶ 1(b) The organization shall determine the internal and external communications relevant to the SMS and the services including: with whom to communicate; § 7.4 ¶ 1(c) The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2 The organization shall determine the internal and external communications relevant to the SMS and the services including: how to communicate; § 7.4 ¶ 1(d) The organization shall determine the internal and external communications relevant to the SMS and the services including: on what it will communicate; § 7.4 ¶ 1(a) The organization shall determine the internal and external communications relevant to the SMS and the services including: who will be responsible for the communication. § 7.4 ¶ 1(e)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include external requirements in the organization's communication protocol. CC ID 12418 [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Communicate | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Process or Activity | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Process or Activity | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Communicate | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Communicate | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Process or Activity | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Communicate | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Communicate | |
Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Process or Activity | |
Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Process or Activity | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Business Processes | |
Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Process or Activity | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Actionable Reports or Measurements | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Communicate | |
Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Process or Activity | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1] | Leadership and high level objectives | Business Processes | |
Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Business Processes | |
Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Leadership and high level objectives | Communicate | |
Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Establish/Maintain Documentation | |
Analyze organizational objectives, functions, and activities. CC ID 00598 [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be measurable; § 6.2.1 ¶ 1(b)] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Leadership and high level objectives | Establish/Maintain Documentation | |
Analyze the business environment in which the organization operates. CC ID 12798 | Leadership and high level objectives | Business Processes | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Process or Activity | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Process or Activity | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Process or Activity | |
Include resources in the analysis of the internal business environment. CC ID 12942 [{resource level}{manpower} The management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)] | Leadership and high level objectives | Process or Activity | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Process or Activity | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Process or Activity | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Process or Activity | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Process or Activity | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Process or Activity | |
Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Business Processes | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2] | Leadership and high level objectives | Communicate | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 [{service management system} When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2(a) The management review shall include consideration of: changes in external and internal issues that are relevant to the SMS; § 9.3 ¶ 2(b) The management review shall include consideration of: changes that can affect the SMS and the services. § 9.3 ¶ 2(l)] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the external environment in which the organization operates. CC ID 12799 | Leadership and high level objectives | Business Processes | |
Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Process or Activity | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 | Leadership and high level objectives | Business Processes | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Business Processes | |
Include society in the analysis of the external environment. CC ID 12963 | Leadership and high level objectives | Business Processes | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Business Processes | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Business Processes | |
Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Business Processes | |
Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Business Processes | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Business Processes | |
Include legal requirements in the analysis of the external environment. CC ID 12896 | Leadership and high level objectives | Business Processes | |
Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Business Processes | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 | Leadership and high level objectives | Business Processes | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Establish/Maintain Documentation | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Process or Activity | |
Identify events that may affect organizational objectives. CC ID 12961 [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1] | Leadership and high level objectives | Process or Activity | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Leadership and high level objectives | Process or Activity | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 [{applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1] | Leadership and high level objectives | Business Processes | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a) {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)] | Leadership and high level objectives | Business Processes | |
Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Business Processes | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Communicate | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Communicate | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)] | Leadership and high level objectives | Communicate | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1] | Leadership and high level objectives | Business Processes | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1 The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)] | Leadership and high level objectives | Process or Activity | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)] | Leadership and high level objectives | Process or Activity | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Leadership and high level objectives | Process or Activity | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 | Leadership and high level objectives | Establish/Maintain Documentation | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Data and Information Management | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Data and Information Management | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Data and Information Management | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Data and Information Management | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Data and Information Management | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Data and Information Management | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Data and Information Management | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Data and Information Management | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Data and Information Management | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Communicate | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Leadership and high level objectives | Establish/Maintain Documentation | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the data source in the data dictionary. CC ID 13519 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the nature of each element in the data dictionary. CC ID 13518 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Leadership and high level objectives | Behavior | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 [The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3 At planned intervals, the effectiveness of problem resolution shall be monitored, reviewed and reported. § 8.6.3 ¶ 5 The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Establish/Maintain Documentation | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a) The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2 {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b) {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)] | Leadership and high level objectives | Communicate | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 [Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4] | Leadership and high level objectives | Communicate | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 [The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2 The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: setting one or more targets for improvement in areas such as quality, value, capability, cost, productivity, resource utilization and risk reduction; § 10.2 ¶ 3(a) {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b) {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Communicate | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Communicate | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 [The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6] | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3 Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4 The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.3 ¶ 6] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include program testing standards in the Quality Management program. CC ID 01017 [At planned intervals, the organization shall monitor, review and report on: performance against service level targets; § 8.3.3 ¶ 3(a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring the integration of the SMS requirements into the organization's business processes; § 5.1 ¶ 1(f)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Authority Document list. CC ID 07113 [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [The documented information for the SMS shall include: procedures that are required by this document; § 7.5.4 ¶ 1(k)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [Documented information required by the SMS and by this document shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3.1(a) When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1(c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Communicate | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Establish/Maintain Documentation | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Establish/Maintain Documentation | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Establish Roles | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Establish Roles | |
Address Information Security during the business planning processes. CC ID 06495 | Leadership and high level objectives | Data and Information Management | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a strategic plan. CC ID 12784 [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Determine progress toward the objectives of the strategic plan. CC ID 12944 [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be monitored; § 6.2.1 ¶ 1(d) The management review shall include consideration of: achievement of service management objectives; § 9.3 ¶ 2(g)] | Leadership and high level objectives | Process or Activity | |
Include acting with integrity in the strategic plan. CC ID 12870 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 | Leadership and high level objectives | Communicate | |
Include the outsource partners in the strategic plan, as necessary. CC ID 13960 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a planning policy. CC ID 14673 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain planning procedures. CC ID 14698 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 | Leadership and high level objectives | Communicate | |
Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 | Leadership and high level objectives | Communicate | |
Include compliance requirements in the planning policy. CC ID 14688 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include coordination amongst entities in the planning policy. CC ID 14687 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the planning policy. CC ID 14686 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the planning policy. CC ID 14685 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the scope in the planning policy. CC ID 14684 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the purpose in the planning policy. CC ID 14683 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a security planning policy. CC ID 14027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include compliance requirements in the security planning policy. CC ID 14131 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include coordination amongst entities in the security planning policy. CC ID 14130 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the security planning policy. CC ID 14129 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the security planning policy. CC ID 14128 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the scope in the security planning policy. CC ID 14127 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the purpose in the security planning policy. CC ID 14126 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain security planning procedures. CC ID 14060 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Leadership and high level objectives | Business Processes | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for compliance in the decision-making criteria. CC ID 12951 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for setting priorities in the decision-making criteria. CC ID 12938 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: policies and plans required by this document; § 8.5.1.3 ¶ 1(c)] | Leadership and high level objectives | Process or Activity | |
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3 The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1] | Leadership and high level objectives | Process or Activity | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1] | Leadership and high level objectives | Process or Activity | |
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: customers, users and other interested parties; § 8.5.1.3 ¶ 1(b)] | Leadership and high level objectives | Process or Activity | |
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 | Leadership and high level objectives | Behavior | |
Take actions in accordance with the decision-making criteria. CC ID 12909 | Leadership and high level objectives | Process or Activity | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain an information technology process framework. CC ID 13648 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include maturity models in the Information Technology process framework. CC ID 13652 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include Information Technology process structures in the Information Technology process framework. CC ID 13650 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a tactical plan. CC ID 12785 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include acting with integrity in the tactical plan. CC ID 12871 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Leadership and high level objectives | Establish/Maintain Documentation | |
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Leadership and high level objectives | Human Resources Management | |
Include the transparency goals in the Information Governance Plan. CC ID 10056 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align business continuity objectives with the business continuity policy. CC ID 12408 | Leadership and high level objectives | Establish/Maintain Documentation | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 | Leadership and high level objectives | Business Processes | |
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Leadership and high level objectives | Establish/Maintain Documentation | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Business Processes | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Human Resources Management | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a search plan in the counterterror protective security plan. CC ID 06865 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 | Leadership and high level objectives | Actionable Reports or Measurements | |
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Leadership and high level objectives | Actionable Reports or Measurements | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Leadership and high level objectives | Actionable Reports or Measurements | |
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Leadership and high level objectives | Actionable Reports or Measurements | |
Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 | Leadership and high level objectives | Human Resources Management | |
Establish, implement, and maintain a financial management program. CC ID 13228 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain financial reports. CC ID 14770 [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Communicate | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Communicate | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: monitoring and measurement results; § 9.3 ¶ 2(c)(2)] | Monitoring and measurement | Log Management | |
Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Log Management | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Data and Information Management | |
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Testing | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Establish/Maintain Documentation | |
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Audits and Risk Management | |
Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Log Management | |
Monitor for software configurations updates absent authorization. CC ID 10676 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Allow expected changes during file integrity monitoring. CC ID 12090 | Monitoring and measurement | Technical Security | |
Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Monitoring and measurement | Establish/Maintain Documentation | |
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Monitoring and measurement | Process or Activity | |
Develop and maintain a usage profile for each user account. CC ID 07067 | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain a service management monitoring and metrics program. CC ID 13916 [At planned intervals, the organization shall: monitor and report on demand and consumption of services. § 8.4.2 ¶ 1(b) Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2] | Monitoring and measurement | Establish/Maintain Documentation | |
Communicate trends in service management to all interested personnel and affected parties. CC ID 13926 [Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2] | Monitoring and measurement | Communicate | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [The organization shall determine: when the monitoring and measuring shall be performed; § 9.1 ¶ 1(c)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Establish/Maintain Documentation | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Business Processes | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Audits and Risk Management | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: § 10.1.1 ¶ 1(b) The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a)] | Monitoring and measurement | Establish/Maintain Documentation | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Establish/Maintain Documentation | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 [Corrective actions shall be appropriate to the effects of the nonconformities encountered. § 10.1.1 ¶ 2] | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: targets for service availability when the service continuity plan is invoked; § 8.7.2 ¶ 2(c)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Business Processes | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Establish/Maintain Documentation | |
Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Technical Security | |
Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Log Management | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Technical Security | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Log Management | |
Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Systems Continuity | |
Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Log Management | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Log Management | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Log Management | |
Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Log Management | |
Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Log Management | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Log Management | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Configuration | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Audits and Risk Management | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Business Processes | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Establish/Maintain Documentation | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Audits and risk management | Establish Roles | |
Manage supply chain audits. CC ID 01203 | Audits and risk management | Audits and Risk Management | |
Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Audits and Risk Management | |
Rotate auditors, as necessary. CC ID 15589 | Audits and risk management | Audits and Risk Management | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 | Audits and risk management | Establish Roles | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Establish Roles | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Establish Roles | |
Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Audits and risk management | Establish Roles | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Audits and risk management | Establish Roles | |
Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Audits and risk management | Establish Roles | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Establish Roles | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and risk management | Audits and Risk Management | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Establish/Maintain Documentation | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Establish/Maintain Documentation | |
Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Audits and risk management | Establish/Maintain Documentation | |
Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Audits and risk management | Establish/Maintain Documentation | |
Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Audits and risk management | Establish/Maintain Documentation | |
Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Audits and risk management | Establish/Maintain Documentation | |
Review the external audit scope, as necessary. CC ID 01202 | Audits and risk management | Audits and Risk Management | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Establish/Maintain Documentation | |
Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Audits and risk management | Establish/Maintain Documentation | |
Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Audits and risk management | Establish/Maintain Documentation | |
Review the external auditor's qualifications. CC ID 01197 | Audits and risk management | Audits and Risk Management | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and risk management | Audits and Risk Management | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Audits and risk management | Establish/Maintain Documentation | |
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Audits and risk management | Establish/Maintain Documentation | |
Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Audits and risk management | Behavior | |
Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Audits and risk management | Behavior | |
Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Audits and risk management | Establish/Maintain Documentation | |
Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit program. CC ID 00684 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Establish/Maintain Documentation | |
Assign the audit to impartial auditors. CC ID 07118 [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)] | Audits and risk management | Establish Roles | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Audits and Risk Management | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 | Audits and risk management | Behavior | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Establish/Maintain Documentation | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit terms. CC ID 13880 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Process or Activity | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Audits and Risk Management | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Audits and Risk Management | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Audits and Risk Management | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Audits and Risk Management | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Audits and Risk Management | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Audits and Risk Management | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Establish/Maintain Documentation | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Establish/Maintain Documentation | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Audits and Risk Management | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Establish/Maintain Documentation | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 | Audits and risk management | Establish/Maintain Documentation | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Establish/Maintain Documentation | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Establish/Maintain Documentation | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Establish/Maintain Documentation | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Establish/Maintain Documentation | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Establish/Maintain Documentation | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Establish/Maintain Documentation | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Establish/Maintain Documentation | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Establish/Maintain Documentation | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Establish/Maintain Documentation | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Establish/Maintain Documentation | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Audits and Risk Management | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Business Processes | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Audits and Risk Management | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)] | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Audits and risk management | Establish/Maintain Documentation | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit program. CC ID 07103 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the importance of the processes concerned; § 9.2.2 ¶ 1(a)(1)] | Audits and risk management | Establish/Maintain Documentation | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Investigate | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Establish/Maintain Documentation | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Establish/Maintain Documentation | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Establish/Maintain Documentation | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Audits and Risk Management | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Audits and Risk Management | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Establish/Maintain Documentation | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Establish/Maintain Documentation | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Audits and Risk Management | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Establish/Maintain Documentation | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Establish/Maintain Documentation | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Establish/Maintain Documentation | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Establish/Maintain Documentation | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Establish/Maintain Documentation | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Establish/Maintain Documentation | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Establish/Maintain Documentation | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Establish/Maintain Documentation | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Communicate | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Establish/Maintain Documentation | |
Include how access to in scope systems, personnel, and in scope records is provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Audits and risk management | Establish/Maintain Documentation | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Establish/Maintain Documentation | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Communicate | |
Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Establish/Maintain Documentation | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: changes affecting the organization; § 9.2.2 ¶ 1(a)(2)] | Audits and risk management | Establish/Maintain Documentation | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Establish/Maintain Documentation | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Behavior | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Audits and Risk Management | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the organization's own requirements for its SMS; § 9.2.1 ¶ 1(a)(1) The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the requirements of this document; § 9.2.1 ¶ 1(a)(2) The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: is effectively implemented and maintained. § 9.2.1 ¶ 1(b) The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)] | Audits and risk management | Audits and Risk Management | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ (e)] | Audits and risk management | Actionable Reports or Measurements | |
Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Establish/Maintain Documentation | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Establish/Maintain Documentation | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Establish/Maintain Documentation | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Records Management | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Audits and Risk Management | |
Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Establish/Maintain Documentation | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Establish/Maintain Documentation | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Establish/Maintain Documentation | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: § 9.2.1 ¶ 1] | Audits and risk management | Testing | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Audits and Risk Management | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Audits and Risk Management | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Communicate | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Testing | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Establish/Maintain Documentation | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Audits and Risk Management | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Establish/Maintain Documentation | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Establish/Maintain Documentation | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Establish/Maintain Documentation | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Establish/Maintain Documentation | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Audits and Risk Management | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Establish/Maintain Documentation | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Monitor and Evaluate Occurrences | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Establish Roles | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Business Processes | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Monitor and Evaluate Occurrences | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Business Processes | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Process or Activity | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Establish/Maintain Documentation | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 | Audits and risk management | Audits and Risk Management | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Audits and risk management | Business Processes | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Audits and Risk Management | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Establish/Maintain Documentation | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain organizational audit reports. CC ID 06731 [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ (e) The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Audits and risk management | Establish/Maintain Documentation | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Audits and Risk Management | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Establish/Maintain Documentation | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Establish/Maintain Documentation | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Establish/Maintain Documentation | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Establish/Maintain Documentation | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Establish/Maintain Documentation | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Establish/Maintain Documentation | |
Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Actionable Reports or Measurements | |
Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Actionable Reports or Measurements | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Actionable Reports or Measurements | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Establish/Maintain Documentation | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Establish/Maintain Documentation | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Actionable Reports or Measurements | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Establish/Maintain Documentation | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Establish/Maintain Documentation | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Establish/Maintain Documentation | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Establish/Maintain Documentation | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Establish/Maintain Documentation | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Establish/Maintain Documentation | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Audits and Risk Management | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Establish/Maintain Documentation | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Establish/Maintain Documentation | |
Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Establish/Maintain Documentation | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Establish/Maintain Documentation | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Establish/Maintain Documentation | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Audits and Risk Management | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Establish/Maintain Documentation | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Actionable Reports or Measurements | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Establish/Maintain Documentation | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Establish/Maintain Documentation | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Audits and Risk Management | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Audits and Risk Management | |
Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Behavior | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Establish/Maintain Documentation | |
Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Establish/Maintain Documentation | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Establish/Maintain Documentation | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Establish/Maintain Documentation | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Establish/Maintain Documentation | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Establish/Maintain Documentation | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Audits and risk management | Establish/Maintain Documentation | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Establish/Maintain Documentation | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Establish/Maintain Documentation | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Actionable Reports or Measurements | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Audits and risk management | Establish/Maintain Documentation | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Communicate | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Communicate | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Behavior | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Establish/Maintain Documentation | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Business Processes | |
Accept the audit report. CC ID 07025 | Audits and risk management | Establish/Maintain Documentation | |
Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Human Resources Management | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Audits and risk management | Establish/Maintain Documentation | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Establish/Maintain Documentation | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Communicate | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk management program. CC ID 12051 [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a) The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)] | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Establish/Maintain Documentation | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Business Processes | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1] | Audits and risk management | Business Processes | |
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Establish/Maintain Documentation | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Audits and Risk Management | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Business Processes | |
Establish, implement, and maintain risk management strategies. CC ID 13209 | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Establish/Maintain Documentation | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Data and Information Management | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Audits and risk management | Establish/Maintain Documentation | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Audits and risk management | Establish Roles | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Audits and Risk Management | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Audits and risk management | Establish/Maintain Documentation | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [The organization shall determine and document: risks related to: not meeting the service requirements; § 6.1.2 ¶ 1(a)(2)] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Business Processes | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Business Processes | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Audits and risk management | Business Processes | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Establish/Maintain Documentation | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Establish/Maintain Documentation | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Establish/Maintain Documentation | |
Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Behavior | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security | |
Document cybersecurity risks. CC ID 12281 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Audits and risk management | Establish/Maintain Documentation | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Audits and Risk Management | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Audits and risk management | Establish/Maintain Documentation | |
Document organizational risk criteria. CC ID 12277 | Audits and risk management | Establish/Maintain Documentation | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Technical Security | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Audits and Risk Management | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Audits and Risk Management | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Establish/Maintain Documentation | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Audits and Risk Management | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Audits and Risk Management | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Establish/Maintain Documentation | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Audits and risk management | Establish/Maintain Documentation | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Audits and risk management | Establish/Maintain Documentation | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Audits and risk management | Establish/Maintain Documentation | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Audits and risk management | Establish/Maintain Documentation | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Establish/Maintain Documentation | |
Automate as much of the risk assessment program as necessary. CC ID 06459 | Audits and risk management | Audits and Risk Management | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Communicate | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Audits and risk management | Establish/Maintain Documentation | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1] | Audits and risk management | Testing | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Establish/Maintain Documentation | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Audits and risk management | Establish/Maintain Documentation | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Audits and Risk Management | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Audits and Risk Management | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Audits and Risk Management | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Communicate | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Audits and risk management | Business Processes | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 | Audits and risk management | Behavior | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Audits and Risk Management | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Establish/Maintain Documentation | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Establish/Maintain Documentation | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Establish/Maintain Documentation | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Establish/Maintain Documentation | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Establish/Maintain Documentation | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Establish/Maintain Documentation | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Audits and risk management | Establish/Maintain Documentation | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Business Processes | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Business Processes | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: prevent, or reduce, undesired effects; § 6.1.1 ¶ 1(b) The organization shall determine and document: risks related to: the organization; § 6.1.2 ¶ 1(a)(1)] | Audits and risk management | Audits and Risk Management | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)] | Audits and risk management | Audits and Risk Management | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Audits and Risk Management | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [The organization shall determine and document: risk acceptance criteria; § 6.1.2 ¶ 1(c)] | Audits and risk management | Establish/Maintain Documentation | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Investigate | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Behavior | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Establish/Maintain Documentation | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1] | Audits and risk management | Audits and Risk Management | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Audits and Risk Management | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Establish/Maintain Documentation | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Audits and Risk Management | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Audits and Risk Management | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Audits and Risk Management | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Audits and risk management | Establish/Maintain Documentation | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Establish/Maintain Documentation | |
Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Establish/Maintain Documentation | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Establish/Maintain Documentation | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Establish/Maintain Documentation | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Establish/Maintain Documentation | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Communicate | |
Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Audits and Risk Management | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Audits and risk management | Establish/Maintain Documentation | |
Review and approve the risk assessment findings. CC ID 06485 [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)] | Audits and risk management | Establish/Maintain Documentation | |
Include risk responses in the risk management program. CC ID 13195 | Audits and risk management | Establish/Maintain Documentation | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Audits and risk management | Business Processes | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Establish/Maintain Documentation | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Audits and Risk Management | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Communicate | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Communicate | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Audits and risk management | Establish/Maintain Documentation | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Establish/Maintain Documentation | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Communicate | |
Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Business Processes | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Business Processes | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Communicate | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Establish/Maintain Documentation | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Establish/Maintain Documentation | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Establish/Maintain Documentation | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Establish/Maintain Documentation | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Communicate | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Communicate | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Establish/Maintain Documentation | |
Control access rights to organizational assets. CC ID 00004 [The organization shall define and manage the interfaces with the external supplier. § 8.3.4.1 ¶ 4] | Technical security | Technical Security | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Configuration | |
Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Establish/Maintain Documentation | |
Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Technical Security | |
Define roles for information systems. CC ID 12454 | Technical security | Human Resources Management | |
Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Human Resources Management | |
Define access needs for each system component of an information system. CC ID 12456 | Technical security | Technical Security | |
Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Technical Security | |
Establish access rights based on least privilege. CC ID 01411 | Technical security | Technical Security | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Technical Security | |
Assign user privileges after they have management sign-off. CC ID 00542 | Technical security | Technical Security | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Configuration | |
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Technical Security | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Technical Security | |
Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Configuration | |
Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Configuration | |
Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Technical Security | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Configuration | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Configuration | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Configuration | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Configuration | |
Enable access control for objects and users on each system. CC ID 04553 | Technical security | Configuration | |
Include all system components in the access control system. CC ID 11939 | Technical security | Technical Security | |
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Process or Activity | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Technical Security | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Technical Security | |
Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Establish/Maintain Documentation | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
Enforce access restrictions for change control. CC ID 01428 | Technical security | Technical Security | |
Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Data and Information Management | |
Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Technical Security | |
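The access control rows above fit together as one decision function: default deny (CC ID 06301), a classification check (CC ID 04850), attribute-based and role-based grants (CC IDs 16351 and 12458), and a short, explicit list of actions permitted without identification and authentication (CC ID 04849). The following added example (not from the Authority Document or the mapping) shows that ordering in working code; the roles, attributes, resource names and the anonymous allow-list are constructed for illustration.

```python
"""Deny-by-default access decision combining RBAC and ABAC rules.

Added example. The roles, clearance levels, resource names and the anonymous
allow-list are constructed assumptions, not taken from ISO/IEC 20000-1.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Subject:
    user: Optional[str]                      # None = unauthenticated request
    roles: FrozenSet[str] = frozenset()
    clearance: int = 0                       # higher may read lower classifications


@dataclass(frozen=True)
class Resource:
    name: str
    classification: int = 0                  # minimum clearance needed
    owner: Optional[str] = None


# RBAC: each role maps to the (resource, action) pairs explicitly granted to it.
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "auditor": {("audit-log", "read")},
    "operator": {("service-config", "read"), ("service-config", "write")},
}

# The documented set of actions allowed without identification and
# authentication; anything not listed here requires a logged-in subject.
ANONYMOUS_ALLOWED: Set[Tuple[str, str]] = {("status-page", "read"), ("login", "execute")}


def is_authorized(subject: Subject, resource: Resource, action: str) -> bool:
    """Return True only when some explicit rule grants the action."""
    # 1. Unauthenticated subjects get the anonymous allow-list and nothing else.
    if subject.user is None:
        return (resource.name, action) in ANONYMOUS_ALLOWED

    # 2. Classification restriction applies before any grant is considered.
    if subject.clearance < resource.classification:
        return False

    # 3. ABAC: the owner attribute grants read/write on the subject's own objects.
    if resource.owner == subject.user and action in ("read", "write"):
        return True

    # 4. RBAC: any held role carrying an explicit grant for this pair.
    for role in subject.roles:
        if (resource.name, action) in ROLE_GRANTS.get(role, set()):
            return True

    # 5. Deny all unless explicitly authorized.
    return False


if __name__ == "__main__":
    alice = Subject(user="alice", roles=frozenset({"auditor"}), clearance=2)
    print(is_authorized(alice, Resource("audit-log", classification=2), "read"))   # True
    print(is_authorized(Subject(user=None), Resource("audit-log"), "read"))        # False
```

Keeping the final return a bare `False` is the point of the structure: adding a new resource or action grants nothing until a rule names it, and the classification check cannot be bypassed by ownership or role because it runs first.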
Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Technical Security | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Establish/Maintain Documentation | |
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Establish/Maintain Documentation | |
Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Technical Security | |
Display previous logon information in the logon banner. CC ID 01415 | Technical security | Configuration | |
Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Establish/Maintain Documentation | |
Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Technical Security | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: § 8.7.2 ¶ 2 At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Communicate | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Systems Continuity | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Systems Continuity | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Operational and Systems Continuity | Human Resources Management | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Human Resources Management | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Systems Continuity | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Configuration | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Behavior | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [The organization shall report on the cause, impact and recovery when the service continuity plan(s) has been invoked. § 8.7.2 ¶ 5] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Technical Security | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Process or Activity | |
Record business continuity management system performance for posterity. CC ID 12411 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Process or Activity | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Establish Roles | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Communicate | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Configuration | |
Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Configuration | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: service recovery requirements; § 8.7.2 ¶ 2(d)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Systems Continuity | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Communicate | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Communicate | |
Include restoration procedures in the continuity plan. CC ID 01169 [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures to be implemented in the event of a major loss of service; § 8.7.2 ¶ 2(b) The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures for returning to normal working conditions. § 8.7.2 ¶ 2(e)] | Operational and Systems Continuity | Establish Roles | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Communicate | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Review and prioritize the importance of each business unit. CC ID 01165 | Operational and Systems Continuity | Systems Continuity | |
Review and prioritize the importance of each business process. CC ID 11689 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Document the mean time to failure for system components. CC ID 10684 | Operational and Systems Continuity | Systems Continuity | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Audits and Risk Management | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Operational and Systems Continuity | Systems Continuity | |
Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Log important conversations conducted during emergencies with third parties. CC ID 12763 | Operational and Systems Continuity | Log Management | |
Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Operational and Systems Continuity | Communicate | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893 [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Testing | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Operational and Systems Continuity | Testing | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Testing | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Operational and Systems Continuity | Testing | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Operational and Systems Continuity | Testing | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Testing | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 | Operational and Systems Continuity | Testing | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4] | Operational and Systems Continuity | Actionable Reports or Measurements | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that appropriate levels of authority are assigned for making decisions related to the SMS and the services; § 5.1 ¶ 1(c) Top management shall demonstrate leadership and commitment with respect to the SMS by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1(l)] | Human Resources management | Establish Roles | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Human Resources Management | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Establish/Maintain Documentation | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Human Resources Management | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Human Resources Management | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Human Resources Management | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management | |
Include how risk is perceived by the workforce in the analysis of workforce management. CC ID 12969 | Human Resources management | Human Resources Management | |
Include compensation structures in the analysis of workforce management. CC ID 12902 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Establish Roles | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Human Resources Management | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Establish/Maintain Documentation | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Human Resources Management | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Human Resources Management | |
Train all personnel and third parties, as necessary. CC ID 00785 [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)] | Human Resources management | Behavior | |
Establish, implement, and maintain an education methodology. CC ID 06671 [{interested party} Instructions for the fulfilment of service requests shall be made available to persons involved in service request fulfilment. § 8.6.2 ¶ 3 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)] | Human Resources management | Business Processes | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources management | Human Resources Management | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Establish/Maintain Documentation | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Establish/Maintain Documentation | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Training | |
Retrain all personnel, as necessary. CC ID 01362 | Human Resources management | Behavior | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)] | Human Resources management | Behavior | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 [{be relevant} Persons doing work under the organization's control shall be aware of: the services relevant to their work; § 7.3 ¶ 1(c) The organization shall determine and maintain the knowledge necessary to support the operation of the SMS and the services. § 7.6 ¶ 1 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)] | Human Resources management | Behavior | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Behavior | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Behavior | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Human Resources Management | |
Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain training plans. CC ID 00828 [{be usable}{be available}{support}{operation}{SMS and the services} (by 'knowledge', based on the section, the authors appear to be referring to the knowledge necessary to support the operation of the SMS and the services) The knowledge shall be relevant, usable and available to appropriate persons. § 7.6 ¶ 2] | Human Resources management | Establish/Maintain Documentation | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Training | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Training | |
Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Training | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Training | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Establish/Maintain Documentation | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources management | Human Resources Management | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Training | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Human Resources Management | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Training | |
Include risk management in the training plan, as necessary. CC ID 13040 | Human Resources management | Training | |
Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Behavior | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Training | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Training | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Human Resources management | Training | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Establish/Maintain Documentation | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Establish/Maintain Documentation | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Establish/Maintain Documentation | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Training | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Establish/Maintain Documentation | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Human Resources Management | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Establish/Maintain Documentation | |
Conduct tampering prevention training. CC ID 11875 | Human Resources management | Training | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Training | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Training | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Training | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Training | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Training | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Training | |
Conduct crime prevention training. CC ID 06350 | Human Resources management | Behavior | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 [The organization shall plan capacity to include: timescales and thresholds for changes to service capacity. § 8.4.3 ¶ 2(c) At planned intervals, the organization shall: determine current demand and forecast future demand for services; § 8.4.2 ¶ 1(a) {service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2 The organization shall plan capacity to include: current and forecast capacity based on demand for services; § 8.4.3 ¶ 2(a)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [{service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 | Operational management | Business Processes | |
Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)] | Operational management | Business Processes | |
Limit any effects of a Denial of Service attack. CC ID 06754 | Operational management | Technical Security | |
Implement network redundancy, as necessary. CC ID 13048 | Operational management | Systems Continuity | |
Establish, implement, and maintain workload forecasting tools. CC ID 00936 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 [Top management shall demonstrate leadership and commitment with respect to the SMS by: § 5.1 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that what constitutes value for the organization and its customers is determined; § 5.1 ¶ 1(d)] | Operational management | Business Processes | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Establish/Maintain Documentation | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [Where service level targets are not met, the organization shall identify opportunities for improvement. § 8.3.3 ¶ 4 At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4 {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3 The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3 The management review shall include consideration of: opportunities for continual improvement; § 9.3 ¶ 2(d)] | Operational management | Establish/Maintain Documentation | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 [Information security incidents shall be: escalated if needed; § 8.7.3.3 ¶ 1(c)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1] | Operational management | Process or Activity | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: § 8.7.3.1 ¶ 2 The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: the organization; § 8.7.3.1 ¶ 2(a) The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: customers and users; § 8.7.3.1 ¶ 2(b) The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: external suppliers, internal suppliers and other interested parties. § 8.7.3.1 ¶ 2(c)] | Operational management | Communicate | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [implementing control of the processes in accordance with the established performance criteria; § 8.1 ¶ 1(b)] | Operational management | Business Processes | |
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Process or Activity | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Process or Activity | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity | |
Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Behavior | |
Establish, implement, and maintain a Service Management System. CC ID 13889 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the SMS achieves its intended outcome(s); § 5.1 ¶ 1(i) When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1 {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: making changes to the SMS, if necessary; § 10.2 ¶ 3(c) When a nonconformity occurs, the organization shall: make changes to the SMS, if necessary. § 10.1.1 ¶ 1(e) The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1] | Operational management | Business Processes | |
Establish and maintain a scope statement for the Service Management System. CC ID 13890 [The organization shall determine: the relevant requirements of these interested parties. § 4.2 ¶ 1(b) When planning how to achieve its service management objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1(a) The documented information for the SMS shall include: scope of the SMS; § 7.5.4 ¶ 1(a) {service management system} When determining this scope, the organization shall consider: the requirements referred to in 4.2; § 4.3 ¶ 2(b) {service management system} When determining this scope, the organization shall consider: the services delivered by the organization. § 4.3 ¶ 2(c) The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4 The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c) The organization's SMS shall include: documented information determined by the organization as being necessary for the effectiveness of the SMS. § 7.5.1 ¶ 1(b) The organization's SMS shall include: documented information required by this document; § 7.5.1 ¶ 1(a) The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Include the organization's name in the scope statement for the Service Management System. CC ID 13913 [The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a service management program. CC ID 11388 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b) The service management policy shall: be available as documented information; § 5.2.2 ¶ 1(a) Other planning activities shall maintain alignment with the service management plan. § 6.3 ¶ 3 {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 When planning how to achieve its service management objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1(d) The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be updated as appropriate. § 6.2.1 ¶ 1(f) The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5 At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3 Top management shall review the organization's SMS and the services, at planned intervals, to ensure their continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1 The organization shall determine: what needs to be monitored and measured for the SMS and the services; § 9.1 ¶ 1(a) {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2 {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Communicate the service management program to interested personnel and affected parties. CC ID 13904 [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h) The service management policy shall: be communicated within the organization; § 5.2.2 ¶ 1(b) The service management policy shall: be available to interested parties, as appropriate. § 5.2.2 ¶ 1(c) The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be communicated; § 6.2.1 ¶ 1(e) Persons doing work under the organization's control shall be aware of: the service management policy; § 7.3 ¶ 1(a) The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4] | Operational management | Communicate | |
Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927 [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7] | Operational management | Communicate | |
Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924 [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7] | Operational management | Communicate | |
Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909 [Persons doing work under the organization's control shall be aware of: the implications of not conforming with the SMS requirements. § 7.3 ¶ 1(e)] | Operational management | Communicate | |
Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908 [Persons doing work under the organization's control shall be aware of: their contribution to the effectiveness of the SMS, including the benefits of improved performance; § 7.3 ¶ 1(d)] | Operational management | Communicate | |
Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907 [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)] | Operational management | Communicate | |
Include a service management plan in the service management program. CC ID 13902 [The documented information for the SMS shall include: service management plan; § 7.5.4 ¶ 1(c)] | Operational management | Establish/Maintain Documentation | |
Include the information security policy in the service management program. CC ID 13925 [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)] | Operational management | Establish/Maintain Documentation | |
Include the change management policy in the service management program. CC ID 13923 [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)] | Operational management | Establish/Maintain Documentation | |
Include the service management objectives in the service management program. CC ID 11389 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b) Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a) Top management shall establish a service management policy that: provides a framework for setting service management objectives; § 5.2.1 ¶ 1(b) The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be consistent with the service management policy; § 6.2.1 ¶ 1(a) {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 {organization level} The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: § 6.2.1 ¶ 1 The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b) The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3 {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: intended outcomes from delivering the new or changed services, expressed in measurable terms; § 8.5.2.1 ¶ 1(g) {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include the service requirements in the service management program. CC ID 11390 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b) Top management shall establish a service management policy that: includes a commitment to satisfy applicable requirements; § 5.2.1 ¶ 1(c) {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: take into account applicable requirements; § 6.2.1 ¶ 1(c) The documented information for the SMS shall include: service requirements; § 7.5.4 ¶ 1(f) The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3 The service requirements for existing services, new services and changes to services shall be determined and documented. § 8.2.2 ¶ 1 Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: dependencies on other services; § 8.5.2.1 ¶ 1(d) {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: § 8.5.2.1 ¶ 1 {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include known limitations in the service management program. CC ID 11391 [The organization shall determine the boundaries and applicability of the SMS to establish its scope. § 4.3 ¶ 1 The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3 The service management plan shall include or contain a reference to: known limitations that can impact the SMS and the services; § 6.3 ¶ 2(b) {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Include service management policies in the service management program. CC ID 11392 [Top management shall establish a service management policy that: § 5.2.1 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b) Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a) {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b) The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3 The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c) Top management shall establish a service management policy that: is appropriate to the purpose of the organization; § 5.2.1 ¶ 1(a)] | Operational management | Establish/Maintain Documentation | |
Assign roles and responsibilities in the service management program. CC ID 11393 [Top management shall demonstrate leadership and commitment with respect to the SMS by: directing and supporting persons to contribute to the effectiveness of the SMS and the services; § 5.1 ¶ 1(j) Top management shall assign the responsibility and authority for: ensuring that the SMS conforms to the requirement of this document; § 5.3 ¶ 2(a) Top management shall assign the responsibility and authority for: reporting on the performance of the SMS and the services to top management. § 5.3 ¶ 2(b) {responsible party} When planning how to achieve its service management objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1(c) The organization shall retain accountability for the requirements specified in this document and the delivery of the services regardless of which party is involved in performing activities to support the service lifecycle. § 8.2.3.1 ¶ 1 Top management shall ensure that the responsibilities and authorities for roles relevant to the SMS and the services are assigned and communicated within the organization. § 5.3 ¶ 1 The service management plan shall include or contain a reference to: authorities and responsibilities for the SMS and the services § 6.3 ¶ 2(d) Persons doing work under the organization's control shall be aware of: the service management objectives; § 7.3 ¶ 1(b) {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: authorities and responsibilities for design, build and transition activities; § 8.5.2.1 ¶ 1(a) {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: activities to be performed by the organization or other parties with their timescales; § 8.5.2.1 ¶ 1(b) {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: authorities and responsibilities of the parties involved in the delivery of the new or changed services; § 8.5.2.2 ¶ 1(a) The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include all resources needed to achieve the objectives in the service management program. CC ID 11394 [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the resources needed for the SMS and the services are available; § 5.1 ¶ 1(g) When planning how to achieve its service management objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1(b) {necessary resource} The organization shall determine and provide the human, technical, information and financial resources needed for the establishment, implementation, maintenance and continual improvement of the SMS and the operation of the services to meet the service requirements and achieve the service management objectives. § 7.1 ¶ 1 The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1 {new service}{manpower}{technical resource}{information resource} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: human, technical, information and financial resources; § 8.5.2.1 ¶ 1(c) {manpower}{technical resource}{information resource} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for changes to human, technical, information and financial resources; § 8.5.2.2 ¶ 1(b) {manpower}{technical resource}{information resource}{service requirement} The capacity requirements for human, technical, information and financial resources shall be determined, documented and maintained taking into consideration the service and performance requirements. § 8.4.3 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include supply chain management procedures in the service management program. CC ID 11395 [The organization shall ensure that outsourced processes are controlled (see 8.2.3). § 8.1 ¶ 3 Other parties shall not provide or operate all services, service components or processes within the scope of the SMS. § 8.2.3.1 ¶ 3 The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5] | Operational management | Establish/Maintain Documentation | |
Include service management procedures in the service management program. CC ID 11396 [The documented information for the SMS shall include: processes of the organization's SMS; § 7.5.4 ¶ 1(e) {new service} Release and deployment management shall be used to deploy approved new or changed services into the live environment. § 8.5.2.3 ¶ 2 {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: testing needed for the new or changed services; § 8.5.2.1 ¶ 1(e) The organization shall use service design and transition in 8.5.2 for: removal of a service; § 8.5.1.2 ¶ 2(d) For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2 The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from the organization to a customer or other party; § 8.5.1.2 ¶ 2(e) The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from a customer or other party to the organization. § 8.5.1.2 ¶ 2(f)] | Operational management | Establish/Maintain Documentation | |
Include risk procedures in the service management program. CC ID 11397 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1 {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1 {risk management activity} The organization shall plan: how to: integrate and implement the actions into its SMS processes; § 6.1.3 ¶ 1(b)(1) {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: impact on other services; § 8.5.2.2 ¶ 1(f) {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include continuity plans in the Service Management program. CC ID 13919 [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)] | Operational management | Establish/Maintain Documentation | |
Include all technologies used to support service management in the service management program. CC ID 11398 [The service management plan shall include or contain a reference to: technology used to support the SMS; § 6.3 ¶ 2(g) {necessary resource} The service management plan shall include or contain a reference to: human, technical, information and financial resources necessary to operate the SMS and the services; § 6.3 ¶ 2(e)] | Operational management | Establish/Maintain Documentation | |
Include auditing and improving service management procedures in the service management program. CC ID 11399 [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: give assurance that the SMS can achieve its intended outcome(s); § 6.1.1 ¶ 1(a) Top management shall demonstrate leadership and commitment with respect to the SMS by: promoting continual improvement of the SMS and the services; § 5.1 ¶ 1(k) Top management shall establish a service management policy that: includes a commitment to continual improvement of the SMS and the services. § 5.2.1 ¶ 1(d) When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: achieve continual improvement of the SMS and the services. § 6.1.1 ¶ 1(c) When planning how to achieve its service management objectives, the organization shall determine: how the results will be evaluated. § 6.2.2 ¶ 1(e) {continuous basis} The organization shall continually improve the suitability, adequacy and effectiveness of the SMS and the services. § 10.2 ¶ 1 {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459 | Operational management | Communicate | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [{external obligation} /* section 6.3 c. refers to external obligations */ The organization shall ensure that assets used to deliver services are managed to meet the service requirements and the obligations in 6.3 c). § 8.2.5 ¶ 1] | Operational management | Business Processes | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Business Processes | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Establish/Maintain Documentation | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 | Operational management | Human Resources Management | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Business Processes | |
Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Establish/Maintain Documentation | |
Include program objectives in the asset management program. CC ID 14413 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Establish/Maintain Documentation | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Business Processes | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Establish/Maintain Documentation | |
Define confidentiality controls. CC ID 01908 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Establish/Maintain Documentation | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Process or Activity | |
Define integrity controls. CC ID 01909 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Operational management | Establish/Maintain Documentation | |
Define availability controls. CC ID 01911 | Operational management | Establish/Maintain Documentation | |
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Communicate | |
Classify assets according to the Asset Classification Policy. CC ID 07186 | Operational management | Establish Roles | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Business Processes | |
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Establish/Maintain Documentation | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Operational management | Establish Roles | |
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Operational management | Configuration | |
Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an asset inventory. CC ID 06631 | Operational management | Business Processes | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Operational management | Establish/Maintain Documentation | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Establish/Maintain Documentation | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Systems Design, Build, and Implementation | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Data and Information Management | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Establish/Maintain Documentation | |
Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Establish/Maintain Documentation | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Establish/Maintain Documentation | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Establish/Maintain Documentation | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Establish/Maintain Documentation | |
Conduct environmental surveys. CC ID 00690 | Operational management | Physical and Environmental Protection | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Establish/Maintain Documentation | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Operational management | Establish/Maintain Documentation | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Establish/Maintain Documentation | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Process or Activity | |
Include software in the Information Technology inventory. CC ID 00692 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Operational management | Establish/Maintain Documentation | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Establish/Maintain Documentation | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Establish/Maintain Documentation | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Technical Security | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Technical Security | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Data and Information Management | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Establish/Maintain Documentation | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Data and Information Management | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Data and Information Management | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Establish/Maintain Documentation | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Records Management | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Human Resources Management | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Establish/Maintain Documentation | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Data and Information Management | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Establish/Maintain Documentation | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Establish/Maintain Documentation | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Establish/Maintain Documentation | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Establish/Maintain Documentation | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Establish/Maintain Documentation | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Establish/Maintain Documentation | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Establish/Maintain Documentation | |
Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Establish/Maintain Documentation | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Establish/Maintain Documentation | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Establish/Maintain Documentation | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Establish/Maintain Documentation | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Establish/Maintain Documentation | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Data and Information Management | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Establish/Maintain Documentation | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Data and Information Management | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Establish/Maintain Documentation | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Establish/Maintain Documentation | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Establish/Maintain Documentation | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Establish/Maintain Documentation | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Operational management | Establish/Maintain Documentation | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Establish/Maintain Documentation | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Establish/Maintain Documentation | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Data and Information Management | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Data and Information Management | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Establish/Maintain Documentation | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Operational management | Establish/Maintain Documentation | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Establish/Maintain Documentation | |
Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Establish/Maintain Documentation | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Establish/Maintain Documentation | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 | Operational management | Establish/Maintain Documentation | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Technical Security | |
Establish, implement, and maintain software archives procedures. CC ID 00866 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software distribution procedures. CC ID 00894 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software license management procedures. CC ID 06639 | Operational management | Establish/Maintain Documentation | |
Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system redeployment program. CC ID 06276 | Operational management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Operational management | Behavior | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Operational management | Data and Information Management | |
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Operational management | Acquisition/Sale of Assets or Services | |
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Operational management | Establish/Maintain Documentation | |
Redeploy systems to other organizational units, as necessary. CC ID 11452 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Establish/Maintain Documentation | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Business Processes | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Business Processes | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Operational management | Establish/Maintain Documentation | |
Establish and maintain maintenance reports. CC ID 11749 | Operational management | Establish/Maintain Documentation | |
Establish and maintain system inspection reports. CC ID 06346 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Establish/Maintain Documentation | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Establish/Maintain Documentation | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Establish/Maintain Documentation | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Communicate | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Communicate | |
Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Operational management | Establish/Maintain Documentation | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Physical and Environmental Protection | |
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Operational management | Behavior | |
Use system components only when third party support is available. CC ID 10644 | Operational management | Maintenance | |
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Operational management | Maintenance | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Business Processes | |
Control remote maintenance according to the system's asset classification. CC ID 01433 | Operational management | Technical Security | |
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Configuration | |
Approve all remote maintenance sessions. CC ID 10615 | Operational management | Technical Security | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Log Management | |
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Technical Security | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Maintenance | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Maintenance | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Maintenance | |
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Behavior | |
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Establish/Maintain Documentation | |
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Acquisition/Sale of Assets or Services | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Behavior | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Maintenance | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Maintenance | |
Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Technical Security | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Technical Security | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Human Resources Management | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Physical and Environmental Protection | |
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Establish/Maintain Documentation | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Process or Activity | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Operational management | Business Processes | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Operational management | Establish/Maintain Documentation | |
Dispose of hardware and software at their life cycle end. CC ID 06278 | Operational management | Business Processes | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Business Processes | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Establish/Maintain Documentation | |
Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Establish/Maintain Documentation | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Business Processes | |
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Operational management | Establish/Maintain Documentation | |
Review each system's operational readiness. CC ID 06275 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Operational management | Establish/Maintain Documentation | |
Establish and maintain an unauthorized software list. CC ID 10601 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Assign roles and responsibilities in the customer service program. CC ID 13911 [The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1] | Operational management | Human Resources Management | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [Incidents shall be: escalated if needed; § 8.6.1 ¶ 1(c)] | Operational management | Establish/Maintain Documentation | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Establish/Maintain Documentation | |
Categorize the incident following an incident response. CC ID 13208 [{document} Information security incidents shall be: recorded and classified; § 8.7.3.3 ¶ 1(a) The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2 The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3 Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)] | Operational management | Technical Security | |
Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 | Operational management | Establish/Maintain Documentation | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Include incident management procedures in the Incident Management program. CC ID 12689 [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 [Records of incidents shall be updated with actions taken. § 8.6.1 ¶ 2] | Operational management | Records Management | |
Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Establish/Maintain Documentation | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Log Management | |
Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Establish/Maintain Documentation | |
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Log Management | |
Include incident record closure procedures in the Incident Management program. CC ID 01620 [Information security incidents shall be: closed. § 8.7.3.3 ¶ 1(e) Problems shall be: closed. § 8.6.3 ¶ 2(e) Incidents shall be: closed. § 8.6.1 ¶ 1(e)] | Operational management | Establish/Maintain Documentation | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Operational management | Communicate | |
Log help desk queries. CC ID 00848 [Service requests shall be: recorded and classified; § 8.6.2 ¶ 1(a)] | Operational management | Log Management | |
Establish, implement, and maintain help desk query escalation procedures. CC ID 00849 [Service requests shall be: closed. § 8.6.2 ¶ 1(d)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
Create an incident response report following an incident response. CC ID 12700 | Operational management | Establish/Maintain Documentation | |
Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Mitigate reported incidents. CC ID 12973 [Problems shall be: resolved if possible; § 8.6.3 ¶ 2(d)] | Operational management | Actionable Reports or Measurements | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Establish/Maintain Documentation | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3] | Operational management | Establish Roles | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Establish Roles | |
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Operational management | Establish Roles | |
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Operational management | Establish Roles | |
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Operational management | Establish Roles | |
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Operational management | Establish Roles | |
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Operational management | Establish Roles | |
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Operational management | Establish Roles | |
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Operational management | Establish Roles | |
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Operational management | Establish Roles | |
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Operational management | Establish Roles | |
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Operational management | Human Resources Management | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Operational management | Establish/Maintain Documentation | |
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Operational management | Communicate | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Establish/Maintain Documentation | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a performance management standard. CC ID 01615 [{planning requirement} establishing performance criteria for the processes based on requirements; § 8.1 ¶ 1(a)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 | Operational management | Business Processes | |
Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 | Operational management | Establish/Maintain Documentation | |
Follow the maintenance schedule. CC ID 11791 | Operational management | Maintenance | |
Establish, implement, and maintain rate limiting filters. CC ID 06883 | Operational management | Business Processes | |
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 | Operational management | Establish/Maintain Documentation | |
Include exceptions in the Service Level Agreements, as necessary. CC ID 13912 [For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions. § 8.3.3 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Include capacity planning in Service Level Agreements. CC ID 13096 [At planned intervals, the organization shall monitor, review and report on: actual and periodic changes in workload compared to workload limits in the SLA(s). § 8.3.3 ¶ 3(b) For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions. § 8.3.3 ¶ 2 {service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)] | Operational management | Establish/Maintain Documentation | |
Include business requirements of delivered services in the Service Level Agreement. CC ID 00840 [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: service level targets or other contractual obligations; § 8.3.4.1 ¶ 2(c)] | Operational management | Establish/Maintain Documentation | |
Include performance requirements in the Service Level Agreement. CC ID 00841 [For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions. § 8.3.3 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Operational management | Establish/Maintain Documentation | |
Update the business cases for cost management procedures, as necessary. CC ID 13642 | Operational management | Business Processes | |
Establish, implement, and maintain a change control program. CC ID 00886 [{information security policy} Specific policies that would be required include, but not limited to, the following: Change management § 8.5.1 A change management policy shall be established and documented to define: § 8.5.1.1 ¶ 1 A change management policy shall be established and documented to define: service components and other items that are under the control of change management; § 8.5.1.1 ¶ 1(a) A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b)] | Operational management | Establish/Maintain Documentation | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Include version control in the change control program. CC ID 13119 [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3.2(c)] | Operational management | Establish/Maintain Documentation | |
Include service design and transition in the change control program. CC ID 13920 [The organization shall use service design and transition in 8.5.2 for: changes to services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(b) The organization shall use service design and transition in 8.5.2 for: new services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(a)] | Operational management | Establish/Maintain Documentation | |
Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Operational management | Maintenance | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Operational management | Technical Security | |
Establish, implement, and maintain a back-out plan. CC ID 13623 [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3 The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4 {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Manage change requests. CC ID 00887 [{new service} The organization shall prioritize requests for change and proposals for new or changed services to align with business needs and service management objectives, taking into consideration available resources. § 8.2.2 ¶ 4 {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2 {new service} Assessing, approving, scheduling and reviewing of new or changed services in the scope of 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 3 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: changes to the SMS including new or changed policies, plans, processes, procedures, measures and knowledge; § 8.5.2.2 ¶ 1(e) The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1 Requests for change not being managed through 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 4] | Operational management | Business Processes | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: impact on the SMS, other services, planned changes, customers, users and other interested parties. § 8.5.2.1 ¶ 1(h) A change management policy shall be established and documented to define: criteria to determine changes with the potential to have a major impact on customers or services. § 8.5.1.1 ¶ 1(c)] | Operational management | Establish/Maintain Documentation | |
Establish and maintain a change request approver list. CC ID 06795 | Operational management | Establish/Maintain Documentation | |
Document all change requests in change request forms. CC ID 06794 [Requests for change, including proposals to add, remove or transfer services, shall be recorded and classified. § 8.5.1.2 ¶ 1 {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5] | Operational management | Establish/Maintain Documentation | |
Approve tested change requests. CC ID 11783 [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3] | Operational management | Data and Information Management | |
Validate the system before implementing approved changes. CC ID 01510 | Operational management | Systems Design, Build, and Implementation | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2 Following the completion of the transition activities, the organization shall report to interested parties on the achievements against the intended outcomes. § 8.5.2.3 ¶ 3] | Operational management | Behavior | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Operational management | Establish/Maintain Documentation | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Process or Activity | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Process or Activity | |
Log emergency changes after they have been performed. CC ID 12733 | Operational management | Establish/Maintain Documentation | |
Perform risk assessments prior to approving change requests. CC ID 00888 [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: capacity, service availability, service continuity and information security; § 8.5.1.3 ¶ 1(d) At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6 The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: existing services; § 8.5.1.3 ¶ 1(a) The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: other requests for change, releases and plans for deployment. § 8.5.1.3 ¶ 1(e)] | Operational management | Testing | |
Implement changes according to the change control program. CC ID 11776 [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1 ¶ 2 Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3 A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b) The organization shall use service design and transition in 8.5.2 for: categories of change that are to be managed by service design and transition according to the change management policy; § 8.5.1.2 ¶ 2(c)] | Operational management | Business Processes | |
Provide audit trails for all approved changes. CC ID 13120 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Process or Activity | |
Document the sources of all software updates. CC ID 13316 | Operational management | Establish/Maintain Documentation | |
Implement patch management software, as necessary. CC ID 12094 | Operational management | Technical Security | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Operational management | Technical Security | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch log. CC ID 01642 | Operational management | Establish/Maintain Documentation | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Operational management | Business Processes | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Systems Design, Build, and Implementation | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Behavior | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Operational management | Data and Information Management | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain production process control procedures. CC ID 06209 | Operational management | Establish/Maintain Documentation | |
Assign interested personnel and affected parties to service delivery and production process quality improvement projects, as necessary. CC ID 07197 | Operational management | Establish Roles | |
Manage the creation of products and services, as necessary. CC ID 13497 [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: § 8.5.2.2 ¶ 1 {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2] | Operational management | Business Processes | |
Define the processing specifications for products and services creation requirements. CC ID 13523 | Operational management | Establish/Maintain Documentation | |
Define the processing activities to meet products and services creation requirements. CC ID 13499 [{new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2] | Operational management | Business Processes | |
Delete age-restricted content, as necessary. CC ID 15450 | Operational management | Process or Activity | |
Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 | Operational management | Establish/Maintain Documentation | |
Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 | Operational management | Process or Activity | |
Establish and maintain a service catalog. CC ID 13634 [The service management plan shall include or contain a reference to: list of services; § 6.3 ¶ 2(a) The documented information for the SMS shall include: service catalogue(s); § 7.5.4 ¶ 1(g) The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1 {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: updates to the service catalogue(s). § 8.5.2.2 ¶ 1(g)] | Operational management | Establish/Maintain Documentation | |
Include a service description in the service catalog. CC ID 13917 [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Assign unique reference numbers to all services in the service catalog. CC ID 14424 | Operational management | Establish/Maintain Documentation | |
Include service deliverables for each service description in the service catalog. CC ID 13918 [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914 [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include Service Level Agreements in the service catalog, as necessary. CC ID 13636 [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)] | Operational management | Establish/Maintain Documentation | |
Include Information Technology services in the service catalog, as necessary. CC ID 13635 | Operational management | Establish/Maintain Documentation | |
Base definitions of Information Technology services on their service characteristics. CC ID 13655 | Operational management | Establish/Maintain Documentation | |
Categorize services in the service catalog. CC ID 14419 | Operational management | Establish/Maintain Documentation | |
Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 | Operational management | Establish/Maintain Documentation | |
Communicate the service catalog to interested personnel and affected parties. CC ID 13910 [The organization shall provide access to appropriate parts of the service catalogue(s) to its customers, users and other interested parties. § 8.2.4 ¶ 2] | Operational management | Communicate | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 [{new service} The CIs affected by new or changed services shall be managed through configuration management. § 8.5.2.1 ¶ 4 {be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3] | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4] | System hardening through configuration management | Business Processes | |
Establish, implement, and maintain appropriate system labeling. CC ID 01900 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 | System hardening through configuration management | Establish/Maintain Documentation | |
Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 | System hardening through configuration management | Configuration | |
Establish, implement, and maintain a configuration management policy. CC ID 14023 | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain configuration management procedures. CC ID 14074 | System hardening through configuration management | Establish/Maintain Documentation | |
Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | System hardening through configuration management | Communicate | |
Include compliance requirements in the configuration management policy. CC ID 14072 | System hardening through configuration management | Establish/Maintain Documentation | |
Include coordination amongst entities in the configuration management policy. CC ID 14071 | System hardening through configuration management | Establish/Maintain Documentation | |
Include management commitment in the configuration management policy. CC ID 14070 | System hardening through configuration management | Establish/Maintain Documentation | |
Include roles and responsibilities in the configuration management policy. CC ID 14069 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the scope in the configuration management policy. CC ID 14068 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the purpose in the configuration management policy. CC ID 14067 | System hardening through configuration management | Establish/Maintain Documentation | |
Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 | System hardening through configuration management | Communicate | |
Establish, implement, and maintain a configuration management plan. CC ID 01901 | System hardening through configuration management | Establish/Maintain Documentation | |
Include configuration management procedures in the configuration management plan. CC ID 14248 | System hardening through configuration management | Establish/Maintain Documentation | |
Include roles and responsibilities in the configuration management plan. CC ID 14247 | System hardening through configuration management | Establish/Maintain Documentation | |
Approve the configuration management plan. CC ID 14717 | System hardening through configuration management | Business Processes | |
Establish, implement, and maintain system tracking documentation. CC ID 15266 | System hardening through configuration management | Establish/Maintain Documentation | |
Include prioritization codes in the system tracking documentation. CC ID 15283 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the type and category of the request in the system tracking documentation. CC ID 15281 | System hardening through configuration management | Establish/Maintain Documentation | |
Include contact information in the system tracking documentation. CC ID 15280 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the username in the system tracking documentation. CC ID 15278 | System hardening through configuration management | Establish/Maintain Documentation | |
Include a problem description in the system tracking documentation. CC ID 15276 | System hardening through configuration management | Establish/Maintain Documentation | |
Include affected systems in the system tracking documentation. CC ID 15275 | System hardening through configuration management | Establish/Maintain Documentation | |
Include root causes in the system tracking documentation. CC ID 15274 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 | System hardening through configuration management | Establish/Maintain Documentation | |
Include current status in the system tracking documentation. CC ID 15272 | System hardening through configuration management | Establish/Maintain Documentation | |
Employ the Configuration Management program. CC ID 11904 | System hardening through configuration management | Configuration | |
Record Configuration Management items in the Configuration Management database. CC ID 00861 | System hardening through configuration management | Establish/Maintain Documentation | |
Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946 [Configuration information shall be made available for other service management activities as appropriate. § 8.2.6 ¶ 5] | System hardening through configuration management | Communicate | |
Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 | System hardening through configuration management | Establish/Maintain Documentation | |
Document external connections for all systems. CC ID 06415 | System hardening through configuration management | Configuration | |
Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [Before deployment of a release into the live environment, a baseline of the affected CIs shall be taken. § 8.5.3 ¶ 4] | System hardening through configuration management | Establish/Maintain Documentation | |
Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Establish/Maintain Documentation | |
Include installed custom software in the baseline configuration. CC ID 13274 | System hardening through configuration management | Establish/Maintain Documentation | |
Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Establish/Maintain Documentation | |
Include backup procedures in the Configuration Management policy. CC ID 01314 | System hardening through configuration management | Establish/Maintain Documentation | |
Identify and document the system's Configurable Items. CC ID 02133 [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2 The types of CI shall be defined. Services shall be classified as CIs. § 8.2.6 ¶ 1 Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: type of CI; § 8.2.6 ¶ 2(b) Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: description of the CI; § 8.2.6 ¶ 2(c) Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: status. § 8.2.6 ¶ 2(e)] | System hardening through configuration management | Establish/Maintain Documentation | |
Define the relationships and dependencies between Configurable Items. CC ID 02134 [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: relationship with other CIs; § 8.2.6 ¶ 2(d)] | System hardening through configuration management | Establish/Maintain Documentation | |
Trace each Configurable Item throughout the systems' life cycle. CC ID 02135 [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3 Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: unique identification; § 8.2.6 ¶ 2(a)] | System hardening through configuration management | Establish/Maintain Documentation | |
Approve each system's Configurable Items (and changes to those Configurable Items). CC ID 04887 | System hardening through configuration management | Technical Security | |
Request an acknowledgment from the system owner of the system's configuration. CC ID 10602 | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Configuration | |
Configure all logs to capture auditable events or actionable events. CC ID 06332 | System hardening through configuration management | Configuration | |
Configure the log to capture configuration changes. CC ID 06881 [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3] | System hardening through configuration management | Configuration | |
Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 | System hardening through configuration management | Configuration | |
Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 | System hardening through configuration management | Log Management | |
Configure the log to capture all changes to certificates. CC ID 05595 | System hardening through configuration management | Configuration | |
Establish, implement, and maintain records management policies. CC ID 00903 [Documented information required by the SMS and by this document shall be controlled to ensure: § 7.5.3.1] | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain form disposition procedures. CC ID 06394 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a record classification scheme. CC ID 00914 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a business activity classification standard. CC ID 00915 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a records authentication system. CC ID 11648 | Records management | Establish/Maintain Documentation | |
Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662 [When creating and updating documented information, the organization shall ensure appropriate: identification and description (e.g. a title, date, author or reference number); § 7.5.2 ¶ 1(a)] | Records management | Records Management | |
Establish and maintain an index of all official records. CC ID 00918 | Records management | Establish/Maintain Documentation | |
Associate records with their security attributes. CC ID 06764 | Records management | Records Management | |
Reconfigure the security attributes of records as the information changes. CC ID 06765 | Records management | Configuration | |
Establish, implement, and maintain electronic signature requirements. CC ID 06219 | Records management | Establish/Maintain Documentation | |
Implement a signature revocation service. CC ID 14417 | Records management | Business Processes | |
Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 | Records management | Records Management | |
Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 | Records management | Technical Security | |
Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 | Records management | Technical Security | |
Store records and data in accordance with organizational standards. CC ID 16439 | Records management | Data and Information Management | |
Remove dormant data from systems, as necessary. CC ID 13726 | Records management | Process or Activity | |
Select the appropriate format for archived data and records. CC ID 06320 [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)] | Records management | Data and Information Management | |
Archive appropriate records, logs, and database tables. CC ID 06321 | Records management | Records Management | |
Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 | Records management | Data and Information Management | |
Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Records management | Data and Information Management | |
Establish, implement, and maintain storage media retention procedures. CC ID 16277 | Records management | Establish/Maintain Documentation | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Process or Activity | |
Retain records in accordance with applicable requirements. CC ID 00968 [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4 The organization shall retain documented information on the service management objectives. § 6.2.1 ¶ 2 The organization shall retain documented information as evidence of: the results of any corrective action. § 10.1.2 ¶ 1(b) The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a) {monitoring and measurement evaluation result} The organization shall retain appropriate documented information as evidence of the results. § 9.1 ¶ 2] | Records management | Records Management | |
Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 | Records management | Records Management | |
Retain all evidence of indebtedness. CC ID 11713 | Records management | Records Management | |
Capture and maintain distribution records. CC ID 06205 | Records management | Records Management | |
Capture and maintain Device Master Records. CC ID 06206 | Records management | Records Management | |
Capture and maintain Device History Records. CC ID 06207 | Records management | Records Management | |
Capture and maintain Quality System Records. CC ID 06208 | Records management | Records Management | |
Capture and maintain logs as official records. CC ID 06319 | Records management | Log Management | |
Capture and maintain all business records, including supporting temporary files. CC ID 06622 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 | Records management | Establish/Maintain Documentation | |
Supervise media destruction in accordance with organizational standards. CC ID 16456 | Records management | Business Processes | |
Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Records management | Data and Information Management | |
Sanitize all electronic storage media before disposing of a system or redeploying a system. CC ID 01643 | Records management | Data and Information Management | |
Degauss as a method of sanitizing electronic storage media. CC ID 00973 | Records management | Records Management | |
Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Records management | Process or Activity | |
Use approved media sanitization equipment for destruction. CC ID 16459 | Records management | Business Processes | |
Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Process or Activity | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d)] | Records management | Establish/Maintain Documentation | |
Manage the disposition status for all records. CC ID 00972 | Records management | Records Management | |
Use a second person to confirm and sign off that manually deleted data was deleted. CC ID 12313 | Records management | Data and Information Management | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records management | Records Management | |
Place printed records awaiting destruction into secure containers. CC ID 12464 | Records management | Physical and Environmental Protection | |
Destroy printed records so they cannot be reconstructed. CC ID 11779 | Records management | Physical and Environmental Protection | |
Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Records management | Data and Information Management | |
Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Records management | Establish/Maintain Documentation | |
Maintain disposal records or redeployment records. CC ID 01644 [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2] | Records management | Establish/Maintain Documentation | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 | Records management | Establish/Maintain Documentation | |
Include transfer agreements in the secure record transaction standards. CC ID 14821 | Records management | Establish/Maintain Documentation | |
Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 | Records management | Establish/Maintain Documentation | |
Include receipt of electronic records in the transfer agreement. CC ID 14822 | Records management | Establish/Maintain Documentation | |
Include standards for each data element in the secure record transaction standard. CC ID 06094 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain records management procedures. CC ID 11619 [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2 For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2] | Records management | Establish/Maintain Documentation | |
Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 | Records management | Records Management | |
Process restricted information in a secure environment. CC ID 13058 | Records management | Process or Activity | |
Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records management | Records Management | |
Assign ownership for all electronic records. CC ID 14814 | Records management | Establish/Maintain Documentation | |
Attribute electronic records, as necessary. CC ID 14820 | Records management | Establish/Maintain Documentation | |
Validate transactions using identifiers and credentials. CC ID 13203 | Records management | Technical Security | |
Establish, implement, and maintain a system storage log. CC ID 13532 | Records management | Records Management | |
Establish, implement, and maintain a system input log. CC ID 13531 | Records management | Establish/Maintain Documentation | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 [Documented information required by the SMS and by this document shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity). § 7.5.3.1(b)] | Records management | Records Management | |
Establish, implement, and maintain data completeness controls. CC ID 11649 | Records management | Process or Activity | |
Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Establish/Maintain Documentation | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Establish/Maintain Documentation | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Establish/Maintain Documentation | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Data and Information Management | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Data and Information Management | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Records Management | |
Display required information automatically in electronic health records. CC ID 14442 | Records management | Process or Activity | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Establish/Maintain Documentation | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Actionable Reports or Measurements | |
Create export summaries, as necessary. CC ID 14446 | Records management | Process or Activity | |
Import data files into a patient's electronic health record. CC ID 14448 | Records management | Data and Information Management | |
Export requested sections of the electronic health record. CC ID 14447 | Records management | Data and Information Management | |
Establish and maintain an implantable device list. CC ID 14444 | Records management | Records Management | |
Display the implantable device list to authorized users. CC ID 14445 | Records management | Data and Information Management | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Business Processes | |
Include attributes in the decision support intervention. CC ID 16766 | Records management | Data and Information Management | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Records Management | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Records Management | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Records Management | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Records Management | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Records Management | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Log Management | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Log Management | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Establish/Maintain Documentation | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Log Management | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Log Management | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Log Management | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Log Management | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Log Management | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Log Management | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Log Management | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Log Management | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Log Management | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Log Management | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Log Management | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Log Management | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Log Management | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Records Management | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Log Management | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Log Management | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Log Management | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Log Management | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Records Management | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Log Management | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Log Management | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Log Management | |
Include record integrity techniques in the records management procedures. CC ID 06418 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain data availability controls. CC ID 15301 | Records management | Data and Information Management | |
Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records management | Records Management | |
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Records management | Establish/Maintain Documentation | |
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Records management | Business Processes | |
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Records management | Business Processes | |
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 | Records management | Business Processes | |
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Records management | Business Processes | |
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records management | Records Management | |
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Records management | Business Processes | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 | Records management | Technical Security | |
Use automated entry devices to reduce errors during data input. CC ID 06626 | Records management | Data and Information Management | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 | Records management | Establish Roles | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Process or Activity | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Data and Information Management | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Establish/Maintain Documentation | |
Label restricted storage media appropriately. CC ID 00966 | Records management | Data and Information Management | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Establish/Maintain Documentation | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Establish/Maintain Documentation | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Data and Information Management | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Technical Security | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Establish/Maintain Documentation | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Establish/Maintain Documentation | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Establish/Maintain Documentation | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Establish/Maintain Documentation | |
Establish and maintain access controls for all records. CC ID 00371 [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2 For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)] | Records management | Records Management | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Data and Information Management | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)] | Records management | Establish/Maintain Documentation | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Technical Security | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records management | Records Management | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Records Management | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Records Management | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Technical Security | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)] | Records management | Records Management | |
Provide encryption for different types of electronic storage media. CC ID 00945 | Records management | Technical Security | |
Implement electronic storage media integrity controls. CC ID 00946 | Records management | Configuration | |
Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Configuration | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Configuration | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 | Records management | Log Management | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Establish/Maintain Documentation | |
Include the date and time in the removable storage media log. CC ID 12318 | Records management | Establish/Maintain Documentation | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Establish/Maintain Documentation | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Establish/Maintain Documentation | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Establish/Maintain Documentation | |
Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Establish/Maintain Documentation | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Establish/Maintain Documentation | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Process or Activity | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain output distribution procedures. CC ID 00927 [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)] | Records management | Establish/Maintain Documentation | |
Include printed output in output distribution procedures. CC ID 13477 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain document retention procedures. CC ID 11660 [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d) The organization shall retain documented information as evidence of: § 10.1.2 ¶ 1] | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 | Records management | Establish/Maintain Documentation | |
Establish and maintain an error suspense file for rejected transactions. CC ID 06623 | Records management | Records Management | |
Establish and maintain reconciliation audit trails. CC ID 11647 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing output log. CC ID 06624 | Records management | Log Management | |
Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 | Records management | Establish/Maintain Documentation | |
Review and approve output exceptions. CC ID 06625 | Records management | Records Management | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Assess the continuity requirements during the planning and development stage for new products and services. CC ID 12779 [At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1] | Systems design, build, and implementation | Process or Activity | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Manage the system implementation process. CC ID 01115 | Systems design, build, and implementation | Behavior | |
Establish, implement, and maintain a product and service release log. CC ID 13705 [The organization shall define the types of release, including emergency release, their frequency and how they are to be managed. § 8.5.3 ¶ 1 Records of service requests shall be updated with actions taken. § 8.6.2 ¶ 2] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include the name of the person authorizing the release of products and services in the product and service release log. CC ID 13707 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Plan for selling facilities, technology, or services. CC ID 06893 [For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3] | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Refrain from providing products and services, as necessary. CC ID 15580 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Determine if there is a need for the product or service being sold. CC ID 06894 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Identify new business opportunities based on product or service need, the business strategy, and action plan. CC ID 06901 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain a product or service pricing program. CC ID 13676 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Provide identification mechanisms for the organization's supply chain members. CC ID 12201 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain customer terms and conditions. CC ID 13666 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Refrain from charging a fee for the provision of services, as necessary. CC ID 14212 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include customer risks in the customer terms and conditions. CC ID 13669 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Develop product solicitation responses and service solicitation responses. CC ID 06896 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Prevent the creation or distribution of devices designed to circumvent security measures. CC ID 11514 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Provide a product warranty or service warranty. CC ID 11601 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include the defined support period for hardware replacements in warranties. CC ID 14932 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include the methods of product replacement in warranties. CC ID 14931 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include rationale for the absence of software updates in warranties, as necessary. CC ID 14930 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include the defined support period in the product warranty or service warranty. CC ID 14927 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Establish, implement, and maintain equipment shipping procedures. CC ID 11449 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Ship equipment to customers in tamper-evident packaging, as necessary. CC ID 12271 | Acquisition or sale of facilities, technology, and services | Physical and Environmental Protection | |
Ship equipment following the equipment shipping procedures. CC ID 11658 | Acquisition or sale of facilities, technology, and services | Process or Activity | |
Ship goods or provide services to consumers in the agreed upon time frame. CC ID 08618 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Preserve products created for sale prior to shipping. CC ID 11602 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Clean and maintain products prior to shipping. CC ID 11603 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Detect and remove foreign objects from products prior to shipping. CC ID 11604 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Handle products with due care prior to shipping. CC ID 11605 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Attach safety warnings to products prior to shipping. CC ID 11606 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Rotate the stock of products prior to shipping. CC ID 11607 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain a consumer complaint management program. CC ID 04570 [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5] | Acquisition or sale of facilities, technology, and services | Business Processes | |
Document consumer complaints. CC ID 13903 [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5] | Acquisition or sale of facilities, technology, and services | Business Processes | |
Assess consumer complaints and litigation. CC ID 16521 | Acquisition or sale of facilities, technology, and services | Investigate | |
Notify the complainant about their rights after receiving a complaint. CC ID 16794 | Acquisition or sale of facilities, technology, and services | Communicate | |
Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Post contact information in an easily seen location at facilities. CC ID 13812 | Acquisition or sale of facilities, technology, and services | Communicate | |
Provide users a list of the available dispute resolution bodies. CC ID 13814 | Acquisition or sale of facilities, technology, and services | Communicate | |
Post the dispute resolution body's contact information on the organization's website. CC ID 13811 | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 | Acquisition or sale of facilities, technology, and services | Communicate | |
Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5] | Acquisition or sale of facilities, technology, and services | Actionable Reports or Measurements | |
Establish, implement, and maintain notice and take-down procedures. CC ID 09963 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Check communications for take-down requests. CC ID 09964 | Acquisition or sale of facilities, technology, and services | Monitor and Evaluate Occurrences | |
Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Notify the complainant regarding any missing information in the take-down request. CC ID 09973 | Acquisition or sale of facilities, technology, and services | Behavior | |
Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Remove all unlawful material associated with the take-down request that has not been removed and is feasible to remove. CC ID 09978 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Notify the complainant when all unlawful material associated with the take-down notice that can be removed has been removed. CC ID 09979 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling procedures. CC ID 11756 [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Data and Information Management | |
Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Business Processes | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [The service management plan shall include or contain a reference to: approach to be taken for working with other parties involved in the service lifecycle; § 6.3 ¶ 2(f) The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Review and update all contracts, as necessary. CC ID 11612 [At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 [The documented information for the SMS shall include: agreements with internal suppliers or customers acting as a supplier; § 7.5.4 ¶ 1(j)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: scope of the services, service components, processes or parts of processes to be provided or operated by the external supplier; § 8.3.4.1 ¶ 2(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: authorities and responsibilities of the organization and the external supplier. § 8.3.4.1 ¶ 2(d)] | Third Party and supply chain oversight | Business Processes | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: requirements to be met by the external supplier; § 8.3.4.1 ¶ 2(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a dispute resolution clause in third party contracts. CC ID 06519 [Disputes between the organization and the external supplier shall be recorded and managed to closure. § 8.3.4.1 ¶ 7] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Business Processes | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 [The organization shall determine and document: service components that are provided or operated by other parties; § 8.2.3.1 ¶ 4(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Communicate | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [The organization shall determine and document: services that are provided or operated by other parties; § 8.2.3.1 ¶ 4(a) The organization shall determine and document: processes, or parts of processes, in the organization's SMS that are operated by other parties. § 8.2.3.1 ¶ 4(c)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Third Party and supply chain oversight | Business Processes | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Third Party and supply chain oversight | Physical and Environmental Protection | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [The documented information for the SMS shall include: service level agreement(s) (SLA); § 7.5.4 ¶ 1(h) For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions. § 8.3.3 ¶ 2] | Third Party and supply chain oversight | Process or Activity | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Establish Roles | |
Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Third Party and supply chain oversight | Business Processes | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Business Processes | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the third party selection process in the supply chain management policy. CC ID 13132 [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Select suppliers based on their qualifications. CC ID 00795 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Implement measurable improvement plans with all third parties. CC ID 08815 [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2 At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 | Third Party and supply chain oversight | Business Processes | |
Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 [The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1] | Third Party and supply chain oversight | Business Processes | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Business Processes | |
Provide products or services per customer requests. CC ID 08893 [The organization and the customer shall agree the services to be delivered. § 8.3.3 ¶ 1] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain information security controls for the supply chain. CC ID 13109 [The organization shall define and apply relevant controls for other parties from the following: § 8.2.3.2 The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of process performance; § 8.2.3.2(a) The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of the effectiveness of services and service components in meeting the service requirements. § 8.2.3.2(b) The organization shall agree and implement information security controls to address information security risks related to external organizations. § 8.7.3.2 ¶ 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |