Back

International > International Organization for Standardization

ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition



AD ID

0003002

AD STATUS

ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

For Purchase

SYNONYMS

ISO/IEC 20000-1:2018

ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements

EFFECTIVE

2018-09-01

ADDED

The document as a whole was last reviewed and released on 2019-06-03T00:00:00+0000.

AD ID

0003002

AD STATUS

For Purchase

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

SYNONYMS

ISO/IEC 20000-1:2018

ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements

EFFECTIVE

2018-09-01

ADDED

The document as a whole was last reviewed and released on 2019-06-03T00:00:00+0000.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2020 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.



Common Controls and
mandates by Impact Zone
276 Mandated Controls - bold    
107 Implied Controls - italic     1597 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
1980 Total
  • Acquisition or sale of facilities, technology, and services
    51
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Plan for selling facilities, technology, or services. CC ID 06893
    [For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3
    For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3
    For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3
    For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3
    For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3]
    Acquisition/Sale of Assets or Services Preventive
    Determine if there is a need for the product or service being sold. CC ID 06894 Acquisition/Sale of Assets or Services Preventive
    Identify new business opportunities based on product or service need, the business strategy, and action plan. CC ID 06901 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain a product or service pricing program. CC ID 13676 Establish/Maintain Documentation Preventive
    Review and update controls to ensure the timeliness and accuracy of the market prices. CC ID 13688 Process or Activity Corrective
    Provide identification mechanisms for the organization's supply chain members. CC ID 12201 Business Processes Preventive
    Establish and maintain customer terms and conditions, as necessary. CC ID 13666 Establish/Maintain Documentation Preventive
    Refrain from charging a fee for the provision of services, as necessary. CC ID 14212 Business Processes Preventive
    Include customer risks in the customer terms and conditions. CC ID 13669 Establish/Maintain Documentation Preventive
    Develop product solicitation responses and service solicitation responses. CC ID 06896 Acquisition/Sale of Assets or Services Preventive
    Prevent the creation or distribution of devices designed to circumvent security measures. CC ID 11514 Acquisition/Sale of Assets or Services Preventive
    Provide a product warranty or service warranty. CC ID 11601 Acquisition/Sale of Assets or Services Preventive
    Establish and maintain equipment shipping procedures. CC ID 11449 Acquisition/Sale of Assets or Services Preventive
    Ship equipment to customers in tamper-evident packaging, as necessary. CC ID 12271 Physical and Environmental Protection Preventive
    Ship equipment following the equipment shipping procedures. CC ID 11658 Process or Activity Preventive
    Ship goods or provide services to consumers in the agreed upon time frame. CC ID 08618 Business Processes Preventive
    Preserve products created for sale prior to shipping. CC ID 11602 Acquisition/Sale of Assets or Services Preventive
    Clean and maintain products prior to shipping. CC ID 11603 Acquisition/Sale of Assets or Services Preventive
    Detect and remove foreign objects from products prior to shipping. CC ID 11604 Acquisition/Sale of Assets or Services Preventive
    Handle products with due care prior to shipping. CC ID 11605 Acquisition/Sale of Assets or Services Preventive
    Attach safety warnings to products prior to shipping. CC ID 11606 Acquisition/Sale of Assets or Services Preventive
    Rotate the stock of products prior to shipping. CC ID 11607 Acquisition/Sale of Assets or Services Preventive
    Establish and maintain a consumer complaint management program. CC ID 04570
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Business Processes Preventive
    Document consumer complaints. CC ID 13903
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Business Processes Preventive
    Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 Establish/Maintain Documentation Preventive
    Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 Establish/Maintain Documentation Preventive
    Post the dispute resolution body's contact information in an easily seen location at facilities. CC ID 13812 Communicate Preventive
    Provide users a list of the available dispute resolution bodies. CC ID 13814 Communicate Preventive
    Post the dispute resolution body's contact information on the organization's website. CC ID 13811 Communicate Preventive
    Establish and maintain consumer complaint escalation procedures. CC ID 07208
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Establish/Maintain Documentation Preventive
    Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Actionable Reports or Measurements Preventive
    Establish and maintain notice and take-down procedures. CC ID 09963 Establish/Maintain Documentation Preventive
    Check communications for take-down requests. CC ID 09964 Monitor and Evaluate Occurrences Preventive
    Include complete information in the take-down request. CC ID 09965 Business Processes Detective
    Include the complainant's contact information in the take-down request. CC ID 09966 Business Processes Detective
    Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 Business Processes Detective
    Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 Business Processes Detective
    Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 Business Processes Detective
    Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 Business Processes Preventive
    Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 Business Processes Detective
    Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 Business Processes Detective
    Notify the complainant regarding any missing information in the take-down request. CC ID 09973 Behavior Preventive
    Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 Business Processes Detective
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 Establish/Maintain Documentation Preventive
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 Establish/Maintain Documentation Preventive
    Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 Establish/Maintain Documentation Preventive
    Remove all unlawful material associated with the take-down request that have not been removed and are feasible to remove. CC ID 09978 Business Processes Preventive
    Notify the complainant when all unlawful material associated with the take-down notice that can be removed, has been removed. CC ID 09979 Business Processes Preventive
    Process product return requests. CC ID 11598 Acquisition/Sale of Assets or Services Corrective
    Refrain from returning products absent a return request authorization. CC ID 11599 Acquisition/Sale of Assets or Services Corrective
  • Audits and risk management
    428
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Establish Roles Preventive
    Manage supply chain audits. CC ID 01203 Audits and Risk Management Preventive
    Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 Audits and Risk Management Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Establish Roles Preventive
    Assign the Board of Directors to address audit findings. CC ID 12396 Human Resources Management Corrective
    Assign the internal Information Technology audit staff to be independent from the Information Technology group reporting to the Board of Directors. CC ID 01184 Establish Roles Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Establish Roles Preventive
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [The organization shall: ensure that the results of the audits are reported to relevant management; § 9.2.2 ¶ 1(d)]
    Testing Detective
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Establish Roles Preventive
    Define and assign the internal Information Technology audit staff's roles and responsibilities. CC ID 00681 Establish Roles Preventive
    Assign the responsibility for operating an internal control system to the internal Information Technology audit staff. CC ID 01187 Establish Roles Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Establish Roles Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and Risk Management Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Establish/Maintain Documentation Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Establish/Maintain Documentation Preventive
    Include a Change Control clause in external auditor outsourcing contracts. CC ID 01192 Establish/Maintain Documentation Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Establish/Maintain Documentation Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Establish/Maintain Documentation Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Establish/Maintain Documentation Preventive
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Establish/Maintain Documentation Preventive
    Review the audit scope when the Risk Profile is updated. CC ID 01202 Audits and Risk Management Preventive
    Review the audit assertion furnished by the organization for accuracy. CC ID 06977 Testing Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Testing Detective
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and Risk Management Detective
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Establish/Maintain Documentation Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Establish/Maintain Documentation Preventive
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Establish/Maintain Documentation Preventive
    Review the external auditor's qualifications. CC ID 01197 Audits and Risk Management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and Risk Management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Establish/Maintain Documentation Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Establish/Maintain Documentation Preventive
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Behavior Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Behavior Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Establish/Maintain Documentation Preventive
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Establish/Maintain Documentation Preventive
    Establish and maintain an audit program. CC ID 00684
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Establish and maintain audit policies, as necessary. CC ID 13166 Establish/Maintain Documentation Preventive
    Assign the audit to impartial auditors. CC ID 07118
    [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)]
    Establish Roles Preventive
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Behavior Preventive
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and Risk Management Preventive
    Establish and maintain audit terms. CC ID 13880 Establish/Maintain Documentation Preventive
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Process or Activity Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Establish/Maintain Documentation Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Establish/Maintain Documentation Preventive
    Establish and maintain Agreed Upon Procedures that are in scope for the audit. CC ID 13893 Establish/Maintain Documentation Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Include audit subject matter in the audit program. CC ID 07103
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the importance of the processes concerned; § 9.2.2 ¶ 1(a)(1)]
    Establish/Maintain Documentation Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Establish/Maintain Documentation Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Establish/Maintain Documentation Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Establish/Maintain Documentation Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Establish/Maintain Documentation Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and Risk Management Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Establish/Maintain Documentation Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Establish/Maintain Documentation Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Establish/Maintain Documentation Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Establish/Maintain Documentation Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Establish/Maintain Documentation Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Establish/Maintain Documentation Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Establish/Maintain Documentation Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Establish/Maintain Documentation Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Establish/Maintain Documentation Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Establish/Maintain Documentation Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Establish/Maintain Documentation Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Establish/Maintain Documentation Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Establish/Maintain Documentation Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Establish/Maintain Documentation Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Establish/Maintain Documentation Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Establish/Maintain Documentation Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Establish/Maintain Documentation Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Establish/Maintain Documentation Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Establish/Maintain Documentation Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Establish/Maintain Documentation Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Establish/Maintain Documentation Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Establish/Maintain Documentation Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Establish/Maintain Documentation Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Establish/Maintain Documentation Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Communicate Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Establish/Maintain Documentation Preventive
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Establish/Maintain Documentation Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)]
    Audits and Risk Management Preventive
    Establish and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Establish/Maintain Documentation Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Establish/Maintain Documentation Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Establish/Maintain Documentation Corrective
    Include materiality levels in the audit terms. CC ID 01238 Establish/Maintain Documentation Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: changes affecting the organization; § 9.2.2 ¶ 1(a)(2)]
    Establish/Maintain Documentation Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Establish/Maintain Documentation Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and Risk Management Detective
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Behavior Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and Risk Management Preventive
    Audit in scope audit items and compliance documents as defined in the audit scope. CC ID 06730
    [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the organization's own requirements for its SMS; § 9.2.1 ¶ 1(a)(1)
    The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the requirements of this document; § 9.2.1 ¶ 1(a)(2)
    The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: is effectively implemented and maintained. § 9.2.1 ¶ 1(b)
    The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)]
    Audits and Risk Management Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and Risk Management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and Risk Management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and Risk Management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Investigate Detective
    Audit information systems, as necessary. CC ID 13010 Investigate Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Investigate Detective
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Testing Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Testing Detective
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Process or Activity Detective
    Edit the audit assertion for accuracy. CC ID 07030 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Process or Activity Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3]
    Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Testing Detective
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Establish/Maintain Documentation Preventive
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112
    [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: § 9.2.1 ¶ 1]
    Testing Preventive
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and Risk Management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and Risk Management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and Risk Management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and Risk Management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and Risk Management Preventive
    Conduct interviews of auditees, as necessary. CC ID 07188 Testing Detective
    Explain the goals of the interview to the auditee. CC ID 07189 Behavior Detective
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Process or Activity Corrective
    Establish and maintain work papers, as necessary. CC ID 13891 Establish/Maintain Documentation Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Establish/Maintain Documentation Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Establish/Maintain Documentation Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Establish/Maintain Documentation Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Establish/Maintain Documentation Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Establish/Maintain Documentation Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and Risk Management Detective
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Establish/Maintain Documentation Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Establish/Maintain Documentation Preventive
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Testing Detective
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Testing Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Monitor and Evaluate Occurrences Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Establish Roles Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Business Processes Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Monitor and Evaluate Occurrences Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Business Processes Preventive
    Establish and maintain a Statement on the Level of Compliance. CC ID 12499 Establish/Maintain Documentation Preventive
    Review the Statement on the Level of Compliance. CC ID 12500 Business Processes Detective
    Approve the Statement on the Level of Compliance. CC ID 12501 Business Processes Preventive
    Include a Statement on the Level of Compliance in the tactical Information Technology plan. CC ID 06842 Actionable Reports or Measurements Preventive
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Process or Activity Preventive
    Establish and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Establish/Maintain Documentation Preventive
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and Risk Management Preventive
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Business Processes Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and Risk Management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and Risk Management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Establish/Maintain Documentation Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Establish/Maintain Documentation Preventive
    Establish and maintain organizational audit reports. CC ID 06731
    [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ (e)
    The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Establish/Maintain Documentation Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Establish/Maintain Documentation Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Establish/Maintain Documentation Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Establish/Maintain Documentation Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Establish/Maintain Documentation Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Establish/Maintain Documentation Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Establish/Maintain Documentation Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Establish/Maintain Documentation Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Actionable Reports or Measurements Preventive
    Include the date of the audit in the audit report. CC ID 07024 Actionable Reports or Measurements Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Actionable Reports or Measurements Preventive
    Include any discussions of significant findings in the audit report, as necessary. CC ID 13955 Establish/Maintain Documentation Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Establish/Maintain Documentation Preventive
    Include the audit criteria in the audit report. CC ID 13945 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Establish/Maintain Documentation Preventive
    Identify all hypothetical assumptions in the audit report. CC ID 13947 Establish/Maintain Documentation Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Actionable Reports or Measurements Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Establish/Maintain Documentation Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Establish/Maintain Documentation Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Establish/Maintain Documentation Preventive
    Include references to Subject Matter Expert in the audit report when citing qualified opinions. CC ID 13929 Establish/Maintain Documentation Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Establish/Maintain Documentation Preventive
    Include a review of the subject matter expert's findings in the audit report, as necessary. CC ID 13972 Establish/Maintain Documentation Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Establish/Maintain Documentation Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Establish/Maintain Documentation Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Establish/Maintain Documentation Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Establish/Maintain Documentation Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Establish/Maintain Documentation Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Establish/Maintain Documentation Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Establish/Maintain Documentation Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Establish/Maintain Documentation Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Establish/Maintain Documentation Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Establish/Maintain Documentation Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Establish/Maintain Documentation Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Actionable Reports or Measurements Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Establish/Maintain Documentation Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Establish/Maintain Documentation Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Establish/Maintain Documentation Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Establish/Maintain Documentation Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Establish/Maintain Documentation Preventive
    Include the organization's description of the in scope system in the audit report. CC ID 11626 Audits and Risk Management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and Risk Management Detective
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Establish/Maintain Documentation Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and Risk Management Detective
    Review past audit reports. CC ID 01155
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: the results of previous audits; § 9.2.2 ¶ 1(a)(3)
    The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: audit results; § 9.3 ¶ 2(c)(3)]
    Establish/Maintain Documentation Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Establish/Maintain Documentation Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Behavior Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Establish/Maintain Documentation Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Establish/Maintain Documentation Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Establish/Maintain Documentation Preventive
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Process or Activity Detective
    Include an audit opinion in the audit report. CC ID 07017 Establish/Maintain Documentation Preventive
    Include qualified opinions in the audit report, as necessary. CC ID 13928 Establish/Maintain Documentation Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Establish/Maintain Documentation Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Establish/Maintain Documentation Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Establish/Maintain Documentation Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Business Processes Corrective
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ (e)]
    Actionable Reports or Measurements Preventive
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and Risk Management Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Establish/Maintain Documentation Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Establish/Maintain Documentation Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Establish/Maintain Documentation Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Records Management Preventive
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Establish/Maintain Documentation Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Establish/Maintain Documentation Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Establish/Maintain Documentation Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Establish/Maintain Documentation Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Establish/Maintain Documentation Preventive
    Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 Establish/Maintain Documentation Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Establish/Maintain Documentation Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Establish/Maintain Documentation Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Establish/Maintain Documentation Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Establish/Maintain Documentation Corrective
    Disclose any audit irregularities in the audit report. CC ID 06995 Actionable Reports or Measurements Preventive
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Establish/Maintain Documentation Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Behavior Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Establish/Maintain Documentation Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Business Processes Preventive
    Submit an audit report that is complete. CC ID 01145 Testing Detective
    Accept the audit report. CC ID 07025 Establish/Maintain Documentation Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777 Establish/Maintain Documentation Corrective
    Assign responsibility for remediation actions, as necessary. CC ID 13622 Human Resources Management Preventive
    Review management's response to issues raised in past audit reports. CC ID 01149
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1)]
    Audits and Risk Management Detective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Establish/Maintain Documentation Preventive
    Take appropriate action to correct deficiencies identified in the audit report. CC ID 01177 Testing Detective
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Testing Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and Risk Management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and Risk Management Preventive
    Establish and maintain the audit plan for the audit program. CC ID 01156 Testing Detective
    Establish and maintain the audit schedule for the audit program. CC ID 13158
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: § 9.2.2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a risk management program. CC ID 12051
    [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Establish/Maintain Documentation Preventive
    Integrate the risk management program with the organization's business activities. CC ID 13661 Business Processes Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Business Processes Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Establish/Maintain Documentation Preventive
    Establish and maintain risk management strategies, as necessary. CC ID 13209 Establish/Maintain Documentation Preventive
    Include off-site storage of supplies in the risk management strategies, as necessary. CC ID 13221 Establish/Maintain Documentation Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Establish/Maintain Documentation Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Establish/Maintain Documentation Preventive
    Include off-site storage in organizational risk mitigation strategies. CC ID 13213 Establish/Maintain Documentation Preventive
    Establish and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Review the risk assessment framework. CC ID 12813 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and Risk Management Detective
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 Establish Roles Preventive
    Establish, implement, and maintain a risk assessment program to manage internal threats and external threats. CC ID 00687 Establish/Maintain Documentation Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [The organization shall determine and document: risks related to: not meeting the service requirements; § 6.1.2 ¶ 1(a)(2)]
    Audits and Risk Management Preventive
    Establish and maintain a financial plan to support the risk management strategy. CC ID 12786 Establish/Maintain Documentation Preventive
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Business Processes Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Business Processes Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 Business Processes Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Establish/Maintain Documentation Preventive
    Include a data protection impact assessment in the risk assessment program. CC ID 12630 Establish/Maintain Documentation Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Establish/Maintain Documentation Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Establish/Maintain Documentation Preventive
    Include the description and purpose of personal data processing in the Data Protection Impact Assessment. CC ID 12673 Establish/Maintain Documentation Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Establish/Maintain Documentation Preventive
    Include a description of the personal data processing operations in the Data Protection Impact Assessment. CC ID 12672 Establish/Maintain Documentation Preventive
    Include security measures for protecting personal data in the Data Protection Impact Assessment. CC ID 12635 Establish/Maintain Documentation Preventive
    Review the data protection impact assessment, as necessary. CC ID 12665 Audits and Risk Management Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Behavior Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Establish/Maintain Documentation Preventive
    Review and update the risk assessment policy, as necessary. CC ID 14122 Establish/Maintain Documentation Corrective
    Include compliance requirements in the risk assessment policy. CC ID 14121 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Communicate Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Establish/Maintain Documentation Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Document cybersecurity risks. CC ID 12281 Establish/Maintain Documentation Preventive
    Engage third parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Establish and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and Risk Management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Establish/Maintain Documentation Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Establish/Maintain Documentation Preventive
    Establish and maintain a threat and risk classification scheme. CC ID 07183 Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277 Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities to the system in the threat and risk classification scheme. CC ID 00699 Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and Risk Management Preventive
    Include the risks to the organization's critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and Risk Management Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Establish/Maintain Documentation Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Establish/Maintain Documentation Preventive
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Establish/Maintain Documentation Preventive
    Address past security incidents in the risk assessment program. CC ID 12743 Audits and Risk Management Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Establish/Maintain Documentation Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Establish/Maintain Documentation Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Establish/Maintain Documentation Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Establish/Maintain Documentation Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and Risk Management Preventive
    Review the risk assessment procedures, as necessary. CC ID 06460 Establish/Maintain Documentation Preventive
    Employ risk assessment methodologies that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Establish/Maintain Documentation Preventive
    Employ risk assessment methodologies that follow standards and best practices, as necessary. CC ID 06473 Establish/Maintain Documentation Preventive
    Employ risk assessment methodologies that align with organizational strategic objectives. CC ID 06474 Establish/Maintain Documentation Preventive
    Employ risk assessment methodologies that take into account both electronic records and printed records. CC ID 06476 Establish/Maintain Documentation Preventive
    Employ risk assessment methodologies that take into account information classification. CC ID 06477 Establish/Maintain Documentation Preventive
    Employ risk assessment methodologies that take into account prior risk assessment findings of the same scope. CC ID 06478 Establish/Maintain Documentation Preventive
    Employ risk assessment methodologies that take into account the target environment. CC ID 06479 Establish/Maintain Documentation Preventive
    Employ risk assessment methodologies that take into account incidents associated with the target environment. CC ID 06480 Establish/Maintain Documentation Preventive
    Employ risk assessment methodologies that include appropriate risk treatment options for each identified risk. CC ID 06484 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Communicate Preventive
    Approve the risk assessment program and all associated risk assessment methodologies at the senior management level within the organization. CC ID 06458 Establish/Maintain Documentation Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Communicate Preventive
    Conduct external audits of the organization's risk assessment. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Conduct external audits of the organization's risk assessment within any mandated timeframes. CC ID 13310 Audits and Risk Management Detective
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Business Processes Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 Behavior Preventive
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Investigate Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Conduct a Business Impact Analysis based on the risk assessment findings in the risk assessment report. CC ID 01147 Audits and Risk Management Detective
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Establish/Maintain Documentation Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Establish/Maintain Documentation Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Establish/Maintain Documentation Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Establish/Maintain Documentation Preventive
    Include pandemic risks in the business impact analysis, as necessary. CC ID 13219 Establish/Maintain Documentation Preventive
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 Establish/Maintain Documentation Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961 Establish/Maintain Documentation Preventive
    Update the risk register, as necessary. CC ID 13047 Establish/Maintain Documentation Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Business Processes Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Establish/Maintain Documentation Detective
    Review the Business Impact Analysis, as necessary. CC ID 12774 Business Processes Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: prevent, or reduce, undesired effects; § 6.1.1 ¶ 1(b)
    The organization shall determine and document: risks related to: the organization; § 6.1.2 ¶ 1(a)(1)]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)]
    Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [The organization shall determine and document: risk acceptance criteria; § 6.1.2 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Behavior Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Establish/Maintain Documentation Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1]
    Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and Risk Management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601
    [/* Based on the subject of this section, by 'these actions', the document is referring to activities to manage risk*/{risk management activity} evaluate the effectiveness of these actions. § 6.1.3 ¶ 1(b)(2)]
    Testing Detective
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and Risk Management Preventive
    Establish and maintain a risk treatment plan. CC ID 11983 Establish/Maintain Documentation Preventive
    Identify the planned actions and controls that address high risk. CC ID 12835 Audits and Risk Management Preventive
    Identify the current actions and controls that address high risk. CC ID 12834 Audits and Risk Management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Establish/Maintain Documentation Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Establish/Maintain Documentation Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Establish/Maintain Documentation Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Establish/Maintain Documentation Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Establish/Maintain Documentation Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Establish/Maintain Documentation Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Establish/Maintain Documentation Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Establish/Maintain Documentation Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Establish/Maintain Documentation Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and Risk Management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Establish/Maintain Documentation Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3]
    Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485
    [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)]
    Establish/Maintain Documentation Preventive
    Include risk responses in the risk management program. CC ID 13195 Establish/Maintain Documentation Preventive
    Document residual risk in a residual risk report. CC ID 13664 Establish/Maintain Documentation Corrective
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Business Processes Preventive
    Establish and Maintain a Cybersecurity Risk Management Strategy. CC ID 11991 Establish/Maintain Documentation Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Establish/Maintain Documentation Preventive
    Evaluate the cyber insurance market. CC ID 12695 Business Processes Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Business Processes Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Business Processes Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190
    [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Human Resources Management Preventive
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Process or Activity Detective
    Disseminate and communicate the organization's risk management policy to interested personnel and affected parties. CC ID 13792 Communicate Preventive
    Review and update the risk management program, as necessary. CC ID 13049
    [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)]
    Establish/Maintain Documentation Preventive
  • Human Resources management
    109
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that appropriate levels of authority are assigned for making decisions related to the SMS and the services; § 5.1 ¶ 1(c)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1(l)]
    Establish Roles Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources Management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Establish Roles Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources Management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources Management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources Management Preventive
    Analyze workforce management. CC ID 12844
    [{resource level}{manpower}management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)]
    Human Resources Management Detective
    Evaluate Information Technology personnel job performance. CC ID 00787 Behavior Detective
    Identify root causes of staffing shortages, if any exist. CC ID 13276 Human Resources Management Detective
    Analyze the ability of Human Resources to attract a competent workforce. CC ID 13275 Human Resources Management Detective
    Include how risk is perceived by the workforce in the analysis of workforce management. CC ID 12969 Human Resources Management Preventive
    Include compensation structures in the analysis of workforce management. CC ID 12902 Human Resources Management Preventive
    Establish and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1(b)
    {staff} The organization shall: determine the necessary competence of persons doing work under its control that affects the performance and effectiveness of the SMS and the services; § 7.2 ¶ 1(a)]
    Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish and maintain personnel screening procedures. CC ID 11700 Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Update security clearances, as necessary. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
    Train all personnel and third parties, as necessary. CC ID 00785
    [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)]
    Behavior Preventive
    Establish and maintain an education methodology. CC ID 06671
    [{interested party} Instructions for the fulfilment of service requests shall be made available to persons involved in service request fulfilment. § 8.6.2 ¶ 3
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)]
    Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources Management Preventive
    Retrain all personnel annually or as necessary. CC ID 01362 Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217
    [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)]
    Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674
    [{be relevant} Persons doing work under the organization's control shall be aware of: the services relevant to their work; § 7.3 ¶ 1(c)
    The organization shall determine and maintain the knowledge necessary to support the operation of the SMS and the services. § 7.6 ¶ 1
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for appropriate education, training and experience; § 8.5.2.2 ¶ 1(c)]
    Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423
    [The organization shall: retain appropriate documented information as evidence of competence. § 7.2 ¶ 1(d)]
    Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672
    [The organization shall: where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; § 7.2 ¶ 1(c)]
    Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Review the current published guidance and awareness and training programs. CC ID 01245 Establish/Maintain Documentation Preventive
    Establish and implement training plans. CC ID 00828
    [{be usable}{be available}{support}{operation}{SMS and the services}*by knowledge', based on the section the authors appear to be referring to the knowledge necessary to support the operation of the SMS and the services*/ The knowledge shall be relevant, usable and available to appropriate persons. § 7.6 ¶ 2
    {be usable}{be available}{support}{operation}{SMS and the services}*by knowledge', based on the section the authors appear to be referring to the knowledge necessary to support the operation of the SMS and the services*/ The knowledge shall be relevant, usable and available to appropriate persons. § 7.6 ¶ 2
    {be usable}{be available}{support}{operation}{SMS and the services}*by knowledge', based on the section the authors appear to be referring to the knowledge necessary to support the operation of the SMS and the services*/ The knowledge shall be relevant, usable and available to appropriate persons. § 7.6 ¶ 2]
    Establish/Maintain Documentation Preventive
    Develop or acquire content to update the training plans. CC ID 12867 Training Preventive
    Include portions of the visitor control program in the training plans, as necessary. CC ID 13287 Establish/Maintain Documentation Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources Management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Training Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources Management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Training Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Training Preventive
    Conduct Archives and Records Management training. CC ID 00975 Behavior Preventive
    Conduct personal data processing training. CC ID 13757 Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Include the cloud service usage standard in training plans, as necessary. CC ID 13039 Training Preventive
    Establish and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Establish/Maintain Documentation Preventive
    Review and update the security awareness and training procedures, as necessary. CC ID 14140 Establish/Maintain Documentation Corrective
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Communicate Preventive
    Review and update the security awareness and training policy, as necessary. CC ID 14050 Establish/Maintain Documentation Corrective
    Include management commitment in the security awareness and training policy. CC ID 14049 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate security awareness and the internal control framework to all interested personnel and affected parties. CC ID 00823 Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Conduct secure coding and development training for developers. CC ID 06822 Behavior Corrective
    Conduct tampering prevention training. CC ID 11875 Training Preventive
    Include the mandate to refrain from installing, refrain from replacing, refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Training Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Training Preventive
    Include how to report tampering in the tampering prevention training. CC ID 11879 Training Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Training Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Training Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Training Preventive
    Update training plans, as necessary. CC ID 12868 Training Preventive
    Conduct crime prevention training. CC ID 06350 Behavior Preventive
    Analyze and evaluate training records to improve the training program. CC ID 06380 Monitor and Evaluate Occurrences Detective
  • Leadership and high level objectives
    247
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be measurable; § 6.2.1 ¶ 1(b)]
    Monitor and Evaluate Occurrences Preventive
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Establish/Maintain Documentation Preventive
    Analyze the business environment in which the organization operates. CC ID 12798 Business Processes Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Process or Activity Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Process or Activity Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Process or Activity Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942
    [{resource level}{manpower}management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)
    {resource level}{manpower}management review shall include consideration of: current and forecast human, technical, information and financial resource levels, and human and technical resource capabilities; § 9.3 ¶ 2(j)]
    Process or Activity Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Process or Activity Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Process or Activity Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Process or Activity Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Process or Activity Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Process or Activity Preventive
    Align assets with business functions and the business environment. CC ID 13681 Business Processes Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector, as necessary. CC ID 13200
    [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2]
    Communicate Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863
    [{service management system} When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2(a)
    The management review shall include consideration of: changes in external and internal issues that are relevant to the SMS; § 9.3 ¶ 2(b)
    The management review shall include consideration of: changes that can affect the SMS and the services. § 9.3 ¶ 2(l)]
    Monitor and Evaluate Occurrences Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Monitor and Evaluate Occurrences Preventive
    Analyze the external environment in which the organization operates. CC ID 12799 Business Processes Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960 Process or Activity Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Monitor and Evaluate Occurrences Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965 Business Processes Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 Monitor and Evaluate Occurrences Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Business Processes Preventive
    Include society in the analysis of the external environment. CC ID 12963 Business Processes Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Business Processes Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Business Processes Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904 Business Processes Preventive
    Include threats in the analysis of the external environment. CC ID 12898 Business Processes Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Business Processes Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896 Business Processes Preventive
    Include technology in the analysis of the external environment. CC ID 12837 Business Processes Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Business Processes Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Business Processes Preventive
    Document organizational objectives. CC ID 09959 Establish/Maintain Documentation Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Process or Activity Preventive
    Identify events that may affect organizational objectives. CC ID 12961
    [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1]
    Process or Activity Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Process or Activity Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828
    [{applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1]
    Business Processes Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826
    [The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    The organization shall determine and document: the impact on customers of risks and opportunities for the SMS and the services; § 6.1.2 ¶ 1(b)]
    Business Processes Preventive
    Prioritize organizational objectives. CC ID 09960 Business Processes Preventive
    Review and update organizational objectives, as necessary. CC ID 13494 Establish/Maintain Documentation Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Business Processes Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Establish/Maintain Documentation Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Establish/Maintain Documentation Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Establish/Maintain Documentation Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Establish/Maintain Documentation Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Establish/Maintain Documentation Preventive
    Disseminate and communicate organizational objectives to all interested personnel and affected parties. CC ID 13191
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)]
    Communicate Preventive
    Document and communicate the linkage between organizational objectives, functions, activities and general controls. CC ID 12398
    [At planned intervals, the information security risks to the SMS and the services shall be assessed and documented. Information security controls shall be determined, implemented and operated to support the information security policy and address identified information security risks. Decisions about information security controls shall be documented. § 8.7.3.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827
    [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its SMS. § 4.1 ¶ 1]
    Business Processes Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1
    The organization shall plan: actions to address these risks and opportunities and their priorities; § 6.1.3 ¶ 1(a)]
    Process or Activity Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805
    [The management review shall include consideration of: results of risk assessment and the effectiveness of actions taken to address risks and opportunities; § 9.3 ¶ 2(k)]
    Process or Activity Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Business Processes Preventive
    Identify all interested personnel and affected parties. CC ID 12845
    [The organization shall determine: the interested parties that are relevant to the SMS and the services; § 4.2 ¶ 1(a)
    The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1]
    Process or Activity Detective
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 Business Processes Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Establish/Maintain Documentation Preventive
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Data and Information Management Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Data and Information Management Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Data and Information Management Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Data and Information Management Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Data and Information Management Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Data and Information Management Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Data and Information Management Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Data and Information Management Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Data and Information Management Preventive
    Update the information classification standard regularly or when new threats are discovered. CC ID 07048 Establish/Maintain Documentation Corrective
    Establish and maintain a data classification scheme. CC ID 11628 Establish/Maintain Documentation Preventive
    Review and approve the data classification scheme. CC ID 13858 Establish/Maintain Documentation Detective
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Establish/Maintain Documentation Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Establish/Maintain Documentation Preventive
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Establish/Maintain Documentation Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Establish/Maintain Documentation Preventive
    Ensure the data dictionary is complete and accurate. CC ID 13527 Investigate Detective
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Establish/Maintain Documentation Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Establish/Maintain Documentation Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Establish/Maintain Documentation Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Establish/Maintain Documentation Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Establish/Maintain Documentation Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Establish/Maintain Documentation Preventive
    Include the data source in the data dictionary. CC ID 13519 Establish/Maintain Documentation Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Establish/Maintain Documentation Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Communicate Preventive
    Establish and maintain an Information and Infrastructure Architecture model. CC ID 00599 Establish/Maintain Documentation Preventive
    Establish and maintain sustainable infrastructure planning. CC ID 00603 Establish/Maintain Documentation Preventive
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Behavior Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604 Monitor and Evaluate Occurrences Detective
    Monitor for new Information Security solutions. CC ID 07078 Monitor and Evaluate Occurrences Detective
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Technical Security Detective
    Disseminate and communicate emerging threats to all affected parties. CC ID 12185 Communicate Preventive
    Disseminate and communicate updated guidance documentation to affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Establish/Maintain Documentation Preventive
    Include supply chain management standards in the quality management framework. CC ID 13701 Establish/Maintain Documentation Preventive
    Establish and maintain a Quality Management policy. CC ID 13694 Establish/Maintain Documentation Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Establish/Maintain Documentation Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a)
    The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b)
    {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1
    {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Establish/Maintain Documentation Preventive
    Include critical Information Technology processes in the Quality Management Framework. CC ID 13645 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)]
    Communicate Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders, as necessary. CC ID 13680
    [Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4
    Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4]
    Communicate Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Establish/Maintain Documentation Preventive
    Establish and maintain an overall Quality Management standard. CC ID 01006 Establish/Maintain Documentation Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200
    [The organization shall determine evaluation criteria to be applied to the opportunities for improvement when making decisions on their approval. Evaluation criteria shall include alignment of the improvement with service management objectives. § 10.2 ¶ 2
    The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. §8.5.3 ¶ 6]
    Establish/Maintain Documentation Preventive
    Implement the quality management program. CC ID 13696
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b)]
    Business Processes Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501 Business Processes Corrective
    Enforce a continuous Quality Control system. CC ID 01005
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3]
    Business Processes Detective
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: § 9.3 ¶ 2(c)]
    Testing Detective
    Establish and maintain a Quality Management program. CC ID 07201
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: setting one or more targets for improvement in areas such as quality, value, capability, cost, productivity, resource utilization and risk reduction; § 10.2 ¶ 3(a)
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: ensuring that improvements are prioritized, planned and implemented; § 10.2 ¶ 3(b)
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)]
    Establish/Maintain Documentation Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Establish/Maintain Documentation Preventive
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825
    [The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. §8.5.3 ¶ 6]
    Systems Design, Build, and Implementation Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3
    Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4
    The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. §8.5.3 ¶ 6]
    Establish/Maintain Documentation Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Establish/Maintain Documentation Preventive
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Business Processes Detective
    Include program testing standards in the Quality Management program. CC ID 01017
    [At planned intervals, the organization shall monitor, review and report on: performance against service level targets; § 8.3.3 ¶ 3(a)]
    Establish/Maintain Documentation Preventive
    Review and analyze any quality improvement goals that were missed. CC ID 07204
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: measuring implemented improvements against the target(s) set and where target(s) are not achieved, taking necessary actions; § 10.2 ¶ 3(d)]
    Business Processes Detective
    Include system testing standards in the Quality Management program. CC ID 01018 Establish/Maintain Documentation Preventive
    Include a bug tracking system in the Quality Management program. CC ID 06824 Systems Design, Build, and Implementation Preventive
    Review the Quality Management framework, as necessary. CC ID 07198
    [The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3
    At planned intervals, the effectiveness of problem resolution shall be monitored, reviewed and reported. § 8.6.3 ¶ 5
    The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. §8.5.3 ¶ 6]
    Establish/Maintain Documentation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Establish and maintain an organizational policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Implement organizational policies, standards, and procedures. CC ID 12893 Business Processes Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring the integration of the SMS requirements into the organization's business processes; § 5.1 ¶ 1(f)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a list of compliance documents. CC ID 07113
    [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2]
    Establish/Maintain Documentation Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Establish/Maintain Documentation Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [The documented information for the SMS shall include: procedures that are required by this document; § 7.5.4 ¶ 1(k)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [Documented information required by the SMS and by this document shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3.1(a)
    When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Communicate Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Establish/Maintain Documentation Preventive
    Publish and disseminate and communicate an annual Statement on Internal Control. CC ID 06727 Establish/Maintain Documentation Preventive
    Include confirmation of any significant weaknesses in the annual Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the organization's counterterror protective security plan in the annual Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the annual Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Establish Roles Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Establish Roles Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765 Establish Roles Detective
    Address Information Security during the business planning processes. CC ID 06495 Data and Information Management Preventive
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498
    [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1
    Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish and maintain a strategic plan. CC ID 12784
    [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Determine progress toward the objectives of the integrated plan. CC ID 12944
    [The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be monitored; § 6.2.1 ¶ 1(d)
    The management review shall include consideration of: achievement of service management objectives; § 9.3 ¶ 2(g)]
    Process or Activity Preventive
    Include acting with integrity in the strategic plan. CC ID 12870 Establish/Maintain Documentation Preventive
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960 Establish/Maintain Documentation Preventive
    Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027 Establish/Maintain Documentation Preventive
    Review and update the security planning policy, as necessary. CC ID 14132 Establish/Maintain Documentation Corrective
    Include compliance requirements in the security planning policy. CC ID 14131 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security planning policy. CC ID 14130 Establish/Maintain Documentation Preventive
    Include management commitment in the security planning policy. CC ID 14129 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security planning policy. CC ID 14128 Establish/Maintain Documentation Preventive
    Include the scope in the security planning policy. CC ID 14127 Establish/Maintain Documentation Preventive
    Include the purpose in the security planning policy. CC ID 14126 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 Communicate Preventive
    Establish, implement, and maintain security planning procedures. CC ID 14060 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Communicate Preventive
    Review and update the security planning procedures. CC ID 14133 Establish/Maintain Documentation Corrective
    Establish and maintain a decision management strategy. CC ID 06913 Establish/Maintain Documentation Preventive
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Establish/Maintain Documentation Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Establish/Maintain Documentation Preventive
    Include criteria for compliance in the decision management strategy. CC ID 12951 Establish/Maintain Documentation Preventive
    Include criteria for risk tolerance in the decision management strategy. CC ID 12950 Establish/Maintain Documentation Preventive
    Include criteria for selecting objectives and strategies in the decision management strategy. CC ID 12949 Establish/Maintain Documentation Preventive
    Include criteria for setting priorities in the decision management strategy. CC ID 12938
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: policies and plans required by this document; § 8.5.1.3 ¶ 1(c)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: policies and plans required by this document; § 8.5.1.3 ¶ 1(c)]
    Process or Activity Preventive
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843
    [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Process or Activity Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1]
    Process or Activity Preventive
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Establish/Maintain Documentation Detective
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: customers, users and other interested parties; § 8.5.1.3 ¶ 1(b)]
    Process or Activity Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 Behavior Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909 Process or Activity Preventive
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Establish/Maintain Documentation Preventive
    Communicate the decision management strategy to all interested personnel and affected parties, as necessary. CC ID 13991 Communicate Preventive
    Establish and maintain an information technology process framework. CC ID 13648 Establish/Maintain Documentation Preventive
    Include maturity models in the Information Technology process framework. CC ID 13652 Establish/Maintain Documentation Preventive
    Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 Establish/Maintain Documentation Preventive
    Include Information Technology process structures in the Information Technology process framework. CC ID 13650 Establish/Maintain Documentation Preventive
    Establish and maintain a tactical plan. CC ID 12785 Establish/Maintain Documentation Preventive
    Include acting with integrity in the tactical plan. CC ID 12871 Establish/Maintain Documentation Preventive
    Establish and maintain a high-level Strategic Information Technology Plan. CC ID 00628 Establish/Maintain Documentation Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Establish/Maintain Documentation Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408 Establish/Maintain Documentation Preventive
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 Business Processes Corrective
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 Business Processes Preventive
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Establish/Maintain Documentation Preventive
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Establish/Maintain Documentation Preventive
    Establish and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Establish/Maintain Documentation Preventive
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 Establish/Maintain Documentation Preventive
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846 Establish/Maintain Documentation Preventive
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Business Processes Preventive
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 Establish/Maintain Documentation Preventive
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 Establish/Maintain Documentation Preventive
    Assign senior management to approve business cases. CC ID 13068 Human Resources Management Preventive
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621 Establish/Maintain Documentation Preventive
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Establish/Maintain Documentation Corrective
    Establish and maintain a counterterror protective security plan. CC ID 06862 Establish/Maintain Documentation Preventive
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Establish/Maintain Documentation Preventive
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Establish/Maintain Documentation Preventive
    Include a search plan in the counterterror protective security plan. CC ID 06865 Establish/Maintain Documentation Preventive
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Establish/Maintain Documentation Preventive
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Establish/Maintain Documentation Preventive
    Establish and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 Establish/Maintain Documentation Preventive
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 Monitor and Evaluate Occurrences Detective
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans CC ID 06839 Actionable Reports or Measurements Preventive
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Actionable Reports or Measurements Preventive
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Actionable Reports or Measurements Preventive
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Actionable Reports or Measurements Preventive
    Establish and maintain Capital Planning and Investment Control policy. CC ID 06279 Establish/Maintain Documentation Preventive
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Establish/Maintain Documentation Preventive
    Assign accountability for the Information Governance Plan to senior management. CC ID 10054 Human Resources Management Preventive
    Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 Human Resources Management Preventive
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Human Resources Management Preventive
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Establish/Maintain Documentation Preventive
    Include the information integrity goals in the Information Governance Plan. CC ID 10057 Establish/Maintain Documentation Preventive
    Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors CC ID 13094 Human Resources Management Preventive
    Establish, implement, and maintain a financial management program, as necessary. CC ID 13228 Establish/Maintain Documentation Preventive
    Review financial reports, as necessary. CC ID 13229
    [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3]
    Investigate Detective
    Establish and maintain communication protocols. CC ID 12245
    [{internal communication}{be relevant} The organization shall determine the internal and external communications relevant to the SMS and the services including: § 7.4 ¶ 1
    The organization shall determine the internal and external communications relevant to the SMS and the services including: when to communicate; § 7.4 ¶ 1(b)
    The organization shall determine the internal and external communications relevant to the SMS and the services including: with whom to communicate; § 7.4 ¶ 1(c)
    The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2
    The organization shall determine the internal and external communications relevant to the SMS and the services including: how to communicate; § 7.4 ¶ 1(d)
    The organization shall determine the internal and external communications relevant to the SMS and the services including: on what it will communicate; § 7.4 ¶ 1(a)
    The organization shall determine the internal and external communications relevant to the SMS and the services including: who will be responsible for the communication. § 7.4 ¶ 1(e)]
    Establish/Maintain Documentation Preventive
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419
    [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 Process or Activity Detective
    Include external requirements in the organization's communication protocol. CC ID 12418
    [The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service requirements. § 8.3.2 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Communicate Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 Establish/Maintain Documentation Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Communicate Preventive
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Process or Activity Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Communicate Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Communicate Preventive
    Route notifications, as necessary. CC ID 12832 Process or Activity Preventive
    Substantiate notifications, as necessary. CC ID 12831 Process or Activity Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Business Processes Preventive
    Prioritize notifications, as necessary. CC ID 12830 Process or Activity Preventive
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Actionable Reports or Measurements Preventive
    Disseminate and communicate internal controls with supply chain members, as necessary. CC ID 12416 Communicate Preventive
    Establish and maintain the organization's survey method. CC ID 12869 Process or Activity Preventive
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Process or Activity Preventive
    Establish and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Establish/Maintain Documentation Preventive
    Establish and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
    Establish and maintain an internal reporting program. CC ID 12409
    [The organization shall determine reporting requirements and their purpose. § 9.4 ¶ 1]
    Business Processes Preventive
    Include transactions and events as a part of internal reporting. CC ID 12413 Business Processes Preventive
    Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 Communicate Preventive
    Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 Establish/Maintain Documentation Preventive
    Define the thresholds for escalation in the internal reporting program. CC ID 14332 Establish/Maintain Documentation Preventive
    Define the thresholds for reporting in the internal reporting program. CC ID 14331 Establish/Maintain Documentation Preventive
  • Monitoring and measurement
    252
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Log Management Detective
    Establish and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitor and Evaluate Occurrences Detective
    Address operational anomalies within the problem management system. CC ID 00589
    [Problems shall be: recorded and classified; § 8.6.3 ¶ 2(a)
    Problems shall be: prioritized; § 8.6.3 ¶ 2(b)
    Problems shall be: escalated if needed; § 8.6.3 ¶ 2(c)
    Problems shall be: resolved if possible; § 8.6.3 ¶ 2(d)
    Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3]
    Business Processes Detective
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: monitoring and measurement results; § 9.3 ¶ 2(c)(2)]
    Log Management Preventive
    Protect the event logs from failure. CC ID 06290 Log Management Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Data and Information Management Preventive
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Testing Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Establish/Maintain Documentation Corrective
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Audits and Risk Management Preventive
    Review event logs, Intrusion Detection System reports, security incident tracking reports, and other security logs regularly. CC ID 00596
    [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1]
    Log Management Detective
    Eliminate false positives in event logs, intrusion detection system reports, security incident tracking reports, and other security logs. CC ID 07047 Log Management Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Log Management Detective
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Technical Security Detective
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Investigate Corrective
    Reproduce the event log if a log failure is captured. CC ID 01426 Log Management Preventive
    Assess customer satisfaction. CC ID 00652
    [At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4
    At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4
    The management review shall include consideration of: feedback from customers and other interested parties; § 9.3 ¶ 2(e)]
    Testing Detective
    Establish and maintain a continuous monitoring for Configuration Management program. CC ID 06757
    [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4]
    Establish/Maintain Documentation Detective
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 Process or Activity Detective
    Establish and maintain an automated configuration monitoring system, as necessary. CC ID 07058 Monitor and Evaluate Occurrences Detective
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitor and Evaluate Occurrences Detective
    Escalate the report when the software configuration is updated absent authorization. CC ID 04886 Monitor and Evaluate Occurrences Detective
    Monitor for firmware updates absent authorization. CC ID 10675 Monitor and Evaluate Occurrences Detective
    Implement file integrity monitoring. CC ID 01205 Monitor and Evaluate Occurrences Detective
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Technical Security Detective
    Monitor for software configurations updates absent authorization. CC ID 10676 Monitor and Evaluate Occurrences Preventive
    Allow expected changes during file integrity monitoring. CC ID 12090 Technical Security Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitor and Evaluate Occurrences Preventive
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Establish/Maintain Documentation Preventive
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Process or Activity Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Behavior Preventive
    Monitor and evaluate user account activity. CC ID 07066 Monitor and Evaluate Occurrences Detective
    Develop and maintain a usage profile for each user account. CC ID 07067 Technical Security Preventive
    Log account usage to determine dormant accounts. CC ID 12118 Log Management Detective
    Log account usage times. CC ID 07099 Log Management Detective
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitor and Evaluate Occurrences Detective
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitor and Evaluate Occurrences Detective
    Log account usage durations. CC ID 12117 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Communicate Detective
    Log Internet Protocol addresses used during logon. CC ID 07100 Log Management Detective
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitor and Evaluate Occurrences Detective
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 Communicate Detective
    Establish and maintain a service management monitoring and metrics program. CC ID 13916
    [At planned intervals, the organization shall: monitor and report on demand and consumption of services. § 8.4.2 ¶ 1(b)
    At planned intervals, the organization shall: monitor and report on demand and consumption of services. § 8.4.2 ¶ 1(b)
    Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2
    Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2]
    Establish/Maintain Documentation Preventive
    Communicate trends in service management to all interested personnel and affected parties. CC ID 13926
    [Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. § 9.4 ¶ 2]
    Communicate Preventive
    Monitor service availability when implementing the service management monitoring and metrics program. CC ID 13921
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3
    {availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3]
    Monitor and Evaluate Occurrences Detective
    Compare the performance metrics of service availability against their targets, as necessary. CC ID 13922
    [{availability issue}{document} Service availability shall be monitored, the results recorded and compared with the targets. Unplanned non-availability shall be investigated and necessary actions taken. § 8.7.1 ¶ 3]
    Monitor and Evaluate Occurrences Detective
    Establish and maintain a compliance monitoring policy. CC ID 00671
    [The organization shall determine: when the monitoring and measuring shall be performed; § 9.1 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Establish and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Establish and maintain risk management metrics. CC ID 01656 Establish/Maintain Documentation Preventive
    Report on the percentage of key Information Technology assets for which an assurance strategy is implemented. CC ID 01657 Actionable Reports or Measurements Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Actionable Reports or Measurements Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Actionable Reports or Measurements Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Actionable Reports or Measurements Detective
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Business Processes Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Audits and Risk Management Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f)]
    Monitor and Evaluate Occurrences Detective
    Identify and document instances of non-compliance with the organizational compliance framework. CC ID 06499
    [The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Business Processes Detective
    Determine the causes of compliance violations. CC ID 12401
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.1.1 ¶ 1(b)(1)
    When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.1.1 ¶ 1(b)(2)]
    Investigate Corrective
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Establish/Maintain Documentation Preventive
    Identify and document conditions of non-compliance with the organizational compliance framework. CC ID 12934
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: § 10.1.1 ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Determine if multiple compliance violations of the same type could occur. CC ID 12402
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities exist, or could potentially occur; § 10.1.1 ¶ 1(b)(3)]
    Investigate Detective
    Correct compliance violations. CC ID 13515
    [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: § 10.1.1 ¶ 1(a)
    When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.1.1 ¶ 1(a)(1)
    When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: deal with the consequences; § 10.1.1 ¶ 1(a)(2)
    When a nonconformity occurs, the organization shall: implement any action needed; § 10.1.1 ¶ 1(c)]
    Process or Activity Corrective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403
    [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.1.1. ¶ 1(d)]
    Investigate Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404
    [Corrective actions shall be appropriate to the effects of the nonconformities encountered. § 10.1.1 ¶ 2]
    Human Resources Management Preventive
    Establish and maintain compliance program metrics. CC ID 11625 Monitor and Evaluate Occurrences Preventive
    Establish and maintain a security program metrics program. CC ID 01660 Establish/Maintain Documentation Preventive
    Report on the policies and controls that have been implemented by management. CC ID 01670
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: reporting on implemented improvements. § 10.2 ¶ 3(e)]
    Actionable Reports or Measurements Detective
    Establish and maintain a key management roles metrics standard. CC ID 11631 Establish/Maintain Documentation Preventive
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Actionable Reports or Measurements Detective
    Establish and maintain a key stakeholder metrics program. CC ID 01661 Establish/Maintain Documentation Preventive
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Actionable Reports or Measurements Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Establish/Maintain Documentation Preventive
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Actionable Reports or Measurements Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Actionable Reports or Measurements Preventive
    Establish and maintain a Business Continuity metrics program. CC ID 01663
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: targets for service availability when the service continuity plan is invoked; § 8.7.2 ¶ 2(c)]
    Establish/Maintain Documentation Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Actionable Reports or Measurements Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Actionable Reports or Measurements Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Actionable Reports or Measurements Detective
    Establish and maintain an audit metrics program. CC ID 01664 Establish/Maintain Documentation Preventive
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Actionable Reports or Measurements Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Actionable Reports or Measurements Detective
    Report on the percentage of audit findings that have been resolved. CC ID 01678 Actionable Reports or Measurements Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071
    [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2(a)]
    Actionable Reports or Measurements Detective
    Establish and maintain an Information Security metrics program. CC ID 01665 Establish/Maintain Documentation Preventive
    Establish and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish and maintain a metrics standard and template. CC ID 02157 Establish/Maintain Documentation Preventive
    Monitor compliance with the Quality Control system. CC ID 01023 Actionable Reports or Measurements Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Actionable Reports or Measurements Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Actionable Reports or Measurements Preventive
    Establish and maintain a policies and controls metrics program. CC ID 01666 Establish/Maintain Documentation Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Actionable Reports or Measurements Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Actionable Reports or Measurements Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Establish/Maintain Documentation Preventive
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Actionable Reports or Measurements Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 Actionable Reports or Measurements Detective
    Establish and maintain a role-based information access metrics program. CC ID 01668 Establish/Maintain Documentation Preventive
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Actionable Reports or Measurements Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Actionable Reports or Measurements Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Actionable Reports or Measurements Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Actionable Reports or Measurements Detective
    Establish and maintain an information risk threshold metrics program. CC ID 01694 Establish/Maintain Documentation Preventive
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Actionable Reports or Measurements Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042
    [The organization shall determine and document: risks related to: approach to be taken for the management of risks. § 6.1.2 ¶ 1(d)]
    Actionable Reports or Measurements Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Actionable Reports or Measurements Detective
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Establish/Maintain Documentation Preventive
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Actionable Reports or Measurements Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Actionable Reports or Measurements Detective
    Report on the percentage of audit findings that have been corrected since the last audit. CC ID 02051 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Business Processes Preventive
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Actionable Reports or Measurements Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Actionable Reports or Measurements Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Actionable Reports or Measurements Detective
    Establish and maintain an Information Systems architecture metrics program. CC ID 02059 Business Processes Preventive
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Actionable Reports or Measurements Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Actionable Reports or Measurements Detective
    Establish and maintain a physical environment metrics program. CC ID 02063 Business Processes Preventive
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Actionable Reports or Measurements Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Actionable Reports or Measurements Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Actionable Reports or Measurements Detective
    Establish and maintain a reporting methodology program. CC ID 02072 Business Processes Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Establish/Maintain Documentation Preventive
    Establish and maintain a user identification and authentication metrics program. CC ID 02073 Business Processes Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that perform password policy verification. CC ID 02086 Actionable Reports or Measurements Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Actionable Reports or Measurements Detective
    Establish and maintain a user account management metrics program. CC ID 02075 Business Processes Preventive
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Actionable Reports or Measurements Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Actionable Reports or Measurements Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Actionable Reports or Measurements Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Actionable Reports or Measurements Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Actionable Reports or Measurements Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Actionable Reports or Measurements Detective
    Establish and maintain a Configuration Management metrics program. CC ID 02077 Business Processes Preventive
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Actionable Reports or Measurements Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Actionable Reports or Measurements Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Actionable Reports or Measurements Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Actionable Reports or Measurements Detective
    Report on the percentage of systems where the authority to make configuration changes are limited. CC ID 02101 Actionable Reports or Measurements Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Actionable Reports or Measurements Detective
    Establish and maintain a Security Information and Event Management metrics program. CC ID 02078 Log Management Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Log Management Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Log Management Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Log Management Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Actionable Reports or Measurements Detective
    Establish and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Business Processes Preventive
    Report on the percentage of laptops and mobile devices that are needing to be in compliance with the approved configuration standard before granting network access. CC ID 02106 Actionable Reports or Measurements Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Actionable Reports or Measurements Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Actionable Reports or Measurements Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Actionable Reports or Measurements Detective
    Establish and maintain a malicious code protection management metrics program. CC ID 02080 Business Processes Preventive
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Actionable Reports or Measurements Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Actionable Reports or Measurements Detective
    Establish and maintain a Software Change Management metrics program. CC ID 02081 Business Processes Preventive
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Actionable Reports or Measurements Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Actionable Reports or Measurements Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Actionable Reports or Measurements Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Actionable Reports or Measurements Detective
    Establish and maintain a network management and firewall management metrics program. CC ID 02082 Business Processes Preventive
    Establish and maintain a network activity baseline. CC ID 13188 Technical Security Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Actionable Reports or Measurements Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Business Processes Preventive
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Actionable Reports or Measurements Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Actionable Reports or Measurements Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Actionable Reports or Measurements Detective
    Establish and maintain a backup management and recovery management metrics program. CC ID 02084 Business Processes Preventive
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Actionable Reports or Measurements Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Actionable Reports or Measurements Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Actionable Reports or Measurements Detective
    Establish and maintain an incident management and vulnerability management metrics program. CC ID 02085 Business Processes Preventive
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Actionable Reports or Measurements Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Actionable Reports or Measurements Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Actionable Reports or Measurements Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Actionable Reports or Measurements Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Actionable Reports or Measurements Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Actionable Reports or Measurements Detective
    Establish and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Establish/Maintain Documentation Preventive
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Actionable Reports or Measurements Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Actionable Reports or Measurements Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Actionable Reports or Measurements Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Actionable Reports or Measurements Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Actionable Reports or Measurements Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Actionable Reports or Measurements Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Actionable Reports or Measurements Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Testing Preventive
    Establish and maintain a log management program. CC ID 00673 Establish/Maintain Documentation Preventive
    Deploy log normalization tools, as necessary. CC ID 12141 Technical Security Preventive
    Restrict access to logs to a need to know basis. CC ID 01342 Log Management Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Technical Security Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Log Management Preventive
    Back up audit trails according to backup procedures. CC ID 11642 Systems Continuity Preventive
    Back up logs according to backup procedures. CC ID 01344 Log Management Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Log Management Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Log Management Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Log Management Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Log Management Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Log Management Preventive
    Protect logs from unauthorized activity. CC ID 01345 Log Management Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Log Management Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Log Management Preventive
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Configuration Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Log Management Preventive
    Establish and maintain a cross-organizational audit sharing agreement. CC ID 10595 Establish/Maintain Documentation Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Audits and Risk Management Preventive
    Create a plan of action to correct control deficiencies identified in an audit. CC ID 00675
    [The management review shall include consideration of: information on the performance and effectiveness of the SMS, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2(c)(1)
    The organization shall monitor and review the effectiveness of information security controls and take necessary actions. § 8.7.3.2 ¶ 3]
    Monitor and Evaluate Occurrences Detective
    Include the completion date in the plan of action. CC ID 13272 Establish/Maintain Documentation Preventive
  • Operational and Systems Continuity
    99
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish and maintain a continuity framework. CC ID 00732 Establish/Maintain Documentation Preventive
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1]
    Systems Continuity Detective
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan and associated continuity procedures. CC ID 00752
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: § 8.7.2 ¶ 2]
    Establish/Maintain Documentation Preventive
    Identify all stakeholders in the continuity plan. CC ID 13256 Establish/Maintain Documentation Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Establish/Maintain Documentation Preventive
    Include the continuity strategy in the organization's continuity plan. CC ID 13189 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)]
    Establish/Maintain Documentation Preventive
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Process or Activity Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Establish/Maintain Documentation Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Establish/Maintain Documentation Preventive
    Review and update the continuity procedures, as necessary. CC ID 14236 Establish/Maintain Documentation Corrective
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Establish/Maintain Documentation Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Configuration Preventive
    Install a generator sized to support the facility. CC ID 06709 Configuration Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Acquisition/Sale of Assets or Services Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: service recovery requirements; § 8.7.2 ¶ 2(d)]
    Establish/Maintain Documentation Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Establish/Maintain Documentation Preventive
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Establish/Maintain Documentation Preventive
    Review and update the continuity plan call tree mechanism after a personnel status change. CC ID 01167 Testing Detective
    Establish and maintain damage assessment procedures. CC ID 01267
    [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish and maintain a recovery plan. CC ID 13288 Establish/Maintain Documentation Preventive
    Review and update the recovery plan, as necessary. CC ID 13300 Establish/Maintain Documentation Corrective
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Implement the recovery plan. CC ID 13299 Process or Activity Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data and program backup procedures in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Test the backup information, as necessary. CC ID 13303 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Include restoration procedures in the continuity plan. CC ID 01169
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures to be implemented in the event of a major loss of service; § 8.7.2 ¶ 2(b)
    The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: procedures for returning to normal working conditions. § 8.7.2 ¶ 2(e)]
    Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation, as necessary. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation, as necessary. CC ID 10664 Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Systems Continuity Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Communicate Preventive
    Establish and maintain system continuity plan strategies for all in scope systems. CC ID 00735 Establish/Maintain Documentation Preventive
    Define and prioritize critical business functions. CC ID 00736
    [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2]
    Establish/Maintain Documentation Detective
    Review and prioritize the importance of each business unit. CC ID 01165 Systems Continuity Preventive
    Review and prioritize the importance of each business process. CC ID 11689 Establish/Maintain Documentation Preventive
    Document the mean time to failure for system components. CC ID 10684 Systems Continuity Preventive
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Audits and Risk Management Preventive
    Include emergency communications procedures in the continuity plan. CC ID 00750
    [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include managing multiple responding organizations in the emergency communications plan. CC ID 01249 Establish/Maintain Documentation Preventive
    Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 Systems Continuity Preventive
    Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 Establish/Maintain Documentation Preventive
    Log important conversations conducted during emergencies with third parties. CC ID 12763 Log Management Preventive
    Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 Communicate Preventive
    Identify who can speak to the media in the emergency communications procedures. CC ID 12761 Communicate Corrective
    Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 Establish/Maintain Documentation Preventive
    Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171
    [The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. § 8.7.2 ¶ 3]
    Establish/Maintain Documentation Preventive
    Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 Systems Continuity Preventive
    Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745 Establish/Maintain Documentation Preventive
    Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893
    [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)]
    Establish/Maintain Documentation Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4
    At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Testing Detective
    Establish and maintain a continuity test plan. CC ID 04896 Establish/Maintain Documentation Preventive
    Include testing all system components in the continuity test plan. CC ID 13508 Establish/Maintain Documentation Preventive
    Include test scenarios in the continuity test plan. CC ID 13506 Establish/Maintain Documentation Preventive
    Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 Establish/Maintain Documentation Preventive
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Testing Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Testing Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Testing Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 Testing Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Testing Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Testing Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082 Testing Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Testing Preventive
    Test the continuity plan at the alternate facility. CC ID 01174 Testing Detective
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Establish/Maintain Documentation Preventive
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Testing Preventive
    Review all third party's continuity plan test results. CC ID 01365 Testing Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Testing Detective
    Document the continuity plan test results and provide them to senior management. CC ID 06548
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Actionable Reports or Measurements Preventive
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Testing Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Testing Detective
    Review and update the business continuity plan testing program, as necessary. CC ID 12994 Process or Activity Corrective
    Conduct external audits of the Business Continuity Plan testing program. CC ID 13216 Testing Detective
    Implement the continuity plan, as necessary. CC ID 10604 Systems Continuity Corrective
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373
    [The organization shall create, implement and maintain one or more service continuity plans. The service continuity plan(s) shall include or contain a reference to: criteria and responsibilities for invoking service continuity; § 8.7.2 ¶ 2(a)]
    Systems Continuity Corrective
    Maintain normal security levels when an emergency occurs. CC ID 06377 Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Systems Continuity Preventive
    Review and update the continuity plan. CC ID 00754
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4
    At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Establish/Maintain Documentation Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Communicate Corrective
    Document and use the lessons learned to update the continuity plan. CC ID 10037
    [The organization shall report on the cause, impact and recovery when the service continuity plan(s) has been invoked. § 8.7.2 ¶ 5
    The organization shall report on the cause, impact and recovery when the service continuity plan(s) has been invoked. § 8.7.2 ¶ 5
    The organization shall report on the cause, impact and recovery when the service continuity plan(s) has been invoked. § 8.7.2 ¶ 5]
    Establish/Maintain Documentation Preventive
  • Operational management
    358
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish and implement a capacity management plan. CC ID 11751
    [The organization shall plan capacity to include: timescales and thresholds for changes to service capacity. § 8.4.3 ¶ 2(c)
    The organization shall plan capacity to include: timescales and thresholds for changes to service capacity. § 8.4.3 ¶ 2(c)
    At planned intervals, the organization shall: determine current demand and forecast future demand for services; § 8.4.2 ¶ 1(a)
    At planned intervals, the organization shall: determine current demand and forecast future demand for services; § 8.4.2 ¶ 1(a)
    {service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2
    The organization shall plan capacity to include: current and forecast capacity based on demand for services; § 8.4.3 ¶ 2(a)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a capacity planning baseline. CC ID 13492
    [{service availability target} Service availability requirements and targets shall be documented and maintained. § 8.7.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 Business Processes Preventive
    Align critical Information Technology resource availability planning with capacity planning. CC ID 01618
    [{service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)]
    Business Processes Preventive
    Provide excess capacity or redundancy to limit any effects of a Denial of Service attack. CC ID 06754 Technical Security Preventive
    Implement network redundancy, as necessary. CC ID 13048 Systems Continuity Preventive
    Forecast system workloads. CC ID 00938 Testing Detective
    Establish and maintain workload forecasting tools. CC ID 00936 Systems Design, Build, and Implementation Preventive
    Utilize resource capacity management controls. CC ID 00939 Testing Detective
    Perform system capacity testing. CC ID 01616 Testing Detective
    Perform system performance reviews. CC ID 11866 Testing Detective
    Follow the resource workload schedule. CC ID 00941 Business Processes Detective
    Establish and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish and maintain a positive information control environment. CC ID 00813
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: § 5.1 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that what constitutes value for the organization and its customers is determined; § 5.1 ¶ 1(d)]
    Business Processes Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Behavior Preventive
    Establish and maintain an internal control framework. CC ID 00820 Establish/Maintain Documentation Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [Where service level targets are not met, the organization shall identify opportunities for improvement. § 8.3.3 ¶ 4
    At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. § 8.3.2 ¶ 4
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3
    The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. § 9.3 ¶ 3
    The management review shall include consideration of: opportunities for continual improvement; § 9.3 ¶ 2(d)]
    Establish/Maintain Documentation Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745
    [Information security incidents shall be: escalated if needed; § 8.7.3.3 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Establish and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Establish and maintain an information security policy. CC ID 11740
    [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Review and update the information security policy, as necessary. CC ID 11741 Establish/Maintain Documentation Corrective
    Review the information security procedures, as necessary. CC ID 12006 Business Processes Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). § 8.7.3.1 ¶ 1]
    Process or Activity Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within the: external suppliers, internal suppliers and other interested parties. § 8.7.3.1 ¶ 2(c)
    The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: § 8.7.3.1 ¶ 2
    The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: § 8.7.3.1 ¶ 2
    The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: § 8.7.3.1 ¶ 2
    The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: the organization; § 8.7.3.1 ¶ 2(a)
    The information security policy shall be made available as appropriate. The organization shall communicate the importance of conforming to the information security policy and its applicability to the SMS and the services to appropriate persons within: customers and users; § 8.7.3.1 ¶ 2(b)]
    Communicate Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818
    [implementing control of the processes in accordance with the established performance criteria; § 8.1 ¶ 1(b)]
    Business Processes Preventive
    Analyze how policies are used to create management boundaries relates to the governance, risk, and compliance approach. CC ID 12821 Process or Activity Preventive
    Analyze how the organization sets limits in policies relating to the governance, risk, and compliance approach. CC ID 12819 Process or Activity Preventive
    Analyze how the tone at the top influences the governance, risk, and compliance approach. CC ID 12818 Process or Activity Preventive
    Analyze the degree to which the governing body is engaged in the governance, risk, and compliance approach. CC ID 12817 Process or Activity Preventive
    Analyze the organization's governance, risk, and compliance approach. CC ID 12816 Process or Activity Preventive
    Analyze the organizational culture. CC ID 12899 Process or Activity Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Process or Activity Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Process or Activity Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Process or Activity Detective
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Behavior Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Behavior Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Behavior Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Behavior Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Behavior Preventive
    Establish and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Process or Activity Corrective
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [{planning} The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: § 8.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Provide assurance to interested personnel and affected parties that the governance, risk, and compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Communicate Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004 Business Processes Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 Behavior Preventive
    Establish and maintain a Service Management System, as necessary. CC ID 13889
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the SMS achieves its intended outcome(s); § 5.1 ¶ 1(i)
    When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: making changes to the SMS, if necessary; § 10.2 ¶ 3(c)
    When a nonconformity occurs, the organization shall: make changes to the SMS, if necessary. § 10.1.1 ¶ 1(e)
    The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1]
    Business Processes Preventive
    Establish and maintain a scope statement for the Service Management System. CC ID 13890
    [The organization shall determine: the relevant requirements of these interested parties. § 4.2 ¶ 1(b)
    When planning how to achieve its service management objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1(a)
    The documented information for the SMS shall include: scope of the SMS; § 7.5.4 ¶ 1(a)
    {service management system}When determining this scope, the organization shall consider: the requirements referred to in 4.2; § 4.3 ¶ 2(b)
    {service management system} When determining this scope, the organization shall consider: the services delivered by the organization. § 4.3 ¶ 2(c)
    The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4
    The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c)
    The organization's SMS shall include: documented information determined by the organization as being necessary for the effectiveness of the SMS. § 7.5.1 ¶ 1(b)
    The organization's SMS shall include: documented information required by this document; § 7.5.1 ¶ 1(a)
    The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include the organization's name in the scope statement for the Service Management System. CC ID 13913
    [The definition of the scope of the SMS shall include the services in scope and the name of the organization managing and delivering the services. § 4.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish and maintain a service management program. CC ID 11388
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    The service management policy shall: be available as documented information; § 5.2.2 ¶ 1(a)
    Other planning activities shall maintain alignment with the service management plan. § 6.3 ¶ 3
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    When planning how to achieve its service management objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1(d)
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be updated as appropriate. § 6.2.1 ¶ 1(f)
    The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5
    At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3
    Top management shall review the organization's SMS and the services, at planned intervals, to ensure their continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1
    The organization shall determine: what needs to be monitored and measured for the SMS and the services; § 9.1 ¶ 1(a)
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Communicate the service management program to interested personnel and affected parties. CC ID 13904
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)
    The service management policy shall: be communicated within the organization; § 5.2.2 ¶ 1(b)
    The service management policy shall: be available to interested parties, as appropriate. § 5.2.2 ¶ 1(c)
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be communicated; § 6.2.1 ¶ (e)
    Persons doing work under the organization's control shall be aware of: the service management policy; § 7.3 ¶ 1(a)
    The scope of the SMS shall be available and be maintained as documented information. § 4.3 ¶ 4]
    Communicate Preventive
    Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927
    [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7]
    Communicate Preventive
    Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924
    [Information about the success or failure of releases and future release dates shall be made available for other service management activities as appropriate. § 8.5.3 ¶ 7]
    Communicate Preventive
    Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909
    [Persons doing work under the organization's control shall be aware of: the implications of not conforming with the SMS requirements. § 7.3 ¶ 1(e)]
    Communicate Preventive
    Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908
    [Persons doing work under the organization's control shall be aware of: their contribution to the effectiveness of the SMS, including the benefits of improved performance; § 7.3 ¶ 1(d)]
    Communicate Preventive
    Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: communicating the importance of effective service management, achieving the service management objectives, delivering value and conforming to the SMS requirements; § 5.1 ¶ 1(h)]
    Communicate Preventive
    Include a service management plan in the service management program. CC ID 13902
    [The documented information for the SMS shall include: service management plan; § 7.5.4 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Include the information security policy in the service management program. CC ID 13925
    [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Include the change management policy in the service management program. CC ID 13923
    [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Include the service management objectives in the service management program. CC ID 11389
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a)
    Top management shall establish a service management policy that: provides a framework for setting service management objectives; § 5.2.1 ¶ 1(b)
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: be consistent with the service management policy; § 6.2.1 ¶ 1(a)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    {organization level} The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: § 6.2.1 ¶ 1
    {organization level} The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: § 6.2.1 ¶ 1
    The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b)
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: intended outcomes from delivering the new or changed services, expressed in measurable terms; § 8.5.2.1 ¶ 1(g)
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include the service requirements in the service management program. CC ID 11390
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    Top management shall establish a service management policy that: includes a commitment to satisfy applicable requirements; § 5.2.1 ¶ 1(c)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    The organization shall establish service management objectives at relevant functions and levels. The service management objectives shall: take into account applicable requirements; § 6.2.1 ¶ 1(c)
    The documented information for the SMS shall include: service requirements; § 7.5.4 ¶ 1(f)
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    The service requirements for existing services, new services and changes to services shall be determined and documented. § 8.2.2 ¶ 1
    Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: dependencies on other services; 8.5.2.1 ¶ 1(d)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: § 8.5.2.1 ¶ 1
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include known limitations in the service management program. CC ID 11391
    [The organization shall determine the boundaries and applicability of the SMS to establish its scope. § 4.3 ¶ 1
    The organization shall determine the boundaries and applicability of the SMS to establish its scope. § 4.3 ¶ 1
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    The service management plan shall include or contain a reference to: known limitations that can impact the SMS and the services; § 6.3 ¶ 2(b)
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include service management policies in the service management program. CC ID 11392
    [Top management shall establish a service management policy that: § 5.2.1 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management plan is created, implemented and maintained in order to support the service management policy, and the achievement of the service management objectives and service requirements; § 5.1 ¶ 1(b)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the service management policy and service management objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1(a)
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    The documented information for the SMS shall include: policy and objectives for service management; § 7.5.4 ¶ 1(b)
    The organization shall propose changes where needed to align the services with the service management policy, service management objectives and service requirements, taking into consideration known limitations and risks. § 8.2.2 ¶ 3
    The service management plan shall include or contain a reference to: obligations such as relevant policies, standards, legal, regulatory and contractual requirements, and how these obligations apply to the SMS and the services; § 6.3 ¶ 2(c)
    Top management shall establish a service management policy that: is appropriate to the purpose of the organization; § 5.2.1 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Assign roles and responsibilities in the service management program. CC ID 11393
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: directing and supporting persons to contribute to the effectiveness of the SMS and the services; § 5.1 ¶ 1(j)
    Top management shall assign the responsibility and authority for: ensuring that the SMS conforms to the requirement of this document; § 5.3 ¶ 2(a)
    Top management shall assign the responsibility and authority for: reporting on the performance of the SMS and the services to top management. § 5.3 ¶ 2(b)
    {responsible party}When planning how to achieve its service management objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1(c)
    The organization shall retain accountability for the requirements specified in this document and the delivery of the services regardless of which party is involved in performing activities to support the service lifecycle. § 8.2.3.1 ¶ 1
    The organization shall retain accountability for the requirements specified in this document and the delivery of the services regardless of which party is involved in performing activities to support the service lifecycle. § 8.2.3.1 ¶ 1
    Top management shall ensure that the responsibilities and authorities for roles relevant to the SMS and the services are assigned and communicated within the organization. § 5.3 ¶ 1
    The service management plan shall include or contain a reference to: authorities and responsibilities for the SMS and the services § 6.3 ¶ 2(d)
    The service management plan shall include or contain a reference to: authorities and responsibilities for the SMS and the services § 6.3 ¶ 2(d)
    Persons doing work under the organization's control shall be aware of: the service management objectives; § 7.3 ¶ 1(b)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: authorities and responsibilities for design, build and transition activities; § 8.5.2.1 ¶ 1(a)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: activities to be performed by the organization or other parties with their timescales; § 8.5.2.1 ¶ 1(b)
    {new service}The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: authorities and responsibilities of the parties involved in the delivery of the new or changed services; § 8.5.2.2 ¶ 1(a)
    {new service}The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: authorities and responsibilities of the parties involved in the delivery of the new or changed services; § 8.5.2.2 ¶ 1(a)
    The organization shall operate the SMS ensuring co-ordination of the activities and the resources. The organization shall perform the activities required to deliver services. § 8.2.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include all resources needed to achieve the objectives in the service management program. CC ID 11394
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring that the resources needed for the SMS and the services are available; § 5.1 ¶ 1(g)
    When planning how to achieve its service management objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1(b)
    {necessary resource} The organization shall determine and provide the human, technical, information and financial resources needed for the establishment, implementation, maintenance and continual improvement of the SMS and the operation of the services to meet the service requirements and achieve the service management objectives. § 7.1 ¶ 1
    {necessary resource} The organization shall determine and provide the human, technical, information and financial resources needed for the establishment, implementation, maintenance and continual improvement of the SMS and the operation of the services to meet the service requirements and achieve the service management objectives. § 7.1 ¶ 1
    {necessary resource} The organization shall determine and provide the human, technical, information and financial resources needed for the establishment, implementation, maintenance and continual improvement of the SMS and the operation of the services to meet the service requirements and achieve the service management objectives. § 7.1 ¶ 1
    The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1
    {new service}{manpower}{technical resource}{information resource} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: human, technical, information and financial resources; § 8.5.2.1 ¶ 1(c)
    {new service}{manpower}{technical resource}{information resource} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: human, technical, information and financial resources; § 8.5.2.1 ¶ 1(c)
    {new service}{manpower}{technical resource}{information resource} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: human, technical, information and financial resources; § 8.5.2.1 ¶ 1(c)
    {new service}{manpower}{technical resource}{information resource} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: human, technical, information and financial resources; § 8.5.2.1 ¶ 1(c)
    {manpower}{technical resource}{information resource}The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for changes to human, technical, information and financial resources; § 8.5.2.2 ¶ 1(b)
    {manpower}{technical resource}{information resource}The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for changes to human, technical, information and financial resources; § 8.5.2.2 ¶ 1(b)
    {manpower}{technical resource}{information resource}The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for changes to human, technical, information and financial resources; § 8.5.2.2 ¶ 1(b)
    {manpower}{technical resource}{information resource}The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: requirements for changes to human, technical, information and financial resources; § 8.5.2.2 ¶ 1(b)
    {manpower}{technical resource}{information resource}{service requirement} The capacity requirements for human, technical, information and financial resources shall be determined, documented and maintained taking into consideration the service and performance requirements. § 8.4.3 ¶ 1
    {manpower}{technical resource}{information resource}{service requirement} The capacity requirements for human, technical, information and financial resources shall be determined, documented and maintained taking into consideration the service and performance requirements. § 8.4.3 ¶ 1
    {manpower}{technical resource}{information resource}{service requirement} The capacity requirements for human, technical, information and financial resources shall be determined, documented and maintained taking into consideration the service and performance requirements. § 8.4.3 ¶ 1
    {manpower}{technical resource}{information resource}{service requirement} The capacity requirements for human, technical, information and financial resources shall be determined, documented and maintained taking into consideration the service and performance requirements. § 8.4.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include supply chain management procedures in the service management program. CC ID 11395
    [The organization shall ensure that outsourced processes are controlled (see 8.2.3). § 8.1 ¶ 3
    Other parties shall not provide or operate all services, service components or processes within the scope of the SMS. § 8.2.3.1 ¶ 3
    The organization shall integrate services, service components and processes in the SMS that are provided or operated by the organization or other parties to meet the service requirements. The organization shall co-ordinate activities with other parties involved in the service lifecycle including the planning, design, transition, delivery and improvement of services. § 8.2.3.1 ¶ 5]
    Establish/Maintain Documentation Preventive
    Include service management procedures in the service management program. CC ID 11396
    [The documented information for the SMS shall include: processes of the organization's SMS; § 7.5.4 ¶ 1(e)
    {new service} Release and deployment management shall be used to deploy approved new or changed services into the live environment. § 8.5.2.3 ¶ 2
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: testing needed for the new or changed services; § 8.5.2.1 ¶ 1(e)
    The organization shall use service design and transition in 8.5.2 for: removal of a service; § 8.5.1.2 ¶ 2(d)
    For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2
    The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from the organization to a customer or other party; § 8.5.1.2 ¶ 2(e)
    The organization shall use service design and transition in 8.5.2 for: transfer of an existing service from a customer or other party to the organization. § 8.5.1.2 ¶ 2(f)]
    Establish/Maintain Documentation Preventive
    Include risk procedures in the service management program. CC ID 11397
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: § 6.1.1 ¶ 1
    {applicable requirements} The organization shall create, implement and maintain a service management plan. Planning shall take into consideration the service management policy, service management objectives, risks and opportunities, service requirements and requirements specified in this document. § 6.3 ¶ 1
    {risk management activity}The organization shall plan: how to: integrate and implement the actions into its SMS processes; § 6.1.3 ¶ 1(b)(1)
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: impact on other services; § 8.5.2.2 ¶ 1(f)
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1
    {service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include all technologies used to support service management in the service management program. CC ID 11398
    [The service management plan shall include or contain a reference to: technology used to support the SMS; § 6.3 ¶ 2(g)
    {necessary resource} The service management plan shall include or contain a reference to: human, technical, information and financial resources necessary to operate the SMS and the services; § 6.3 ¶ 2(e)]
    Establish/Maintain Documentation Preventive
    Include auditing and improving service management procedures in the service management program. CC ID 11399
    [When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: give assurance that the SMS can achieve its intended outcome(s); § 6.1.1 ¶ 1(a)
    Top management shall demonstrate leadership and commitment with respect to the SMS by: promoting continual improvement of the SMS and the services; § 5.1 ¶1(k)
    Top management shall establish a service management policy that: includes a commitment to continual improvement of the SMS and the services. § 5.2.1 ¶ 1(d)
    When planning for the SMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: achieve continual improvement of the SMS and the services. § 6.1.1 ¶ 1(c)
    When planning how to achieve its service management objectives, the organization shall determine: how the results will be evaluated. § 6.2.2 ¶ 1(e)
    {continuous basis} The organization shall continually improve the suitability, adequacy and effectiveness of the SMS and the services. § 10.2 ¶ 1
    {service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: § 10.2 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include continuity plans in the Service Management program. CC ID 13919
    [The documented information for the SMS shall include: change management policy, information security policy and service continuity plan(s); § 7.5.4 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Establish and maintain an Asset Management program. CC ID 06630
    [{external obligation} /* section 6.3 c. refers to external obligations */ The organization shall ensure that assets used to deliver services are managed to meet the service requirements and the obligations in 6.3 c). § 8.2.5 ¶ 1
    {external obligation} /* section 6.3 c. refers to external obligations */ The organization shall ensure that assets used to deliver services are managed to meet the service requirements and the obligations in 6.3 c). § 8.2.5 ¶ 1]
    Business Processes Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Human Resources Management Preventive
    Establish and apply classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Systems Design, Build, and Implementation Preventive
    Establish and maintain the systems' confidentiality level. CC ID 01904 Establish/Maintain Documentation Preventive
    Define confidentiality controls. CC ID 01908 Establish/Maintain Documentation Preventive
    Establish and maintain the systems' availability level. CC ID 01905 Establish/Maintain Documentation Preventive
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Process or Activity Preventive
    Define integrity controls. CC ID 01909 Establish/Maintain Documentation Preventive
    Establish and maintain the systems' integrity level. CC ID 01906 Establish/Maintain Documentation Preventive
    Define availability controls. CC ID 01911 Establish/Maintain Documentation Preventive
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Establish/Maintain Documentation Preventive
    Establish and maintain an asset safety classification scheme. CC ID 06604 Establish/Maintain Documentation Preventive
    Document and disseminate and communicate the Asset Classification Policy. CC ID 06642 Establish/Maintain Documentation Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Establish Roles Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Establish/Maintain Documentation Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Establish Roles Preventive
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Configuration Preventive
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an asset inventory database. CC ID 06631 Business Processes Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Technical Security Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Human Resources Management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Technical Security Detective
    Record software license information for each asset in the asset inventory. CC ID 11736 Data and Information Management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Establish/Maintain Documentation Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Establish/Maintain Documentation Preventive
    Include the software version for applicable assets in the asset inventory. CC ID 12196 Establish/Maintain Documentation Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Establish/Maintain Documentation Preventive
    Include authentication systems in the asset inventory. CC ID 13724 Establish/Maintain Documentation Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Establish/Maintain Documentation Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Establish/Maintain Documentation Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Establish/Maintain Documentation Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Establish/Maintain Documentation Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Establish/Maintain Documentation Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Establish/Maintain Documentation Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Establish/Maintain Documentation Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Data and Information Management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Establish/Maintain Documentation Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Establish/Maintain Documentation Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Establish/Maintain Documentation Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Establish/Maintain Documentation Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Establish/Maintain Documentation Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Establish/Maintain Documentation Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Establish/Maintain Documentation Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Establish/Maintain Documentation Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Establish/Maintain Documentation Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Establish/Maintain Documentation Preventive
    Record all changes to assets in the asset inventory database. CC ID 12190 Establish/Maintain Documentation Preventive
    Include cloud service derived data in the asset inventory database. CC ID 13007 Establish/Maintain Documentation Preventive
    Include cloud service customer data in the asset inventory database, as necessary. CC ID 13006 Establish/Maintain Documentation Preventive
    Establish and maintain a software accountability policy. CC ID 00868 Establish/Maintain Documentation Preventive
    Establish and maintain software asset management procedures. CC ID 00895 Establish/Maintain Documentation Preventive
    Establish and maintain software archives procedures. CC ID 00866 Establish/Maintain Documentation Preventive
    Establish and maintain software distribution procedures. CC ID 00894 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Establish/Maintain Documentation Preventive
    Establish and maintain software license management procedures. CC ID 06639 Establish/Maintain Documentation Preventive
    Automate software license monitoring, as necessary. CC ID 07057 Monitor and Evaluate Occurrences Preventive
    Establish and maintain a system redeployment or disposal program. CC ID 06276 Establish/Maintain Documentation Preventive
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Testing Detective
    Notify organizational unit leaders prior to when the system is redeployed or the system is disposed. CC ID 06400 Behavior Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Data and Information Management Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Acquisition/Sale of Assets or Services Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Establish/Maintain Documentation Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Establish/Maintain Documentation Preventive
    Establish and maintain a system preventive maintenance program. CC ID 00885 Establish/Maintain Documentation Preventive
    Establish and maintain maintenance reports. CC ID 11749 Establish/Maintain Documentation Preventive
    Establish and maintain system inspection reports. CC ID 06346 Establish/Maintain Documentation Preventive
    Review maintenance reports. CC ID 10612 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Establish/Maintain Documentation Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Establish/Maintain Documentation Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Establish/Maintain Documentation Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Communicate Preventive
    Review and update the system maintenance policy. CC ID 14193 Establish/Maintain Documentation Corrective
    Include the purpose in the system maintenance policy. CC ID 14187 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Communicate Preventive
    Review and update the system maintenance procedures, as necessary. CC ID 14178 Establish/Maintain Documentation Corrective
    Include a technology refresh plan in the system preventive maintenance program. CC ID 13061 Establish/Maintain Documentation Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Physical and Environmental Protection Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Behavior Preventive
    Replace system components when third party support is no longer available. CC ID 10644 Maintenance Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Maintenance Preventive
    Control and monitor all maintenance tools. CC ID 01432 Physical and Environmental Protection Detective
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Business Processes Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433 Technical Security Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Configuration Preventive
    Approve all remote maintenance sessions. CC ID 10615 Technical Security Preventive
    Log the performance of all remote maintenance. CC ID 13202 Log Management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Technical Security Preventive
    Conduct maintenance with authorized personnel. CC ID 01434 Testing Detective
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Maintenance Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Maintenance Preventive
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Behavior Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Establish/Maintain Documentation Preventive
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Acquisition/Sale of Assets or Services Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435 Behavior Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Maintenance Preventive
    Employ dedicated systems during system management. CC ID 12108 Technical Security Preventive
    Isolate dedicated systems used for system management from Internet access. CC ID 12114 Technical Security Preventive
    Control granting access to third parties performing maintenance on organizational assets. CC ID 11873 Human Resources Management Preventive
    Identify and authenticate third parties prior to granting access to maintain assets. CC ID 11874 Physical and Environmental Protection Preventive
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Testing Detective
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Establish/Maintain Documentation Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Process or Activity Preventive
    Refrain from protecting physical assets when no longer required. CC ID 13484 Physical and Environmental Protection Corrective
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Business Processes Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278 Business Processes Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Business Processes Preventive
    Establish and maintain disposal contracts, as necessary. CC ID 12199 Establish/Maintain Documentation Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Establish/Maintain Documentation Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Business Processes Preventive
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Establish/Maintain Documentation Preventive
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Testing Detective
    Review each system's operational readiness. CC ID 06275 Systems Design, Build, and Implementation Preventive
    Establish and maintain a data stewardship policy. CC ID 06657 Establish/Maintain Documentation Preventive
    Establish and maintain an unauthorized software list. CC ID 10601 Establish/Maintain Documentation Preventive
    Establish and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Assign roles and responsibilities in the customer service program. CC ID 13911
    [The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. § 8.3.2 ¶ 1]
    Human Resources Management Preventive
    Establish and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include incident escalation procedures in the Incident Management program. CC ID 00856
    [Incidents shall be: escalated if needed; § 8.6.1 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Define the characteristics of the Incident Management program. CC ID 00855 Establish/Maintain Documentation Preventive
    Include the criteria for a security incident in the Incident Management program. CC ID 12173
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include intrusion detection procedures in the Incident Management program. CC ID 00588 Establish/Maintain Documentation Preventive
    Categorize the incident following an incident response. CC ID 13208
    [{document} Information security incidents shall be: recorded and classified; § 8.7.3.3 ¶ 1(a)
    The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2
    The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Technical Security Preventive
    Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 Establish/Maintain Documentation Preventive
    Determine the incident severity level when assessing the security incidents. CC ID 01650
    [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2]
    Monitor and Evaluate Occurrences Corrective
    Respond to and triage when a security incident is detected. CC ID 06942
    [Information security incidents shall be: prioritized taking into consideration the information security risk; § 8.7.3.3 ¶ 1(b)
    Incidents shall be: prioritized taking into consideration impact and urgency; § 8.6.1 ¶ 1(b)]
    Monitor and Evaluate Occurrences Detective
    Document the incident and any relevant evidence in the incident report. CC ID 08659
    [Incidents shall be: recorded and classified; § 8.6.1 ¶ 1(a)
    The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Establish/Maintain Documentation Detective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Process or Activity Corrective
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Behavior Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Process or Activity Corrective
    Create an incident response report following an incident response. CC ID 12700 Establish/Maintain Documentation Preventive
    Include measures to prevent similar security incidents from occurring in the incident response report. CC ID 12720
    [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include a root cause analysis of the security incident in the incident response report. CC ID 12701
    [The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. § 8.6.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Share incident information with interested personnel and affected parties. CC ID 01212
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Data and Information Management Corrective
    Share data loss event information with the media. CC ID 01759 Behavior Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Data and Information Management Preventive
    Share data loss event information with interconnected system owners. CC ID 01209 Establish/Maintain Documentation Corrective
    Report data loss event information to breach notification organizations. CC ID 01210 Data and Information Management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Log Management Detective
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Behavior Corrective
    Include incident management procedures in the Incident Management program. CC ID 12689
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include temporary and emergency access authorization procedures in the Incident Management program. CC ID 00858 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain incident management audit logs. CC ID 13514
    [Records of incidents shall be updated with actions taken. § 8.6.1 ¶ 2]
    Records Management Preventive
    Log incidents in the Incident Management audit log. CC ID 00857 Establish/Maintain Documentation Preventive
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Log Management Corrective
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Log Management Preventive
    Include incident record closure procedures in the Incident Management program. CC ID 01620
    [Information security incidents shall be: closed. § 8.7.3.3 ¶ 1(e)
    Problems shall be: closed. § 8.6.3 ¶ 2(e)
    Incidents shall be: closed. § 8.6.1 ¶ 1(e)]
    Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. § 8.7.3.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish incident reporting time frame standards. CC ID 12142 Communicate Preventive
    Investigate and take action regarding help desk queries. CC ID 06324
    [Service requests shall be: prioritized; § 8.6.2 ¶ 1(b)
    Service requests shall be: fulfilled; § 8.6.2 ¶ 1(c)]
    Behavior Corrective
    Log help desk queries. CC ID 00848
    [Service requests shall be: recorded and classified; § 8.6.2 ¶ 1(a)]
    Log Management Preventive
    Establish and maintain help desk query escalation procedures. CC ID 00849
    [Service requests shall be: closed. § 8.6.2 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Establish and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Establish/Maintain Documentation Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Establish Roles Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Establish Roles Preventive
    Open a priority incident request after a security breach is detected. CC ID 04838 Testing Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Testing Corrective
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Communicate Corrective
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Establish Roles Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Establish Roles Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Establish Roles Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Establish Roles Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Establish Roles Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Establish Roles Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Establish Roles Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Establish Roles Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Establish Roles Preventive
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Human Resources Management Preventive
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Investigate Detective
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Establish/Maintain Documentation Preventive
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Communicate Preventive
    Establish and maintain incident response procedures. CC ID 01206
    [Information security incidents shall be: resolved; § 8.7.3.3 ¶ 1(d)
    Incidents shall be: resolved; § 8.6.1 ¶ 1(d)]
    Establish/Maintain Documentation Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Establish/Maintain Documentation Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Establish/Maintain Documentation Preventive
    Automatically respond when an integrity violation is detected. CC ID 10678 Technical Security Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Technical Security Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Technical Security Corrective
    Review and update the incident response procedures after a security incident has been closed. CC ID 01208
    [The organization shall determine criteria to identify a major incident. Major incidents shall be classified and managed according to a documented procedure. Top management shall be kept informed of major incidents. The organization shall assign responsibility for managing each major incident. After the incident has been resolved, the major incident shall be reported and reviewed to identify opportunities for improvement. § 8.6.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish and maintain a performance management standard. CC ID 01615
    [{planning requirement} establishing performance criteria for the processes based on requirements; § 8.1 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Establish and maintain future system performance forecasting methods. CC ID 11775 Business Processes Preventive
    Use proactive performance management. CC ID 00937
    [At planned intervals, the organization shall review the performance trends and the outcomes of the services. § 8.3.2 ¶ 3]
    Business Processes Detective
    Utilize resource availability management controls. CC ID 00940 Business Processes Detective
    Establish and maintain a remediation plan for deviations in the resource management process. CC ID 13679 Establish/Maintain Documentation Preventive
    Follow the maintenance schedule. CC ID 11791 Maintenance Preventive
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Business Processes Preventive
    Establish and maintain system capacity monitoring procedures. CC ID 01619 Establish/Maintain Documentation Preventive
    Establish and maintain system performance monitoring procedures. CC ID 11752 Establish/Maintain Documentation Preventive
    Establish and maintain a Service Level Agreement framework. CC ID 00839 Establish/Maintain Documentation Preventive
    Include exceptions in the Service Level Agreements, as necessary. CC ID 13912
    [For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845
    [{service availability requirement}{service availability target} At planned intervals, the risks to service availability shall be assessed and documented. The organization shall determine the service availability requirements and targets. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.1 ¶ 1]
    Establish/Maintain Documentation Detective
    Include capacity planning in Service Level Agreements. CC ID 13096
    [At planned intervals, the organization shall monitor, review and report on: actual and periodic changes in workload compared to workload limits in the SLA(s). § 8.3.3 ¶ 3(b)
    For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2
    {service availability requirement}{service continuity requirement} The organization shall plan capacity to include: expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; § 8.4.3 ¶ 2(b)]
    Establish/Maintain Documentation Preventive
    Include business requirements of delivered services in the Service Level Agreement. CC ID 00840
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: service level targets or other contractual obligations; § 8.3.4.1 ¶ 2(c)]
    Establish/Maintain Documentation Preventive
    Include performance requirements in the Service Level Agreement. CC ID 00841
    [For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish and maintain a cost management program, as necessary. CC ID 13638 Establish/Maintain Documentation Preventive
    Establish and maintain cost management procedures. CC ID 00873
    [Costs shall be budgeted to enable effective financial control and decision-making for services. § 8.4.1 ¶ 2
    Costs shall be budgeted to enable effective financial control and decision-making for services. § 8.4.1 ¶ 2
    At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3]
    Business Processes Detective
    Update the business cases for cost management procedures, as necessary. CC ID 13642 Business Processes Preventive
    Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 Investigate Detective
    Identify deviations in cost management procedures. CC ID 13640 Investigate Detective
    Identify and allocate departmental costs. CC ID 00871 Business Processes Detective
    Prepare an annual Information Technology budget. CC ID 00872
    [The organization shall budget and account for services or groups of services in accordance with its financial management policies and processes. § 8.4.1 ¶ 1]
    Establish/Maintain Documentation Detective
    Review and approve the Information Technology budget. CC ID 13644 Business Processes Corrective
    Update the Information Technology budget, as necessary. CC ID 13643 Business Processes Corrective
    Compare actual Information Technology costs to forecasted Information Technology budgets. CC ID 11753
    [At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. § 8.4.1 ¶ 3]
    Business Processes Detective
    Establish and maintain a change control program. CC ID 00886
    [{information security policy} Specific policies that would be required includepan>, but not limited to, the following: Change management § 8.5.1
    A change management policy shall be established and documented to define: § 8.5.1.1 ¶ 1
    A change management policy shall be established and documented to define: service components and other items that are under the control of change management; § 8.5.1.1 ¶ 1(a)
    A change management policy shall be established and documented to define: service components and other items that are under the control of change management; § 8.5.1.1 ¶ 1(a)
    A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243
    [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1¶ 2]
    Establish/Maintain Documentation Preventive
    Include version control in the change control program. CC ID 13119
    [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3.2(c)]
    Establish/Maintain Documentation Preventive
    Include service design and transition in the change control program. CC ID 13920
    [The organization shall use service design and transition in 8.5.2 for: changes to services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(b)
    The organization shall use service design and transition in 8.5.2 for: new services with the potential to have a major impact on customers or other services as determined by the change management policy; § 8.5.1.2 ¶ 2(a)]
    Establish/Maintain Documentation Preventive
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Maintenance Preventive
    Integrate configuration management procedures into the change control program. CC ID 13646 Technical Security Preventive
    Establish and maintain a back-out plan. CC ID 13623
    [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3
    The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4
    {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish back-out procedures for each proposed change in a change request. CC ID 00373
    [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Review and approve back-out plans, as necessary. CC ID 13627
    [{take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3]
    Establish/Maintain Documentation Corrective
    Manage change requests. CC ID 00887
    [{new service} The organization shall prioritize requests for change and proposals for new or changed services to align with business needs and service management objectives, taking into consideration available resources. § 8.2.2 ¶ 4
    {new service} The organization shall prioritize requests for change and proposals for new or changed services to align with business needs and service management objectives, taking into consideration available resources. § 8.2.2 ¶ 4
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2
    {new service} Assessing, approving, scheduling and reviewing of new or changed services in the scope of 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 3
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: changes to the SMS including new or changed policies, plans, processes, procedures, measures and knowledge; § 8.5.2.2 ¶ 1(e)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: § 8.5.1.3 ¶ 1
    Requests for change not being managed through 8.5.2 shall be managed through the change management activities in 8.5.1.3. § 8.5.1.2 ¶ 4]
    Business Processes Preventive
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942
    [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: impact on the SMS, other services, planned changes, customers, users and other interested parties. § 8.5.2.1 ¶ 1(h)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: impact on the SMS, other services, planned changes, customers, users and other interested parties. § 8.5.2.1 ¶ 1(h)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: impact on the SMS, other services, planned changes, customers, users and other interested parties. § 8.5.2.1 ¶ 1(h)
    {new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: impact on the SMS, other services, planned changes, customers, users and other interested parties. § 8.5.2.1 ¶ 1(h)
    A change management policy shall be established and documented to define: criteria to determine changes with the potential to have a major ="background-color:#F0BBBC;" class="term_primary-noun">impact on customers or services. § 8.5.1.1 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a change request approver list. CC ID 06795 Establish/Maintain Documentation Preventive
    Document all change requests in change request forms. CC ID 06794
    [Requests for change, including proposals to add, remove or transfer services, shall be recorded and classified. § 8.5.1.2 ¶ 1
    Requests for change, including proposals to add, remove or transfer services, shall be recorded and classified. § 8.5.1.2 ¶ 1
    {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5]
    Establish/Maintain Documentation Preventive
    Test proposed changes prior to their approval. CC ID 00548
    [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2]
    Testing Detective
    Examine all changes to ensure they correspond with the change request. CC ID 12345
    [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2
    The organization shall review changes for effectiveness and take actions agreed with interested parties. § 8.5.1.3 ¶ 4
    {take appropriate action} The activities to reverse or remedy an unsuccessful change shall be planned and, where possible, tested. Unsuccessful changes shall be investigated and agreed actions taken. § 8.5.1.3 ¶ 3
    {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5
    {trend analysis} At planned intervals, request for change records shall be analysed to detect trends. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. § 8.5.1.3 ¶ 5]
    Business Processes Detective
    Approve tested change requests. CC ID 11783
    [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3]
    Data and Information Management Preventive
    Validate the system before implementing approved changes. CC ID 01510 Systems Design, Build, and Implementation Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807
    [Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2
    Approved changes shall be prepared, verified and, where possible, tested. Proposed deployment dates and other deployment details for approved changes shall be communicated to interested parties. § 8.5.1.3 ¶ 2
    Following the completion of the transition activities, the organization shall report to interested parties on the achievements against the intended outcomes. § 8.5.2.3 ¶ 3]
    Behavior Preventive
    Establish and maintain emergency change procedures. CC ID 00890 Establish/Maintain Documentation Preventive
    Perform emergency changes, as necessary. CC ID 12707 Process or Activity Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Process or Activity Preventive
    Log emergency changes after they have been performed. CC ID 12733 Establish/Maintain Documentation Preventive
    Perform risk assessments prior to approving change requests. CC ID 00888
    [The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: capacity, service availability, service continuity and information security; § 8.5.1.3 ¶ 1(d)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: capacity, service availability, service continuity and information security; § 8.5.1.3 ¶ 1(d)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: capacity, service availability, service continuity and information security; § 8.5.1.3 ¶ 1(d)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: capacity, service availability, service continuity and information security; § 8.5.1.3 ¶ 1(d)
    At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: existing services; § 8.5.1.3 ¶ 1(a)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: other requests for change, releases and plans for deployment. § 8.5.1.3 ¶ 1(e)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: other requests for change, releases and plans for deployment. § 8.5.1.3 ¶ 1(e)
    The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: other requests for change, releases and plans for deployment. § 8.5.1.3 ¶ 1(e)]
    Testing Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Process or Activity Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Investigate Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Investigate Detective
    Implement changes according to the change control program. CC ID 11776
    [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1¶ 2
    Records of problems shall be updated with actions taken. Changes needed for problem resolution shall be managed according to the change management policy. § 8.6.3 ¶ 3
    A change management policy shall be established and documented to define: categories of change, including emergency change, and how they are to be managed; § 8.5.1.1 ¶ 1(b)
    The organization shall use service design and transition in 8.5.2 for: categories of change that are to be managed by service design and transition according to the change management policy; § 8.5.1.2 ¶ 2(c)]
    Business Processes Preventive
    Provide audit trails for all approved changes. CC ID 13120 Establish/Maintain Documentation Preventive
    Establish and maintain a patch management program. CC ID 00896 Process or Activity Preventive
    Document the sources of all software updates. CC ID 13316 Establish/Maintain Documentation Preventive
    Implement patch management software, as necessary. CC ID 12094 Technical Security Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Technical Security Preventive
    Establish and maintain a patch log. CC ID 01642 Establish/Maintain Documentation Preventive
    Review the patch log for missing patches. CC ID 13186 Technical Security Detective
    Perform a patch test prior to deploying a patch. CC ID 00898 Testing Detective
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Business Processes Preventive
    Deploy software patches. CC ID 07032 Configuration Corrective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Testing Detective
    Patch software. CC ID 11825 Technical Security Corrective
    Patch Operating System software. CC ID 11824 Technical Security Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Configuration Corrective
    Remove outdated software after software has been updated. CC ID 11792 Configuration Corrective
    Update computer firmware. CC ID 11755 Configuration Corrective
    Update computer firmware to the latest version once upgrade notification has been received. CC ID 06081 Configuration Preventive
    Review changes to computer firmware. CC ID 12226 Testing Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Testing Detective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Configuration Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Technical Security Detective
    Establish and maintain a software release policy. CC ID 00893 Establish/Maintain Documentation Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Behavior Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Data and Information Management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244
    [The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). § 8.1¶ 2]
    Business Processes Corrective
    Establish and maintain approved change acceptance testing procedures. CC ID 06391 Establish/Maintain Documentation Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Testing Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541
    [The release shall be verified against documented acceptance criteria and approved before deployment. If the acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.3 ¶ 3]
    Testing Detective
    Establish and maintain a change acceptance testing log. CC ID 06392 Establish/Maintain Documentation Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Establish/Maintain Documentation Preventive
    Establish and maintain a configuration change log. CC ID 08710 Configuration Detective
    Review the configuration change log. CC ID 11754 Configuration Detective
    Document approved configuration deviations. CC ID 08711 Establish/Maintain Documentation Corrective
    Update the system's backup procedures after an approved change has occurred. CC ID 04498 Data and Information Management Preventive
    Establish and maintain production process control procedures. CC ID 06209 Establish/Maintain Documentation Preventive
    Establish and maintain a service delivery and production process Quality Management program. CC ID 07194
    [The management review shall include consideration of: adherence to and suitability of the service management policy and other policies required by this document; § 9.3 ¶ 2(f)
    The management review shall include consideration of: performance of the services; § 9.3 ¶ 2(h)
    The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1 ¶ 1(b)
    The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1 ¶ 1(d)
    The organization shall evaluate the SMS performance against the service management objectives and evaluate the effectiveness of the SMS. The organization shall evaluate the effectiveness of the services against the service requirements. § 9.1 ¶ 3
    The organization shall evaluate the SMS performance against the service management objectives and evaluate the effectiveness of the SMS. The organization shall evaluate the effectiveness of the services against the service requirements. § 9.1 ¶ 3
    Where the root cause has been identified, but the problem has not been permanently resolved, the organization shall determine actions to reduce or eliminate the impact of the problem on the services. Known errors shall be recorded. Up-to-date information on known errors and problem resolutions shall be made available for other service management activities as appropriate. § 8.6.3 ¶ 4
    The release shall be deployed into the live environment so that the integrity of the services and service components is maintained. § 8.5.3 ¶ 5
    {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1
    {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1
    {new service} The new or changed services shall be built and tested to verify that they meet the service requirements, conform to the documented design and meet the agreed service acceptance criteria. If the service acceptance criteria are not met, the organization and interested parties shall make a decision on necessary actions and deployment. § 8.5.2.3 ¶ 1
    The service management plan shall include or contain a reference to: how the effectiveness of the SMS and the services will be measured, audited, reported and improved. § 6.3 ¶ 2(h)
    The service management plan shall include or contain a reference to: how the effectiveness of the SMS and the services will be measured, audited, reported and improved. § 6.3 ¶ 2(h)
    The service management plan shall include or contain a reference to: how the effectiveness of the SMS and the services will be measured, audited, reported and improved. § 6.3 ¶ 2(h)
    The service management plan shall include or contain a reference to: how the effectiveness of the SMS and the services will be measured, audited, reported and improved. § 6.3 ¶ 2(h)]
    Business Processes Detective
    Include consumer safety quality improvement projects in the service delivery and production process Quality Management program. CC ID 07195 Establish/Maintain Documentation Detective
    Assign interested personnel and affected parties to service delivery and production process quality improvement projects, as necessary. CC ID 07197 Establish Roles Preventive
    Manage the creation of products and services, as necessary. CC ID 13497
    [{new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: § 8.5.2.2 ¶ 1
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2]
    Business Processes Preventive
    Define the processing specifications for products and services creation requirements. CC ID 13523 Establish/Maintain Documentation Preventive
    Define the processing activities to meet products and services creation requirements. CC ID 13499
    [{new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2
    {new service} The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release. Planning shall include the dates for deployment of each release, deliverables and methods of deployment. § 8.5.3 ¶ 2]
    Business Processes Preventive
    Establish and maintain a service catalog. CC ID 13634
    [The service management plan shall include or contain a reference to: list of services; § 6.3 ¶ 2(a)
    The documented information for the SMS shall include: service catalogue(s); § 7.5.4 ¶ 1(g)
    The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1
    {new service} The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: updates to the service catalogue(s). § 8.5.2.2 ¶ 1(g)]
    Establish/Maintain Documentation Preventive
    Include service deliverables for each service description in the service catalog. CC ID 13918
    [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include a service description in the service catalog. CC ID 13917
    [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914
    [The organization shall create and maintain one or more service catalogues. The service catalogue(s) shall include information for the organization, customers, users and other interested parties to describe the services, their intended outcomes and dependencies between the services. § 8.2.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include Service Level Agreements in the service catalog, as necessary. CC ID 13636
    [{new service}The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Include Information Technology services in the service catalog, as necessary. CC ID 13635 Establish/Maintain Documentation Preventive
    Base definitions of Information Technology services on their service characteristics. CC ID 13655 Establish/Maintain Documentation Preventive
    Communicate the service catalog to interested personnel and affected parties. CC ID 13910
    [The organization shall provide access to appropriate parts of the service catalogue(s) to its customers, users and other interested parties. § 8.2.4 ¶ 2]
    Communicate Preventive
  • Privacy protection for information and data
    46
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish and maintain data handling procedures. CC ID 11756
    [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Establish/Maintain Documentation Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Data and Information Management Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Data and Information Management Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Data and Information Management Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Data and Information Management Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Data and Information Management Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Data and Information Management Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Data and Information Management Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Data and Information Management Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Data and Information Management Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Data and Information Management Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Data and Information Management Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Data and Information Management Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Data and Information Management Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Data and Information Management Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Data and Information Management Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Data and Information Management Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Data and Information Management Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Data and Information Management Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Data and Information Management Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Data and Information Management Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Data and Information Management Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Data and Information Management Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Data and Information Management Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Data and Information Management Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Data and Information Management Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Data and Information Management Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Data and Information Management Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Data and Information Management Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Data and Information Management Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Data and Information Management Preventive
    Define an out of scope privacy breach. CC ID 04677 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Business Processes Preventive
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Monitor and Evaluate Occurrences Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Monitor and Evaluate Occurrences Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Monitor and Evaluate Occurrences Preventive
    Conduct internal data processing audits. CC ID 00374 Testing Detective
  • Records management
    182
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish and maintain records management policies used to manage organizational records. CC ID 00903
    [Documented information required by the SMS and by this document shall be controlled to ensure: § 7.5.3.1]
    Establish/Maintain Documentation Preventive
    Establish and maintain a record classification scheme for forms. CC ID 00911 Establish/Maintain Documentation Detective
    Establish and maintain form creation, management, and distribution procedures. CC ID 06393 Establish/Maintain Documentation Preventive
    Establish and maintain form disposition procedures. CC ID 06394 Establish/Maintain Documentation Preventive
    Establish and maintain a record classification scheme. CC ID 00914 Establish/Maintain Documentation Preventive
    Establish and maintain a business activity classification standard. CC ID 00915 Establish/Maintain Documentation Preventive
    Establish and maintain records registration procedures. CC ID 00913 Establish/Maintain Documentation Detective
    Define the terms used in the record classification scheme. CC ID 00916 Establish/Maintain Documentation Detective
    Establish and maintain a records authentication system. CC ID 11648 Establish/Maintain Documentation Preventive
    Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662
    [When creating and updating documented information, the organization shall ensure appropriate: identification and description (e.g. a title, date, author or reference number); § 7.5.2 ¶ 1(a)
    When creating and updating documented information, the organization shall ensure appropriate: identification and description (e.g. a title, date, author or reference number); § 7.5.2 ¶ 1(a)]
    Records Management Preventive
    Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 Records Management Detective
    Establish and maintain an index of all official records. CC ID 00918 Establish/Maintain Documentation Preventive
    Associate records with their security attributes. CC ID 06764 Records Management Preventive
    Reconfigure the security attributes of records as the information changes. CC ID 06765 Configuration Preventive
    Establish and maintain Records Management procedures. CC ID 00919
    [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish and maintain source document authorization tracking. CC ID 01262 Records Management Detective
    Establish, implement, and maintain source document error handling tracking. CC ID 01263 Records Management Detective
    Establish and maintain data input and data access authorization tracking. CC ID 00920 Monitor and Evaluate Occurrences Detective
    Validate transactions against master files of third parties and clients as necessary. CC ID 06552 Records Management Detective
    Validate transactions using identifiers and credentials. CC ID 13203 Technical Security Preventive
    Establish, implement, and maintain a system storage log. CC ID 13532 Records Management Preventive
    Establish and maintain a system input log. CC ID 13531 Establish/Maintain Documentation Preventive
    Establish and maintain data accuracy controls. CC ID 00921 Monitor and Evaluate Occurrences Detective
    Establish and maintain data completeness controls. CC ID 11649 Process or Activity Preventive
    Control error handling during data input. CC ID 00922 Data and Information Management Detective
    Use automated entry devices to reduce errors during data input. CC ID 06626 Data and Information Management Preventive
    Establish and maintain data processing integrity controls. CC ID 00923 Establish Roles Preventive
    Compare each record's data input to its final form. CC ID 11813 Records Management Detective
    Establish and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Data and Information Management Preventive
    Establish and maintain Automated Data Processing error handling procedures. CC ID 00925 Establish/Maintain Documentation Preventive
    Establish and maintain Automated Data Processing error handling reporting. CC ID 11659 Establish/Maintain Documentation Preventive
    Establish and maintain document security requirements for the output of records. CC ID 11656 Establish/Maintain Documentation Preventive
    Establish and maintain document handling procedures for paper documents. CC ID 00926 Establish/Maintain Documentation Preventive
    Establish and maintain output distribution procedures. CC ID 00927
    [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)]
    Establish/Maintain Documentation Preventive
    Include printed output in output distribution procedures. CC ID 13477 Establish/Maintain Documentation Preventive
    Establish and maintain document retention procedures. CC ID 11660
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d)
    The organization shall retain documented information as evidence of: § 10.1.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish and maintain electronic media distribution procedures. CC ID 11650 Establish/Maintain Documentation Preventive
    Establish and maintain output balancing audit trails. CC ID 00928 Establish/Maintain Documentation Detective
    Establish and maintain an error suspense file for rejected transactions. CC ID 06623 Records Management Preventive
    Establish and maintain reconciliation audit trails. CC ID 11647 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data processing output log. CC ID 06624 Log Management Preventive
    Establish and maintain output review and error handling checks with end users. CC ID 00929 Establish/Maintain Documentation Detective
    Establish and maintain paper document integrity requirements for the output of records. CC ID 00930 Establish/Maintain Documentation Preventive
    Review and approve output exceptions. CC ID 06625 Records Management Preventive
    Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 Testing Detective
    Establish and maintain electronic signature requirements. CC ID 06219 Establish/Maintain Documentation Preventive
    Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 Records Management Preventive
    Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 Technical Security Preventive
    Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 Technical Security Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish and maintain a data retention program. CC ID 00906 Establish/Maintain Documentation Detective
    Remove dormant data from systems, as necessary. CC ID 13726 Process or Activity Preventive
    Select the appropriate format for archived data and records. CC ID 06320
    [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)]
    Data and Information Management Preventive
    Archive appropriate records, logs, and database tables. CC ID 06321 Records Management Preventive
    Maintain continued integrity for all stored data and stored records. CC ID 00969 Testing Detective
    Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 Data and Information Management Preventive
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 Data and Information Management Preventive
    Determine how long to keep records and logs before disposing them. CC ID 11661 Process or Activity Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4
    The organization shall retain documented information on the service management objectives. § 6.2.1 ¶ 2
    The organization shall retain documented information as evidence of: the results of any corrective action. § 10.1.2 ¶ 1(b)
    The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.1.2 ¶ 1(a)
    {monitoring and measurement evaluation result} The organization shall retain appropriate documented information as evidence of the results. § 9.1 ¶ 2]
    Records Management Preventive
    Define which documents and records the organization may capture. CC ID 00905
    [{is appropriate} When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1(b)]
    Establish/Maintain Documentation Detective
    Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 Records Management Preventive
    Retain all evidence of indebtedness. CC ID 11713 Records Management Preventive
    Capture and maintain distribution records. CC ID 06205 Records Management Preventive
    Capture and maintain Device Master Records. CC ID 06206 Records Management Preventive
    Capture and maintain Device History Records. CC ID 06207 Records Management Preventive
    Capture and maintain Quality System Records. CC ID 06208 Records Management Preventive
    Capture and maintain logs as official records. CC ID 06319 Log Management Preventive
    Capture and maintain all business records, including supporting temporary files. CC ID 06622 Establish/Maintain Documentation Preventive
    Establish and maintain storage media disposition and destruction procedures. CC ID 11657 Establish/Maintain Documentation Preventive
    Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 Data and Information Management Preventive
    Degauss as a method of sanitizing electronic storage media. CC ID 00973 Records Management Preventive
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 Testing Detective
    Maintain media sanitization equipment in operational condition. CC ID 00721 Testing Detective
    Define each system's disposition requirements for records and logs. CC ID 11651 Process or Activity Preventive
    Establish and maintain records disposition procedures. CC ID 00971
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3.2(d)]
    Establish/Maintain Documentation Preventive
    Manage the disposition status for all records. CC ID 00972 Records Management Preventive
    Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 Data and Information Management Preventive
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 Records Management Preventive
    Place printed records awaiting destruction into secure containers. CC ID 12464 Physical and Environmental Protection Preventive
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Physical and Environmental Protection Preventive
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Data and Information Management Preventive
    Include methods to Identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 Establish/Maintain Documentation Preventive
    Maintain disposal records or redeployment records. CC ID 01644
    [For services that are to be removed, the planning shall additionally include the date(s) for the removal of the services and the activities for archiving, disposal or transfer of data, documented information and service components. § 8.5.2.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish and maintain secure record transaction standards with third parties. CC ID 06093 Establish/Maintain Documentation Preventive
    Include standards for each data element in the secure record transaction standard. CC ID 06094 Establish/Maintain Documentation Preventive
    Establish and maintain records management procedures used to manage organizational records. CC ID 11619
    [Documented information of external origin determined by the organization to be necessary for the planning and operation of the SMS shall be identified as appropriate and controlled. § 7.5.3.2 ¶ 2]
    Establish/Maintain Documentation Preventive
    Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 Business Processes Detective
    Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 Process or Activity Detective
    Review the electronic storage media for the information the organization collects and processes. CC ID 13009 Process or Activity Detective
    Remove non-public information from publicly accessible systems. CC ID 14246 Data and Information Management Corrective
    Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 Records Management Preventive
    Process restricted information in a secure environment. CC ID 13058 Process or Activity Preventive
    Refrain from creating printed records as copies of electronic records. CC ID 11808 Records Management Preventive
    Protect records from loss in accordance with applicable requirements. CC ID 12007
    [Documented information required by the SMS and by this document shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity). § 7.5.3.1(b)]
    Records Management Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912
    [The documented information for the SMS shall include: records required to demonstrate evidence of conformity to the requirements of this document and the organization's SMS. § 7.5.4 ¶ 1(l)
    keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 1(c)]
    Records Management Detective
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Data and Information Management Detective
    Log records as being received into the recordkeeping system. CC ID 11696 Records Management Preventive
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Log Management Preventive
    Log the date and time in the recordkeeping system each item is made available. CC ID 11710 Log Management Preventive
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Establish/Maintain Documentation Preventive
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Log Management Preventive
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Log Management Preventive
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Log Management Preventive
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Log Management Preventive
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Log Management Preventive
    Log responses to inquiries, annotating the send date for each response. CC ID 11719 Log Management Preventive
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Log Management Preventive
    Log the documentation of determination that items received are not routine. CC ID 11716 Log Management Preventive
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Log Management Preventive
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Log Management Preventive
    Log performance monitoring for the organization. CC ID 11724 Log Management Preventive
    Log the number of inquiries pending as of the close of business. CC ID 11728 Log Management Preventive
    Log the number of inquiries received but not responded to within the required time frame. CC ID 11727 Log Management Preventive
    Establish and maintain current a transfer journal. CC ID 11729 Records Management Preventive
    Log any notices filed by the organization. CC ID 11725 Log Management Preventive
    Log telephone responses into a telephone log, annotating the date of each response. CC ID 11723 Log Management Preventive
    Log the date each certificate is made available to the presentor. CC ID 11720 Log Management Preventive
    Log the number of items not processed within the required time frame. CC ID 11717 Log Management Preventive
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records Management Preventive
    Log the appointments and termination of appointments of registered transfer agents. CC ID 11712 Log Management Preventive
    Log the number of items processed within the required time frame. CC ID 11715 Log Management Preventive
    Log any stop orders or notices of adverse claims. CC ID 11726 Log Management Preventive
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Data and Information Management Detective
    Include record integrity techniques in the Records Management procedures. CC ID 06418 Establish/Maintain Documentation Preventive
    Note in electronic records converted from printed records, the location of the original. CC ID 11809 Records Management Preventive
    Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 Establish/Maintain Documentation Preventive
    Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 Business Processes Preventive
    Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 Business Processes Preventive
    Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 Business Processes Preventive
    Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 Business Processes Preventive
    Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 Records Management Preventive
    Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 Business Processes Preventive
    Establish and maintain electronic storage media security controls. CC ID 13204 Technical Security Preventive
    Establish and maintain electronic storage media management procedures. CC ID 00931 Establish/Maintain Documentation Preventive
    Establish and maintain storage media and record security label procedures. CC ID 06747 Establish/Maintain Documentation Preventive
    Label restricted storage media appropriately. CC ID 00966 Data and Information Management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records Management Detective
    Establish and maintain restricted material identification procedures. CC ID 01889 Establish/Maintain Documentation Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Establish/Maintain Documentation Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Establish/Maintain Documentation Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Establish/Maintain Documentation Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Establish/Maintain Documentation Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Establish/Maintain Documentation Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Data and Information Management Preventive
    Establish and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Technical Security Preventive
    Establish the minimum originator requirements for security labels. CC ID 06579 Establish/Maintain Documentation Preventive
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Establish/Maintain Documentation Preventive
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Establish/Maintain Documentation Preventive
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Establish/Maintain Documentation Preventive
    Establish and maintain access controls for all records. CC ID 00371
    [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2
    For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3.2(a)]
    Records Management Preventive
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Data and Information Management Preventive
    Establish and maintain a records lifecycle management program. CC ID 00951 Establish/Maintain Documentation Preventive
    Establish and maintain information preservation procedures. CC ID 06277
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)]
    Establish/Maintain Documentation Preventive
    Implement and maintain high availability storage, as necessary. CC ID 00952 Technical Security Preventive
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records Management Preventive
    Implement and maintain a duplicate originals of record indexes. CC ID 00954 Records Management Preventive
    Establish and maintain a transparent storage media strategy. CC ID 00932 Records Management Preventive
    Establish and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Establish/Maintain Documentation Preventive
    Establish and maintain online storage monitoring and reporting capabilities. CC ID 00935 Monitor and Evaluate Occurrences Detective
    Establish and maintain online storage controls. CC ID 00942 Technical Security Preventive
    Establish and maintain security controls appropriate to the record types and electronic storage media in use. CC ID 00943
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3.2(b)]
    Records Management Preventive
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Testing Detective
    Provide encryption for different types of electronic storage media. CC ID 00945 Technical Security Preventive
    Implement electronic storage media integrity controls. CC ID 00946 Configuration Preventive
    Automate electronic storage media integrity check controls. CC ID 00948 Configuration Preventive
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Configuration Preventive
    Provide audit trails for all pertinent records. CC ID 00372 Establish/Maintain Documentation Detective
    Establish and maintain a removable storage media log. CC ID 12317 Log Management Preventive
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Establish/Maintain Documentation Preventive
    Include the date and time in the removable storage media log. CC ID 12318 Establish/Maintain Documentation Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Establish/Maintain Documentation Preventive
    Record the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Establish/Maintain Documentation Preventive
    Record the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Establish/Maintain Documentation Preventive
    Record the sender's name in the removable storage media log. CC ID 12752 Establish/Maintain Documentation Preventive
    Record the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Establish/Maintain Documentation Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316 Establish/Maintain Documentation Preventive
    Establish and maintain storage media downgrading procedures. CC ID 10619 Process or Activity Preventive
    Identify electronic storage media that require downgrading. CC ID 10620 Process or Activity Detective
    Downgrade electronic storage media, as necessary. CC ID 10621 Process or Activity Corrective
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Establish/Maintain Documentation Preventive
    Test the storage media downgrade for correct performance. CC ID 10623 Testing Detective
  • System hardening through configuration management
    50
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish and maintain a Configuration Management program. CC ID 00867
    [{new service} The CIs affected by new or changed services shall be managed through configuration management. § 8.5.2.1 ¶ 4
    {be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish and maintain configuration control and Configuration Status Accounting for each system. CC ID 00863
    [At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. § 8.2.6 ¶ 4]
    Business Processes Preventive
    Establish and maintain appropriate system labeling. CC ID 01900 Establish/Maintain Documentation Preventive
    Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 Configuration Preventive
    Establish, implement, and maintain a configuration management policy. CC ID 14023 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain configuration management procedures. CC ID 14074 Establish/Maintain Documentation Preventive
    Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 Communicate Preventive
    Review and update the configuration management procedures, as necessary. CC ID 14093 Establish/Maintain Documentation Corrective
    Review and update the configuration management policy, as necessary. CC ID 14073 Establish/Maintain Documentation Corrective
    Include compliance requirements in the configuration management policy. CC ID 14072 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the configuration management policy. CC ID 14071 Establish/Maintain Documentation Preventive
    Include management commitment in the configuration management policy. CC ID 14070 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the configuration management policy. CC ID 14069 Establish/Maintain Documentation Preventive
    Include the scope in the configuration management policy. CC ID 14068 Establish/Maintain Documentation Preventive
    Include the purpose in the configuration management policy. CC ID 14067 Establish/Maintain Documentation Preventive
    Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 Communicate Preventive
    Establish, implement, and maintain a Configuration Management Plan. CC ID 01901 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the configuration management plan. CC ID 14248 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the configuration management plan. CC ID 14247 Establish/Maintain Documentation Preventive
    Employ the configuration management program. CC ID 11904 Configuration Preventive
    Record Configuration Management items in the Configuration Management database. CC ID 00861 Establish/Maintain Documentation Preventive
    Test network access controls for proper Configuration Management settings. CC ID 01281 Testing Detective
    Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946
    [Configuration information shall be made available for other service management activities as appropriate. § 8.2.6 ¶ 5]
    Communicate Preventive
    Establish and maintain an accurate Configuration Management Database with accessible reporting capabilities. CC ID 02132 Establish/Maintain Documentation Preventive
    Document external connections for all systems. CC ID 06415 Configuration Preventive
    Establish and maintain a current configuration baseline based on the least functionality principle. CC ID 00862
    [Before deployment of a release into the live environment, a baseline of the affected CIs shall be taken. § 8.5.3 ¶ 4]
    Establish/Maintain Documentation Preventive
    Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 Establish/Maintain Documentation Preventive
    Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 Establish/Maintain Documentation Preventive
    Include the applied security patches in the baseline configuration. CC ID 13271 Establish/Maintain Documentation Preventive
    Include the installed application software and version numbers in the baseline configuration. CC ID 13270 Establish/Maintain Documentation Preventive
    Include installed custom software in the baseline configuration. CC ID 13274 Establish/Maintain Documentation Preventive
    Include network ports in the baseline configuration. CC ID 13273 Establish/Maintain Documentation Preventive
    Include the operating systems and version numbers in the baseline configuration. CC ID 13269 Establish/Maintain Documentation Preventive
    Include backup procedures in the Configuration Management policy. CC ID 01314 Establish/Maintain Documentation Preventive
    Identify and document the system's Configurable Items. CC ID 02133
    [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: § 8.2.6 ¶ 2
    The types of CI shall be defined. Services shall be classified as CIs. § 8.2.6 ¶ 1
    The types of CI shall be defined. Services shall be classified as CIs. § 8.2.6 ¶ 1
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: type of CI; § 8.2.6 ¶ 2(b)
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: description of the CI; § 8.2.6 ¶ 2(c)
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: status. § 8.2.6 ¶ 2(e)]
    Establish/Maintain Documentation Preventive
    Define the relationships and dependencies between Configurable Items. CC ID 02134
    [Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: relationship with other CIs; § 8.2.6 ¶ 2(d)]
    Establish/Maintain Documentation Preventive
    Trace each Configurable Item throughout the systems' life cycle. CC ID 02135
    [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3
    Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: unique identification; § 8.2.6 ¶ 2(a)]
    Establish/Maintain Documentation Preventive
    Approve each system's Configurable Items (and changes to those Configurable Items). CC ID 04887 Technical Security Preventive
    Request an acknowledgment from the system owner of the system's configuration. CC ID 10602 Establish/Maintain Documentation Preventive
    Establish and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Enable and configure auditing operations and logging operations, as necessary. CC ID 01522 Log Management Preventive
    Configure all logs to capture auditable events or actionable events. CC ID 06332 Configuration Preventive
    Configure the log to capture configuration changes. CC ID 06881
    [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3]
    Configuration Preventive
    Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 Configuration Preventive
    Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 Log Management Detective
    Configure the log to capture all changes to certificates. CC ID 05595 Configuration Preventive
    Configure the log to capture user authenticator changes. CC ID 01917 Log Management Detective
    Audit the configuration of organizational assets, as necessary. CC ID 13653
    [{be auditable} CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. § 8.2.6 ¶ 3]
    Audits and Risk Management Detective
    Audit assets after maintenance was performed. CC ID 13657 Audits and Risk Management Detective
  • Systems design, build, and implementation
    10
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems Design, Build, and Implementation Preventive
    Establish and maintain a system design project management framework. CC ID 00990 Establish/Maintain Documentation Preventive
    Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 Testing Detective
    Assess the continuity requirements during the planning and development stage for new products and services. CC ID 12779
    [At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1
    At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1
    At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1
    At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1
    At planned intervals, the risks to service continuity shall be assessed and documented. The organization shall determine the service continuity requirements. The agreed requirements shall take into consideration relevant business requirements, service requirements, SLAs and risks. § 8.7.2 ¶ 1]
    Process or Activity Preventive
    Initiate the System Development Life Cycle implementation phase. CC ID 06268 Systems Design, Build, and Implementation Preventive
    Manage the system implementation process. CC ID 01115 Behavior Preventive
    Determine if the project is complete after all implementation tasks are finished. CC ID 06912
    [{new service} Planning shall use the service requirements for the new or changed services determined in 8.2.2 and shall include or contain a reference to: service acceptance criteria; § 8.5.2.1 ¶ 1(f)]
    Testing Detective
    Establish and maintain a product and service release log. CC ID 13705
    [The organization shall define the types of release, including emergency release, their frequency and how they are to be managed. § 8.5.3 ¶ 1
    The organization shall define the types of release, including emergency release, their frequency and how they are to be managed. § 8.5.3 ¶ 1
    The organization shall define the types of release, including emergency release, their frequency and how they are to be managed. § 8.5.3 ¶ 1
    Records of service requests shall be updated with actions taken. § 8.6.2 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include the name of the person authorizing the release of products and services in the product and service release log. CC ID 13707 Establish/Maintain Documentation Preventive
  • Technical security
    41
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Control access rights to organizational assets. CC ID 00004
    [The organization shall define and manage the interfaces with the external supplier. § 8.3.4.1 ¶ 4]
    Technical Security Preventive
    Add all devices requiring access control to the Access Control List. CC ID 06264 Establish/Maintain Documentation Preventive
    Generate but refrain from storing passwords or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical Security Preventive
    Disallow application IDs from running as privileged users. CC ID 10050 Configuration Detective
    Define Roles for information systems. CC ID 12454 Human Resources Management Preventive
    Define access needs for each Role assigned to an information system. CC ID 12455 Human Resources Management Preventive
    Define access needs for each system component of an information system. CC ID 12456 Technical Security Preventive
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical Security Preventive
    Establish access rights based on least privilege. CC ID 01411 Technical Security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical Security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical Security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Configuration Preventive
    Establish lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical Security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Configuration Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Communicate Corrective
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical Security Preventive
    Establish session lock capabilities. CC ID 01417 Configuration Preventive
    Limit concurrent sessions according to account type. CC ID 01416 Configuration Preventive
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical Security Preventive
    Enable access control for objects and users on each system. CC ID 04553 Configuration Preventive
    Include all system components in the access control system. CC ID 11939 Technical Security Preventive
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Process or Activity Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical Security Preventive
    Enable Role-based access control for objects and users on information systems. CC ID 12458 Technical Security Preventive
    Include the objects and users subject to access control in the security policy. CC ID 11836 Establish/Maintain Documentation Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Establish Roles Preventive
    Enforce access restrictions for change control. CC ID 01428 Technical Security Preventive
    Enforce access restrictions for restricted data. CC ID 01921 Data and Information Management Preventive
    Permit a limited set of user actions if identification and/or authentication are not given. CC ID 04849 Technical Security Preventive
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Testing Detective
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical Security Preventive
    Establish and maintain a system use agreement for each information system. CC ID 06500 Establish/Maintain Documentation Preventive
    Ensure interested personnel and affected parties accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Establish/Maintain Documentation Preventive
    Review and update the system use agreement, as necessary. CC ID 14305 Establish/Maintain Documentation Corrective
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical Security Preventive
    Display previous logon information in the logon banner. CC ID 01415 Configuration Preventive
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Establish/Maintain Documentation Preventive
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical Security Preventive
  • Third Party and supply chain oversight
    107
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Establish and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [The service management plan shall include or contain a reference to: approach to be taken for working with other parties involved in the service lifecycle; § 6.3 ¶ 2(f)
    The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements, as necessary. CC ID 00794
    [The documented information for the SMS shall include: contracts with external suppliers; § 7.5.4 ¶ 1(i)
    For each internal supplier or customer acting as a supplier, the organization shall develop, agree and maintain a documented agreement to define the service level targets, other commitments, activities and interfaces between the parties. § 8.3.4.2 ¶ 1
    For each internal supplier or customer acting as a supplier, the organization shall develop, agree and maintain a documented agreement to define the service level targets, other commitments, activities and interfaces between the parties. § 8.3.4.2 ¶ 1
    For each internal supplier or customer acting as a supplier, the organization shall develop, agree and maintain a documented agreement to define the service level targets, other commitments, activities and interfaces between the parties. § 8.3.4.2 ¶ 1
    For each internal supplier or customer acting as a supplier, the organization shall develop, agree and maintain a documented agreement to define the service level targets, other commitments, activities and interfaces between the parties. § 8.3.4.2 ¶ 1
    For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: § 8.3.4.1 ¶ 2
    {new service}The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)
    {new service}The new or changed services shall be designed and documented to meet the service requirements determined in 8.2.2. The design shall include relevant items from the following: new or changed SLAs, contracts and other documented agreements that support the services; § 8.5.2.2 ¶ 1(d)]
    Process or Activity Detective
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Establish/Maintain Documentation Preventive
    Establish software exchange agreements with all third parties. CC ID 11615 Establish/Maintain Documentation Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509
    [The documented information for the SMS shall include: agreements with internal suppliers or customers acting as a supplier; § 7.5.4 ¶ 1(j)]
    Establish/Maintain Documentation Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Establish/Maintain Documentation Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Establish/Maintain Documentation Preventive
    Establish and maintain rules of engagement with third parties. CC ID 13994 Establish/Maintain Documentation Preventive
    Establish information flow agreements with all third parties. CC ID 04543 Establish/Maintain Documentation Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Establish/Maintain Documentation Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Establish/Maintain Documentation Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Establish/Maintain Documentation Preventive
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: scope of the services, service components, processes or parts of processes to be provided or operated by the external supplier; § 8.3.4.1 ¶ 2(a)
    For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: scope of the services, service components, processes or parts of processes to be provided or operated by the external supplier; § 8.3.4.1 ¶ 2(a)
    For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: scope of the services, service components, processes or parts of processes to be provided or operated by the external supplier; § 8.3.4.1 ¶ 2(a)]
    Establish/Maintain Documentation Preventive
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Establish/Maintain Documentation Preventive
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Establish/Maintain Documentation Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Establish/Maintain Documentation Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: authorities and responsibilities of the organization and the external supplier. § 8.3.4.1 ¶ 2(d)
    For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: authorities and responsibilities of the organization and the external supplier. § 8.3.4.1 ¶ 2(d)]
    Business Processes Preventive
    Include text about data ownership in third party contracts. CC ID 06502 Establish/Maintain Documentation Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487 Establish/Maintain Documentation Preventive
    Include text that signatories must meet organizational compliance requirements in third party contracts. CC ID 06506 Establish/Maintain Documentation Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Establish/Maintain Documentation Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Establish/Maintain Documentation Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Establish/Maintain Documentation Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Establish/Maintain Documentation Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Establish/Maintain Documentation Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Establish/Maintain Documentation Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Establish/Maintain Documentation Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Establish/Maintain Documentation Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Establish/Maintain Documentation Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Establish/Maintain Documentation Preventive
    Include a reporting structure in third party contracts. CC ID 06532 Establish/Maintain Documentation Preventive
    Include points of contact in third party contracts. CC ID 12355 Establish/Maintain Documentation Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Establish/Maintain Documentation Preventive
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 Establish/Maintain Documentation Preventive
    Include Service Level Agreements in third party contracts. CC ID 06511
    [The documented information for the SMS shall include: service level agreement(s) (SLA); § 7.5.4 ¶ 1(h)
    For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions § 8.3.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Establish Roles Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Establish/Maintain Documentation Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 Establish/Maintain Documentation Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Establish/Maintain Documentation Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Establish/Maintain Documentation Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
    [For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: requirements to be met by the external supplier; § 8.3.4.1 ¶ 2(b)]
    Establish/Maintain Documentation Preventive
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722 Establish/Maintain Documentation Preventive
    Include change control clauses in third party contracts, as necessary. CC ID 06523 Establish/Maintain Documentation Preventive
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 Establish/Maintain Documentation Preventive
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Establish/Maintain Documentation Preventive
    Include change control notification processes in third party contracts. CC ID 06524 Establish/Maintain Documentation Preventive
    Include cost structure changes in third party contracts. CC ID 10021 Establish/Maintain Documentation Preventive
    Include a choice of venue clause in third party contracts. CC ID 06520 Establish/Maintain Documentation Preventive
    Include a dispute resolution clause in third party contracts. CC ID 06519
    [Disputes between the organization and the external supplier shall be recorded and managed to closure. § 8.3.4.1 ¶ 7
    Disputes between the organization and the external supplier shall be recorded and managed to closure. § 8.3.4.1 ¶ 7]
    Establish/Maintain Documentation Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Establish/Maintain Documentation Preventive
    Include a termination provision clause in third party contracts. CC ID 01367 Establish/Maintain Documentation Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526 Establish/Maintain Documentation Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Establish/Maintain Documentation Preventive
    Include termination costs in third party contracts. CC ID 10023 Establish/Maintain Documentation Preventive
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Establish/Maintain Documentation Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Establish/Maintain Documentation Preventive
    Include a usage limitation of personal data clause in third party contracts. CC ID 13026 Establish/Maintain Documentation Preventive
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Testing Detective
    Establish and maintain third party transaction authentication procedures. CC ID 00791 Establish/Maintain Documentation Preventive
    Include third party acknowledgement of their data protection responsibilities in third party contracts. CC ID 01364 Testing Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Testing Detective
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Establish/Maintain Documentation Preventive
    Establish the third party's service continuity. CC ID 00797 Testing Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Testing Detective
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Data and Information Management Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Testing Detective
    Include disclosure requirements in third party contracts. CC ID 08825 Business Processes Preventive
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Establish/Maintain Documentation Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958
    [The organization shall determine and document: service components that are provided or operated by other parties; § 8.2.3.1 ¶ 4(b)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a Third Party Service Provider list. CC ID 12480 Establish/Maintain Documentation Preventive
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481
    [The organization shall determine and document: services that are provided or operated by other parties; § 8.2.3.1 ¶ 4(a)
    The organization shall determine and document: processes, or parts of processes, in the organization's SMS that are operated by other parties. § 8.2.3.1 ¶ 4(c)]
    Establish/Maintain Documentation Preventive
    Document supply chain transactions in the supply chain management program. CC ID 08857 Business Processes Preventive
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Establish/Maintain Documentation Preventive
    Document supply chain dependencies for delivering critical services or critical functions in the supply chain management program. CC ID 08900
    [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2]
    Establish/Maintain Documentation Detective
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Establish/Maintain Documentation Preventive
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Physical and Environmental Protection Preventive
    Establish and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 Process or Activity Preventive
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842
    [The organization shall make decisions and take actions based on the findings in service reports. The agreed actions shall be communicated to interested parties. § 9.4 ¶ 3]
    Establish/Maintain Documentation Detective
    Review all contracts. CC ID 11612
    [At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. § 8.3.4.1 ¶ 6]
    Establish/Maintain Documentation Preventive
    Enforce third party Service Level Agreements, as necessary. CC ID 07098
    [The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. § 8.3.4.1 ¶ 3]
    Business Processes Corrective
    Include risk management procedures in the supply chain management policy. CC ID 08811 Establish/Maintain Documentation Preventive
    Perform a risk assessment prior to engaging a third party. CC ID 06454
    [The organization shall determine and document: risks related to: the involvement of other parties in the service lifecycle; § 6.1.2 ¶ 1(a)(3)]
    Testing Detective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Business Processes Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Establish/Maintain Documentation Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Establish/Maintain Documentation Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Business Processes Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Establish/Maintain Documentation Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Establish/Maintain Documentation Preventive
    Include the third party selection process in the supply chain management policy. CC ID 13132
    [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Select suppliers based on their qualifications. CC ID 00795 Establish/Maintain Documentation Preventive
    Include third party due diligence standards in the supply chain management policy. CC ID 08812
    [The organization shall determine and apply criteria for the evaluation and selection of other parties involved in the service lifecycle. Other parties can be an external supplier, an internal supplier or a customer acting as a supplier. § 8.2.3.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815
    [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2
    At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5]
    Business Processes Preventive
    Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 Business Processes Preventive
    Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861
    [The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1]
    Business Processes Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Business Processes Preventive
    Establish and implement deduplication procedures for third party services. CC ID 13915
    [The organization shall determine the criticality of services based on the needs of the organization, customers, users and other interested parties. The organization shall determine and manage dependencies and duplication between services. § 8.2.2 ¶ 2]
    Business Processes Detective
    Assess the effectiveness of Third Parties' services provided to the organization. CC ID 13142 Business Processes Detective
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Top management shall demonstrate leadership and commitment with respect to the SMS by: ensuring there is control of other parties involved in the service lifecycle; § 5.1 ¶ 1(e)
    The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. § 8.3.4.1 ¶ 1
    At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.1 ¶ 5
    The management review shall include consideration of: performance of other parties involved in the delivery of the services; § 9.3 ¶ 2(i)]
    Monitor and Evaluate Occurrences Detective
    Monitor third parties' financial conditions. CC ID 13170 Monitor and Evaluate Occurrences Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010
    [At planned intervals, the organization shall monitor the performance of the internal supplier or the customer acting as a supplier. Where service level targets or other agreed commitments are not met, the organization shall ensure that opportunities for improvement are identified. § 8.3.4.2 ¶ 2]
    Business Processes Preventive
    Establish and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Business Processes Preventive
    Provide products per customer requests. CC ID 08893
    [The organization and the customer shall agree the services to be delivered. § 8.3.3 ¶ 1]
    Business Processes Preventive
    Establish and maintain information security controls for the supply chain. CC ID 13109
    [The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of process performance; § 8.2.3.2(a)
    The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of process performance; § 8.2.3.2(a)
    The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of the effectiveness of services and service components in meeting the service requirements. § 8.2.3.2(b)
    The organization shall define and apply relevant controls for other parties from the following: measurement and evaluation of the effectiveness of services and service components in meeting the service requirements. § 8.2.3.2(b)
    The organization shall define and apply relevant controls for other parties from the following: § 8.2.3.2
    The organization shall agree and implement information security controls to address information security risks related to external organizations. § 8.7.3.2 ¶ 2]
    Establish/Maintain Documentation Preventive
Common Controls and
mandates by Type
276 Mandated Controls - bold    
107 Implied Controls - italic     1597 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
1980 Total
  • Acquisition/Sale of Assets or Services
    18
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Operational management Preventive
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Operational management Preventive
    Plan for selling facilities, technology, or services. CC ID 06893
    [For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3
    For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3
    For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3
    For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3
    For services that are to be transferred, the planning shall additionally include the date(s) for the transfer of the services and the activities for the transfer of data, documented information, knowledge and service components. § 8.5.2.1 ¶ 3]
    Acquisition or sale of facilities, technology, and services Preventive
    Determine if there is a need for the product or service being sold. CC ID 06894 Acquisition or sale of facilities, technology, and services Preventive
    Identify new business opportunities based on product or service need, the business strategy, and action plan. CC ID 06901 Acquisition or sale of facilities, technology, and services Preventive
    Develop product solicitation responses and service solicitation responses. CC ID 06896 Acquisition or sale of facilities, technology, and services Preventive
    Prevent the creation or distribution of devices designed to circumvent security measures. CC ID 11514 Acquisition or sale of facilities, technology, and services Preventive
    Provide a product warranty or service warranty. CC ID 11601 Acquisition or sale of facilities, technology, and services Preventive
    Establish and maintain equipment shipping procedures. CC ID 11449 Acquisition or sale of facilities, technology, and services Preventive
    Preserve products created for sale prior to shipping. CC ID 11602 Acquisition or sale of facilities, technology, and services Preventive
    Clean and maintain products prior to shipping. CC ID 11603 Acquisition or sale of facilities, technology, and services Preventive
    Detect and remove foreign objects from products prior to shipping. CC ID 11604 Acquisition or sale of facilities, technology, and services Preventive
    Handle products with due care prior to shipping. CC ID 11605 Acquisition or sale of facilities, technology, and services Preventive
    Attach safety warnings to products prior to shipping. CC ID 11606 Acquisition or sale of facilities, technology, and services Preventive
    Rotate the stock of products prior to shipping. CC ID 11607 Acquisition or sale of facilities, technology, and services Preventive
    Process product return requests. CC ID 11598 Acquisition or sale of facilities, technology, and services Corrective
    Refrain from returning products absent a return request authorization. CC ID 11599 Acquisition or sale of facilities, technology, and services Corrective
  • Actionable Reports or Measurements
    147
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans CC ID 06839 Leadership and high level objectives Preventive
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Leadership and high level objectives Preventive
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Leadership and high level objectives Preventive
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Leadership and high level objectives Preventive
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Leadership and high level objectives Preventive
    Include a Statement on the Level of Compliance in the tactical Information Technology plan. CC ID 06842 Audits and risk management Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Preventive
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [The organization shall: retain documented information as evidence of the implementation of the audit programme(s) and the audit results. § 9.2.2 ¶ (e)]
    Audits and risk management Preventive
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Detective
    Report on the percentage of key Information Technology assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Detective
    Report on the policies and controls that have been implemented by management. CC ID 01670
    [{service improvement activity} Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: reporting on implemented improvements. § 10.2 ¶ 3(e)]
    Monitoring and measurement Detective
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Monitoring and measurement Detective
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Monitoring and measurement Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Detective
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Monitoring and measurement Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Monitoring and measurement Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Detective
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Monitoring and measurement Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Monitoring and measurement Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Monitoring and measurement Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Monitoring and measurement Detective
    Report on the percentage of audit findings that have been resolved. CC ID 01678 Monitoring and measurement Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071
    [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2(a)]
    Monitoring and measurement Detective
    Monitor compliance with the Quality Control system. CC ID 01023 Monitoring and measurement Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Monitoring and measurement Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Monitoring and measurement Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Monitoring and measurement Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Monitoring and measurement Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Monitoring and measurement Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Monitoring and measurement Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Monitoring and measurement Detective
    Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 Monitoring and measurement Detective
    Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 Monitoring and measurement Detective
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Monitoring and measurement Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Monitoring and measurement Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Monitoring and measurement Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Monitoring and measurement Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Monitoring and measurement Detective
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Monitoring and measurement Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Monitoring and measurement Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042
    [The organization shall determine and document: risks related to: approach to be taken for the management of risks. § 6.1.2 ¶ 1(d)]
    Monitoring and measurement Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Monitoring and measurement Detective
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Monitoring and measurement Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Monitoring and measurement Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Monitoring and measurement Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Monitoring and measurement Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Monitoring and measurement Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Monitoring and measurement Detective
    Report on the percentage of audit findings that have been corrected since the last audit. CC ID 02051 Monitoring and measurement Detective
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Monitoring and measurement Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Monitoring and measurement Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Monitoring and measurement Detective
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Monitoring and measurement Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Monitoring and measurement Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Monitoring and measurement Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Monitoring and measurement Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Monitoring and measurement Detective
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Monitoring and measurement Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Monitoring and measurement Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Monitoring and measurement Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Monitoring and measurement Detective
    Report on the percentage of unique active user identifiers. CC ID 02074 Monitoring and measurement Detective
    Report on the percentage of systems and applications that perform password policy verification. CC ID 02086 Monitoring and measurement Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Monitoring and measurement Detective
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Monitoring and measurement Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Monitoring and measurement Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Monitoring and measurement Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Monitoring and measurement Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Monitoring and measurement Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Monitoring and measurement Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Monitoring and measurement Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Monitoring and measurement Detective
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Monitoring and measurement Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Monitoring and measurement Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Monitoring and measurement Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Monitoring and measurement Detective
    Report on the percentage of systems where the authority to make configuration changes are limited. CC ID 02101 Monitoring and measurement Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Monitoring and measurement Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Monitoring and measurement Detective
    Report on the percentage of laptops and mobile devices that are needing to be in compliance with the approved configuration standard before granting network access. CC ID 02106 Monitoring and measurement Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Monitoring and measurement Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Monitoring and measurement Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Monitoring and measurement Detective
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Monitoring and measurement Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Monitoring and measurement Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Monitoring and measurement Detective
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Monitoring and measurement Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Monitoring and measurement Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Monitoring and measurement Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Monitoring and measurement Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Monitoring and measurement Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Monitoring and measurement Detective
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Monitoring and measurement Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Monitoring and measurement Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Monitoring and measurement Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Monitoring and measurement Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Monitoring and measurement Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Monitoring and measurement Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Monitoring and measurement Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Monitoring and measurement Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Monitoring and measurement Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Monitoring and measurement Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Monitoring and measurement Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Monitoring and measurement Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Monitoring and measurement Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Monitoring and measurement Detective
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Monitoring and measurement Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Monitoring and measurement Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Monitoring and measurement Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Monitoring and measurement Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Monitoring and measurement Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Monitoring and measurement Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Monitoring and measurement Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Monitoring and measurement Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Monitoring and measurement Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Monitoring and measurement Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Monitoring and measurement Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Monitoring and measurement Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Monitoring and measurement Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Monitoring and measurement Preventive
    Document the continuity plan test results and provide them to senior management. CC ID 06548
    [At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test and after the service continuity plan(s) has been invoked. Where deficiencies are found, the organization shall take necessary actions. § 8.7.2 ¶ 4]
    Operational and Systems Continuity Preventive
    Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209
    [Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. § 8.3.2 ¶ 5]
    Acquisition or sale of facilities, technology, and services Preventive
  • Audits and Risk Management
    80
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Manage supply chain audits. CC ID 01203 Audits and risk management Preventive
    Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and risk management Preventive
    Review the audit scope when the Risk Profile is updated. CC ID 01202 Audits and risk management Preventive
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and risk management Detective
    Review the external auditor's qualifications. CC ID 01197 Audits and risk management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and risk management Preventive
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and risk management Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 1(b)]
    Audits and risk management Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Detective
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Preventive
    Audit in scope audit items and compliance documents as defined in the audit scope. CC ID 06730
    [The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the organization's own requirements for its SMS; § 9.2.1 ¶ 1(a)(1)
    The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: conforms to: the requirements of this document; § 9.2.1 ¶ 1(a)(2)
    The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: is effectively implemented and maintained. § 9.2.1 ¶ 1(b)
    The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 1(c)]
    Audits and risk management Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and risk management Preventive
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Detective
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management<