
ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition



AD ID: 0003329
ORIGINATOR: International Organization for Standardization
TYPE: International or National Standard
AVAILABILITY: For Purchase
SYNONYMS: ISO 14001:2015; ISO 14001:2015 - Environmental management systems — Requirements with guidance for use
EFFECTIVE: 2015-09-15
ADDED: The document as a whole was last reviewed and released on 2021-08-30T00:00:00-0700.



Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has made every effort to ensure that the quality of the mapping is of the highest degree. Details of the process we use to map Authority Documents, and of how to become involved in that process, are published by Network Frontiers.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition, tagged with its primary and secondary nouns and primary and secondary verbs, in tabular format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance itself, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition are based upon terms found in the Authority Document’s defined-terms section (which most legal documents have), in its glossary, or, for the most part, as tagged within each mandate. Terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone
161 Mandated Controls (bold in the original), 48 Implied Controls (italic in the original), 1772 Implementation Controls (regular type)

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 1981 total
  • Acquisition or sale of facilities, technology, and services (21 controls)
    KEY: each row gives the Common Control text, its CC ID, any ISO 14001:2015 citation mapped to it (in brackets; the original tags citation text by Primary Verb, Primary Noun, Secondary Verb, Secondary Noun and Limiting Term), then the control TYPE and CLASS. Mandated controls are bold, implied controls italic and implementation controls regular type in the original.
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain a product and services acquisition program. CC ID 01136 Establish/Maintain Documentation Preventive
      [Consistent with a life cycle perspective, the organization shall: determine its environmental requirement(s) for the procurement of products and services, as appropriate; § 8.1 ¶ 4 b)]
    Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 Establish/Maintain Documentation Preventive
    Obtain authorization for marketing new products. CC ID 16805 Business Processes Preventive
    Include compliance requirements in the product and services acquisition policy. CC ID 14163 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 Establish/Maintain Documentation Preventive
    Include management commitment in the product and services acquisition policy. CC ID 14161 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 Establish/Maintain Documentation Preventive
    Include the scope in the product and services acquisition policy. CC ID 14159 Establish/Maintain Documentation Preventive
    Include the purpose in the product and services acquisition policy. CC ID 14158 Establish/Maintain Documentation Preventive
    Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 Communicate Preventive
    Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 Establish/Maintain Documentation Preventive
    Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 Communicate Preventive
    Establish, implement, and maintain acquisition approval requirements. CC ID 13704 Establish/Maintain Documentation Preventive
    Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 Communicate Preventive
    Include preventive maintenance contracts in system acquisition contracts. CC ID 06658 Establish/Maintain Documentation Preventive
    Prohibit the use of Personal Electronic Devices, absent approval. CC ID 04599 Behavior Detective
    Sign a forfeiture statement acknowledging unapproved Personal Electronic Devices will be confiscated. CC ID 11667 Physical and Environmental Protection Preventive
    Include chain of custody procedures in the product and services acquisition program. CC ID 10058 Acquisition/Sale of Assets or Services Preventive
    Review and update the acquisition contracts, as necessary. CC ID 14279 Acquisition/Sale of Assets or Services Corrective
  • Audits and risk management (394 controls)
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Establish Roles Preventive
      [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Manage supply chain audits. CC ID 01203 Audits and Risk Management Preventive
    Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 Audits and Risk Management Preventive
    Rotate auditors, as necessary. CC ID 15589 Audits and Risk Management Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Establish Roles Preventive
    Assign the Board of Directors to address audit findings. CC ID 12396 Human Resources Management Corrective
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Establish Roles Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Establish Roles Preventive
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152 Testing Detective
      [The organization shall: ensure that the results of the audits are reported to relevant management. § 9.2.2 ¶ 3 c)]
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Establish Roles Preventive
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Establish Roles Preventive
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Establish Roles Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Establish Roles Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and Risk Management Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Establish/Maintain Documentation Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Establish/Maintain Documentation Preventive
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Establish/Maintain Documentation Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Establish/Maintain Documentation Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Establish/Maintain Documentation Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Establish/Maintain Documentation Preventive
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Establish/Maintain Documentation Preventive
    Review the external audit scope, as necessary. CC ID 01202 Audits and Risk Management Preventive
    Review the external audit assertion for accuracy. CC ID 06977 Testing Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Testing Detective
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and Risk Management Detective
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Establish/Maintain Documentation Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Establish/Maintain Documentation Preventive
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Establish/Maintain Documentation Preventive
    Review the external auditor's qualifications. CC ID 01197 Audits and Risk Management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and Risk Management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Establish/Maintain Documentation Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Establish/Maintain Documentation Preventive
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Behavior Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Behavior Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Establish/Maintain Documentation Preventive
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an audit program. CC ID 00684 Establish/Maintain Documentation Preventive
      [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Establish, implement, and maintain audit policies. CC ID 13166 Establish/Maintain Documentation Preventive
    Assign the audit to impartial auditors. CC ID 07118 Establish Roles Preventive
      [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 3 b)]
    Define what constitutes a threat to independence. CC ID 16824 Audits and Risk Management Preventive
    Determine if requested services create a threat to independence. CC ID 16823 Audits and Risk Management Detective
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Behavior Preventive
      [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2]
    Include resource requirements in the audit program. CC ID 15237 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit program. CC ID 15236 Establish/Maintain Documentation Preventive
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and Risk Management Preventive
    Establish and maintain audit terms. CC ID 13880 Establish/Maintain Documentation Preventive
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Process or Activity Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Establish/Maintain Documentation Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Establish/Maintain Documentation Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and Risk Management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and Risk Management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and Risk Management Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and Risk Management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and Risk Management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and Risk Management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and Risk Management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Establish/Maintain Documentation Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Establish/Maintain Documentation Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Establish/Maintain Documentation Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and Risk Management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Establish/Maintain Documentation Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Establish/Maintain Documentation Preventive
    Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 Establish/Maintain Documentation Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Establish/Maintain Documentation Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Establish/Maintain Documentation Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Establish/Maintain Documentation Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Establish/Maintain Documentation Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Establish/Maintain Documentation Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Establish/Maintain Documentation Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Establish/Maintain Documentation Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Establish/Maintain Documentation Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Establish/Maintain Documentation Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Establish/Maintain Documentation Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Establish/Maintain Documentation Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Establish/Maintain Documentation Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Establish/Maintain Documentation Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Establish/Maintain Documentation Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Establish/Maintain Documentation Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Establish/Maintain Documentation Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Establish/Maintain Documentation Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Establish/Maintain Documentation Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and Risk Management Detective
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Establish/Maintain Documentation Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Establish/Maintain Documentation Preventive
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and Risk Management Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Business Processes Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and Risk Management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and Risk Management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Establish/Maintain Documentation Preventive
      [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 3 a)]
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 Establish/Maintain Documentation Preventive
      [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Include third party assets in the audit scope. CC ID 16504 Audits and Risk Management Preventive
    Include audit subject matter in the audit program. CC ID 07103 Establish/Maintain Documentation Preventive
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Investigate Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Establish/Maintain Documentation Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Establish/Maintain Documentation Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Establish/Maintain Documentation Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and Risk Management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Establish/Maintain Documentation Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and Risk Management Preventive
    Include in scope information in the audit program. CC ID 16198 Establish/Maintain Documentation Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Establish/Maintain Documentation Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Establish/Maintain Documentation Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and Risk Management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Establish/Maintain Documentation Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Establish/Maintain Documentation Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Establish/Maintain Documentation Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Establish/Maintain Documentation Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Establish/Maintain Documentation Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Establish/Maintain Documentation Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Establish/Maintain Documentation Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Establish/Maintain Documentation Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Establish/Maintain Documentation Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Establish/Maintain Documentation Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Establish/Maintain Documentation Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Establish/Maintain Documentation Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Establish/Maintain Documentation Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Establish/Maintain Documentation Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Establish/Maintain Documentation Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Establish/Maintain Documentation Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Establish/Maintain Documentation Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Establish/Maintain Documentation Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Establish/Maintain Documentation Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Establish/Maintain Documentation Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Establish/Maintain Documentation Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Establish/Maintain Documentation Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Establish/Maintain Documentation Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Establish/Maintain Documentation Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Establish/Maintain Documentation Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Establish/Maintain Documentation Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Establish/Maintain Documentation Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Communicate Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Establish/Maintain Documentation Preventive
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Establish/Maintain Documentation Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and Risk Management Preventive
      [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 3 a)]
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 Establish/Maintain Documentation Preventive
      [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Include the expectations for the audit report in the audit terms. CC ID 07148 Establish/Maintain Documentation Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Establish/Maintain Documentation Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Establish/Maintain Documentation Corrective
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Communicate Preventive
    Include materiality levels in the audit terms. CC ID 01238 Establish/Maintain Documentation Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Establish/Maintain Documentation Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Establish/Maintain Documentation Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Business Processes Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and Risk Management Detective
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Business Processes Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Behavior Preventive
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and Risk Management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents. CC ID 06730
    [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 3 b)
    The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: § 9.2.1 ¶ 1]
    Audits and Risk Management Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [The organization shall retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2.2 ¶ 4]
    Actionable Reports or Measurements Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Establish/Maintain Documentation Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Establish/Maintain Documentation Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Establish/Maintain Documentation Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Records Management Preventive
    Conduct onsite inspections, as necessary. CC ID 16199 Testing Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and Risk Management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and Risk Management Detective
    Audit policies, standards, and procedures. CC ID 12927
    [The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: conforms to: the requirements of this International Standard; § 9.2.1 ¶ 1 a) 2)
    The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: conforms to: the organization's own requirements for its environmental management system; § 9.2.1 ¶ 1 a) 1)]
    Audits and Risk Management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Investigate Detective
    Audit information systems, as necessary. CC ID 13010 Investigate Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Investigate Detective
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Testing Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Testing Detective
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and Risk Management Detective
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Process or Activity Detective
    Edit the audit assertion for accuracy. CC ID 07030 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Process or Activity Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984 Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Process or Activity Preventive
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144
    [{be effective} The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: is effectively implemented and maintained. § 9.2.1 ¶ 1 b)]
    Audits and Risk Management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and Risk Management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and Risk Management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Testing Detective
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Establish/Maintain Documentation Preventive
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 Testing Preventive
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and Risk Management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and Risk Management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and Risk Management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and Risk Management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and Risk Management Preventive
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Communicate Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Testing Preventive
    Establish, implement, and maintain interview procedures. CC ID 16282 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the interview procedures. CC ID 16297 Human Resources Management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Process or Activity Preventive
    Create a schedule for the interviews. CC ID 16292 Process or Activity Preventive
    Identify interviewees. CC ID 16290 Process or Activity Preventive
    Conduct interviews, as necessary. CC ID 07188 Testing Detective
    Verify statements made by interviewees are correct. CC ID 16299 Behavior Detective
    Discuss unsolved questions with the interviewee. CC ID 16298 Process or Activity Detective
    Allow interviewee to respond to explanations. CC ID 16296 Process or Activity Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Process or Activity Detective
    Explain the goals of the interview to the interviewee. CC ID 07189 Behavior Detective
    Explain the testing results to the interviewee. CC ID 16291 Process or Activity Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Process or Activity Corrective
    Establish and maintain work papers, as necessary. CC ID 13891 Establish/Maintain Documentation Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Establish/Maintain Documentation Preventive
    Include audit irregularities in the work papers. CC ID 16774 Establish/Maintain Documentation Preventive
    Include corrective actions in the work papers. CC ID 16771 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Establish/Maintain Documentation Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Establish/Maintain Documentation Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Establish/Maintain Documentation Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and Risk Management Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Establish/Maintain Documentation Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Establish/Maintain Documentation Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Establish/Maintain Documentation Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Establish/Maintain Documentation Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and Risk Management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and Risk Management Preventive
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Testing Detective
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Establish/Maintain Documentation Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Establish/Maintain Documentation Preventive
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Testing Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Monitor and Evaluate Occurrences Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Establish Roles Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Business Processes Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Monitor and Evaluate Occurrences Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Business Processes Preventive
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Process or Activity Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and Risk Management Detective
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Establish/Maintain Documentation Preventive
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and Risk Management Preventive
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Investigate Detective
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Business Processes Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and Risk Management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and Risk Management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Establish/Maintain Documentation Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Establish/Maintain Documentation Preventive
    Establish and maintain organizational audit reports. CC ID 06731
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Establish/Maintain Documentation Detective
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and Risk Management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and Risk Management Preventive
    Include audit subject matter in the audit report. CC ID 14882 Establish/Maintain Documentation Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Establish/Maintain Documentation Preventive
    Identify the audit team members in the audit report. CC ID 15259 Human Resources Management Detective
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Establish/Maintain Documentation Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Establish/Maintain Documentation Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Establish/Maintain Documentation Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Establish/Maintain Documentation Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Establish/Maintain Documentation Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Establish/Maintain Documentation Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Establish/Maintain Documentation Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Establish/Maintain Documentation Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Establish/Maintain Documentation Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Establish/Maintain Documentation Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Actionable Reports or Measurements Preventive
    Include the date of the audit in the audit report. CC ID 07024 Actionable Reports or Measurements Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Actionable Reports or Measurements Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Establish/Maintain Documentation Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Establish/Maintain Documentation Preventive
    Include the audit criteria in the audit report. CC ID 13945 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Establish/Maintain Documentation Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Establish/Maintain Documentation Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Actionable Reports or Measurements Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Establish/Maintain Documentation Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Establish/Maintain Documentation Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Establish/Maintain Documentation Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Establish/Maintain Documentation Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Establish/Maintain Documentation Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Establish/Maintain Documentation Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Establish/Maintain Documentation Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Establish/Maintain Documentation Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Establish/Maintain Documentation Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Establish/Maintain Documentation Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Establish/Maintain Documentation Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Establish/Maintain Documentation Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Establish/Maintain Documentation Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Establish/Maintain Documentation Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Establish/Maintain Documentation Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Establish/Maintain Documentation Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and Risk Management Preventive
    Refrain from referencing other auditors' work in the audit report. CC ID 13881 Establish/Maintain Documentation Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Establish/Maintain Documentation Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and Risk Management Detective
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Establish/Maintain Documentation Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Establish/Maintain Documentation Preventive
    Include recommended corrective actions in the audit report. CC ID 16197 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Establish/Maintain Documentation Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Establish/Maintain Documentation Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Establish/Maintain Documentation Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Establish/Maintain Documentation Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Establish/Maintain Documentation Preventive
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and Risk Management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Establish/Maintain Documentation Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Establish/Maintain Documentation Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Actionable Reports or Measurements Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Establish/Maintain Documentation Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Establish/Maintain Documentation Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Establish/Maintain Documentation Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Establish/Maintain Documentation Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Establish/Maintain Documentation Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Establish/Maintain Documentation Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and Risk Management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and Risk Management Detective
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Establish/Maintain Documentation Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and Risk Management Detective
    Review past audit reports. CC ID 01155
    [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2
    The management review shall include consideration of: information on the organization's environmental performance, including trends in: audit results; § 9.3 ¶ 2 d) 4)]
    Establish/Maintain Documentation Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Establish/Maintain Documentation Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Behavior Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Establish/Maintain Documentation Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Establish/Maintain Documentation Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Establish/Maintain Documentation Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Establish/Maintain Documentation Corrective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Investigate Detective
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Process or Activity Detective
    Include an audit opinion in the audit report. CC ID 07017 Establish/Maintain Documentation Preventive
    Include qualified opinions in the audit report. CC ID 13928 Establish/Maintain Documentation Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Establish/Maintain Documentation Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Establish/Maintain Documentation Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Establish/Maintain Documentation Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Business Processes Corrective
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Establish/Maintain Documentation Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Establish/Maintain Documentation Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Establish/Maintain Documentation Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Establish/Maintain Documentation Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Establish/Maintain Documentation Preventive
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Establish/Maintain Documentation Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Establish/Maintain Documentation Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Establish/Maintain Documentation Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Establish/Maintain Documentation Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Establish/Maintain Documentation Corrective
    Disclose any audit irregularities in the audit report. CC ID 06995 Actionable Reports or Measurements Preventive
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Establish/Maintain Documentation Preventive
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Establish/Maintain Documentation Preventive
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Human Resources Management Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Log Management Detective
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Communicate Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Communicate Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Behavior Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Establish/Maintain Documentation Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Establish/Maintain Documentation Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Establish/Maintain Documentation Detective
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Business Processes Preventive
    Submit an audit report that is complete. CC ID 01145 Testing Detective
    Accept the audit report. CC ID 07025 Establish/Maintain Documentation Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777
    [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2]
    Establish/Maintain Documentation Corrective
    Assign responsibility for remediation actions. CC ID 13622 Human Resources Management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Actionable Reports or Measurements Corrective
    Review management's response to issues raised in past audit reports. CC ID 01149 Audits and Risk Management Detective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Establish/Maintain Documentation Preventive
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Testing Detective
    Evaluate the competency of auditors. CC ID 15253 Human Resources Management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and Risk Management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and Risk Management Preventive
    Establish, implement, and maintain the audit plan. CC ID 01156 Testing Detective
    Include the audit criteria in the audit plan. CC ID 15262 Establish/Maintain Documentation Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Establish/Maintain Documentation Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Establish/Maintain Documentation Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Establish/Maintain Documentation Preventive
    Include communication protocols in the audit plan. CC ID 15247 Establish/Maintain Documentation Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Establish/Maintain Documentation Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Establish/Maintain Documentation Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Establish/Maintain Documentation Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Establish/Maintain Documentation Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Establish/Maintain Documentation Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Establish/Maintain Documentation Preventive
    Include audit objectives in the audit plan. CC ID 15240 Establish/Maintain Documentation Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Communicate Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Establish/Maintain Documentation Preventive
  • Harmonization Methods and Manual of Style
    11
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Harmonization Methods and Manual of Style CC ID 06095 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain organizational documents. CC ID 16202 Establish/Maintain Documentation Preventive
    Organize all compliance documents. CC ID 06096 Establish/Maintain Documentation Preventive
    Organize all compliance documents to fit the message. CC ID 06097 Establish/Maintain Documentation Preventive
    Define the structure for compliance documents and governance documents. CC ID 06111
    [When creating and updating documented information the organization shall ensure appropriate: identification and description (e.g. a title, date, author, or reference number); § 7.5.2 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Subordinate the structure of the compliance document to fit the topic. CC ID 06109 Establish/Maintain Documentation Preventive
    Define visual and formatting styles for all structured headings. CC ID 06110 Establish/Maintain Documentation Preventive
    Define the section heading style, if section headings are being used. CC ID 06112 Establish/Maintain Documentation Preventive
    Use a table of contents to show sections and headings, if section headings are being used. CC ID 06113 Establish/Maintain Documentation Preventive
    Place the table of contents at the document's beginning. CC ID 06114 Establish/Maintain Documentation Preventive
    Add term definitions to the document's end. CC ID 06115 Establish/Maintain Documentation Preventive
  • Human Resources management
    187
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806
    [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. § 5.3 ¶ 1]
    Establish Roles Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 Establish Roles Preventive
    Establish, implement, and maintain a security operations center. CC ID 14762 Human Resources Management Preventive
    Define the scope for the security operations center. CC ID 15713 Establish/Maintain Documentation Preventive
    Designate an alternate for each organizational leader. CC ID 12053 Human Resources Management Preventive
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Behavior Preventive
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 Human Resources Management Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 Establish Roles Preventive
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources Management Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Establish/Maintain Documentation Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources Management Preventive
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Establish/Maintain Documentation Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Establish/Maintain Documentation Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources Management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources Management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Establish Roles Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources Management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources Management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources Management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources Management Corrective
    Define and assign board committees, as necessary. CC ID 14787 Human Resources Management Preventive
    Define and assign risk committees, as necessary. CC ID 14795 Human Resources Management Preventive
    Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 Establish/Maintain Documentation Preventive
    Define and assign audit committees, as necessary. CC ID 14788 Human Resources Management Preventive
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 Human Resources Management Preventive
    Define and assign compensation committees, as necessary. CC ID 14793 Human Resources Management Preventive
    Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 Establish Roles Preventive
    Define and assign the network administrator's roles and responsibilities. CC ID 16363 Human Resources Management Preventive
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 Establish Roles Preventive
    Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 Human Resources Management Preventive
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810 Establish Roles Preventive
    Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 Establish Roles Preventive
    Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 Human Resources Management Preventive
    Define and assign roles and responsibilities for network management. CC ID 13128 Human Resources Management Preventive
    Define and assign the technology security leader's roles and responsibilities. CC ID 01897 Establish Roles Preventive
    Define and assign the security staff roles and responsibilities. CC ID 11750 Establish/Maintain Documentation Preventive
    Define and assign the authorized representatives roles and responsibilities. CC ID 15033 Human Resources Management Preventive
    Define and assign the property management leader's roles and responsibilities. CC ID 00669 Establish Roles Preventive
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 Establish Roles Preventive
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 Establish Roles Preventive
    Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 Establish Roles Preventive
    Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 Establish/Maintain Documentation Preventive
    Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 Establish Roles Preventive
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources Management Preventive
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources Management Preventive
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources Management Preventive
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources Management Preventive
    Assign a contact person to all business units. CC ID 07144 Establish Roles Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Business Processes Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources Management Preventive
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources Management Preventive
    Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 Human Resources Management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1 b)]
    Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Communicate Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Establish Roles Preventive
    Evaluate the staffing requirements regularly. CC ID 00775
    [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; § 7.2 ¶ 1 a)]
    Business Processes Detective
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781
    [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; § 7.2 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 Human Resources Management Preventive
    Establish and maintain an annual report on compensation. CC ID 14801 Establish/Maintain Documentation Preventive
    Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 Establish/Maintain Documentation Preventive
    Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 Communicate Preventive
    Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 Establish/Maintain Documentation Preventive
    Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 Establish/Maintain Documentation Preventive
    Refrain from using employees' privacy choices to restrict employment. CC ID 12425 Human Resources Management Preventive
    Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 Human Resources Management Preventive
    Use rewards and career development to motivate personnel. CC ID 06906 Behavior Preventive
    Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 Human Resources Management Preventive
    Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 Human Resources Management Preventive
    Establish, implement, and maintain job applications. CC ID 16180 Establish/Maintain Documentation Preventive
    Include a space for the applicant's name on the job application. CC ID 16190 Human Resources Management Preventive
    Include a space for the applicant's current address on the job application. CC ID 16189 Human Resources Management Preventive
    Include a space for the applicant's social security number on the job application. CC ID 16188 Human Resources Management Preventive
    Include a space for the applicant's date of birth on the job application. CC ID 16186 Human Resources Management Preventive
    Include a space for previous employers and business relationships on the job application. CC ID 16185 Human Resources Management Preventive
    Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 Human Resources Management Preventive
    Include a space for the start date on the job application. CC ID 16187 Human Resources Management Preventive
    Include a space to explain legal penalties on the job application. CC ID 16183 Human Resources Management Preventive
    Approve the wording of job applications. CC ID 16182 Human Resources Management Preventive
    Include a space for past aliases and other used names on job applications. CC ID 12301 Human Resources Management Preventive
    Include a space for previous addresses and previous residences on the job application. CC ID 12302 Human Resources Management Preventive
    Include a space to explain employment gaps on the job application. CC ID 12303 Human Resources Management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. § 7.2 ¶ 1 d)]
    Behavior Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671 Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources Management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Establish/Maintain Documentation Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Establish/Maintain Documentation Preventive
    Submit applications for professional certification. CC ID 16192 Training Preventive
    Retrain all personnel, as necessary. CC ID 01362 Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423
    [The organization shall retain appropriate documented information as evidence of competence. § 7.2 ¶ 2]
    Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672
    [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. § 7.2 ¶ 1 d)]
    Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Review the current published guidance and awareness and training programs. CC ID 01245 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain training plans. CC ID 00828
    [The organization shall: determine training needs associated with its environmental aspects and its environmental management system; § 7.2 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Training Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Training Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Training Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Training Detective
    Develop or acquire content to update the training plans. CC ID 12867 Training Preventive
    Designate training facilities in the training plan. CC ID 16200 Training Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Establish/Maintain Documentation Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources Management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Training Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources Management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Training Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Training Preventive
    Conduct Archives and Records Management training. CC ID 00975 Behavior Preventive
    Conduct personal data processing training. CC ID 13757 Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Training Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Communicate Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Include media protection in the security awareness program. CC ID 16368 Training Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include physical security in the security awareness program. CC ID 16369 Training Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Training Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200
    [The organization shall ensure that persons doing work under the organization's control are aware of: the significant environmental aspects and related actual or potential environmental impacts associated with their work; § 7.3 ¶ 1 b)
    The organization shall ensure that persons doing work under the organization's control are aware of: the environmental policy; § 7.3 ¶ 1 a)
    The organization shall ensure that persons doing work under the organization's control are aware of: the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. § 7.3 ¶ 1 d)
    The organization shall ensure that persons doing work under the organization's control are aware of: their contribution to the effectiveness of the environmental management system, including the benefits of enhanced environmental performance; § 7.3 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Behavior Corrective
    Conduct tampering prevention training. CC ID 11875 Training Preventive
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Training Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Training Preventive
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Training Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Training Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Training Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Training Preventive
    Conduct crime prevention training. CC ID 06350 Behavior Preventive
    Analyze and evaluate training records to improve the training program. CC ID 06380 Monitor and Evaluate Occurrences Detective
  • Leadership and high level objectives
    421
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a reporting methodology program. CC ID 02072
    [Top management shall assign the responsibility and authority for: reporting on the performance of the environmental management system, including environmental performance, to top management. § 5.3 ¶ 2 b)]
    Business Processes Preventive
    Establish, implement, and maintain communication protocols. CC ID 12245
    [When establishing its communication process(es), the organization shall: take into account its compliance obligations; § 7.4.1 ¶ 2 Bullet 1
    {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: on what it will communicate; § 7.4.1 ¶ 1 a)
    {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: when to communicate; § 7.4.1 ¶ 1 b)
    {subject}{internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: with whom to communicate; § 7.4.1 ¶ 1 c)
    {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: how to communicate. § 7.4.1 ¶ 1 d)
    {be relevant} The organization shall respond to relevant communications on its environmental management system. § 7.4.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Use secure communication protocols for telecommunications. CC ID 16458 Business Processes Preventive
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419
    [When establishing its communication process(es), the organization shall: ensure that environmental information communicated is consistent with information generated within the environmental management system, and is reliable. § 7.4.1 ¶ 2 Bullet 2]
    Establish/Maintain Documentation Preventive
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691
    [{internal communication}The organization shall: ensure its communication process(es) enable(s) persons doing work under the organization's control to contribute to continual improvement. § 7.4.2 ¶ 1 b)]
    Process or Activity Detective
    Include external requirements in the organization's communication protocol. CC ID 12418 Establish/Maintain Documentation Preventive
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Communicate Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417
    [The management review shall include consideration of: changes in: the needs and expectations of interested parties, including compliance obligations; § 9.3 ¶ 2 b) 2)
    The management review shall include consideration of: relevant communication(s) from interested parties, including complaints; § 9.3 ¶ 2 f)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Process or Activity Preventive
    Identify barriers to stakeholder engagement. CC ID 15676 Process or Activity Preventive
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Communicate Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Communicate Preventive
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Process or Activity Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Communicate Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Communicate Preventive
    Route notifications, as necessary. CC ID 12832 Process or Activity Preventive
    Substantiate notifications, as necessary. CC ID 12831 Process or Activity Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Business Processes Preventive
    Prioritize notifications, as necessary. CC ID 12830 Process or Activity Preventive
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Actionable Reports or Measurements Preventive
    Disseminate and communicate internal controls with supply chain members. CC ID 12416 Communicate Preventive
    Establish and maintain the organization's survey method. CC ID 12869 Process or Activity Preventive
    Document the findings from surveys. CC ID 16309 Establish/Maintain Documentation Preventive
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Process or Activity Preventive
    Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an internal reporting program. CC ID 12409 Business Processes Preventive
    Include transactions and events as a part of internal reporting. CC ID 12413 Business Processes Preventive
    Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 Communicate Preventive
    Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 Establish/Maintain Documentation Preventive
    Define the thresholds for escalation in the internal reporting program. CC ID 14332 Establish/Maintain Documentation Preventive
    Define the thresholds for reporting in the internal reporting program. CC ID 14331 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an external reporting program. CC ID 12876 Communicate Preventive
    Provide identifying information about the organization to the responsible party. CC ID 16715 Communicate Preventive
    Identify the material topics required to be reported on. CC ID 15654 Business Processes Preventive
    Check the list of material topics for completeness. CC ID 15692 Investigate Preventive
    Prioritize material topics used in reporting. CC ID 15678 Communicate Preventive
    Review and approve the material topics, as necessary. CC ID 15670 Process or Activity Preventive
    Define the thresholds for reporting in the external reporting program. CC ID 15679 Establish/Maintain Documentation Preventive
    Include time requirements in the external reporting program. CC ID 16566 Communicate Preventive
    Include information about the organizational culture in the external reporting program. CC ID 15610 Establish/Maintain Documentation Preventive
    Include reporting to governing bodies in the external reporting plan. CC ID 12923 Communicate Preventive
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Communicate Preventive
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Establish/Maintain Documentation Preventive
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Establish/Maintain Documentation Preventive
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Establish/Maintain Documentation Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; § 6.1.1 ¶ 3 Bullet 2
    When determining this scope, the organization shall consider: its activities, products and services; § 4.3 ¶ 2 d)
    The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization. § 4.1 ¶ 1]
    Monitor and Evaluate Occurrences Preventive
    Develop instructions for setting organizational objectives and strategies. CC ID 12931
    [The organization shall determine: which of these needs and expectations become its compliance obligations. § 4.2 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Analyze the business environment in which the organization operates. CC ID 12798
    [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2]
    Business Processes Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Process or Activity Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Process or Activity Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Process or Activity Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942
    [The management review shall include consideration of: adequacy of resources; § 9.3 ¶ 2 e)]
    Process or Activity Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Process or Activity Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Process or Activity Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939
    [When determining this scope, the organization shall consider: its organizational units, functions and physical boundaries; § 4.3 ¶ 2 c)]
    Process or Activity Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Process or Activity Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Process or Activity Preventive
    Align assets with business functions and the business environment. CC ID 13681 Business Processes Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Communicate Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Monitor and Evaluate Occurrences Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Monitor and Evaluate Occurrences Preventive
    Analyze the external environment in which the organization operates. CC ID 12799
    [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization. § 4.1 ¶ 1]
    Business Processes Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960 Process or Activity Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Monitor and Evaluate Occurrences Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring the integration of the environmental management system requirements into the organization's business processes; § 5.1 ¶ 1 c)]
    Business Processes Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879
    [The management review shall include consideration of: changes in: the needs and expectations of interested parties, including compliance obligations; § 9.3 ¶ 2 b) 2)]
    Monitor and Evaluate Occurrences Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Business Processes Preventive
    Include society in the analysis of the external environment. CC ID 12963 Business Processes Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Business Processes Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Business Processes Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904 Business Processes Preventive
    Include threats in the analysis of the external environment. CC ID 12898 Business Processes Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Business Processes Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896 Business Processes Preventive
    Include technology in the analysis of the external environment. CC ID 12837 Business Processes Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Business Processes Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Business Processes Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959 Establish/Maintain Documentation Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Process or Activity Preventive
    Identify events that may affect organizational objectives. CC ID 12961 Process or Activity Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Process or Activity Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Business Processes Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Business Processes Preventive
    Prioritize organizational objectives. CC ID 09960 Business Processes Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Business Processes Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591 Establish/Maintain Documentation Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Communicate Preventive
    Include value distribution in the value generation model. CC ID 15603 Establish/Maintain Documentation Preventive
    Include value retention in the value generation model. CC ID 15600 Establish/Maintain Documentation Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Establish/Maintain Documentation Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Establish/Maintain Documentation Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Establish/Maintain Documentation Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Establish/Maintain Documentation Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Establish/Maintain Documentation Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Establish/Maintain Documentation Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Establish/Maintain Documentation Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Establish/Maintain Documentation Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Communicate Preventive
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 Communicate Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [The management review shall include consideration of: changes in: external and internal issues that are relevant to the environmental management system; § 9.3 ¶ 2 b) 1)]
    Establish/Maintain Documentation Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Business Processes Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Process or Activity Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Process or Activity Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Business Processes Preventive
    Identify all interested personnel and affected parties. CC ID 12845
    [The organization shall determine: the interested parties that are relevant to the environmental management system; § 4.2 ¶ 1 a)]
    Process or Activity Detective
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Process or Activity Preventive
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [The organization shall determine: the relevant needs and expectations (i.e. requirements) of these interested parties; § 4.2 ¶ 1 b)]
    Business Processes Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998 Establish/Maintain Documentation Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Establish/Maintain Documentation Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Establish/Maintain Documentation Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Establish/Maintain Documentation Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Establish/Maintain Documentation Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Establish/Maintain Documentation Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Establish/Maintain Documentation Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Establish/Maintain Documentation Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Establish/Maintain Documentation Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Establish/Maintain Documentation Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Establish/Maintain Documentation Preventive
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Data and Information Management Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Data and Information Management Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Data and Information Management Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Data and Information Management Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Data and Information Management Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Data and Information Management Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Data and Information Management Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Data and Information Management Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Data and Information Management Preventive
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Establish/Maintain Documentation Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Data and Information Management Preventive
    Approve the data classification scheme. CC ID 13858 Establish/Maintain Documentation Detective
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Communicate Preventive
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Establish/Maintain Documentation Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Establish/Maintain Documentation Preventive
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Establish/Maintain Documentation Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Establish/Maintain Documentation Preventive
    Ensure the data dictionary is complete and accurate. CC ID 13527 Investigate Detective
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Establish/Maintain Documentation Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Establish/Maintain Documentation Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Establish/Maintain Documentation Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Establish/Maintain Documentation Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Establish/Maintain Documentation Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Establish/Maintain Documentation Preventive
    Include the data source in the data dictionary. CC ID 13519 Establish/Maintain Documentation Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Establish/Maintain Documentation Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Communicate Preventive
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 Establish/Maintain Documentation Preventive
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Behavior Preventive
    Establish, implement, and maintain an organizational structure. CC ID 16310 Establish/Maintain Documentation Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604
    [The management review shall include consideration of: information on the organization's environmental performance, including trends in: fulfilment of its compliance obligations; § 9.3 ¶ 2 d) 3)]
    Monitor and Evaluate Occurrences Detective
    Monitor for new Information Security solutions. CC ID 07078 Monitor and Evaluate Occurrences Detective
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Technical Security Detective
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Communicate Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Establish/Maintain Documentation Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Establish/Maintain Documentation Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Establish/Maintain Documentation Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Establish/Maintain Documentation Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Communicate Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Communicate Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Establish/Maintain Documentation Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Establish/Maintain Documentation Preventive
    Enforce a continuous Quality Control system. CC ID 01005 Business Processes Detective
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Testing Detective
    Establish, implement, and maintain a Quality Management program. CC ID 07201 Establish/Maintain Documentation Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Communicate Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Communicate Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Establish/Maintain Documentation Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501 Business Processes Corrective
    Include records management in the quality management system. CC ID 15055 Establish/Maintain Documentation Preventive
    Include risk management in the quality management system. CC ID 15054 Establish/Maintain Documentation Preventive
    Include data management procedures in the quality management system. CC ID 15052 Establish/Maintain Documentation Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Establish/Maintain Documentation Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Establish/Maintain Documentation Preventive
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Systems Design, Build, and Implementation Preventive
    Include resource management in the quality management system. CC ID 15026 Establish/Maintain Documentation Preventive
    Include communication protocols in the quality management system. CC ID 15025 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Establish/Maintain Documentation Preventive
    Include technical specifications in the quality management system. CC ID 15021 Establish/Maintain Documentation Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 Establish/Maintain Documentation Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Establish/Maintain Documentation Preventive
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Business Processes Detective
    Include program testing standards in the Quality Management program. CC ID 01017 Establish/Maintain Documentation Preventive
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Business Processes Detective
    Include system testing standards in the Quality Management program. CC ID 01018 Establish/Maintain Documentation Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824 Systems Design, Build, and Implementation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
[When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2 a)
    {interested parties}{environmental management system}When determining this scope, the organization shall consider: the compliance obligations referred to in 4.2; § 4.3 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Define the scope of the security policy. CC ID 07145 Data and Information Management Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 Business Processes Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Establish/Maintain Documentation Preventive
    Correlate Information Systems with applicable controls. CC ID 01621 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 Establish/Maintain Documentation Preventive
    Include the effective date on all organizational policies. CC ID 06820 Establish/Maintain Documentation Preventive
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Establish/Maintain Documentation Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Establish/Maintain Documentation Detective
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 Business Processes Preventive
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Establish/Maintain Documentation Preventive
    Establish and maintain an Authority Document list. CC ID 07113
    [The organization shall: determine and have access to the compliance obligations related to its environmental aspects; § 6.1.3 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Establish/Maintain Documentation Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
[When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1 c)
    The scope shall be maintained as documented information and be available to interested parties. § 4.3 ¶ 4
    The organization shall maintain documented information of its compliance obligations. § 6.1.3 ¶ 2
    The organization's environmental management system shall include: documented information required by this International Standard; § 7.5.1 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901
    [The scope shall be maintained as documented information and be available to interested parties. § 4.3 ¶ 4]
    Communicate Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Establish/Maintain Documentation Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Establish/Maintain Documentation Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Establish/Maintain Documentation Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Establish/Maintain Documentation Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Establish/Maintain Documentation Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Establish Roles Preventive
    Approve all compliance documents. CC ID 06286 Establish/Maintain Documentation Preventive
    Align the Authority Document list with external requirements. CC ID 06288
    [The organization shall: determine how these compliance obligations apply to the organization; § 6.1.3 ¶ 1 b)
    Documented information of external origin determined by the organization to be necessary for the planning and operation of the environmental management system shall be identified, as appropriate, and controlled. § 7.5.3 ¶ 3
    The organization shall: determine and have access to the compliance obligations related to its environmental aspects; § 6.1.3 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Establish Roles Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Establish/Maintain Documentation Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Establish/Maintain Documentation Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 Establish/Maintain Documentation Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Business Processes Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Establish Roles Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Behavior Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Behavior Preventive
    Estimate the costs of implementing the compliance framework. CC ID 07191 Business Processes Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784 Establish/Maintain Documentation Preventive
    Determine progress toward the objectives of the strategic plan. CC ID 12944
    [The management review shall include consideration of: the extent to which environmental objectives have been achieved; § 9.3 ¶ 2 c)]
    Process or Activity Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913
    [When determining this scope, the organization shall consider: its authority and ability to exercise control and influence. § 4.3 ¶ 2 e)]
    Establish/Maintain Documentation Preventive
    Align the reporting methodology with the decision management strategy. CC ID 15659 Business Processes Preventive
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Establish/Maintain Documentation Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Establish/Maintain Documentation Preventive
    Include criteria for compliance in the decision-making criteria. CC ID 12951 Establish/Maintain Documentation Preventive
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 Establish/Maintain Documentation Preventive
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 Establish/Maintain Documentation Preventive
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938 Establish/Maintain Documentation Preventive
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 Process or Activity Preventive
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 Process or Activity Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 Process or Activity Preventive
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Establish/Maintain Documentation Detective
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 Process or Activity Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 Behavior Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909 Process or Activity Preventive
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Establish/Maintain Documentation Preventive
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 Communicate Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492
    [The organization shall ensure that persons doing work under the organization's control are aware of: the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. § 7.3 ¶ 1 d)]
    Business Processes Preventive
    Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 Behavior Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228
    [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Establish/Maintain Documentation Preventive
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Communicate Preventive
    Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 Business Processes Preventive
    Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 Business Processes Preventive
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Business Processes Preventive
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Investigate Detective
    Attach the required information to each funds transfer. CC ID 16756 Business Processes Preventive
    Verify all required information is attached to each funds transfer. CC ID 16755 Business Processes Detective
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Business Processes Preventive
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Testing Preventive
    Include communication protocols in the financial management program. CC ID 16763 Establish/Maintain Documentation Preventive
    Include ongoing monitoring in the financial management program. CC ID 16762 Process or Activity Preventive
    Employ tools to manage settlement and funding flows. CC ID 16743 Process or Activity Preventive
    Refrain from setting up anonymous financial accounts. CC ID 16721 Business Processes Preventive
    Identify and maintain positions in financial accounts. CC ID 16751 Business Processes Preventive
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Establish/Maintain Documentation Preventive
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Process or Activity Preventive
    Establish, implement, and maintain financial resource management procedures. CC ID 16642 Establish/Maintain Documentation Preventive
    Document the rationale for the amount of financial resources being held. CC ID 16688 Establish/Maintain Documentation Preventive
    Supplement financial resources, as necessary. CC ID 16685 Business Processes Preventive
    Establish, implement, and maintain collateral procedures. CC ID 16653 Establish/Maintain Documentation Preventive
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Establish/Maintain Documentation Preventive
    Define the collateral requirements in the collateral procedures. CC ID 16686 Establish/Maintain Documentation Preventive
    Test the collateral requirements for appropriateness. CC ID 16681 Testing Preventive
    Limit the types of assets accepted as collateral. CC ID 16602 Business Processes Preventive
    Avoid the use of concentrated holdings of assets. CC ID 16651 Business Processes Preventive
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Testing Preventive
    Include stress scenarios in the stress test plan. CC ID 16659 Testing Preventive
    Analyze the effectiveness of the stress test plan. CC ID 16657 Process or Activity Detective
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Testing Preventive
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Communicate Preventive
    Identify and document the financial resources available for use. CC ID 16643 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Establish/Maintain Documentation Preventive
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a securities trading program. CC ID 16626 Business Processes Preventive
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the securities trading program. CC ID 16689 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Establish/Maintain Documentation Preventive
    Include performance guarantees in the capital restoration plan. CC ID 16616 Establish/Maintain Documentation Preventive
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Establish/Maintain Documentation Preventive
    Include required information in the capital restoration plan. CC ID 16609 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain valuation procedures. CC ID 16634 Establish/Maintain Documentation Preventive
    Include investment information in approval requests for investments. CC ID 16590 Business Processes Preventive
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain lending policies. CC ID 16608 Establish/Maintain Documentation Preventive
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Process or Activity Preventive
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Establish/Maintain Documentation Preventive
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Establish/Maintain Documentation Preventive
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Establish/Maintain Documentation Preventive
    Include pricing structures in the lending policy. CC ID 16724 Establish/Maintain Documentation Preventive
    Include monitoring requirements in the lending policy. CC ID 16710 Establish/Maintain Documentation Preventive
    Include loan origination procedures in the lending policy. CC ID 16709 Establish/Maintain Documentation Preventive
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Establish/Maintain Documentation Preventive
    Include loan requirements in the lending policy. CC ID 16706 Establish/Maintain Documentation Preventive
    Include appraisals and evaluations in the lending policy. CC ID 16705 Establish/Maintain Documentation Preventive
    Include terms and conditions in the lending policy. CC ID 16695 Establish/Maintain Documentation Preventive
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Establish/Maintain Documentation Preventive
    Include geographic areas in the lending policy. CC ID 16691 Establish/Maintain Documentation Preventive
    Include underwriting guidelines in the lending policy. CC ID 16619 Establish/Maintain Documentation Preventive
    Include credit review in the underwriting guidelines. CC ID 16765 Establish/Maintain Documentation Preventive
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Establish/Maintain Documentation Preventive
    Include documentation requirements in the lending policy. CC ID 16617 Establish/Maintain Documentation Preventive
    Include the purpose of the loan in the loan documentation. CC ID 16747 Establish/Maintain Documentation Preventive
    Include the source of repayment in the loan documentation. CC ID 16746 Establish/Maintain Documentation Preventive
    Include approval requirements in the lending policy. CC ID 16615 Establish/Maintain Documentation Preventive
    Include reporting requirements in the lending policy. CC ID 16614 Establish/Maintain Documentation Preventive
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Establish/Maintain Documentation Preventive
    Include loan administration procedures in the lending policy. CC ID 16610 Establish/Maintain Documentation Preventive
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Establish/Maintain Documentation Preventive
    Include termination procedures in the loan participation agreement. CC ID 16753 Establish/Maintain Documentation Preventive
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Establish/Maintain Documentation Preventive
    Include servicing agreements in the loan administration procedures. CC ID 16744 Establish/Maintain Documentation Preventive
    Include claims processing in the loan administration procedures. CC ID 16742 Establish/Maintain Documentation Preventive
    Include forbearance management in the loan administration procedures. CC ID 16741 Establish/Maintain Documentation Preventive
    Include foreclosure management in the loan administration procedures. CC ID 16740 Establish/Maintain Documentation Preventive
    Include delinquency management in the loan administration procedures. CC ID 16739 Establish/Maintain Documentation Preventive
    Include customer due diligence in the loan administration procedures. CC ID 16736 Process or Activity Preventive
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Establish/Maintain Documentation Preventive
    Include loan closing in the loan administration procedures. CC ID 16734 Establish/Maintain Documentation Preventive
    Include payoff statements in the loan administration procedures. CC ID 16733 Establish/Maintain Documentation Preventive
    Include payment processing in the loan administration procedures. CC ID 16732 Establish/Maintain Documentation Preventive
    Include loan reviews in the loan administration procedures. CC ID 16703 Establish/Maintain Documentation Preventive
    Include collections in the loan administration procedures. CC ID 16701 Establish/Maintain Documentation Preventive
    Include collateral inspections in the loan administration procedures. CC ID 16699 Establish/Maintain Documentation Preventive
    Include disbursements in the loan administration procedures. CC ID 16697 Establish/Maintain Documentation Preventive
    Review and approve lending policies. CC ID 16607 Business Processes Preventive
    Establish, implement, and maintain a dividend policy. CC ID 16569 Establish/Maintain Documentation Preventive
    Include compliance requirements in the dividend policy. CC ID 16570 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain margin systems. CC ID 16601 Business Processes Preventive
    Include valuation models in the margin system. CC ID 16663 Data and Information Management Preventive
    Include procedures for collecting price data in the margin system. CC ID 16662 Data and Information Management Preventive
    Include reliable sources for price data in the margin system. CC ID 16661 Data and Information Management Preventive
    Validate the margin system on a regular basis. CC ID 16660 Testing Detective
    Assess the properties of the margin model used in the margin system. CC ID 16658 Process or Activity Detective
    Monitor the performance of the margin system. CC ID 16655 Monitor and Evaluate Occurrences Detective
    Analyze the performance of the margin system. CC ID 16654 Process or Activity Detective
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Business Processes Preventive
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Establish/Maintain Documentation Preventive
    Determine the amount of assets to be held in escrow. CC ID 16575 Investigate Detective
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Communicate Preventive
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 Establish/Maintain Documentation Preventive
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Establish/Maintain Documentation Preventive
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Establish/Maintain Documentation Preventive
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Establish/Maintain Documentation Preventive
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Data and Information Management Preventive
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Data and Information Management Preventive
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Data and Information Management Preventive
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Data and Information Management Preventive
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Data and Information Management Preventive
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Data and Information Management Preventive
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Data and Information Management Preventive
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Data and Information Management Preventive
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Data and Information Management Preventive
Include account information in the recordkeeping system for securities transactions. CC ID 16632 Data and Information Management Preventive
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Establish/Maintain Documentation Preventive
    Include the call date in the securities transaction notification. CC ID 16680 Establish/Maintain Documentation Preventive
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Establish/Maintain Documentation Preventive
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Establish/Maintain Documentation Preventive
    Include the call price in the securities transaction notification. CC ID 16678 Establish/Maintain Documentation Preventive
    Include debits and credits in the securities transaction notification. CC ID 16677 Establish/Maintain Documentation Preventive
    Include transactions in the securities transaction notification. CC ID 16676 Establish/Maintain Documentation Preventive
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Establish/Maintain Documentation Preventive
    Include yield information in the securities transaction notification. CC ID 16673 Establish/Maintain Documentation Preventive
    Include redemption information in the securities transaction notification. CC ID 16672 Establish/Maintain Documentation Preventive
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Establish/Maintain Documentation Preventive
    Include the type of call in the securities transaction notification. CC ID 16668 Establish/Maintain Documentation Preventive
    Include an account statement in the securities transaction notification. CC ID 16666 Establish/Maintain Documentation Preventive
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Establish/Maintain Documentation Preventive
    Include the execution price in the securities transaction notification. CC ID 16664 Establish/Maintain Documentation Preventive
    Include the organization's role in the securities transaction notification. CC ID 16646 Establish/Maintain Documentation Preventive
    Include the name of the broker in the securities transaction notification. CC ID 16647 Establish/Maintain Documentation Preventive
    Include the name of the customer in the securities transaction notification. CC ID 16625 Establish/Maintain Documentation Preventive
    Include the organization's name in the securities transaction notification. CC ID 16624 Establish/Maintain Documentation Preventive
    Include confirmations in the securities transaction notification. CC ID 16623 Establish/Maintain Documentation Preventive
    Include remunerations in the securities transaction notification. CC ID 16622 Establish/Maintain Documentation Preventive
    Include requested information in the securities transaction notification. CC ID 16641 Establish/Maintain Documentation Preventive
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Communicate Preventive
    Include the execution date in the securities transaction notification. CC ID 16620 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain financial reports. CC ID 14770 Establish/Maintain Documentation Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Establish/Maintain Documentation Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Establish/Maintain Documentation Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588 Establish/Maintain Documentation Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Communicate Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Establish/Maintain Documentation Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Establish/Maintain Documentation Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Establish/Maintain Documentation Preventive
    Include material contingencies in the financial statement. CC ID 16596 Establish/Maintain Documentation Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Establish/Maintain Documentation Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Establish/Maintain Documentation Preventive
    Include assets and liabilities in the call report. CC ID 16729 Establish/Maintain Documentation Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Communicate Preventive
  • Monitoring and measurement
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671
    [{what needs to be measured} The organization shall determine: what needs to be monitored and measured; § 9.1.1 ¶ 2 a)
    The organization shall determine: when the monitoring and measuring shall be performed; § 9.1.1 ¶ 2 d)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653
    [The organization shall: determine the frequency that compliance will be evaluated; § 9.1.2 ¶ 2 a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656 Establish/Maintain Documentation Preventive
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Actionable Reports or Measurements Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Actionable Reports or Measurements Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Actionable Reports or Measurements Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Actionable Reports or Measurements Detective
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866
    [The organization's environmental management system shall include: documented information determined by the organization as being necessary for the effectiveness of the environmental management system. § 7.5.1 ¶ 1 b)
    The management review shall include consideration of: information on the organization's environmental performance, including trends in: § 9.3 ¶ 2 d)]
    Business Processes Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Audits and Risk Management Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitor and Evaluate Occurrences Detective
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.2 ¶ 3 Bullet 1
    The management review shall include consideration of: information on the organization's environmental performance, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2 d) 1)]
    Establish/Maintain Documentation Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by: § 10.2 ¶ 1 b)]
    Business Processes Detective
    Determine the causes of compliance violations. CC ID 12401
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.2 ¶ 1 b) 1)
    When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.2 ¶ 1 b) 2)]
    Investigate Corrective
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Establish/Maintain Documentation Preventive
    Determine if multiple compliance violations of the same type could occur. CC ID 12402
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities exist, or could potentially occur; § 10.2 ¶ 1 b) 3)]
    Investigate Detective
    Correct compliance violations. CC ID 13515
    [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.2 ¶ 1 a) 1)
    When a nonconformity occurs, the organization shall: implement any action needed; § 10.2 ¶ 1 c)
    The organization shall: evaluate compliance and take action if needed; § 9.1.2 ¶ 2 b)
    The management review shall include consideration of: information on the organization's environmental performance, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2 d) 1)]
    Process or Activity Corrective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403
    [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.2 ¶ 1 d)]
    Investigate Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable: § 10.2 ¶ 1 a)]
    Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404
    [Corrective actions shall be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s). § 10.2 ¶ 2]
    Human Resources Management Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Establish/Maintain Documentation Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Establish/Maintain Documentation Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Establish/Maintain Documentation Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Establish/Maintain Documentation Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Establish/Maintain Documentation Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Establish/Maintain Documentation Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Communicate Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Establish/Maintain Documentation Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Establish/Maintain Documentation Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Establish/Maintain Documentation Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Establish/Maintain Documentation Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Establish/Maintain Documentation Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Establish/Maintain Documentation Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Establish/Maintain Documentation Preventive
    Report on the policies and controls that have been implemented by management. CC ID 01670 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Establish/Maintain Documentation Preventive
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 Establish/Maintain Documentation Preventive
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Establish/Maintain Documentation Preventive
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Actionable Reports or Measurements Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 Establish/Maintain Documentation Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Actionable Reports or Measurements Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Actionable Reports or Measurements Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Establish/Maintain Documentation Preventive
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Actionable Reports or Measurements Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Actionable Reports or Measurements Detective
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Actionable Reports or Measurements Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071
    [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2 a)]
    Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics standard and template. CC ID 02157 Establish/Maintain Documentation Preventive
    Convert data into standard units before reporting metrics. CC ID 15507 Process or Activity Corrective
    Monitor compliance with the Quality Control system. CC ID 01023 Actionable Reports or Measurements Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Actionable Reports or Measurements Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Establish/Maintain Documentation Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Actionable Reports or Measurements Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Actionable Reports or Measurements Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Establish/Maintain Documentation Preventive
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Actionable Reports or Measurements Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who have access to security software and are trained and authorized Security Administrators. CC ID 01691 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who are able to assign security privileges and are trained and authorized Security Administrators. CC ID 01692 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 Establish/Maintain Documentation Preventive
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Actionable Reports or Measurements Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Actionable Reports or Measurements Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Actionable Reports or Measurements Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Establish/Maintain Documentation Preventive
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Actionable Reports or Measurements Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Actionable Reports or Measurements Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Actionable Reports or Measurements Detective
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Establish/Maintain Documentation Preventive
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Actionable Reports or Measurements Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Business Processes Preventive
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Actionable Reports or Measurements Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Actionable Reports or Measurements Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Business Processes Preventive
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Actionable Reports or Measurements Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a physical environment metrics program. CC ID 02063 Business Processes Preventive
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Actionable Reports or Measurements Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Actionable Reports or Measurements Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a privacy metrics program. CC ID 15494 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain environmental management system performance metrics. CC ID 15191
    [The management review shall include consideration of: information on the organization's environmental performance, including trends in: monitoring and measurement results; § 9.3 ¶ 2 d) 2)
    The organization shall monitor, measure, analyse and evaluate its environmental performance. § 9.1.1 ¶ 1
    The organization shall determine: the criteria against which the organization will evaluate its environmental performance, and appropriate indicators; § 9.1.1 ¶ 2 c)
    {be measurable} The environmental objectives shall be: measurable (if practicable); § 6.2.1 ¶ 2 b)]
    Actionable Reports or Measurements Preventive
    Establish, implement, and maintain waste management metrics. CC ID 16152 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain emissions management metrics. CC ID 16145 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain financial management metrics. CC ID 16749 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Business Processes Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Actionable Reports or Measurements Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Business Processes Preventive
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Actionable Reports or Measurements Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Actionable Reports or Measurements Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Actionable Reports or Measurements Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Actionable Reports or Measurements Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Actionable Reports or Measurements Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Business Processes Preventive
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Actionable Reports or Measurements Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Actionable Reports or Measurements Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Actionable Reports or Measurements Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Actionable Reports or Measurements Detective
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Actionable Reports or Measurements Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Log Management Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Log Management Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Log Management Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Log Management Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Business Processes Preventive
    Report on the percentage of laptops and mobile devices that must comply with the approved configuration standard before being granted network access. CC ID 02106 Actionable Reports or Measurements Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Actionable Reports or Measurements Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Actionable Reports or Measurements Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Business Processes Preventive
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Actionable Reports or Measurements Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Business Processes Preventive
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Actionable Reports or Measurements Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Actionable Reports or Measurements Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Actionable Reports or Measurements Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Business Processes Preventive
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Technical Security Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Actionable Reports or Measurements Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Business Processes Preventive
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Actionable Reports or Measurements Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Actionable Reports or Measurements Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Business Processes Preventive
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Actionable Reports or Measurements Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Actionable Reports or Measurements Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Business Processes Preventive
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Actionable Reports or Measurements Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Actionable Reports or Measurements Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Actionable Reports or Measurements Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Actionable Reports or Measurements Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Actionable Reports or Measurements Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Actionable Reports or Measurements Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Actionable Reports or Measurements Detective
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Communicate Preventive
    Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Establish/Maintain Documentation Preventive
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Actionable Reports or Measurements Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Actionable Reports or Measurements Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Actionable Reports or Measurements Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Actionable Reports or Measurements Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Actionable Reports or Measurements Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Actionable Reports or Measurements Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a log management program. CC ID 00673 Establish/Maintain Documentation Preventive
    Deploy log normalization tools, as necessary. CC ID 12141 Technical Security Preventive
    Restrict access to logs to authorized individuals. CC ID 01342 Log Management Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Technical Security Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Log Management Preventive
    Back up audit trails according to backup procedures. CC ID 11642 Systems Continuity Preventive
    Back up logs according to backup procedures. CC ID 01344 Log Management Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Log Management Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Log Management Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Log Management Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Log Management Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Log Management Preventive
    Protect logs from unauthorized activity. CC ID 01345 Log Management Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Log Management Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Log Management Preventive
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Configuration Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Log Management Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Establish/Maintain Documentation Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Audits and Risk Management Preventive
    Monitor the performance of the governance, risk, and compliance capability. CC ID 12857
    [When planning how to achieve its environmental objectives, the organization shall determine: how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). § 6.2.2 ¶ 1 e)]
    Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable: deal with the consequences, including mitigating adverse environmental impacts; § 10.2 ¶ 1 a) 2)
    The organization shall determine opportunities for improvement (see 9.1, 9.2 and 9.3) and implement necessary actions to achieve the intended outcomes of its environmental management system. § 10.1 ¶ 1]
    Monitor and Evaluate Occurrences Detective
    Align corrective actions with the level of environmental impact. CC ID 15193
    [Corrective actions shall be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s). § 10.2 ¶ 2]
    Business Processes Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178
    [{environmental aspect}The organization shall plan: to take actions to address its: risks and opportunities identified in 6.1.1; § 6.1.4 ¶ 1 a) 3)]
    Establish/Maintain Documentation Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177
    [The organization shall plan: to take actions to address its: significant environmental aspects; § 6.1.4 ¶ 1 a) 1)]
    Establish/Maintain Documentation Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Establish/Maintain Documentation Preventive
    Include monitoring in the corrective action plan. CC ID 11645 Monitor and Evaluate Occurrences Detective
    Protect against misusing automated audit tools. CC ID 04547 Technical Security Preventive
    Evaluate the measurement process used for metrics. CC ID 06920
    [{what needs to be measured} The organization shall determine: what needs to be monitored and measured; § 9.1.1 ¶ 2 a)]
    Testing Detective
  • Operational and Systems Continuity
    76
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [{response}{adverse impact}The organization shall: prepare to respond by planning actions to prevent or mitigate adverse environmental impacts from emergency situations; § 8.2 ¶ 2 a)]
    Establish/Maintain Documentation Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Communicate Corrective
    Identify all stakeholders in the continuity plan. CC ID 13256 Establish/Maintain Documentation Preventive
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373
    [The organization shall: respond to actual emergency situations; § 8.2 ¶ 2 b)]
    Systems Continuity Corrective
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Communicate Preventive
    Maintain normal security levels when an emergency occurs. CC ID 06377 Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Systems Continuity Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Human Resources Management Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Establish/Maintain Documentation Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Establish/Maintain Documentation Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Human Resources Management Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Systems Continuity Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Configuration Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Behavior Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Establish/Maintain Documentation Preventive
    Restore systems and environments to be operational. CC ID 13476 Systems Continuity Corrective
    Include the continuity strategy in the continuity plan. CC ID 13189 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Establish/Maintain Documentation Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Technical Security Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Establish/Maintain Documentation Preventive
    Monitor and evaluate business continuity management system performance. CC ID 12410 Monitor and Evaluate Occurrences Detective
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Process or Activity Preventive
    Record business continuity management system performance for posterity. CC ID 12411 Monitor and Evaluate Occurrences Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Establish/Maintain Documentation Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Establish/Maintain Documentation Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Establish Roles Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236
    [The organization shall establish, implement and maintain the process(es) needed to prepare for and respond to potential emergency situations identified in 6.1.1. § 8.2 ¶ 1]
    Establish/Maintain Documentation Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Communicate Preventive
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Establish/Maintain Documentation Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Configuration Preventive
    Install a generator sized to support the facility. CC ID 06709 Configuration Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Acquisition/Sale of Assets or Services Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Establish/Maintain Documentation Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Establish/Maintain Documentation Preventive
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Testing Detective
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [The organization shall: periodically review and revise the process(es) and planned response actions, in particular after the occurrence of emergency situations or tests; § 8.2 ¶ 2 e)
    {be appropriate}The organization shall: take action to prevent or mitigate the consequences of emergency situations, appropriate to the magnitude of the emergency and the potential environmental impact; § 8.2 ¶ 2 c)]
    Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Establish/Maintain Documentation Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290
    [The organization shall: periodically test the planned response actions, where practicable; § 8.2 ¶ 2 d)]
    Testing Detective
    Test the backup information, as necessary. CC ID 13303 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Communicate Preventive
    Include restoration procedures in the continuity plan. CC ID 01169 Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Systems Continuity Corrective
    Train personnel on the continuity plan. CC ID 00759
    [The organization shall: provide relevant information and training related to emergency preparedness and response, as appropriate, to relevant interested parties, including persons working under its control. § 8.2 ¶ 2 f)]
    Behavior Preventive
    Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 Behavior Preventive
    Incorporate simulated events into the continuity plan training. CC ID 01402 Behavior Preventive
    Include cross-team coordination in continuity plan training. CC ID 16235 Training Preventive
    Include stay at home order training in the continuity plan training. CC ID 14382 Training Preventive
    Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 Training Preventive
    Include personal protection in continuity plan training. CC ID 14394 Training Preventive
  • Operational management
    451
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Plan for business process conversions, as necessary. CC ID 13678
    [The organization shall plan: how to: integrate and implement the actions into its environmental management system processes (see 6.2, Clause 7, Clause 8 and 9.1), or other business processes; § 6.1.4 ¶ 1 b) 1)]
    Business Processes Corrective
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [The organization shall plan: to take actions to address its: compliance obligations; § 6.1.4 ¶ 1 a) 2)
    The organization shall establish, implement and maintain the process(es) needed to evaluate fulfilment of its compliance obligations. § 9.1.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 Establish/Maintain Documentation Preventive
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955
    [{internal communication}{be relevant}The organization shall: internally communicate information relevant to the environmental management system among the various levels and functions of the organization, including changes to the environmental management system, as appropriate; § 7.4.2 ¶ 1 a)]
    Behavior Preventive
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Establish/Maintain Documentation Preventive
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the resources needed for the environmental management system are available; § 5.1 ¶ 1 d)
    The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the environmental management system. § 7.1 ¶ 1
    The outputs of the management review shall include: decisions related to any need for changes to the environmental management system, including resources; § 9.3 ¶ 3 Bullet 3]
    Acquisition/Sale of Assets or Services Preventive
    Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 Process or Activity Preventive
    Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853
    [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2
    The management review shall include consideration of: changes in: its significant environmental aspects; § 9.3 ¶ 2 b) 3)
    The management review shall include consideration of: changes in: risks and opportunities; § 9.3 ¶ 2 b) 4)
    The outputs of the management review shall include: decisions related to any need for changes to the environmental management system, including resources; § 9.3 ¶ 3 Bullet 3]
    Establish/Maintain Documentation Preventive
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895
    [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2]
    Process or Activity Preventive
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809
    [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; § 6.1.1 ¶ 3 Bullet 2
    The organization shall plan: how to: evaluate the effectiveness of these actions (see 9.1). § 6.1.4 ¶ 1 b) 2)
    When planning how to achieve its environmental objectives, the organization shall determine: how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). § 6.2.2 ¶ 1 e)
    The organization shall evaluate its environmental performance and the effectiveness of the environmental management system. § 9.1.1 ¶ 4
    The outputs of the management review shall include: actions, if needed, when environmental objectives have not been achieved; § 9.3 ¶ 3 Bullet 4
    The outputs of the management review shall include: any implications for the strategic direction of the organization. § 9.3 ¶ 3 Bullet 6]
    Audits and Risk Management Preventive
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 Human Resources Management Preventive
    Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 Human Resources Management Preventive
    Establish, implement, and maintain a compliance policy. CC ID 14807 Establish/Maintain Documentation Preventive
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813 Establish/Maintain Documentation Preventive
    Include the scope in the compliance policy. CC ID 14812 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the compliance policy. CC ID 14811 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Establish/Maintain Documentation Preventive
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Communicate Preventive
    Include management commitment in the compliance policy. CC ID 14808 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a governance policy. CC ID 15587 Establish/Maintain Documentation Preventive
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 Communicate Preventive
    Include a commitment to continuous improvement in the governance policy. CC ID 15595 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the governance policy. CC ID 15594 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a positive information control environment. CC ID 00813 Business Processes Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Behavior Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820 Establish/Maintain Documentation Preventive
    Define the scope for the internal control framework. CC ID 16325 Business Processes Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Business Processes Detective
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Actionable Reports or Measurements Corrective
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Establish Roles Preventive
    Assign resources to implement the internal control framework. CC ID 00816 Business Processes Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Establish Roles Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Business Processes Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Establish/Maintain Documentation Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Establish/Maintain Documentation Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Business Processes Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [The management review shall include consideration of opportunities for continual improvement. § 9.3 ¶ 2 g)
    The outputs of the management review shall include: decisions related to continual improvement opportunities; § 9.3 ¶ 3 Bullet 2]
    Establish/Maintain Documentation Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Establish/Maintain Documentation Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Establish/Maintain Documentation Preventive
    Automate threat assessments, as necessary. CC ID 06877 Configuration Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Establish/Maintain Documentation Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Configuration Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Establish/Maintain Documentation Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Establish/Maintain Documentation Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Establish/Maintain Documentation Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Establish/Maintain Documentation Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Communicate Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Process or Activity Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Establish/Maintain Documentation Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Establish/Maintain Documentation Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Establish/Maintain Documentation Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Establish/Maintain Documentation Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Establish/Maintain Documentation Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Communicate Preventive
    Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 Communicate Preventive
    Establish, implement, and maintain a cybersecurity policy. CC ID 16833 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374 Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Establish/Maintain Documentation Preventive
    Include system development in the information security program. CC ID 12389 Establish/Maintain Documentation Preventive
    Include system maintenance in the information security program. CC ID 12388 Establish/Maintain Documentation Preventive
    Include system acquisition in the information security program. CC ID 12387 Establish/Maintain Documentation Preventive
    Include access control in the information security program. CC ID 12386 Establish/Maintain Documentation Preventive
    Review and approve access controls, as necessary. CC ID 13074 Process or Activity Detective
    Include operations management in the information security program. CC ID 12385 Establish/Maintain Documentation Preventive
    Include communication management in the information security program. CC ID 12384 Establish/Maintain Documentation Preventive
    Include environmental security in the information security program. CC ID 12383 Establish/Maintain Documentation Preventive
    Include physical security in the information security program. CC ID 12382 Establish/Maintain Documentation Preventive
    Include human resources security in the information security program. CC ID 12381 Establish/Maintain Documentation Preventive
    Include asset management in the information security program. CC ID 12380 Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Establish/Maintain Documentation Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Establish/Maintain Documentation Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Establish/Maintain Documentation Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Establish/Maintain Documentation Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Establish/Maintain Documentation Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378 Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Establish/Maintain Documentation Preventive
    Provide management direction and support for the information security program. CC ID 11999 Process or Activity Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740 Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include business processes in the information security policy. CC ID 16326 Establish/Maintain Documentation Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Establish/Maintain Documentation Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Establish/Maintain Documentation Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Include notification procedures in the information security policy. CC ID 16842 Establish/Maintain Documentation Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Process or Activity Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Business Processes Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Communicate Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Process or Activity Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Human Resources Management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Establish/Maintain Documentation Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Human Resources Management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Communicate Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Establish/Maintain Documentation Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Business Processes Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Business Processes Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Behavior Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Establish/Maintain Documentation Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Establish/Maintain Documentation Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Establish/Maintain Documentation Preventive
    Perform social network analysis, as necessary. CC ID 14864 Investigate Detective
    Establish, implement, and maintain operational control procedures. CC ID 00831 Establish/Maintain Documentation Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Establish/Maintain Documentation Preventive
    Include startup processes in operational control procedures. CC ID 00833 Establish/Maintain Documentation Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Establish/Maintain Documentation Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Establish/Maintain Documentation Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Process or Activity Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Establish/Maintain Documentation Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Establish/Maintain Documentation Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Establish/Maintain Documentation Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Establish/Maintain Documentation Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Establish/Maintain Documentation Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Establish/Maintain Documentation Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Establish/Maintain Documentation Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Establish/Maintain Documentation Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Establish/Maintain Documentation Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Establish/Maintain Documentation Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Establish/Maintain Documentation Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Records Management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Business Processes Preventive
    Provide support for information sharing activities. CC ID 15644 Process or Activity Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Business Processes Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Establish/Maintain Documentation Corrective
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Communicate Preventive
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Establish/Maintain Documentation Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Establish/Maintain Documentation Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Establish/Maintain Documentation Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Establish/Maintain Documentation Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Communicate Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Business Processes Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Establish/Maintain Documentation Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Establish/Maintain Documentation Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Establish/Maintain Documentation Preventive
    Identify the sender in all electronic messages. CC ID 13996 Data and Information Management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536 Establish/Maintain Documentation Preventive
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Communicate Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a use of information agreement. CC ID 06215 Establish/Maintain Documentation Preventive
    Include use limitations in the use of information agreement. CC ID 06244 Establish/Maintain Documentation Preventive
    Include disclosure requirements in the use of information agreement. CC ID 11735 Establish/Maintain Documentation Preventive
    Include information recipients in the use of information agreement. CC ID 06245 Establish/Maintain Documentation Preventive
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Establish/Maintain Documentation Preventive
    Include disclosure of information in the use of information agreement. CC ID 11830 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Establish/Maintain Documentation Preventive
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Establish/Maintain Documentation Preventive
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 Process or Activity Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Process or Activity Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: § 5.1 ¶ 1]
    Process or Activity Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Process or Activity Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Process or Activity Preventive
    Analyze the organizational culture. CC ID 12899 Process or Activity Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Process or Activity Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Process or Activity Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Process or Activity Detective
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Behavior Preventive
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Business Processes Preventive
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Business Processes Preventive
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Business Processes Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Behavior Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Behavior Preventive
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Business Processes Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Behavior Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Behavior Preventive
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Process or Activity Corrective
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [Top management shall assign the responsibility and authority for: ensuring that the environmental management system conforms to the requirements of this International Standard; § 5.3 ¶ 2 a)
    The outputs of the management review shall include: opportunities to improve integration of the environmental management system with other business processes, if needed; § 9.3 ¶ 3 Bullet 5]
    Establish/Maintain Documentation Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Communicate Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004 Business Processes Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815
    [{internal communication}{be relevant} The organization shall: internally communicate information relevant to the environmental management system among the various levels and functions of the organization, including changes to the environmental management system, as appropriate; § 7.4.2 ¶ 1 a)
    {external communication}{be relevant} The organization shall externally communicate information relevant to the environmental management system, as established by the organization's communication process(es) and as required by its compliance obligations. § 7.4.3 ¶ 1
    The organization shall: maintain knowledge and understanding of its compliance status. § 9.1.2 ¶ 2 c)
    The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations. § 9.1.1 ¶ 5]
    Behavior Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [Consistent with a life cycle perspective, the organization shall: consider the need to provide information about potential significant environmental impacts associated with the transportation or delivery, use, end-of-life treatment and final disposal of its products and services. § 8.1 ¶ 4 d)]
    Business Processes Preventive
    Establish, implement, and maintain an asset management policy. CC ID 15219 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the asset management policy. CC ID 16424 Business Processes Preventive
    Establish, implement, and maintain asset management procedures. CC ID 16748 Establish/Maintain Documentation Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Human Resources Management Preventive
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Business Processes Preventive
    Include life cycle requirements in the security management program. CC ID 16392 Establish/Maintain Documentation Preventive
    Include program objectives in the asset management program. CC ID 14413 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Establish/Maintain Documentation Preventive
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Business Processes Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Establish/Maintain Documentation Preventive
    Define confidentiality controls. CC ID 01908 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Establish/Maintain Documentation Preventive
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Process or Activity Preventive
    Define integrity controls. CC ID 01909 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Establish/Maintain Documentation Preventive
    Define availability controls. CC ID 01911 Establish/Maintain Documentation Preventive
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Communicate Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Establish Roles Preventive
    Classify virtual systems by type and purpose. CC ID 16332 Business Processes Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Establish/Maintain Documentation Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Establish Roles Preventive
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Configuration Preventive
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631 Business Processes Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Establish/Maintain Documentation Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Establish/Maintain Documentation Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Systems Design, Build, and Implementation Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Data and Information Management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Establish/Maintain Documentation Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Establish/Maintain Documentation Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Establish/Maintain Documentation Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Establish/Maintain Documentation Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Establish/Maintain Documentation Preventive
    Conduct environmental surveys. CC ID 00690 Physical and Environmental Protection Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Establish/Maintain Documentation Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Establish/Maintain Documentation Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Establish/Maintain Documentation Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Process or Activity Preventive
    Include software in the Information Technology inventory. CC ID 00692 Establish/Maintain Documentation Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Establish/Maintain Documentation Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Establish/Maintain Documentation Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Establish/Maintain Documentation Preventive
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Monitor and Evaluate Occurrences Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Monitor and Evaluate Occurrences Corrective
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Establish/Maintain Documentation Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Technical Security Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Technical Security Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Data and Information Management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Establish/Maintain Documentation Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Data and Information Management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Data and Information Management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Establish/Maintain Documentation Preventive
    Include source code in the asset inventory. CC ID 14858 Records Management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Human Resources Management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Technical Security Detective
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Establish/Maintain Documentation Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Data and Information Management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Establish/Maintain Documentation Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Establish/Maintain Documentation Preventive
    Record the software version in the asset inventory. CC ID 12196 Establish/Maintain Documentation Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Establish/Maintain Documentation Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Establish/Maintain Documentation Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Establish/Maintain Documentation Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Establish/Maintain Documentation Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Establish/Maintain Documentation Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Establish/Maintain Documentation Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Establish/Maintain Documentation Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Establish/Maintain Documentation Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Establish/Maintain Documentation Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Data and Information Management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Establish/Maintain Documentation Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Data and Information Management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Establish/Maintain Documentation Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Establish/Maintain Documentation Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Establish/Maintain Documentation Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Establish/Maintain Documentation Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Establish/Maintain Documentation Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Establish/Maintain Documentation Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Establish/Maintain Documentation Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Data and Information Management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Data and Information Management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Establish/Maintain Documentation Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Establish/Maintain Documentation Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Establish/Maintain Documentation Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Establish/Maintain Documentation Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Establish/Maintain Documentation Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Establish/Maintain Documentation Preventive
    Prevent users from disabling required software. CC ID 16417 Technical Security Preventive
    Establish, implement, and maintain software archives procedures. CC ID 00866 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software license management procedures. CC ID 06639 Establish/Maintain Documentation Preventive
    Automate software license monitoring, as necessary. CC ID 07057 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Establish/Maintain Documentation Preventive
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Testing Detective
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Behavior Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Data and Information Management Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Acquisition/Sale of Assets or Services Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Establish/Maintain Documentation Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system disposal program. CC ID 14431 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain disposal procedures. CC ID 16513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Establish/Maintain Documentation Preventive
    Destroy systems in accordance with the system disposal program. CC ID 16457 Business Processes Preventive
    Approve the release of systems and waste material into the public domain. CC ID 16461 Business Processes Preventive
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Establish/Maintain Documentation Preventive
    Establish and maintain maintenance reports. CC ID 11749 Establish/Maintain Documentation Preventive
    Establish and maintain system inspection reports. CC ID 06346 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Establish/Maintain Documentation Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Establish/Maintain Documentation Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Establish/Maintain Documentation Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Communicate Preventive
    Include the purpose in the system maintenance policy. CC ID 14187 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Communicate Preventive
    Establish, implement, and maintain a technology refresh plan. CC ID 13061 Establish/Maintain Documentation Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Physical and Environmental Protection Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Behavior Preventive
    Use system components only when third party support is available. CC ID 10644 Maintenance Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Maintenance Preventive
    Control and monitor all maintenance tools. CC ID 01432 Physical and Environmental Protection Detective
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Business Processes Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433 Technical Security Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Configuration Preventive
    Approve all remote maintenance sessions. CC ID 10615 Technical Security Preventive
    Log the performance of all remote maintenance. CC ID 13202 Log Management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Technical Security Preventive
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Maintenance Preventive
    Conduct maintenance with authorized personnel. CC ID 01434 Testing Detective
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Maintenance Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Maintenance Preventive
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Behavior Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Establish/Maintain Documentation Preventive
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Acquisition/Sale of Assets or Services Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435 Behavior Preventive
    Restart systems on a periodic basis. CC ID 16498 Maintenance Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Maintenance Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Technical Security Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Technical Security Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Human Resources Management Preventive
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Physical and Environmental Protection Preventive
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203
    [The organization shall ensure that calibrated or verified monitoring and measurement equipment is used and maintained, as appropriate. § 9.1.1 ¶ 3]
    Testing Detective
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Establish/Maintain Documentation Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Process or Activity Preventive
    Refrain from protecting physical assets when no longer required. CC ID 13484 Physical and Environmental Protection Corrective
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Business Processes Preventive
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Establish/Maintain Documentation Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278 Business Processes Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Business Processes Preventive
    Establish, implement, and maintain disposal contracts. CC ID 12199 Establish/Maintain Documentation Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Establish/Maintain Documentation Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Business Processes Preventive
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Establish/Maintain Documentation Preventive
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Testing Detective
    Review each system's operational readiness. CC ID 06275 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a data stewardship policy. CC ID 06657 Establish/Maintain Documentation Preventive
    Establish and maintain an unauthorized software list. CC ID 10601 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a change control program. CC ID 00886 Establish/Maintain Documentation Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include version control in the change control program. CC ID 13119
    [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3 ¶ 2 Bullet 3]
    Establish/Maintain Documentation Preventive
    Implement changes according to the change control program. CC ID 11776
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Business Processes Preventive
    Provide audit trails for all approved changes. CC ID 13120 Establish/Maintain Documentation Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Business Processes Corrective
    Manage the creation of products and services, as necessary. CC ID 13497
    [Consistent with a life cycle perspective, the organization shall: establish controls, as appropriate, to ensure that its environmental requirement(s) is (are) addressed in the design and development process for the product or service, considering each life cycle stage; § 8.1 ¶ 4 a)]
    Business Processes Preventive
    Define the processing specifications for products and services creation requirements. CC ID 13523 Establish/Maintain Documentation Preventive
    Define the processing activities to meet products and services creation requirements. CC ID 13499 Business Processes Preventive
    Delete age-restricted content, as necessary. CC ID 15450 Process or Activity Preventive
    Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 Establish/Maintain Documentation Preventive
    Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 Process or Activity Preventive
    Establish, implement, and maintain an environmental management system. CC ID 14945
    [The organization shall consider the knowledge gained in 4.1 and 4.2 when establishing and maintaining the environmental management system. § 4.4 ¶ 2
    Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental management system achieves its intended outcomes; § 5.1 ¶ 1 f)
    To achieve the intended outcomes, including enhancing its environmental performance, the organization shall establish, implement, maintain and continually improve an environmental management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard. § 4.4 ¶ 1
    The organization shall continually improve the suitability, adequacy and effectiveness of the environmental management system to enhance environmental performance. § 10.3 ¶ 1
    The outputs of the management review shall include: conclusions on the continuing suitability, adequacy and effectiveness of the environmental management system; § 9.3 ¶ 3 Bullet 1
    {environmental objectives}{compliance obligations} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: § 8.1 ¶ 1
    When a nonconformity occurs, the organization shall: make changes to the environmental management system, if necessary. § 10.2 ¶ 1 e)
    Top management shall review the organization's environmental management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1]
    Business Processes Preventive
    Establish, implement, and maintain environmental management system processes. CC ID 14954
    [The organization shall establish, implement and maintain the process(es) needed to meet the requirements in 6.1.1 to 6.1.4. § 6.1.1 ¶ 1
    The organization shall plan: how to: integrate and implement the actions into its environmental management system processes (see 6.2, Clause 7, Clause 8 and 9.1), or other business processes; § 6.1.4 ¶ 1 b) 1)
    {environmental objectives}{compliance obligations} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: § 8.1 ¶ 1
    {environmental objective}{compliance obligation}{operating process}The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: establishing operating criteria for the process(es); § 8.1 ¶ 1 Bullet 1]
    Process or Activity Preventive
    Include risks and opportunities in the environmental management system. CC ID 15201
    [{external and internal issues} and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: § 6.1.1 ¶ 3
    The organization shall maintain documented information of its: risks and opportunities that need to be addressed; § 6.1.1 ¶ 5 Bullet 1]
    Establish/Maintain Documentation Preventive
    Include communications in the environmental management system. CC ID 15199
    [{internal communications} The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: § 7.4.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain environmental performance monitoring procedures. CC ID 15222
    [The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1.1 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for environmental performance monitoring. CC ID 15220
    [The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1.1 ¶ 2 e)]
    Business Processes Preventive
    Prioritize and select controls based on environmental management system requirements. CC ID 15197
    [{environmental objective}{compliance obligation}{process control}{operating standard} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: implementing control of the process(es), in accordance with the operating criteria. § 8.1 ¶ 1 Bullet 2]
    Process or Activity Preventive
    Disseminate and communicate environmental information to interested personnel and affected parties. CC ID 15195
    [The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations. § 9.1.1 ¶ 5]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate environmental requirements to interested personnel and affected parties. CC ID 15196
    [Consistent with a life cycle perspective, the organization shall: communicate its relevant environmental requirement(s) to external providers, including contractors; § 8.1 ¶ 4 c)]
    Communicate Preventive
    Include compliance obligations in the environmental management system. CC ID 15185
    [{take into account} The organization shall: take these compliance obligations into account when establishing, implementing, maintaining and continually improving its environmental management system. § 6.1.3 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain environmental objectives. CC ID 15186
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: provides a framework for setting environmental objectives; § 5.2 ¶ 1 b)
    The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1
    {be consistent} The environmental objectives shall be: consistent with the environmental policy; § 6.2.1 ¶ 2 a)
    The organization shall maintain documented information on the environmental objectives. § 6.2.1 ¶ 3
    When planning how to achieve its environmental objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1 d)
    When planning how to achieve its environmental objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1 a)
    The environmental objectives shall be: updated as appropriate. § 6.2.1 ¶ 2 e)]
    Establish/Maintain Documentation Preventive
    Monitor environmental objectives. CC ID 15189
    [The environmental objectives shall be: monitored; § 6.2.1 ¶ 2 c)]
    Monitor and Evaluate Occurrences Detective
    Include risks and opportunities in the environmental objectives. CC ID 15188
    [The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Integrate environmental objectives into the business process. CC ID 15192
    [The organization shall consider how actions to achieve its environmental objectives can be integrated into the organization's business processes. § 6.2.2 ¶ 2]
    Business Processes Preventive
    Include the required resources in the environmental objectives. CC ID 15221
    [When planning how to achieve its environmental objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the environmental objectives. CC ID 15187
    [The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the environmental objectives to interested personnel and affected parties. CC ID 15190
    [The environmental objectives shall be: communicated; § 6.2.1 ¶ 2 d)]
    Communicate Preventive
    Analyze environmental aspects using established criteria. CC ID 15230
    [{be significant} The organization shall determine those aspects that have or can have a significant environmental impact, i.e. significant environmental aspects, by using established criteria. § 6.1.2 ¶ 3]
    Process or Activity Detective
    Document the criteria used to determine the environmental aspects. CC ID 15181
    [The organization shall maintain documented information of its: criteria used to determine its significant environmental aspects; § 6.1.2 ¶ 5 Bullet 2]
    Establish/Maintain Documentation Preventive
    Take into account emergency situations when determining environmental aspects. CC ID 15180
    [When determining environmental aspects, the organization shall take into account: abnormal conditions and reasonably foreseeable emergency situations. § 6.1.2 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Take into account abnormal conditions when determining environmental aspects. CC ID 15179
    [When determining environmental aspects, the organization shall take into account: abnormal conditions and reasonably foreseeable emergency situations. § 6.1.2 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Include the organization's significant environmental aspects in the environmental management system. CC ID 15176
    [The organization shall maintain documented information of its: significant environmental aspects. § 6.1.2 ¶ 5 Bullet 3]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the environmental aspects to interested personnel and affected parties. CC ID 14983
    [The organization shall communicate its significant environmental aspects among the various levels and functions of the organization, as appropriate. § 6.1.2 ¶ 4]
    Communicate Preventive
    Include the environmental management system requirements in the environmental management system. CC ID 14978
    [{be effective} Top management shall demonstrate leadership and commitment with respect to the environmental management system by: communicating the importance of effective environmental management and of conforming to the environmental management system requirements; § 5.1 ¶ 1 e)
    {environmental objective}{compliance obligation}{operating process} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: establishing operating criteria for the process(es); § 8.1 ¶ 1 Bullet 1]
    Establish/Maintain Documentation Preventive
    Include environmental impacts in the environmental management system. CC ID 15175
    [The organization shall maintain documented information of its: environmental aspects and associated environmental impacts; § 6.1.2 ¶ 5 Bullet 1]
    Establish/Maintain Documentation Preventive
    Analyze the environmental impact of organizational changes. CC ID 14979
    [When determining environmental aspects, the organization shall take into account: change, including planned or new developments, and new or modified activities, products and services; § 6.1.2 ¶ 2 a)]
    Process or Activity Detective
    Analyze the environmental impact of changes in developments, activities, products, and services. CC ID 14980
    [When determining environmental aspects, the organization shall take into account: change, including planned or new developments, and new or modified activities, products and services; § 6.1.2 ¶ 2 a)]
    Process or Activity Detective
    Disseminate and communicate the environmental management system to interested personnel and affected parties. CC ID 14976
    [{be effective} Top management shall demonstrate leadership and commitment with respect to the environmental management system by: communicating the importance of effective environmental management and of conforming to the environmental management system requirements; § 5.1 ¶ 1 e)]
    Communicate Preventive
    Include roles and responsibilities in the environmental management system. CC ID 14971
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1 i)
    {responsible party}When planning how to achieve its environmental objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1 c)]
    Human Resources Management Preventive
    Include a commitment to continuous improvement in the environmental management system. CC ID 14970
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: promoting continual improvement; § 5.1 ¶ 1 h)
    {external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: achieve continual improvement. § 6.1.1 ¶ 3 Bullet 3]
    Establish/Maintain Documentation Preventive
    Provide management direction and support for the environmental management system. CC ID 14968
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: directing and supporting persons to contribute to the effectiveness of the environmental management system; § 5.1 ¶ 1 g)]
    Business Processes Preventive
    Assign accountability for the effectiveness of the environmental management system. CC ID 14966
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: taking accountability for the effectiveness of the environmental management system; § 5.1 ¶ 1 a)]
    Establish Roles Preventive
    Include third party requirements in the environmental management system. CC ID 14964
    [{interested parties}{compliance obligations}When planning for the environmental management system, the organization shall consider: the requirements referred to in 4.2; § 6.1.1 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Provide assurance that the environmental management system meets all compliance requirements. CC ID 14958
    [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: give assurance that the environmental management system can achieve its intended outcomes; § 6.1.1 ¶ 3 Bullet 1]
    Business Processes Preventive
    Include environmental conditions in the environmental management system. CC ID 14952
    [{external and internal issues}{environmental conditions}When planning for the environmental management system, the organization shall consider: the issues referred to in 4.1; § 6.1.1 ¶ 2 a)]
    Establish/Maintain Documentation Preventive
    Include the scope in the environmental management system. CC ID 14950
    [When planning for the environmental management system, the organization shall consider: the scope of its environmental management system; § 6.1.1 ¶ 2 c)
    The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. § 4.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include emergency situations in the scope of the environmental management system. CC ID 14995
    [Within the scope of the environmental management system, the organization shall determine potential emergency situations, including those that can have an environmental impact. § 6.1.1 ¶ 4]
    Establish/Maintain Documentation Preventive
    Include the environmental impact of activities, products, and services in the scope of the environmental management system. CC ID 15184
    [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Analyze activities, products, and services within the scope of the environmental management system to determine the environmental aspects. CC ID 15183
    [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1]
    Business Processes Detective
    Include activities, products, and services in the scope of the environmental management system. CC ID 15182
    [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an environmental policy. CC ID 14947
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: § 5.2 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and the context of the organization; § 5.1 ¶ 1 b)
    The environmental policy shall: be maintained as documented information; § 5.2 ¶ 2 Bullet 1]
    Establish/Maintain Documentation Preventive
    Include continuous improvement of environmental performance in the environmental policy. CC ID 14994
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to continual improvement of the environmental management system to enhance environmental performance. § 5.2 ¶ 1 e)]
    Establish/Maintain Documentation Preventive
    Include compliance obligations in the environmental policy. CC ID 14993
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to fulfil its compliance obligations; § 5.2 ¶ 1 d)]
    Establish/Maintain Documentation Preventive
    Include a commitment to the protection of the environment in the environmental policy. CC ID 14991
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to the protection of the environment, including prevention of pollution and other specific commitment(s) relevant to the context of the organization; § 5.2 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Include the scope in the environmental policy. CC ID 14987
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: is appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services; § 5.2 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Include purpose and context in the environmental policy. CC ID 14985
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: is appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services; § 5.2 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Tailor the environmental policy to be compatible with the organization's strategic direction. CC ID 14974
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and the context of the organization; § 5.1 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the environmental policy to all interested personnel and affected parties. CC ID 14956
    [The environmental policy shall: be communicated within the organization; § 5.2 ¶ 2 Bullet 2
    The environmental policy shall: be available to interested parties. § 5.2 ¶ 2 Bullet 3]
    Communicate Preventive
  • Physical and environmental protection
    5
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 Establish/Maintain Documentation Preventive
    Include the scope in the physical and environmental protection policy. CC ID 14170
    [The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. § 4.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061
    [Once the scope is defined, all activities, products and services of the organization within that scope need to be included in the environmental management system. § 4.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 Communicate Preventive
  • Records management
    172
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903
    [{place}{time}Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 Establish/Maintain Documentation Detective
    Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain form disposition procedures. CC ID 06394 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a record classification scheme. CC ID 00914 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a business activity classification standard. CC ID 00915 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain records registration procedures. CC ID 00913 Establish/Maintain Documentation Detective
    Define the terms used in the record classification scheme. CC ID 00916 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a records authentication system. CC ID 11648 Establish/Maintain Documentation Preventive
    Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662 Records Management Preventive
    Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 Records Management Detective
    Establish and maintain an index of all official records. CC ID 00918 Establish/Maintain Documentation Preventive
    Associate records with their security attributes. CC ID 06764 Records Management Preventive
    Reconfigure the security attributes of records as the information changes. CC ID 06765 Configuration Preventive
    Establish, implement, and maintain electronic signature requirements. CC ID 06219 Establish/Maintain Documentation Preventive
    Implement a signature revocation service. CC ID 14417 Business Processes Preventive
    Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 Records Management Preventive
    Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 Technical Security Preventive
    Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 Technical Security Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a data retention program. CC ID 00906 Establish/Maintain Documentation Detective
    Store records and data in accordance with organizational standards. CC ID 16439 Data and Information Management Preventive
    Remove dormant data from systems, as necessary. CC ID 13726 Process or Activity Preventive
    Select the appropriate format for archived data and records. CC ID 06320
    [When creating and updating documented information the organization should ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1 b)]
    Data and Information Management Preventive
    Archive appropriate records, logs, and database tables. CC ID 06321 Records Management Preventive
    Maintain continued integrity for all stored data and stored records. CC ID 00969 Testing Detective
    Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 Data and Information Management Preventive
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 Data and Information Management Preventive
    Establish, implement, and maintain storage media retention procedures. CC ID 16277 Establish/Maintain Documentation Preventive
    Determine how long to keep records and logs before disposing them. CC ID 11661 Process or Activity Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4
    The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.2 ¶ 3 Bullet 1
    The organization shall retain documented information as evidence of: the results of any corrective action. § 10.2 ¶ 3 Bullet 2
    The organization shall retain documented information as evidence of its communications, as appropriate. § 7.4.1 ¶ 4
    The organization shall maintain documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 5
    The organization shall retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results. § 9.1.1 ¶ 6
    The organization shall retain documented information as evidence of the compliance evaluation result(s). § 9.1.2 ¶ 3]
    Records Management Preventive
    Define which documents and records the organization may capture. CC ID 00905 Establish/Maintain Documentation Detective
    Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 Records Management Preventive
    Retain all evidence of indebtedness. CC ID 11713 Records Management Preventive
    Capture and maintain distribution records. CC ID 06205 Records Management Preventive
    Capture and maintain Device Master Records. CC ID 06206 Records Management Preventive
    Capture and maintain Device History Records. CC ID 06207 Records Management Preventive
    Capture and maintain Quality System Records. CC ID 06208 Records Management Preventive
    Capture and maintain logs as official records. CC ID 06319 Log Management Preventive
    Capture and maintain all business records, including supporting temporary files. CC ID 06622 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 Establish/Maintain Documentation Preventive
    Supervise media destruction in accordance with organizational standards. CC ID 16456 Business Processes Preventive
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 Data and Information Management Preventive
    Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 Data and Information Management Preventive
    Degauss as a method of sanitizing electronic storage media. CC ID 00973 Records Management Preventive
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 Testing Detective
    Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 Process or Activity Preventive
    Maintain media sanitization equipment in operational condition. CC ID 00721 Testing Detective
    Use approved media sanitization equipment for destruction. CC ID 16459 Business Processes Preventive
    Define each system's disposition requirements for records and logs. CC ID 11651 Process or Activity Preventive
    Establish, implement, and maintain records disposition procedures. CC ID 00971
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 Bullet 4]
    Establish/Maintain Documentation Preventive
    Manage the disposition status for all records. CC ID 00972 Records Management Preventive
    Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 Data and Information Management Preventive
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 Records Management Preventive
    Place printed records awaiting destruction into secure containers. CC ID 12464 Physical and Environmental Protection Preventive
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Physical and Environmental Protection Preventive
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Data and Information Management Preventive
    Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 Establish/Maintain Documentation Preventive
    Maintain disposal records or redeployment records. CC ID 01644 Establish/Maintain Documentation Preventive
    Include the name of the signing officer in the disposal record. CC ID 15710 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 Establish/Maintain Documentation Preventive
    Include transfer agreements in the secure record transaction standards. CC ID 14821 Establish/Maintain Documentation Preventive
    Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 Establish/Maintain Documentation Preventive
    Include receipt of electronic records in the transfer agreement. CC ID 14822 Establish/Maintain Documentation Preventive
    Include standards for each data element in the secure record transaction standard. CC ID 06094 Establish/Maintain Documentation Preventive
    Notify the supervisory authority of any changes to the required data elements. CC ID 14366 Communicate Corrective
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Protect records from loss in accordance with applicable requirements. CC ID 12007
    [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). § 7.5.3 ¶ 1 b)]
    Records Management Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912
    [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: § 7.5.3 ¶ 1
    The organization shall maintain documented information to the extent necessary to have confidence that the process(es) is (are) carried out as planned. § 8.2 ¶ 3]
    Records Management Detective
    Establish, implement, and maintain authorization records. CC ID 14367 Establish/Maintain Documentation Preventive
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Establish/Maintain Documentation Preventive
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Establish/Maintain Documentation Preventive
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Establish/Maintain Documentation Preventive
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Data and Information Management Detective
    Establish, implement, and maintain electronic health records. CC ID 14436 Data and Information Management Preventive
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Data and Information Management Preventive
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records Management Preventive
    Display required information automatically in electronic health records. CC ID 14442 Process or Activity Preventive
    Create summary of care records in accordance with applicable standards. CC ID 14440 Establish/Maintain Documentation Preventive
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Actionable Reports or Measurements Preventive
    Create export summaries, as necessary. CC ID 14446 Process or Activity Preventive
    Import data files into a patient's electronic health record. CC ID 14448 Data and Information Management Preventive
    Export requested sections of the electronic health record. CC ID 14447 Data and Information Management Preventive
    Identify patient-specific education resources. CC ID 14439 Process or Activity Detective
    Establish and maintain an implantable device list. CC ID 14444 Records Management Preventive
    Display the implantable device list to authorized users. CC ID 14445 Data and Information Management Preventive
    Establish, implement, and maintain decision support interventions. CC ID 14443 Business Processes Preventive
    Include attributes in the decision support intervention. CC ID 16766 Data and Information Management Preventive
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records Management Preventive
    Log the termination date in the recordkeeping system. CC ID 16181 Records Management Preventive
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records Management Preventive
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records Management Preventive
    Log records as being received into the recordkeeping system. CC ID 11696 Records Management Preventive
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Log Management Preventive
    Log the date and time each item is made available into the recordkeeping system. CC ID 11710 Log Management Preventive
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Establish/Maintain Documentation Preventive
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Log Management Preventive
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Log Management Preventive
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Log Management Preventive
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Log Management Preventive
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Log Management Preventive
    Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 Log Management Preventive
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Log Management Preventive
    Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 Log Management Preventive
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Log Management Preventive
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Log Management Preventive
    Log performance monitoring into the recordkeeping system. CC ID 11724 Log Management Preventive
    Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 Log Management Preventive
    Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 Log Management Preventive
    Establish, implement, and maintain a transfer journal. CC ID 11729 Records Management Preventive
    Log any notices filed by the organization into the recordkeeping system. CC ID 11725 Log Management Preventive
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Log Management Preventive
    Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 Log Management Preventive
    Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 Log Management Preventive
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records Management Preventive
    Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 Log Management Preventive
    Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 Log Management Preventive
    Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 Log Management Preventive
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Data and Information Management Detective
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931
    [When creating and updating documented information the organization should ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security label procedures. CC ID 06747 Establish/Maintain Documentation Preventive
    Label restricted storage media appropriately. CC ID 00966 Data and Information Management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records Management Detective
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Establish/Maintain Documentation Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Establish/Maintain Documentation Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Establish/Maintain Documentation Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Establish/Maintain Documentation Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Establish/Maintain Documentation Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Establish/Maintain Documentation Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Data and Information Management Preventive
    Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Technical Security Preventive
    Establish the minimum originator requirements for security labels. CC ID 06579 Establish/Maintain Documentation Preventive
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Establish/Maintain Documentation Preventive
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Establish/Maintain Documentation Preventive
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Establish/Maintain Documentation Preventive
    Establish and maintain access controls for all records. CC ID 00371
    [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 Bullet 1]
    Records Management Preventive
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Data and Information Management Preventive
    Establish, implement, and maintain a records lifecycle management program. CC ID 00951 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information preservation policy. CC ID 16483 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information preservation procedures. CC ID 06277
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3 ¶ 2 Bullet 2]
    Establish/Maintain Documentation Preventive
    Implement and maintain high availability storage, as necessary. CC ID 00952 Technical Security Preventive
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records Management Preventive
    Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 Records Management Preventive
    Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 Records Management Preventive
    Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain online storage controls. CC ID 00942 Technical Security Preventive
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3 ¶ 2 Bullet 2]
    Records Management Preventive
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Testing Detective
    Provide encryption for different types of electronic storage media. CC ID 00945 Technical Security Preventive
    Implement electronic storage media integrity controls. CC ID 00946 Configuration Preventive
    Automate electronic storage media integrity check controls. CC ID 00948 Configuration Preventive
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Configuration Preventive
    Provide audit trails for all pertinent records. CC ID 00372 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a removable storage media log. CC ID 12317 Log Management Preventive
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Establish/Maintain Documentation Preventive
    Include the date and time in the removable storage media log. CC ID 12318 Establish/Maintain Documentation Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Establish/Maintain Documentation Preventive
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Establish/Maintain Documentation Preventive
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Establish/Maintain Documentation Preventive
    Include the sender's name in the removable storage media log. CC ID 12752 Establish/Maintain Documentation Preventive
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Establish/Maintain Documentation Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316 Establish/Maintain Documentation Preventive
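The removable storage media log above is a list of required fields; the earlier controls on media integrity checks (CC ID 00946, 00948) and audit trails (CC ID 00372) say what the log must also guarantee. As an added example (not UCF or ISO 14001 text, and not part of the original page), one way to implement such a log so that it carries every listed field and is itself tamper-evident: each entry is hash-chained to the previous one, records a SHA-256 digest of the media contents so the integrity check can be automated, and carries an HMAC from the custodian in place of a signature. The custodian names, keys, media identifiers and the `MediaLog` class are assumptions constructed for the example.

```python
"""Tamper-evident removable storage media log (added example; not UCF or ISO 14001 text).

Each entry carries the fields the log controls above call for, is chained to the
previous entry by SHA-256 so that edits or deletions are detectable, and records a
digest of the media contents so the integrity check can be automated. The custodian
"signature" is an HMAC over the entry with that custodian's key; the keys, names and
media below are constructed for the example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

# Constructed per-custodian keys (assumption); a real deployment would use
# keys held in an HSM or a PKI-backed digital signature instead of HMAC.
CUSTODIAN_KEYS = {
    "a.jones": b"demo-key-jones",
    "b.smith": b"demo-key-smith",
}

# Fields every entry must carry (timestamp is filled in automatically).
REQUIRED = ("media_id", "custodian", "media_count", "recipient",
            "sender", "media_type", "reason", "content_digest")


def _canonical(body: dict) -> bytes:
    """Deterministic JSON encoding so hashes and MACs are reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def digest_media(data: bytes) -> str:
    """Integrity check value for the media contents that were handed over."""
    return hashlib.sha256(data).hexdigest()


class MediaLog:
    def __init__(self):
        self.entries = []

    def append(self, **fields):
        """Add one transfer record; returns the new entry's chain hash."""
        missing = [f for f in REQUIRED if f not in fields]
        if missing:
            raise ValueError(f"missing log fields: {missing}")
        body = dict(fields)
        body.setdefault("timestamp", datetime.now(timezone.utc).isoformat())
        body["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        key = CUSTODIAN_KEYS[body["custodian"]]
        # The custodian attests to everything in the body, including the chain link.
        body["custodian_signature"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        entry = dict(body)
        entry["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return a list of problems found; an empty list means the log is intact."""
        problems = []
        expected_prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            unsigned = {k: v for k, v in body.items() if k != "custodian_signature"}
            if entry.get("prev_hash") != expected_prev:
                problems.append(f"entry {i}: broken chain")
            if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("entry_hash"):
                problems.append(f"entry {i}: entry hash mismatch")
            key = CUSTODIAN_KEYS.get(entry.get("custodian"), b"")
            mac = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, entry.get("custodian_signature", "")):
                problems.append(f"entry {i}: custodian signature invalid")
            expected_prev = entry.get("entry_hash")
        return problems


def demo(tamper=None):
    """Build a two-entry log for one USB drive; optionally tamper with it."""
    log = MediaLog()
    backup = b"constructed backup image bytes"  # stands in for the media contents
    common = dict(media_id="USB-0001", media_count=1,
                  media_type="USB flash drive", content_digest=digest_media(backup))
    log.append(custodian="a.jones", sender="a.jones", recipient="b.smith",
               reason="offsite backup rotation", **common)
    log.append(custodian="b.smith", sender="b.smith", recipient="offsite vault",
               reason="vault deposit", **common)
    if tamper == "edit":
        log.entries[0]["recipient"] = "unknown"  # after-the-fact edit of a record
    elif tamper == "delete":
        log.entries.pop(0)  # a record removed from the chain
    return log.verify()


if __name__ == "__main__":
    print("intact:", demo())
    print("edited:", demo("edit"))
    print("deleted:", demo("delete"))
```

The point of the chain is that the log can prove its own completeness: editing a past record breaks that record's hash and its custodian MAC, and removing a record leaves the next one pointing at a hash that no longer appears. Comparing `content_digest` against a fresh digest of the media at receipt is the automated integrity check the earlier controls ask for.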
    Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 Process or Activity Preventive
    Identify electronic storage media that require downgrading. CC ID 10620 Process or Activity Detective
    Downgrade electronic storage media, as necessary. CC ID 10621 Process or Activity Corrective
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Establish/Maintain Documentation Preventive
    Test the storage media downgrade for correct performance. CC ID 10623 Testing Detective
    Establish, implement, and maintain output distribution procedures. CC ID 00927
    [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 Bullet 1]
    Establish/Maintain Documentation Preventive
    Include printed output in output distribution procedures. CC ID 13477 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain document retention procedures. CC ID 11660
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 Bullet 4
    The organization shall retain documented information as evidence of: § 10.2 ¶ 3]
    Establish/Maintain Documentation Preventive
  • Third Party and supply chain oversight (11 controls)
    KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular. Columns: TYPE, CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Assess the effectiveness of third party services provided to the organization. CC ID 13142
    [The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. § 8.1 ¶ 3]
    Business Processes Detective
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. § 8.1 ¶ 3]
    Monitor and Evaluate Occurrences Detective
    Monitor third parties' financial conditions. CC ID 13170 Monitor and Evaluate Occurrences Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010 Business Processes Preventive
    Identify red flags in the supply chain. CC ID 08873 Business Processes Preventive
    Detect red flags in the supply chain. CC ID 08874 Business Processes Preventive
    Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 Business Processes Preventive
    Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 Business Processes Preventive
    Establish and maintain an interactive map of third party red flag locations. CC ID 08876 Business Processes Preventive
    Collect information on red-flagged supply chains. CC ID 08877 Business Processes Preventive
Common Controls and mandates by Type

Number of Controls: 1981 total (161 Mandated Controls - bold; 48 Implied Controls - italic; 1772 Implementation Controls - regular)

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
  • Acquisition/Sale of Assets or Services (7 controls; columns: Impact Zone, Class)
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Preventive
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the resources needed for the environmental management system are available; § 5.1 ¶ 1 d)
    The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the environmental management system. § 7.1 ¶ 1
    The outputs of the management review shall include: decisions related to any need for changes to the environmental management system, including resources; § 9.3 ¶ 3 Bullet 3]
    Operational management Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Operational management Preventive
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Operational management Preventive
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition or sale of facilities, technology, and services Preventive
    Include chain of custody procedures in the product and services acquisition program. CC ID 10058 Acquisition or sale of facilities, technology, and services Preventive
    Review and update the acquisition contracts, as necessary. CC ID 14279 Acquisition or sale of facilities, technology, and services Corrective
  • Actionable Reports or Measurements (145 controls; columns: Impact Zone, Class)
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Leadership and high level objectives Preventive
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Detective
    Report on the policies and controls that have been implemented by management. CC ID 01670 Monitoring and measurement Detective
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Monitoring and measurement Detective
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Monitoring and measurement Detective
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Monitoring and measurement Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Monitoring and measurement Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Detective
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Monitoring and measurement Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Monitoring and measurement Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Monitoring and measurement Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Monitoring and measurement Detective
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Monitoring and measurement Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071
    [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2 a)]
    Monitoring and measurement Detective
    Monitor compliance with the Quality Control system. CC ID 01023 Monitoring and measurement Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Monitoring and measurement Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Monitoring and measurement Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Monitoring and measurement Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Monitoring and measurement Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Monitoring and measurement Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Monitoring and measurement Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Monitoring and measurement Detective
    Report on the percentage of individuals who have access to security software and are trained, authorized Security Administrators. CC ID 01691 Monitoring and measurement Detective
    Report on the percentage of individuals who are able to assign security privileges and are trained, authorized Security Administrators. CC ID 01692 Monitoring and measurement Detective
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Monitoring and measurement Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Monitoring and measurement Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Monitoring and measurement Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Monitoring and measurement Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Monitoring and measurement Detective
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Monitoring and measurement Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Monitoring and measurement Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Monitoring and measurement Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Monitoring and measurement Detective
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Monitoring and measurement Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Monitoring and measurement Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Monitoring and measurement Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Monitoring and measurement Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Monitoring and measurement Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Monitoring and measurement Detective
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Monitoring and measurement Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Monitoring and measurement Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Monitoring and measurement Detective
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Monitoring and measurement Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Monitoring and measurement Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Monitoring and measurement Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Monitoring and measurement Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Monitoring and measurement Detective
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Monitoring and measurement Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Monitoring and measurement Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Monitoring and measurement Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Monitoring and measurement Detective
    Establish, implement, and maintain environmental management system performance metrics. CC ID 15191
    [The management review shall include consideration of: information on the organization's environmental performance, including trends in: monitoring and measurement results; § 9.3 ¶ 2 d) 2)
    The organization shall monitor, measure, analyse and evaluate its environmental performance. § 9.1.1 ¶ 1
    The organization shall determine: the criteria against which the organization will evaluate its environmental performance, and appropriate indicators; § 9.1.1 ¶ 2 c)
    {be measurable} The environmental objectives shall be: measurable (if practicable); § 6.2.1 ¶ 2 b)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain waste management metrics. CC ID 16152 Monitoring and measurement Preventive
    Establish, implement, and maintain emissions management metrics. CC ID 16145 Monitoring and measurement Preventive
    Establish, implement, and maintain financial management metrics. CC ID 16749 Monitoring and measurement Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Monitoring and measurement Detective
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Monitoring and measurement Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Monitoring and measurement Detective
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Monitoring and measurement Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Monitoring and measurement Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Monitoring and measurement Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Monitoring and measurement Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Monitoring and measurement Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Monitoring and measurement Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Monitoring and measurement Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Monitoring and measurement Detective
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Monitoring and measurement Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Monitoring and measurement Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Monitoring and measurement Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Monitoring and measurement Detective
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Monitoring and measurement Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Monitoring and measurement Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Monitoring and measurement Detective
    Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before network access is granted. CC ID 02106 Monitoring and measurement Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Monitoring and measurement Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Monitoring and measurement Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Monitoring and measurement Detective
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Monitoring and measurement Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Monitoring and measurement Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Monitoring and measurement Detective
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Monitoring and measurement Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Monitoring and measurement Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Monitoring and measurement Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Monitoring and measurement Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Monitoring and measurement Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Monitoring and measurement Detective
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Monitoring and measurement Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Monitoring and measurement Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Monitoring and measurement Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Monitoring and measurement Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Monitoring and measurement Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Monitoring and measurement Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Monitoring and measurement Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Monitoring and measurement Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Monitoring and measurement Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Monitoring and measurement Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Monitoring and measurement Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Monitoring and measurement Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Monitoring and measurement Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Monitoring and measurement Detective
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Monitoring and measurement Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Monitoring and measurement Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Monitoring and measurement Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Monitoring and measurement Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Monitoring and measurement Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Monitoring and measurement Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Monitoring and measurement Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Monitoring and measurement Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Monitoring and measurement Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Monitoring and measurement Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Monitoring and measurement Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Monitoring and measurement Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Monitoring and measurement Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Monitoring and measurement Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [The organization shall retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2.2 ¶ 4]
    Audits and risk management Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Preventive
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Preventive
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Corrective
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Operational management Corrective
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Records management Preventive
  • Audits and Risk Management
    69
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Monitoring and measurement Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Monitoring and measurement Preventive
    Manage supply chain audits. CC ID 01203 Audits and risk management Preventive
    Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Preventive
    Rotate auditors, as necessary. CC ID 15589 Audits and risk management Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and risk management Preventive
    Review the external audit scope, as necessary. CC ID 01202 Audits and risk management Preventive
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and risk management Detective
    Review the external auditor's qualifications. CC ID 01197 Audits and risk management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and risk management Preventive
    Define what constitutes a threat to independence. CC ID 16824 Audits and risk management Preventive
    Determine if requested services create a threat to independence. CC ID 16823 Audits and risk management Detective
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and risk management Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and risk management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and risk management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and risk management Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and risk management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and risk management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and risk management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and risk management Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and risk management Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and risk management Detective
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and risk management Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and risk management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and risk management Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 3 a)]
    Audits and risk management Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Detective
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Preventive
    Audit in scope audit items and compliance documents. CC ID 06730
    [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 3 b)
    The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: § 9.2.1 ¶ 1]
    Audits and risk management Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Detective
    Audit policies, standards, and procedures. CC ID 12927
    [The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: conforms to: the requirements of this International Standard; § 9.2.1 ¶ 1 a) 2)
    The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: conforms to: the organization's own requirements for its environmental management system; § 9.2.1 ¶ 1 a) 1)]
    Audits and risk management Preventive
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and risk management Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144
    [{be effective} The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: is effectively implemented and maintained. § 9.2.1 ¶ 1 b)]
    Audits and risk management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Detective
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and risk management Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and risk management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and risk management Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and risk management Detective
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and risk management Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and risk management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and risk management Preventive
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Detective
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and risk management Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Detective
    Review management's response to issues raised in past audit reports. CC ID 01149 Audits and risk management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and risk management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and risk management Preventive
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809
    [{external and internal issues} and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; § 6.1.1 ¶ 3 Bullet 2
    The organization shall plan: how to: evaluate the effectiveness of these actions (see 9.1). § 6.1.4 ¶ 1 b) 2)
    When planning how to achieve its environmental objectives, the organization shall determine: how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). § 6.2.2 ¶ 1 e)
    The organization shall evaluate its environmental performance and the effectiveness of the environmental management system. § 9.1.1 ¶ 4
    The outputs of the management review shall include: actions, if needed, when environmental objectives have not been achieved; § 9.3 ¶ 3 Bullet 4
    The outputs of the management review shall include: any implications for the strategic direction of the organization. § 9.3 ¶ 3 Bullet 6]
    Operational management Preventive
  • Behavior
    45
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Leadership and high level objectives Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Leadership and high level objectives Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Leadership and high level objectives Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 Leadership and high level objectives Preventive
    Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 Leadership and high level objectives Preventive
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable: § 10.2 ¶ 1 a)]
    Monitoring and measurement Corrective
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Audits and risk management Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Audits and risk management Preventive
    Exercise due professional care during the planning and performance of the audit. CC ID 07119
    [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2]
    Audits and risk management Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Preventive
    Verify statements made by interviewees are correct. CC ID 16299 Audits and risk management Detective
    Explain the goals of the interview to the interviewee. CC ID 07189 Audits and risk management Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Preventive
    Train personnel on the continuity plan. CC ID 00759
    [The organization shall: provide relevant information and training related to emergency preparedness and response, as appropriate, to relevant interested parties, including persons working under its control. § 8.2 ¶ 2 f)]
    Operational and Systems Continuity Preventive
    Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 Operational and Systems Continuity Preventive
    Incorporate simulated events into the continuity plan training. CC ID 01402 Operational and Systems Continuity Preventive
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Human Resources management Preventive
    Use rewards and career development to motivate personnel. CC ID 06906 Human Resources management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. § 7.2 ¶ 1 d)]
    Human Resources management Preventive
    Retrain all personnel, as necessary. CC ID 01362 Human Resources management Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Human Resources management Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Human Resources management Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Preventive
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Preventive
    Conduct Archives and Records Management training. CC ID 00975 Human Resources management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Human Resources management Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Human Resources management Corrective
    Conduct crime prevention training. CC ID 06350 Human Resources management Preventive
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955
    [{internal communication}{be relevant} The organization shall: internally communicate information relevant to the environmental management system among the various levels and functions of the organization, including changes to the environmental management system, as appropriate; § 7.4.2 ¶ 1 a)]
    Operational management Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Operational management Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Preventive
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Operational management Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Operational management Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Operational management Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Operational management Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Operational management Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815
    [{internal communication}{be relevant} The organization shall: internally communicate information relevant to the environmental management system among the various levels and functions of the organization, including changes to the environmental management system, as appropriate; § 7.4.2 ¶ 1 a)
    {external communication}{be relevant} The organization shall externally communicate information relevant to the environmental management system, as established by the organization's communication process(es) and as required by its compliance obligations. § 7.4.3 ¶ 1
    The organization shall: maintain knowledge and understanding of its compliance status. § 9.1.2 ¶ 2 c)
    The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations. § 9.1.1 ¶ 5]
    Operational management Preventive
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Operational management Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Operational management Preventive
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Operational management Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435 Operational management Preventive
    Prohibit the use of Personal Electronic Devices, absent approval. CC ID 04599 Acquisition or sale of facilities, technology, and services Detective
  • Business Processes
    138
    Establish, implement, and maintain a reporting methodology program. CC ID 02072
    [Top management shall assign the responsibility and authority for: reporting on the performance of the environmental management system, including environmental performance, to top management. § 5.3 ¶ 2 b)]
    Leadership and high level objectives Preventive
    Use secure communication protocols for telecommunications. CC ID 16458 Leadership and high level objectives Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Leadership and high level objectives Preventive
    Establish, implement, and maintain an internal reporting program. CC ID 12409 Leadership and high level objectives Preventive
    Include transactions and events as a part of internal reporting. CC ID 12413 Leadership and high level objectives Preventive
    Identify the material topics required to be reported on. CC ID 15654 Leadership and high level objectives Preventive
    Analyze the business environment in which the organization operates. CC ID 12798
    [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2]
    Leadership and high level objectives Preventive
    Align assets with business functions and the business environment. CC ID 13681 Leadership and high level objectives Preventive
    Analyze the external environment in which the organization operates. CC ID 12799
    [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization. § 4.1 ¶ 1]
    Leadership and high level objectives Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring the integration of the environmental management system requirements into the organization's business processes; § 5.1 ¶ 1 c)]
    Leadership and high level objectives Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Leadership and high level objectives Preventive
    Include society in the analysis of the external environment. CC ID 12963 Leadership and high level objectives Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Leadership and high level objectives Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Leadership and high level objectives Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904 Leadership and high level objectives Preventive
    Include threats in the analysis of the external environment. CC ID 12898 Leadership and high level objectives Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Leadership and high level objectives Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896 Leadership and high level objectives Preventive
    Include technology in the analysis of the external environment. CC ID 12837 Leadership and high level objectives Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Leadership and high level objectives Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Leadership and high level objectives Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Leadership and high level objectives Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Leadership and high level objectives Preventive
    Prioritize organizational objectives. CC ID 09960 Leadership and high level objectives Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Leadership and high level objectives Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Preventive
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [The organization shall determine: the relevant needs and expectations (i.e. requirements) of these interested parties; § 4.2 ¶ 1 b)]
    Leadership and high level objectives Preventive
    Enforce a continuous Quality Control system. CC ID 01005 Leadership and high level objectives Detective
    Correct errors and deficiencies in a timely manner. CC ID 13501 Leadership and high level objectives Corrective
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Detective
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Leadership and high level objectives Detective
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 Leadership and high level objectives Preventive
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 Leadership and high level objectives Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Leadership and high level objectives Preventive
    Estimate the costs of implementing the compliance framework. CC ID 07191 Leadership and high level objectives Preventive
    Align the reporting methodology with the decision management strategy. CC ID 15659 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492
    [The organization shall ensure that persons doing work under the organization's control are aware of: the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. § 7.3 ¶ 1 d)]
    Leadership and high level objectives Preventive
    Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 Leadership and high level objectives Preventive
    Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 Leadership and high level objectives Preventive
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Leadership and high level objectives Preventive
    Attach the required information to each funds transfer. CC ID 16756 Leadership and high level objectives Preventive
    Verify all required information is attached to each funds transfer. CC ID 16755 Leadership and high level objectives Detective
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Leadership and high level objectives Preventive
    Refrain from setting up anonymous financial accounts. CC ID 16721 Leadership and high level objectives Preventive
    Identify and maintain positions in financial accounts. CC ID 16751 Leadership and high level objectives Preventive
    Supplement financial resources, as necessary. CC ID 16685 Leadership and high level objectives Preventive
    Limit the types of assets accepted as collateral. CC ID 16602 Leadership and high level objectives Preventive
    Avoid the use of concentrated holdings of assets. CC ID 16651 Leadership and high level objectives Preventive
    Establish, implement, and maintain a securities trading program. CC ID 16626 Leadership and high level objectives Preventive
    Include investment information in approval requests for investments. CC ID 16590 Leadership and high level objectives Preventive
    Review and approve lending policies. CC ID 16607 Leadership and high level objectives Preventive
    Establish, implement, and maintain margin systems. CC ID 16601 Leadership and high level objectives Preventive
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Leadership and high level objectives Preventive
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866
    [The organization's environmental management system shall include: documented information determined by the organization as being necessary for the effectiveness of the environmental management system. § 7.5.1 ¶ 1 b)
    The management review shall include consideration of: information on the organization's environmental performance, including trends in: § 9.3 ¶ 2 d)]
    Monitoring and measurement Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by: § 10.2 ¶ 1 b)]
    Monitoring and measurement Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Monitoring and measurement Preventive
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Monitoring and measurement Preventive
    Establish, implement, and maintain a physical environment metrics program. CC ID 02063 Monitoring and measurement Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Monitoring and measurement Preventive
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Monitoring and measurement Preventive
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Monitoring and measurement Preventive
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Monitoring and measurement Preventive
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Monitoring and measurement Preventive
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Monitoring and measurement Preventive
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Monitoring and measurement Preventive
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Monitoring and measurement Preventive
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Monitoring and measurement Preventive
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Monitoring and measurement Preventive
    Align corrective actions with the level of environmental impact. CC ID 15193
    [Corrective actions shall be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s). § 10.2 ¶ 2]
    Monitoring and measurement Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Audits and risk management Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Audits and risk management Preventive
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Audits and risk management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Audits and risk management Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Audits and risk management Preventive
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Audits and risk management Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Corrective
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Audits and risk management Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Human Resources management Preventive
    Evaluate the staffing requirements regularly. CC ID 00775
    [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; § 7.2 ¶ 1 a)]
    Human Resources management Detective
    Establish, implement, and maintain an education methodology. CC ID 06671 Human Resources management Preventive
    Plan for business process conversions, as necessary. CC ID 13678
    [The organization shall plan: how to: integrate and implement the actions into its environmental management system processes (see 6.2, Clause 7, Clause 8 and 9.1), or other business processes; § 6.1.4 ¶ 1 b) 1)]
    Operational management Corrective
    Establish, implement, and maintain a positive information control environment. CC ID 00813 Operational management Preventive
    Define the scope for the internal control framework. CC ID 16325 Operational management Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Operational management Detective
    Assign resources to implement the internal control framework. CC ID 00816 Operational management Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Operational management Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Operational management Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Operational management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Operational management Preventive
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Operational management Preventive
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Operational management Preventive
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Operational management Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004 Operational management Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [Consistent with a life cycle perspective, the organization shall: consider the need to provide information about potential significant environmental impacts associated with the transportation or delivery, use, end-of-life treatment and final disposal of its products and services. § 8.1 ¶ 4 d)]
    Operational management Preventive
    Include coordination amongst entities in the asset management policy. CC ID 16424 Operational management Preventive
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Operational management Preventive
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Operational management Preventive
    Classify virtual systems by type and purpose. CC ID 16332 Operational management Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631 Operational management Preventive
    Destroy systems in accordance with the system disposal program. CC ID 16457 Operational management Preventive
    Approve the release of systems and waste material into the public domain. CC ID 16461 Operational management Preventive
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Preventive
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Operational management Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278 Operational management Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Operational management Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Operational management Preventive
    Implement changes according to the change control program. CC ID 11776
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Operational management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Operational management Corrective
    Manage the creation of products and services, as necessary. CC ID 13497
    [Consistent with a life cycle perspective, the organization shall: establish controls, as appropriate, to ensure that its environmental requirement(s) is (are) addressed in the design and development process for the product or service, considering each life cycle stage; § 8.1 ¶ 4 a)]
    Operational management Preventive
    Define the processing activities to meet products and services creation requirements. CC ID 13499 Operational management Preventive
    Establish, implement, and maintain an environmental management system. CC ID 14945
    [The organization shall consider the knowledge gained in 4.1 and 4.2 when establishing and maintaining the environmental management system. § 4.4 ¶ 2
    Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental management system achieves its intended outcomes; § 5.1 ¶ 1 f)
    To achieve the intended outcomes, including enhancing its environmental performance, the organization shall establish, implement, maintain and continually improve an environmental management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard. § 4.4 ¶ 1
    The organization shall continually improve the suitability, adequacy and effectiveness of the environmental management system to enhance environmental performance. § 10.3 ¶ 1
    The outputs of the management review shall include: conclusions on the continuing suitability, adequacy and effectiveness of the environmental management system; § 9.3 ¶ 3 Bullet 1
    {environmental objectives}{compliance obligations} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: § 8.1 ¶ 1
    When a nonconformity occurs, the organization shall: make changes to the environmental management system, if necessary. § 10.2 ¶ 1 e)
    Top management shall review the organization's environmental management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1]
    Operational management Preventive
    Establish, implement, and maintain an approach for environmental performance monitoring. CC ID 15220
    [The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1.1 ¶ 2 e)]
    Operational management Preventive
    Integrate environmental objectives into the business process. CC ID 15192
    [The organization shall consider how actions to achieve its environmental objectives can be integrated into the organization's business processes. § 6.2.2 ¶ 2]
    Operational management Preventive
    Provide management direction and support for the environmental management system. CC ID 14968
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: directing and supporting persons to contribute to the effectiveness of the environmental management system; § 5.1 ¶ 1 g)]
    Operational management Preventive
    Provide assurance that the environmental management system meets all compliance requirements. CC ID 14958
    [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: give assurance that the environmental management system can achieve its intended outcomes; § 6.1.1 ¶ 3 Bullet 1]
    Operational management Preventive
    Analyze activities, products, and services within the scope of the environmental management system to determine the environmental aspects. CC ID 15183
    [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1]
    Operational management Detective
    Implement a signature revocation service. CC ID 14417 Records management Preventive
    Supervise media destruction in accordance with organizational standards. CC ID 16456 Records management Preventive
    Use approved media sanitization equipment for destruction. CC ID 16459 Records management Preventive
    Establish, implement, and maintain decision support interventions. CC ID 14443 Records management Preventive
    Obtain authorization for marketing new products. CC ID 16805 Acquisition or sale of facilities, technology, and services Preventive
    Assess the effectiveness of third party services provided to the organization. CC ID 13142
    [The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. § 8.1 ¶ 3]
    Third Party and supply chain oversight Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010 Third Party and supply chain oversight Preventive
    Identify red flags in the supply chain. CC ID 08873 Third Party and supply chain oversight Preventive
    Detect red flags in the supply chain. CC ID 08874 Third Party and supply chain oversight Preventive
    Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 Third Party and supply chain oversight Preventive
    Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 Third Party and supply chain oversight Preventive
    Establish and maintain an interactive map of third party red flag locations. CC ID 08876 Third Party and supply chain oversight Preventive
    Collect information on red-flagged supply chains. CC ID 08877 Third Party and supply chain oversight Preventive
  • Communicate
    74
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Leadership and high level objectives Preventive
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Leadership and high level objectives Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Leadership and high level objectives Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Leadership and high level objectives Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Leadership and high level objectives Preventive
    Disseminate and communicate internal controls with supply chain members. CC ID 12416 Leadership and high level objectives Preventive
    Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 Leadership and high level objectives Preventive
    Establish, implement, and maintain an external reporting program. CC ID 12876 Leadership and high level objectives Preventive
    Provide identifying information about the organization to the responsible party. CC ID 16715 Leadership and high level objectives Preventive
    Prioritize material topics used in reporting. CC ID 15678 Leadership and high level objectives Preventive
    Include time requirements in the external reporting program. CC ID 16566 Leadership and high level objectives Preventive
    Include reporting to governing bodies in the external reporting plan. CC ID 12923 Leadership and high level objectives Preventive
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Leadership and high level objectives Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Leadership and high level objectives Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Leadership and high level objectives Preventive
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 Leadership and high level objectives Preventive
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Leadership and high level objectives Preventive
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Leadership and high level objectives Preventive
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Leadership and high level objectives Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Corrective
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901
    [The scope shall be maintained as documented information and be available to interested parties. § 4.3 ¶ 4]
    Leadership and high level objectives Preventive
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 Leadership and high level objectives Preventive
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Leadership and high level objectives Preventive
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Leadership and high level objectives Preventive
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Leadership and high level objectives Preventive
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Leadership and high level objectives Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Leadership and high level objectives Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Leadership and high level objectives Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Preventive
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Monitoring and measurement Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Preventive
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Audits and risk management Preventive
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Audits and risk management Preventive
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Preventive
    Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 Physical and environmental protection Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Corrective
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Preventive
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Preventive
    Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 Human Resources management Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Preventive
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Operational management Preventive
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 Operational management Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Preventive
    Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 Operational management Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Operational management Preventive
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Preventive
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Operational management Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Operational management Preventive
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Operational management Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Operational management Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Operational management Preventive
    Disseminate and communicate environmental requirements to interested personnel and affected parties. CC ID 15196
    [Consistent with a life cycle perspective, the organization shall: communicate its relevant environmental requirement(s) to external providers, including contractors; § 8.1 ¶ 4 c)]
    Operational management Preventive
    Disseminate and communicate the environmental objectives to interested personnel and affected parties. CC ID 15190
    [The environmental objectives shall be: communicated; § 6.2.1 ¶ 2 d)]
    Operational management Preventive
    Disseminate and communicate the environmental aspects to interested personnel and affected parties. CC ID 14983
    [The organization shall communicate its significant environmental aspects among the various levels and functions of the organization, as appropriate. § 6.1.2 ¶ 4]
    Operational management Preventive
    Disseminate and communicate the environmental management system to interested personnel and affected parties. CC ID 14976
    [{be effective}Top management shall demonstrate leadership and commitment with respect to the environmental management system by: communicating the importance of effective environmental management and of conforming to the environmental management system requirements; § 5.1 ¶ 1 e)]
    Operational management Preventive
    Disseminate and communicate the environmental policy to all interested personnel and affected parties. CC ID 14956
    [The environmental policy shall: be communicated within the organization; § 5.2 ¶ 2 Bullet 2
    The environmental policy shall: be available to interested parties. § 5.2 ¶ 2 Bullet 3]
    Operational management Preventive
    Notify the supervisory authority of any changes to the required data elements. CC ID 14366 Records management Corrective
    Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 Acquisition or sale of facilities, technology, and services Preventive
  • Configuration
    12
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Monitoring and measurement Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Preventive
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Preventive
    Automate threat assessments, as necessary. CC ID 06877 Operational management Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Operational management Preventive
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Operational management Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Operational management Preventive
    Reconfigure the security attributes of records as the information changes. CC ID 06765 Records management Preventive
    Implement electronic storage media integrity controls. CC ID 00946 Records management Preventive
    Automate electronic storage media integrity check controls. CC ID 00948 Records management Preventive
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Records management Preventive
  • Data and Information Management
    55
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Leadership and high level objectives Preventive
    Define the scope of the security policy. CC ID 07145 Leadership and high level objectives Preventive
    Include valuation models in the margin system. CC ID 16663 Leadership and high level objectives Preventive
    Include procedures for collecting price data in the margin system. CC ID 16662 Leadership and high level objectives Preventive
    Include reliable sources for price data in the margin system. CC ID 16661 Leadership and high level objectives Preventive
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Leadership and high level objectives Preventive
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Leadership and high level objectives Preventive
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Leadership and high level objectives Preventive
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Leadership and high level objectives Preventive
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Leadership and high level objectives Preventive
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Leadership and high level objectives Preventive
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Leadership and high level objectives Preventive
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Leadership and high level objectives Preventive
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Leadership and high level objectives Preventive
    Include account information in the recordkeeping system for securities transactions. CC ID 16632 Leadership and high level objectives Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Preventive
    Identify the sender in all electronic messages. CC ID 13996 Operational management Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Operational management Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Operational management Preventive
    Store records and data in accordance with organizational standards. CC ID 16439 Records management Preventive
    Select the appropriate format for archived data and records. CC ID 06320
    [When creating and updating documented information, the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1 b)]
    Records management Preventive
    Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 Records management Preventive
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 Records management Preventive
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 Records management Preventive
    Sanitize all electronic storage media before disposing of a system or redeploying a system. CC ID 01643 Records management Preventive
    Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 Records management Preventive
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Records management Preventive
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Records management Detective
    Establish, implement, and maintain electronic health records. CC ID 14436 Records management Preventive
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Records management Preventive
    Import data files into a patient's electronic health record. CC ID 14448 Records management Preventive
    Export requested sections of the electronic health record. CC ID 14447 Records management Preventive
    Display the implantable device list to authorized users. CC ID 14445 Records management Preventive
    Include attributes in the decision support intervention. CC ID 16766 Records management Preventive
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Records management Detective
    Label restricted storage media appropriately. CC ID 00966 Records management Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Preventive
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Records management Preventive
  • Establish Roles
    39
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Leadership and high level objectives Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Leadership and high level objectives Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Leadership and high level objectives Preventive
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Audits and risk management Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Audits and risk management Preventive
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Audits and risk management Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Preventive
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Audits and risk management Preventive
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Audits and risk management Preventive
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Audits and risk management Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Audits and risk management Preventive
    Assign the audit to impartial auditors. CC ID 07118
    [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 3 b)]
    Audits and risk management Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Audits and risk management Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Preventive
    Include restoration procedures in the continuity plan. CC ID 01169 Operational and Systems Continuity Preventive
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806
    [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. § 5.3 ¶ 1]
    Human Resources management Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 Human Resources management Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 Human Resources management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Human Resources management Preventive
    Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 Human Resources management Preventive
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 Human Resources management Preventive
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810 Human Resources management Preventive
    Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 Human Resources management Preventive
    Define and assign the technology security leader's roles and responsibilities. CC ID 01897 Human Resources management Preventive
    Define and assign the property management leader's roles and responsibilities. CC ID 00669 Human Resources management Preventive
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 Human Resources management Preventive
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 Human Resources management Preventive
    Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 Human Resources management Preventive
    Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 Human Resources management Preventive
    Assign a contact person to all business units. CC ID 07144 Human Resources management Preventive
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Preventive
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Human Resources management Preventive
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Operational management Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Operational management Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Operational management Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Operational management Preventive
    Assign accountability for the effectiveness of the environmental management system. CC ID 14966
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: taking accountability for the effectiveness of the environmental management system; § 5.1 ¶ 1 a)]
    Operational management Preventive
  • Establish/Maintain Documentation
    954
    Establish, implement, and maintain communication protocols. CC ID 12245
    [When establishing its communication process(es), the organization shall: take into account its compliance obligations; § 7.4.1 ¶ 2 Bullet 1
    {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: on what it will communicate; § 7.4.1 ¶ 1 a)
    {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: when to communicate; § 7.4.1 ¶ 1 b)
    {subject}{internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: with whom to communicate; § 7.4.1 ¶ 1 c)
    {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: how to communicate. § 7.4.1 ¶ 1 d)
    {be relevant} The organization shall respond to relevant communications on its environmental management system. § 7.4.1 ¶ 3]
    Leadership and high level objectives Preventive
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419
    [When establishing its communication process(es), the organization shall: ensure that environmental information communicated is consistent with information generated within the environmental management system, and is reliable. § 7.4.1 ¶ 2 Bullet 2]
    Leadership and high level objectives Preventive
    Include external requirements in the organization's communication protocol. CC ID 12418 Leadership and high level objectives Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417
    [The management review shall include consideration of: changes in: the needs and expectations of interested parties, including compliance obligations; § 9.3 ¶ 2 b) 2)
    The management review shall include consideration of: relevant communication(s) from interested parties, including complaints; § 9.3 ¶ 2 f)]
    Leadership and high level objectives Preventive
    Document the findings from surveys. CC ID 16309 Leadership and high level objectives Preventive
    Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Leadership and high level objectives Preventive
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Leadership and high level objectives Preventive
    Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 Leadership and high level objectives Preventive
    Define the thresholds for escalation in the internal reporting program. CC ID 14332 Leadership and high level objectives Preventive
    Define the thresholds for reporting in the internal reporting program. CC ID 14331 Leadership and high level objectives Preventive
    Define the thresholds for reporting in the external reporting program. CC ID 15679 Leadership and high level objectives Preventive
    Include information about the organizational culture in the external reporting program. CC ID 15610 Leadership and high level objectives Preventive
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Leadership and high level objectives Preventive
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Leadership and high level objectives Preventive
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Leadership and high level objectives Preventive
    Develop instructions for setting organizational objectives and strategies. CC ID 12931
    [The organization shall determine: which of these needs and expectations become its compliance obligations. § 4.2 ¶ 1 c)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959 Leadership and high level objectives Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591 Leadership and high level objectives Preventive
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Preventive
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Leadership and high level objectives Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Leadership and high level objectives Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Leadership and high level objectives Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Leadership and high level objectives Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Leadership and high level objectives Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Leadership and high level objectives Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Leadership and high level objectives Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Leadership and high level objectives Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Leadership and high level objectives Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Leadership and high level objectives Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [The management review shall include consideration of: changes in: external and internal issues that are relevant to the environmental management system; § 9.3 ¶ 2 b) 1)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998 Leadership and high level objectives Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Leadership and high level objectives Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Leadership and high level objectives Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Leadership and high level objectives Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Preventive
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Leadership and high level objectives Preventive
    Approve the data classification scheme. CC ID 13858 Leadership and high level objectives Detective
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Leadership and high level objectives Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Leadership and high level objectives Preventive
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Leadership and high level objectives Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Leadership and high level objectives Preventive
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Leadership and high level objectives Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Leadership and high level objectives Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Leadership and high level objectives Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Leadership and high level objectives Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Leadership and high level objectives Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Leadership and high level objectives Preventive
    Include the data source in the data dictionary. CC ID 13519 Leadership and high level objectives Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Leadership and high level objectives Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Leadership and high level objectives Preventive
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Leadership and high level objectives Preventive
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 Leadership and high level objectives Preventive
    Establish, implement, and maintain an organizational structure. CC ID 16310 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Leadership and high level objectives Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Leadership and high level objectives Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Leadership and high level objectives Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Leadership and high level objectives Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Leadership and high level objectives Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management program. CC ID 07201 Leadership and high level objectives Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Preventive
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Preventive
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Preventive
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Preventive
    Include resource management in the quality management system. CC ID 15026 Leadership and high level objectives Preventive
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Preventive
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 Leadership and high level objectives Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Leadership and high level objectives Preventive
    Include program testing standards in the Quality Management program. CC ID 01017 Leadership and high level objectives Preventive
    Include system testing standards in the Quality Management program. CC ID 01018 Leadership and high level objectives Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2 a)
    {interested parties}{environmental management system}When determining this scope, the organization shall consider: the compliance obligations referred to in 4.2; § 4.3 ¶ 2 b)]
    Leadership and high level objectives Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Leadership and high level objectives Preventive
    Correlate Information Systems with applicable controls. CC ID 01621 Leadership and high level objectives Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 Leadership and high level objectives Preventive
    Include the effective date on all organizational policies. CC ID 06820 Leadership and high level objectives Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Leadership and high level objectives Detective
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Leadership and high level objectives Preventive
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Leadership and high level objectives Preventive
    Establish and maintain an Authority Document list. CC ID 07113
    [The organization shall: determine and have access to the compliance obligations related to its environmental aspects; § 6.1.3 ¶ 1 a)]
    Leadership and high level objectives Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Leadership and high level objectives Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Leadership and high level objectives Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1 c)
    The scope shall be maintained as documented information and be available to interested parties. § 4.3 ¶ 4
    The organization shall maintain documented information of its compliance obligations. § 6.1.3 ¶ 2
    The organization's environmental management system shall include: documented information required by this International Standard; § 7.5.1 ¶ 1 a)]
    Leadership and high level objectives Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Leadership and high level objectives Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Leadership and high level objectives Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Leadership and high level objectives Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Leadership and high level objectives Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Leadership and high level objectives Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Leadership and high level objectives Detective
    Approve all compliance documents. CC ID 06286 Leadership and high level objectives Preventive
    Align the Authority Document list with external requirements. CC ID 06288
    [The organization shall: determine how these compliance obligations apply to the organization; § 6.1.3 ¶ 1 b)
    Documented information of external origin determined by the organization to be necessary for the planning and operation of the environmental management system shall be identified, as appropriate, and controlled. § 7.5.3 ¶ 3
    The organization shall: determine and have access to the compliance obligations related to its environmental aspects; § 6.1.3 ¶ 1 a)]
    Leadership and high level objectives Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Leadership and high level objectives Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Leadership and high level objectives Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Leadership and high level objectives Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 Leadership and high level objectives Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913
    [When determining this scope, the organization shall consider: its authority and ability to exercise control and influence. § 4.3 ¶ 2 e)]
    Leadership and high level objectives Preventive
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Leadership and high level objectives Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Leadership and high level objectives Preventive
    Include criteria for compliance in the decision-making criteria. CC ID 12951 Leadership and high level objectives Preventive
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 Leadership and high level objectives Preventive
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 Leadership and high level objectives Preventive
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938 Leadership and high level objectives Preventive
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Leadership and high level objectives Detective
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Leadership and high level objectives Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228
    [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Leadership and high level objectives Preventive
    Include communication protocols in the financial management program. CC ID 16763 Leadership and high level objectives Preventive
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Leadership and high level objectives Preventive
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Leadership and high level objectives Preventive
    Establish, implement, and maintain financial resource management procedures. CC ID 16642 Leadership and high level objectives Preventive
    Document the rationale for the amount of financial resources being held. CC ID 16688 Leadership and high level objectives Preventive
    Establish, implement, and maintain collateral procedures. CC ID 16653 Leadership and high level objectives Preventive
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Leadership and high level objectives Preventive
    Define the collateral requirements in the collateral procedures. CC ID 16686 Leadership and high level objectives Preventive
    Identify and document the financial resources available for use. CC ID 16643 Leadership and high level objectives Preventive
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Leadership and high level objectives Preventive
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Leadership and high level objectives Preventive
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Leadership and high level objectives Preventive
    Include roles and responsibilities in the securities trading program. CC ID 16689 Leadership and high level objectives Preventive
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Leadership and high level objectives Preventive
    Include performance guarantees in the capital restoration plan. CC ID 16616 Leadership and high level objectives Preventive
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Leadership and high level objectives Preventive
    Include required information in the capital restoration plan. CC ID 16609 Leadership and high level objectives Preventive
    Establish, implement, and maintain valuation procedures. CC ID 16634 Leadership and high level objectives Preventive
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Leadership and high level objectives Preventive
    Establish, implement, and maintain lending policies. CC ID 16608 Leadership and high level objectives Preventive
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Leadership and high level objectives Preventive
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Leadership and high level objectives Preventive
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Leadership and high level objectives Preventive
    Include pricing structures in the lending policy. CC ID 16724 Leadership and high level objectives Preventive
    Include monitoring requirements in the lending policy. CC ID 16710 Leadership and high level objectives Preventive
    Include loan origination procedures in the lending policy. CC ID 16709 Leadership and high level objectives Preventive
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Leadership and high level objectives Preventive
    Include loan requirements in the lending policy. CC ID 16706 Leadership and high level objectives Preventive
    Include appraisals and evaluations in the lending policy. CC ID 16705 Leadership and high level objectives Preventive
    Include terms and conditions in the lending policy. CC ID 16695 Leadership and high level objectives Preventive
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Leadership and high level objectives Preventive
    Include geographic areas in the lending policy. CC ID 16691 Leadership and high level objectives Preventive
    Include underwriting guidelines in the lending policy. CC ID 16619 Leadership and high level objectives Preventive
    Include credit review in the underwriting guidelines. CC ID 16765 Leadership and high level objectives Preventive
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Leadership and high level objectives Preventive
    Include documentation requirements in the lending policy. CC ID 16617 Leadership and high level objectives Preventive
    Include the purpose of the loan in the loan documentation. CC ID 16747 Leadership and high level objectives Preventive
    Include the source of repayment in the loan documentation. CC ID 16746 Leadership and high level objectives Preventive
    Include approval requirements in the lending policy. CC ID 16615 Leadership and high level objectives Preventive
    Include reporting requirements in the lending policy. CC ID 16614 Leadership and high level objectives Preventive
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Leadership and high level objectives Preventive
    Include loan administration procedures in the lending policy. CC ID 16610 Leadership and high level objectives Preventive
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Leadership and high level objectives Preventive
    Include termination procedures in the loan participation agreement. CC ID 16753 Leadership and high level objectives Preventive
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Leadership and high level objectives Preventive
    Include servicing agreements in the loan administration procedures. CC ID 16744 Leadership and high level objectives Preventive
    Include claims processing in the loan administration procedures. CC ID 16742 Leadership and high level objectives Preventive
    Include forbearance management in the loan administration procedures. CC ID 16741 Leadership and high level objectives Preventive
    Include foreclosure management in the loan administration procedures. CC ID 16740 Leadership and high level objectives Preventive
    Include delinquency management in the loan administration procedures. CC ID 16739 Leadership and high level objectives Preventive
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Leadership and high level objectives Preventive
    Include loan closing in the loan administration procedures. CC ID 16734 Leadership and high level objectives Preventive
    Include payoff statements in the loan administration procedures. CC ID 16733 Leadership and high level objectives Preventive
    Include payment processing in the loan administration procedures. CC ID 16732 Leadership and high level objectives Preventive
    Include loan reviews in the loan administration procedures. CC ID 16703 Leadership and high level objectives Preventive
    Include collections in the loan administration procedures. CC ID 16701 Leadership and high level objectives Preventive
    Include collateral inspections in the loan administration procedures. CC ID 16699 Leadership and high level objectives Preventive
    Include disbursements in the loan administration procedures. CC ID 16697 Leadership and high level objectives Preventive
    Establish, implement, and maintain a dividend policy. CC ID 16569 Leadership and high level objectives Preventive
    Include compliance requirements in the dividend policy. CC ID 16570 Leadership and high level objectives Preventive
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 Leadership and high level objectives Preventive
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Leadership and high level objectives Preventive
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Leadership and high level objectives Preventive
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Leadership and high level objectives Preventive
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Leadership and high level objectives Preventive
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Leadership and high level objectives Preventive
    Include the call date in the securities transaction notification. CC ID 16680 Leadership and high level objectives Preventive
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Leadership and high level objectives Preventive
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Leadership and high level objectives Preventive
    Include the call price in the securities transaction notification. CC ID 16678 Leadership and high level objectives Preventive
    Include debits and credits in the securities transaction notification. CC ID 16677 Leadership and high level objectives Preventive
    Include transactions in the securities transaction notification. CC ID 16676 Leadership and high level objectives Preventive
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Leadership and high level objectives Preventive
    Include yield information in the securities transaction notification. CC ID 16673 Leadership and high level objectives Preventive
    Include redemption information in the securities transaction notification. CC ID 16672 Leadership and high level objectives Preventive
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Leadership and high level objectives Preventive
    Include the type of call in the securities transaction notification. CC ID 16668 Leadership and high level objectives Preventive
    Include an account statement in the securities transaction notification. CC ID 16666 Leadership and high level objectives Preventive
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Leadership and high level objectives Preventive
    Include the execution price in the securities transaction notification. CC ID 16664 Leadership and high level objectives Preventive
    Include the organization's role in the securities transaction notification. CC ID 16646 Leadership and high level objectives Preventive
    Include the name of the broker in the securities transaction notification. CC ID 16647 Leadership and high level objectives Preventive
    Include the name of the customer in the securities transaction notification. CC ID 16625 Leadership and high level objectives Preventive
    Include the organization's name in the securities transaction notification. CC ID 16624 Leadership and high level objectives Preventive
    Include confirmations in the securities transaction notification. CC ID 16623 Leadership and high level objectives Preventive
    Include remunerations in the securities transaction notification. CC ID 16622 Leadership and high level objectives Preventive
    Include requested information in the securities transaction notification. CC ID 16641 Leadership and high level objectives Preventive
    Include the execution date in the securities transaction notification. CC ID 16620 Leadership and high level objectives Preventive
    Establish, implement, and maintain financial reports. CC ID 14770 Leadership and high level objectives Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Leadership and high level objectives Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Leadership and high level objectives Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588 Leadership and high level objectives Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Leadership and high level objectives Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Leadership and high level objectives Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Leadership and high level objectives Preventive
    Include material contingencies in the financial statement. CC ID 16596 Leadership and high level objectives Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Leadership and high level objectives Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Leadership and high level objectives Preventive
    Include assets and liabilities in the call report. CC ID 16729 Leadership and high level objectives Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671
    [{what needs to be measured} The organization shall determine: what needs to be monitored and measured; § 9.1.1 ¶ 2 a)
    The organization shall determine: when the monitoring and measuring shall be performed; § 9.1.1 ¶ 2 d)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653
    [The organization shall: determine the frequency that compliance will be evaluated; § 9.1.2 ¶ 2 a)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656 Monitoring and measurement Preventive
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.2 ¶ 3 Bullet 1
    The management review shall include consideration of: information on the organization's environmental performance, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2 d) 1)]
    Monitoring and measurement Preventive
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Monitoring and measurement Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Preventive
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Monitoring and measurement Preventive
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Monitoring and measurement Preventive
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 Monitoring and measurement Preventive
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Monitoring and measurement Preventive
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 Monitoring and measurement Preventive
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Monitoring and measurement Preventive
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665 Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics standard and template. CC ID 02157 Monitoring and measurement Preventive
    Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 Monitoring and measurement Preventive
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Monitoring and measurement Preventive
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Monitoring and measurement Preventive
    Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 Monitoring and measurement Preventive
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Monitoring and measurement Preventive
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Monitoring and measurement Preventive
    Establish, implement, and maintain a privacy metrics program. CC ID 15494 Monitoring and measurement Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Monitoring and measurement Preventive
    Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Monitoring and measurement Preventive
    Establish, implement, and maintain a log management program. CC ID 00673 Monitoring and measurement Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Monitoring and measurement Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178
    [{environmental aspect} The organization shall plan: to take actions to address its: risks and opportunities identified in 6.1.1; § 6.1.4 ¶ 1 a) 3)]
    Monitoring and measurement Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177
    [The organization shall plan: to take actions to address its: significant environmental aspects; § 6.1.4 ¶ 1 a) 1)]
    Monitoring and measurement Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Audits and risk management Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Audits and risk management Preventive
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Audits and risk management Preventive
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Audits and risk management Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Audits and risk management Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Audits and risk management Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Audits and risk management Preventive
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Audits and risk management Preventive
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Audits and risk management Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Audits and risk management Preventive
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Audits and risk management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Audits and risk management Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Audits and risk management Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Audits and risk management Preventive
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Audits and risk management Preventive
    Establish, implement, and maintain an audit program. CC ID 00684
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Audits and risk management Preventive
    Establish, implement, and maintain audit policies. CC ID 13166 Audits and risk management Preventive
    Include resource requirements in the audit program. CC ID 15237 Audits and risk management Preventive
    Include risks and opportunities in the audit program. CC ID 15236 Audits and risk management Preventive
    Establish and maintain audit terms. CC ID 13880 Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Audits and risk management Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Audits and risk management Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Audits and risk management Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Audits and risk management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Audits and risk management Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Audits and risk management Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Audits and risk management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Audits and risk management Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Audits and risk management Preventive
    Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 Audits and risk management Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Audits and risk management Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Audits and risk management Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Audits and risk management Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Audits and risk management Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Audits and risk management Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Audits and risk management Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Audits and risk management Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Audits and risk management Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Audits and risk management Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Audits and risk management Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Audits and risk management Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Audits and risk management Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Audits and risk management Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Audits and risk management Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Audits and risk management Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Audits and risk management Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Audits and risk management Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Audits and risk management Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Audits and risk management Preventive
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Audits and risk management Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Audits and risk management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 3 a)]
    Audits and risk management Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Audits and risk management Preventive
    Include audit subject matter in the audit program. CC ID 07103 Audits and risk management Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Audits and risk management Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Audits and risk management Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Audits and risk management Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Audits and risk management Preventive
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Audits and risk management Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Audits and risk management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Audits and risk management Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Audits and risk management Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Audits and risk management Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Audits and risk management Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Audits and risk management Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Audits and risk management Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Audits and risk management Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Audits and risk management Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Audits and risk management Preventive
    Include how access to in scope systems, personnel, and in scope records is provided to the auditor in the audit terms. CC ID 06988 Audits and risk management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Audits and risk management Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Audits and risk management Preventive
    Establish and maintain a practitioner's report on management's assertions, as necessary. CC ID 13888 Audits and risk management Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Corrective
    Include materiality levels in the audit terms. CC ID 01238 Audits and risk management Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Audits and risk management Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Audits and risk management Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Audits and risk management Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Audits and risk management Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Audits and risk management Preventive
    Edit the audit assertion for accuracy. CC ID 07030 Audits and risk management Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Audits and risk management Preventive
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Audits and risk management Preventive
    Establish, implement, and maintain interview procedures. CC ID 16282 Audits and risk management Preventive
    Establish and maintain work papers, as necessary. CC ID 13891 Audits and risk management Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Audits and risk management Preventive
    Include audit irregularities in the work papers. CC ID 16774 Audits and risk management Preventive
    Include corrective actions in the work papers. CC ID 16771 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Audits and risk management Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Audits and risk management Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Audits and risk management Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Audits and risk management Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Audits and risk management Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Audits and risk management Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Audits and risk management Preventive
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Audits and risk management Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Audits and risk management Preventive
    Establish, implement, and maintain a practitioner's report on agreed-upon procedures. CC ID 13894 Audits and risk management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Audits and risk management Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Audits and risk management Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Audits and risk management Preventive
    Establish and maintain organizational audit reports. CC ID 06731
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Audits and risk management Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Detective
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Preventive
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Audits and risk management Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Preventive
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Audits and risk management Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Audits and risk management Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Audits and risk management Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Audits and risk management Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Audits and risk management Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Audits and risk management Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Audits and risk management Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Preventive
    Refrain from referencing other auditors' work in the audit report. CC ID 13881 Audits and risk management Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Audits and risk management Preventive
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Preventive
    Include recommended corrective actions in the audit report. CC ID 16197 Audits and risk management Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Audits and risk management Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Audits and risk management Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Audits and risk management Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Audits and risk management Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Audits and risk management Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Audits and risk management Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Audits and risk management Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Audits and risk management Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Audits and risk management Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Audits and risk management Preventive
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Detective
    Review past audit reports. CC ID 01155
    [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2
    The management review shall include consideration of: information on the organization's environmental performance, including trends in: audit results; § 9.3 ¶ 2 d) 4)]
    Audits and risk management Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Detective
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Corrective
    Include an audit opinion in the audit report. CC ID 07017 Audits and risk management Preventive
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Audits and risk management Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Preventive
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Audits and risk management Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Audits and risk management Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Audits and risk management Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Audits and risk management Preventive
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Audits and risk management Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Audits and risk management Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Audits and risk management Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Audits and risk management Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Corrective
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Audits and risk management Preventive
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Audits and risk management Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Audits and risk management Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Audits and risk management Detective
    Accept the audit report. CC ID 07025 Audits and risk management Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777
    [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2]
    Audits and risk management Corrective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Audits and risk management Preventive
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Preventive
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Preventive
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Audits and risk management Preventive
    Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 Physical and environmental protection Preventive
    Include the scope in the physical and environmental protection policy. CC ID 14170
    [The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. § 4.3 ¶ 1]
    Physical and environmental protection Preventive
    Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061
    [Once the scope is defined, all activities, products and services of the organization within that scope need to be included in the environmental management system. § 4.3 ¶ 3]
    Physical and environmental protection Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [{response} {adverse impact} The organization shall: prepare to respond by planning actions to prevent or mitigate adverse environmental impacts from emergency situations; § 8.2 ¶ 2 a)]
    Operational and Systems Continuity Preventive
    Identify all stakeholders in the continuity plan. CC ID 13256 Operational and Systems Continuity Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Operational and Systems Continuity Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Operational and Systems Continuity Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189 Operational and Systems Continuity Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Operational and Systems Continuity Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Operational and Systems Continuity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Operational and Systems Continuity Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Operational and Systems Continuity Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Operational and Systems Continuity Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Operational and Systems Continuity Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236
    [The organization shall establish, implement and maintain the process(es) needed to prepare for and respond to potential emergency situations identified in 6.1.1. § 8.2 ¶ 1]
    Operational and Systems Continuity Corrective
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Operational and Systems Continuity Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Operational and Systems Continuity Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Operational and Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Operational and Systems Continuity Preventive
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [The organization shall: periodically review and revise the process(es) and planned response actions, in particular after the occurrence of emergency situations or tests; § 8.2 ¶ 2 e)
    {be appropriate}The organization shall: take action to prevent or mitigate the consequences of emergency situations, appropriate to the magnitude of the emergency and the potential environmental impact; § 8.2 ¶ 2 c)]
    Operational and Systems Continuity Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Preventive
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Detective
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Operational and Systems Continuity Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Operational and Systems Continuity Preventive
    Define the scope for the security operations center. CC ID 15713 Human Resources management Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Human Resources management Preventive
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Human Resources management Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Human Resources management Preventive
    Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 Human Resources management Preventive
    Define and assign the security staff roles and responsibilities. CC ID 11750 Human Resources management Preventive
    Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 Human Resources management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Preventive
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Preventive
    Document the security clearance procedure results. CC ID 01635 Human Resources management Detective
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781
    [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; § 7.2 ¶ 1 a)]
    Human Resources management Preventive
    Establish and maintain an annual report on compensation. CC ID 14801 Human Resources management Preventive
    Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 Human Resources management Preventive
    Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 Human Resources management Preventive
    Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 Human Resources management Preventive
    Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 Human Resources management Preventive
    Establish, implement, and maintain job applications. CC ID 16180 Human Resources management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Preventive
    Document all training in a training record. CC ID 01423
    [The organization shall retain appropriate documented information as evidence of competence. § 7.2 ¶ 2]
    Human Resources management Detective
    Review the current published guidance and awareness and training programs. CC ID 01245 Human Resources management Preventive
    Establish, implement, and maintain training plans. CC ID 00828
    [The organization shall: determine training needs associated with its environmental aspects and its environmental management system; § 7.2 ¶ 1 c)]
    Human Resources management Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Human Resources management Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Human Resources management Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Preventive
    Document security awareness requirements. CC ID 12146 Human Resources management Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Human Resources management Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Human Resources management Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Human Resources management Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Human Resources management Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Preventive
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Preventive
    Document the goals of the security awareness program. CC ID 12145 Human Resources management Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Preventive
    Document the scope of the security awareness program. CC ID 12148 Human Resources management Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Human Resources management Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Human Resources management Preventive
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200
    [The organization shall ensure that persons doing work under the organization's control are aware of: the significant environmental aspects and related actual or potential environmental impacts associated with their work; § 7.3 ¶ 1 b)
    The organization shall ensure that persons doing work under the organization's control are aware of: the environmental policy; § 7.3 ¶ 1 a)
    The organization shall ensure that persons doing work under the organization's control are aware of: the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. § 7.3 ¶ 1 d)
    The organization shall ensure that persons doing work under the organization's control are aware of: their contribution to the effectiveness of the environmental management system, including the benefits of enhanced environmental performance; § 7.3 ¶ 1 c)]
    Human Resources management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [The organization shall plan: to take actions to address its: compliance obligations; § 6.1.4 ¶ 1 a) 2)
    The organization shall establish, implement and maintain the process(es) needed to evaluate fulfilment of its compliance obligations. § 9.1.2 ¶ 1]
    Operational management Preventive
    Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 Operational management Preventive
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Operational management Preventive
    Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853
    [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2
    The management review shall include consideration of: changes in: its significant environmental aspects; § 9.3 ¶ 2 b) 3)
    The management review shall include consideration of: changes in: risks and opportunities; § 9.3 ¶ 2 b) 4)
    The outputs of the management review shall include: decisions related to any need for changes to the environmental management system, including resources; § 9.3 ¶ 3 Bullet 3]
    Operational management Preventive
    Establish, implement, and maintain a compliance policy. CC ID 14807 Operational management Preventive
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813 Operational management Preventive
    Include the scope in the compliance policy. CC ID 14812 Operational management Preventive
    Include roles and responsibilities in the compliance policy. CC ID 14811 Operational management Preventive
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Operational management Preventive
    Include management commitment in the compliance policy. CC ID 14808 Operational management Preventive
    Establish, implement, and maintain a governance policy. CC ID 15587 Operational management Preventive
    Include a commitment to continuous improvement in the governance policy. CC ID 15595 Operational management Preventive
    Include roles and responsibilities in the governance policy. CC ID 15594 Operational management Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820 Operational management Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [The management review shall include consideration of opportunities for continual improvement. § 9.3 ¶ 2 g)
    The outputs of the management review shall include: decisions related to continual improvement opportunities; § 9.3 ¶ 3 Bullet 2]
    Operational management Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Operational management Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Operational management Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Operational management Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Operational management Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Operational management Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Operational management Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Operational management Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Operational management Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Operational management Preventive
    Establish, implement, and maintain a cybersecurity policy. CC ID 16833 Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Preventive
    Include physical safeguards in the information security program. CC ID 12375 Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374 Operational management Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Operational management Preventive
    Include system development in the information security program. CC ID 12389 Operational management Preventive
    Include system maintenance in the information security program. CC ID 12388 Operational management Preventive
    Include system acquisition in the information security program. CC ID 12387 Operational management Preventive
    Include access control in the information security program. CC ID 12386 Operational management Preventive
    Include operations management in the information security program. CC ID 12385 Operational management Preventive
    Include communication management in the information security program. CC ID 12384 Operational management Preventive
    Include environmental security in the information security program. CC ID 12383 Operational management Preventive
    Include physical security in the information security program. CC ID 12382 Operational management Preventive
    Include human resources security in the information security program. CC ID 12381 Operational management Preventive
    Include asset management in the information security program. CC ID 12380 Operational management Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Operational management Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Operational management Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Operational management Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Operational management Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Preventive
    Include risk management in the information security program. CC ID 12378 Operational management Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740 Operational management Preventive
    Include business processes in the information security policy. CC ID 16326 Operational management Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Preventive
    Include information security objectives in the information security policy. CC ID 13493 Operational management Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Preventive
    Include notification procedures in the information security policy. CC ID 16842 Operational management Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Operational management Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Preventive
    Establish, implement, and maintain operational control procedures. CC ID 00831 Operational management Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Preventive
    Include startup processes in operational control procedures. CC ID 00833 Operational management Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Operational management Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Corrective
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Operational management Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Operational management Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Operational management Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Operational management Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Operational management Preventive
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536 Operational management Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Operational management Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Operational management Preventive
    Establish, implement, and maintain a use of information agreement. CC ID 06215 Operational management Preventive
    Include use limitations in the use of information agreement. CC ID 06244 Operational management Preventive
    Include disclosure requirements in the use of information agreement. CC ID 11735 Operational management Preventive
    Include information recipients in the use of information agreement. CC ID 06245 Operational management Preventive
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Operational management Preventive
    Include disclosure of information in the use of information agreement. CC ID 11830 Operational management Preventive
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 Operational management Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Operational management Preventive
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Operational management Preventive
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [Top management shall assign the responsibility and authority for: ensuring that the environmental management system conforms to the requirements of this International Standard; § 5.3 ¶ 2 a)
    The outputs of the management review shall include: opportunities to improve integration of the environmental management system with other business processes, if needed; § 9.3 ¶ 3 Bullet 5]
    Operational management Preventive
    Establish, implement, and maintain an asset management policy. CC ID 15219 Operational management Preventive
    Establish, implement, and maintain asset management procedures. CC ID 16748 Operational management Preventive
    Include life cycle requirements in the security management program. CC ID 16392 Operational management Preventive
    Include program objectives in the asset management program. CC ID 14413 Operational management Preventive
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Operational management Preventive
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Operational management Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Preventive
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Operational management Preventive
    Define confidentiality controls. CC ID 01908 Operational management Preventive
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Operational management Preventive
    Define integrity controls. CC ID 01909 Operational management Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Operational management Preventive
    Define availability controls. CC ID 01911 Operational management Preventive
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Operational management Preventive
    Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 Operational management Preventive
    Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 Operational management Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Operational management Preventive
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Operational management Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Operational management Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Operational management Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Operational management Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Operational management Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Operational management Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Operational management Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Operational management Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Operational management Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Operational management Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Operational management Preventive
    Include software in the Information Technology inventory. CC ID 00692 Operational management Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Operational management Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Operational management Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Operational management Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Operational management Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Operational management Preventive
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Operational management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Preventive
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Preventive
    Record the software version in the asset inventory. CC ID 12196 Operational management Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Operational management Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Operational management Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Operational management Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Operational management Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Operational management Preventive
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Operational management Preventive
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Operational management Preventive
    Establish, implement, and maintain software archives procedures. CC ID 00866 Operational management Preventive
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Operational management Preventive
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Operational management Preventive
    Establish, implement, and maintain software license management procedures. CC ID 06639 Operational management Preventive
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Operational management Preventive
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Operational management Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Operational management Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Operational management Preventive
    Establish, implement, and maintain a system disposal program. CC ID 14431 Operational management Preventive
    Establish, implement, and maintain disposal procedures. CC ID 16513 Operational management Preventive
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Operational management Preventive
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Operational management Preventive
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Operational management Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Operational management Preventive
    Establish and maintain maintenance reports. CC ID 11749 Operational management Preventive
    Establish and maintain system inspection reports. CC ID 06346 Operational management Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Operational management Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Operational management Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Operational management Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Operational management Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Operational management Preventive
    Include the purpose in the system maintenance policy. CC ID 14187 Operational management Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Operational management Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Operational management Preventive
    Establish, implement, and maintain a technology refresh plan. CC ID 13061 Operational management Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Operational management Preventive
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Operational management Preventive
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Operational management Preventive
    Establish, implement, and maintain disposal contracts. CC ID 12199 Operational management Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Operational management Preventive
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Operational management Preventive
    Establish, implement, and maintain a data stewardship policy. CC ID 06657 Operational management Preventive
    Establish and maintain an unauthorized software list. CC ID 10601 Operational management Preventive
    Establish, implement, and maintain a change control program. CC ID 00886 Operational management Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243
[The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Operational management Preventive
    Include version control in the change control program. CC ID 13119
    [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3 ¶ 2 Bullet 3]
    Operational management Preventive
    Provide audit trails for all approved changes. CC ID 13120 Operational management Preventive
    Define the processing specifications for products and services creation requirements. CC ID 13523 Operational management Preventive
    Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 Operational management Preventive
    Include risks and opportunities in the environmental management system. CC ID 15201
[{external and internal issues} and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: § 6.1.1 ¶ 3
The organization shall maintain documented information of its: risks and opportunities that need to be addressed; § 6.1.1 ¶ 5 Bullet 1]
    Operational management Preventive
    Include communications in the environmental management system. CC ID 15199
[{internal communications} The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: § 7.4.1 ¶ 1]
    Operational management Preventive
    Establish, implement, and maintain environmental performance monitoring procedures. CC ID 15222
    [The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1.1 ¶ 2 b)]
    Operational management Preventive
    Disseminate and communicate environmental information to interested personnel and affected parties. CC ID 15195
    [The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations. § 9.1.1 ¶ 5]
    Operational management Preventive
    Include compliance obligations in the environmental management system. CC ID 15185
    [{take into account}The organization shall: take these compliance obligations into account when establishing, implementing, maintaining and continually improving its environmental management system. § 6.1.3 ¶ 1 c)]
    Operational management Preventive
    Establish, implement, and maintain environmental objectives. CC ID 15186
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: provides a framework for setting environmental objectives; § 5.2 ¶ 1 b)
    The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1
    {be consistent}The environmental objectives shall be: consistent with the environmental policy; § 6.2.1 ¶ 2 a)
    The organization shall maintain documented information on the environmental objectives. § 6.2.1 ¶ 3
    When planning how to achieve its environmental objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1 d)
    When planning how to achieve its environmental objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1 a)
    The environmental objectives shall be: updated as appropriate. § 6.2.1 ¶ 2 e)]
    Operational management Preventive
    Include risks and opportunities in the environmental objectives. CC ID 15188
    [The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1]
    Operational management Preventive
    Include the required resources in the environmental objectives. CC ID 15221
    [When planning how to achieve its environmental objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1 b)]
    Operational management Preventive
    Include compliance requirements in the environmental objectives. CC ID 15187
    [The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1]
    Operational management Preventive
    Document the criteria used to determine the environmental aspects. CC ID 15181
    [The organization shall maintain documented information of its: criteria used to determine its significant environmental aspects; § 6.1.2 ¶ 5 Bullet 2]
    Operational management Preventive
    Take into account emergency situations when determining environmental aspects. CC ID 15180
    [When determining environmental aspects, the organization shall take into account: abnormal conditions and reasonably foreseeable emergency situations. § 6.1.2 ¶ 2 b)]
    Operational management Preventive
    Take into account abnormal conditions when determining environmental aspects. CC ID 15179
    [When determining environmental aspects, the organization shall take into account: abnormal conditions and reasonably foreseeable emergency situations. § 6.1.2 ¶ 2 b)]
    Operational management Preventive
    Include the organization's significant environmental aspects in the environmental management system. CC ID 15176
    [The organization shall maintain documented information of its: significant environmental aspects. § 6.1.2 ¶ 5 Bullet 3]
    Operational management Preventive
    Include the environmental management system requirements in the environmental management system. CC ID 14978
    [{be effective}Top management shall demonstrate leadership and commitment with respect to the environmental management system by: communicating the importance of effective environmental management and of conforming to the environmental management system requirements; § 5.1 ¶ 1 e)
    {environmental objective}{compliance obligation}{operating process}The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: establishing operating criteria for the process(es); § 8.1 ¶ 1 Bullet 1]
    Operational management Preventive
    Include environmental impacts in the environmental management system. CC ID 15175
    [The organization shall maintain documented information of its: environmental aspects and associated environmental impacts; § 6.1.2 ¶ 5 Bullet 1]
    Operational management Preventive
    Include a commitment to continuous improvement in the environmental management system. CC ID 14970
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: promoting continual improvement; § 5.1 ¶ 1 h)
    {external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: achieve continual improvement. § 6.1.1 ¶ 3 Bullet 3]
    Operational management Preventive
    Include third party requirements in the environmental management system. CC ID 14964
[{interested parties}{compliance obligations}When planning for the environmental management system, the organization shall consider: the requirements referred to in 4.2; § 6.1.1 ¶ 2 b)]
    Operational management Preventive
    Include environmental conditions in the environmental management system. CC ID 14952
    [{external and internal issues}{environmental conditions}When planning for the environmental management system, the organization shall consider: the issues referred to in 4.1; § 6.1.1 ¶ 2 a)]
    Operational management Preventive
    Include the scope in the environmental management system. CC ID 14950
    [When planning for the environmental management system, the organization shall consider: the scope of its environmental management system; § 6.1.1 ¶ 2 c)
The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. § 4.3 ¶ 1]
    Operational management Preventive
    Include emergency situations in the scope of the environmental management system. CC ID 14995
    [Within the scope of the environmental management system, the organization shall determine potential emergency situations, including those that can have an environmental impact. § 6.1.1 ¶ 4]
    Operational management Preventive
    Include the environmental impact of activities, products, and services in the scope of the environmental management system. CC ID 15184
    [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1]
    Operational management Preventive
    Include activities, products, and services in the scope of the environmental management system. CC ID 15182
    [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1]
    Operational management Preventive
    Establish, implement, and maintain an environmental policy. CC ID 14947
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: § 5.2 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and the context of the organization; § 5.1 ¶ 1 b)
    The environmental policy shall: be maintained as documented information; § 5.2 ¶ 2 Bullet 1]
    Operational management Preventive
    Include continuous improvement of environmental performance in the environmental policy. CC ID 14994
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to continual improvement of the environmental management system to enhance environmental performance. § 5.2 ¶ 1 e)]
    Operational management Preventive
    Include compliance obligations in the environmental policy. CC ID 14993
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to fulfil its compliance obligations; § 5.2 ¶ 1 d)]
    Operational management Preventive
    Include a commitment to the protection of the environment in the environmental policy. CC ID 14991
[Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to the protection of the environment, including prevention of pollution and other specific commitment(s) relevant to the context of the organization; § 5.2 ¶ 1 c)]
    Operational management Preventive
    Include the scope in the environmental policy. CC ID 14987
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: is appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services; § 5.2 ¶ 1 a)]
    Operational management Preventive
    Include purpose and context in the environmental policy. CC ID 14985
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: is appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services; § 5.2 ¶ 1 a)]
    Operational management Preventive
    Tailor the environmental policy to be compatible with the organization's strategic direction. CC ID 14974
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and the context of the organization; § 5.1 ¶ 1 b)]
    Operational management Preventive
    Establish, implement, and maintain records management policies. CC ID 00903
    [{place}{time}Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3 ¶ 1 a)]
    Records management Preventive
    Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 Records management Detective
    Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 Records management Preventive
    Establish, implement, and maintain form disposition procedures. CC ID 06394 Records management Preventive
    Establish, implement, and maintain a record classification scheme. CC ID 00914 Records management Preventive
    Establish, implement, and maintain a business activity classification standard. CC ID 00915 Records management Preventive
    Establish, implement, and maintain records registration procedures. CC ID 00913 Records management Detective
    Define the terms used in the record classification scheme. CC ID 00916 Records management Detective
    Establish, implement, and maintain a records authentication system. CC ID 11648 Records management Preventive
    Establish and maintain an index of all official records. CC ID 00918 Records management Preventive
    Establish, implement, and maintain electronic signature requirements. CC ID 06219 Records management Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Detective
    Establish, implement, and maintain a data retention program. CC ID 00906 Records management Detective
    Establish, implement, and maintain storage media retention procedures. CC ID 16277 Records management Preventive
    Define which documents and records the organization may capture. CC ID 00905 Records management Detective
    Capture and maintain all business records, including supporting temporary files. CC ID 06622 Records management Preventive
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 Records management Preventive
    Establish, implement, and maintain records disposition procedures. CC ID 00971
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 Bullet 4]
    Records management Preventive
    Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 Records management Preventive
    Maintain disposal records or redeployment records. CC ID 01644 Records management Preventive
    Include the name of the signing officer in the disposal record. CC ID 15710 Records management Preventive
    Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 Records management Preventive
    Include transfer agreements in the secure record transaction standards. CC ID 14821 Records management Preventive
    Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 Records management Preventive
    Include receipt of electronic records in the transfer agreement. CC ID 14822 Records management Preventive
    Include standards for each data element in the secure record transaction standard. CC ID 06094 Records management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Preventive
    Establish, implement, and maintain authorization records. CC ID 14367 Records management Preventive
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Records management Preventive
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Records management Preventive
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Records management Preventive
    Create summary of care records in accordance with applicable standards. CC ID 14440 Records management Preventive
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Records management Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931
[When creating and updating documented information the organization should ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1 b)]
    Records management Preventive
    Establish, implement, and maintain security label procedures. CC ID 06747 Records management Preventive
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Records management Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Preventive
    Establish the minimum originator requirements for security labels. CC ID 06579 Records management Preventive
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Records management Preventive
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Records management Preventive
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Records management Preventive
    Establish, implement, and maintain a records lifecycle management program. CC ID 00951 Records management Preventive
    Establish, implement, and maintain an information preservation policy. CC ID 16483 Records management Preventive
    Establish, implement, and maintain information preservation procedures. CC ID 06277
[For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3 ¶ 2 Bullet 2]
    Records management Preventive
    Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Records management Preventive
    Provide audit trails for all pertinent records. CC ID 00372 Records management Detective
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Records management Preventive
    Include the date and time in the removable storage media log. CC ID 12318 Records management Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Records management Preventive
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Records management Preventive
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Records management Preventive
    Include the sender's name in the removable storage media log. CC ID 12752 Records management Preventive
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Records management Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316 Records management Preventive
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Records management Preventive
    Establish, implement, and maintain output distribution procedures. CC ID 00927
    [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 Bullet 1]
    Records management Preventive
    Include printed output in output distribution procedures. CC ID 13477 Records management Preventive
    Establish, implement, and maintain document retention procedures. CC ID 11660
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 Bullet 4
    The organization shall retain documented information as evidence of: § 10.2 ¶ 3]
    Records management Preventive
    Establish, implement, and maintain a product and services acquisition program. CC ID 01136
    [Consistent with a life cycle perspective, the organization shall: determine its environmental requirement(s) for the procurement of products and services, as appropriate; § 8.1 ¶ 4 b)]
    Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 Acquisition or sale of facilities, technology, and services Preventive
    Include compliance requirements in the product and services acquisition policy. CC ID 14163 Acquisition or sale of facilities, technology, and services Preventive
    Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 Acquisition or sale of facilities, technology, and services Preventive
    Include management commitment in the product and services acquisition policy. CC ID 14161 Acquisition or sale of facilities, technology, and services Preventive
    Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 Acquisition or sale of facilities, technology, and services Preventive
    Include the scope in the product and services acquisition policy. CC ID 14159 Acquisition or sale of facilities, technology, and services Preventive
    Include the purpose in the product and services acquisition policy. CC ID 14158 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain acquisition approval requirements. CC ID 13704 Acquisition or sale of facilities, technology, and services Preventive
    Include preventive maintenance contracts in system acquisition contracts. CC ID 06658 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain organizational documents. CC ID 16202 Harmonization Methods and Manual of Style Preventive
    Organize all compliance documents. CC ID 06096 Harmonization Methods and Manual of Style Preventive
    Organize all compliance documents to fit the message. CC ID 06097 Harmonization Methods and Manual of Style Preventive
    Define the structure for compliance documents and governance documents. CC ID 06111
[When creating and updating documented information the organization shall ensure appropriate: identification and description (e.g. a title, date, author, or reference number); § 7.5.2 ¶ 1 a)]
    Harmonization Methods and Manual of Style Preventive
    Subordinate the structure of the compliance document to fit the topic. CC ID 06109 Harmonization Methods and Manual of Style Preventive
    Define visual and formatting styles for all structured headings. CC ID 06110 Harmonization Methods and Manual of Style Preventive
    Define the section heading style, if section headings are being used. CC ID 06112 Harmonization Methods and Manual of Style Preventive
    Use a table of contents to show sections and headings, if section headings are being used. CC ID 06113 Harmonization Methods and Manual of Style Preventive
    Place the table of contents at the document's beginning. CC ID 06114 Harmonization Methods and Manual of Style Preventive
    Add term definitions to the document's end. CC ID 06115 Harmonization Methods and Manual of Style Preventive
  • Human Resources Management
    82
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Align disciplinary actions with the level of compliance violation. CC ID 12404
    [Corrective actions shall be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s). § 10.2 ¶ 2]
    Monitoring and measurement Preventive
    Assign the Board of Directors to address audit findings. CC ID 12396 Audits and risk management Corrective
    Include roles and responsibilities in the interview procedures. CC ID 16297 Audits and risk management Preventive
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Detective
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Audits and risk management Preventive
    Assign responsibility for remediation actions. CC ID 13622 Audits and risk management Preventive
    Evaluate the competency of auditors. CC ID 15253 Audits and risk management Detective
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Operational and Systems Continuity Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Operational and Systems Continuity Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a security operations center. CC ID 14762 Human Resources management Preventive
    Designate an alternate for each organizational leader. CC ID 12053 Human Resources management Preventive
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 Human Resources management Preventive
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources management Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources management Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources management Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources management Corrective
    Define and assign board committees, as necessary. CC ID 14787 Human Resources management Preventive
    Define and assign risk committees, as necessary. CC ID 14795 Human Resources management Preventive
    Define and assign audit committees, as necessary. CC ID 14788 Human Resources management Preventive
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 Human Resources management Preventive
    Define and assign compensation committees, as necessary. CC ID 14793 Human Resources management Preventive
    Define and assign the network administrator's roles and responsibilities. CC ID 16363 Human Resources management Preventive
    Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 Human Resources management Preventive
    Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 Human Resources management Preventive
    Define and assign roles and responsibilities for network management. CC ID 13128 Human Resources management Preventive
    Define and assign the authorized representatives roles and responsibilities. CC ID 15033 Human Resources management Preventive
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources management Preventive
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources management Preventive
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources management Preventive
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources management Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources management Preventive
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources management Preventive
    Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 Human Resources management Preventive
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Detective
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources management Preventive
    Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 Human Resources management Preventive
    Refrain from using employees' privacy choices to restrict employment. CC ID 12425 Human Resources management Preventive
    Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 Human Resources management Preventive
    Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 Human Resources management Preventive
    Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 Human Resources management Preventive
    Include a space for the applicant's name on the job application. CC ID 16190 Human Resources management Preventive
    Include a space for the applicant's current address on the job application. CC ID 16189 Human Resources management Preventive
    Include a space for the applicant's social security number on the job application. CC ID 16188 Human Resources management Preventive
    Include a space for the applicant's date of birth on the job application. CC ID 16186 Human Resources management Preventive
    Include a space for previous employers and business relationships on the job application. CC ID 16185 Human Resources management Preventive
    Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 Human Resources management Preventive
    Include a space for the start date on the job application. CC ID 16187 Human Resources management Preventive
    Include a space to explain legal penalties on the job application. CC ID 16183 Human Resources management Preventive
    Approve the wording of job applications. CC ID 16182 Human Resources management Preventive
    Include a space for past aliases and other used names on job applications. CC ID 12301 Human Resources management Preventive
    Include a space for previous addresses and previous residences on the job application. CC ID 12302 Human Resources management Preventive
    Include a space to explain employment gaps on the job application. CC ID 12303 Human Resources management Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources management Preventive
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources management Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources management Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Preventive
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 Operational management Preventive
    Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 Operational management Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Operational management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Preventive
    Include roles and responsibilities in the environmental management system. CC ID 14971
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1 i)
    {responsible party}When planning how to achieve its environmental objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1 c)]
    Operational management Preventive
  • IT Impact Zone
    11
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Harmonization Methods and Manual of Style CC ID 06095 Harmonization Methods and Manual of Style IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    15
    Check the list of material topics for completeness. CC ID 15692 Leadership and high level objectives Preventive
    Ensure the data dictionary is complete and accurate. CC ID 13527 Leadership and high level objectives Detective
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Leadership and high level objectives Detective
    Determine the amount of assets to be held in escrow. CC ID 16575 Leadership and high level objectives Detective
    Determine the causes of compliance violations. CC ID 12401
[When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.2 ¶ 1 b) 1)
When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.2 ¶ 1 b) 2)]
    Monitoring and measurement Corrective
    Determine if multiple compliance violations of the same type could occur. CC ID 12402
[When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities exist, or could potentially occur; § 10.2 ¶ 1 b) 3)]
    Monitoring and measurement Detective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403
[When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.2 ¶ 1 d)]
    Monitoring and measurement Detective
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Detective
    Audit information systems, as necessary. CC ID 13010 Audits and risk management Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Audits and risk management Detective
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Audits and risk management Detective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Detective
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Detective
    Perform social network analysis, as necessary. CC ID 14864 Operational management Detective
  • Log Management
    42
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Monitoring and measurement Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Monitoring and measurement Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Monitoring and measurement Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Monitoring and measurement Detective
    Restrict access to logs to authorized individuals. CC ID 01342 Monitoring and measurement Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Monitoring and measurement Preventive
    Back up logs according to backup procedures. CC ID 01344 Monitoring and measurement Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Monitoring and measurement Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Monitoring and measurement Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Monitoring and measurement Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Monitoring and measurement Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Monitoring and measurement Preventive
    Protect logs from unauthorized activity. CC ID 01345 Monitoring and measurement Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Monitoring and measurement Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Monitoring and measurement Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Monitoring and measurement Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Detective
    Log the performance of all remote maintenance. CC ID 13202 Operational management Preventive
    Capture and maintain logs as official records. CC ID 06319 Records management Preventive
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Records management Preventive
    Log the date and time each item is made available into the recordkeeping system. CC ID 11710 Records management Preventive
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Records management Preventive
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Records management Preventive
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Records management Preventive
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Records management Preventive
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Records management Preventive
    Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 Records management Preventive
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Records management Preventive
    Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 Records management Preventive
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Records management Preventive
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Records management Preventive
    Log performance monitoring into the recordkeeping system. CC ID 11724 Records management Preventive
    Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 Records management Preventive
    Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 Records management Preventive
    Log any notices filed by the organization into the recordkeeping system. CC ID 11725 Records management Preventive
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Records management Preventive
    Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 Records management Preventive
    Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 Records management Preventive
    Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 Records management Preventive
    Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 Records management Preventive
    Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 Records management Preventive
    Establish, implement, and maintain a removable storage media log. CC ID 12317 Records management Preventive
  • Maintenance
    7
    Use system components only when third party support is available. CC ID 10644 Operational management Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Operational management Preventive
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Operational management Preventive
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Preventive
    Restart systems on a periodic basis. CC ID 16498 Operational management Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Preventive
  • Monitor and Evaluate Occurrences
    32
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Leadership and high level objectives Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Leadership and high level objectives Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Leadership and high level objectives Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Leadership and high level objectives Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; § 6.1.1 ¶ 3 Bullet 2
    When determining this scope, the organization shall consider: its activities, products and services; § 4.3 ¶ 2 d)
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization. § 4.1 ¶ 1]
    Leadership and high level objectives Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879
    [The management review shall include consideration of: changes in: the needs and expectations of interested parties, including compliance obligations; § 9.3 ¶ 2 b) 2)]
    Leadership and high level objectives Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604
    [The management review shall include consideration of: information on the organization's environmental performance, including trends in: fulfilment of its compliance obligations; § 9.3 ¶ 2 d) 3)]
    Leadership and high level objectives Detective
    Monitor for new Information Security solutions. CC ID 07078 Leadership and high level objectives Detective
    Monitor the performance of the margin system. CC ID 16655 Leadership and high level objectives Detective
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitoring and measurement Detective
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitoring and measurement Preventive
    Monitor the performance of the governance, risk, and compliance capability. CC ID 12857
    [When planning how to achieve its environmental objectives, the organization shall determine: how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). § 6.2.2 ¶ 1 e)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable: deal with the consequences, including mitigating adverse environmental impacts; § 10.2 ¶ 1 a) 2)
    The organization shall determine opportunities for improvement (see 9.1, 9.2 and 9.3) and implement necessary actions to achieve the intended outcomes of its environmental management system. § 10.1 ¶ 1]
    Monitoring and measurement Detective
    Include monitoring in the corrective action plan. CC ID 11645 Monitoring and measurement Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Audits and risk management Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Audits and risk management Preventive
    Monitor and evaluate business continuity management system performance. CC ID 12410 Operational and Systems Continuity Detective
    Record business continuity management system performance for posterity. CC ID 12411 Operational and Systems Continuity Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Human Resources management Detective
    Analyze and evaluate training records to improve the training program. CC ID 06380 Human Resources management Detective
    Monitor and review the effectiveness of the information security program. CC ID 12744 Operational management Preventive
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Operational management Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Operational management Corrective
    Automate software license monitoring, as necessary. CC ID 07057 Operational management Preventive
    Monitor environmental objectives. CC ID 15189
    [The environmental objectives shall be: monitored; § 6.2.1 ¶ 2 c)]
    Operational management Detective
    Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 Records management Detective
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. § 8.1 ¶ 3]
    Third Party and supply chain oversight Detective
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Detective
  • Physical and Environmental Protection
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Conduct environmental surveys. CC ID 00690 Operational management Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Operational management Preventive
    Control and monitor all maintenance tools. CC ID 01432 Operational management Detective
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Operational management Preventive
    Refrain from protecting physical assets when no longer required. CC ID 13484 Operational management Corrective
    Place printed records awaiting destruction into secure containers. CC ID 12464 Records management Preventive
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Records management Preventive
    Sign a forfeiture statement acknowledging unapproved Personal Electronic Devices will be confiscated. CC ID 11667 Acquisition or sale of facilities, technology, and services Preventive
  • Process or Activity
    99
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691
    [{internal communication}The organization shall: ensure its communication process(es) enable(s) persons doing work under the organization's control to contribute to continual improvement. § 7.4.2 ¶ 1 b)]
    Leadership and high level objectives Detective
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Leadership and high level objectives Preventive
    Identify barriers to stakeholder engagement. CC ID 15676 Leadership and high level objectives Preventive
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Leadership and high level objectives Preventive
    Route notifications, as necessary. CC ID 12832 Leadership and high level objectives Preventive
    Substantiate notifications, as necessary. CC ID 12831 Leadership and high level objectives Preventive
    Prioritize notifications, as necessary. CC ID 12830 Leadership and high level objectives Preventive
    Establish and maintain the organization's survey method. CC ID 12869 Leadership and high level objectives Preventive
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Leadership and high level objectives Preventive
    Review and approve the material topics, as necessary. CC ID 15670 Leadership and high level objectives Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Leadership and high level objectives Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Leadership and high level objectives Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Leadership and high level objectives Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942
    [The management review shall include consideration of: adequacy of resources; § 9.3 ¶ 2 e)]
    Leadership and high level objectives Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Leadership and high level objectives Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Leadership and high level objectives Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939
    [When determining this scope, the organization shall consider: its organizational units, functions and physical boundaries; § 4.3 ¶ 2 c)]
    Leadership and high level objectives Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Leadership and high level objectives Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Leadership and high level objectives Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960 Leadership and high level objectives Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Leadership and high level objectives Preventive
    Identify events that may affect organizational objectives. CC ID 12961 Leadership and high level objectives Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Leadership and high level objectives Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Leadership and high level objectives Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Leadership and high level objectives Preventive
    Identify all interested personnel and affected parties. CC ID 12845
    [The organization shall determine: the interested parties that are relevant to the environmental management system; § 4.2 ¶ 1 a)]
    Leadership and high level objectives Detective
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Leadership and high level objectives Preventive
    Determine progress toward the objectives of the strategic plan. CC ID 12944
    [The management review shall include consideration of: the extent to which environmental objectives have been achieved; § 9.3 ¶ 2 c)]
    Leadership and high level objectives Preventive
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 Leadership and high level objectives Preventive
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 Leadership and high level objectives Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 Leadership and high level objectives Preventive
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 Leadership and high level objectives Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909 Leadership and high level objectives Preventive
    Include ongoing monitoring in the financial management program. CC ID 16762 Leadership and high level objectives Preventive
    Employ tools to manage settlement and funding flows. CC ID 16743 Leadership and high level objectives Preventive
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Leadership and high level objectives Preventive
    Analyze the effectiveness of the stress test plan. CC ID 16657 Leadership and high level objectives Detective
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Leadership and high level objectives Preventive
    Include customer due diligence in the loan administration procedures. CC ID 16736 Leadership and high level objectives Preventive
    Assess the properties of the margin model used in the margin system. CC ID 16658 Leadership and high level objectives Detective
    Analyze the performance of the margin system. CC ID 16654 Leadership and high level objectives Detective
    Correct compliance violations. CC ID 13515
    [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.2 ¶ 1 a) 1)
    When a nonconformity occurs, the organization shall: implement any action needed; § 10.2 ¶ 1 c)
    The organization shall: evaluate compliance and take action if needed; § 9.1.2 ¶ 2 b)
    The management review shall include consideration of: information on the organization's environmental performance, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2 d) 1)]
    Monitoring and measurement Corrective
    Convert data into standard units before reporting metrics. CC ID 15507 Monitoring and measurement Corrective
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Audits and risk management Preventive
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Audits and risk management Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Audits and risk management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Audits and risk management Preventive
    Create a schedule for the interviews. CC ID 16292 Audits and risk management Preventive
    Identify interviewees. CC ID 16290 Audits and risk management Preventive
    Discuss unsolved questions with the interviewee. CC ID 16298 Audits and risk management Detective
    Allow interviewee to respond to explanations. CC ID 16296 Audits and risk management Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Audits and risk management Detective
    Explain the testing results to the interviewee. CC ID 16291 Audits and risk management Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Audits and risk management Corrective
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Audits and risk management Preventive
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Detective
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Operational and Systems Continuity Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Operational and Systems Continuity Preventive
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Preventive
    Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 Operational management Preventive
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895
    [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2]
    Operational management Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Preventive
    Review and approve access controls, as necessary. CC ID 13074 Operational management Detective
    Provide management direction and support for the information security program. CC ID 11999 Operational management Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Operational management Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Preventive
    Provide support for information sharing activities. CC ID 15644 Operational management Preventive
    Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 Operational management Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Operational management Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: § 5.1 ¶ 1]
    Operational management Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Operational management Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Operational management Preventive
    Analyze the organizational culture. CC ID 12899 Operational management Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Operational management Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Operational management Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Operational management Detective
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Operational management Corrective
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Operational management Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Operational management Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Operational management Preventive
    Delete age-restricted content, as necessary. CC ID 15450 Operational management Preventive
    Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 Operational management Preventive
    Establish, implement, and maintain environmental management system processes. CC ID 14954
    [The organization shall establish, implement and maintain the process(es) needed to meet the requirements in 6.1.1 to 6.1.4. § 6.1.1 ¶ 1
    The organization shall plan: how to: integrate and implement the actions into its environmental management system processes (see 6.2, Clause 7, Clause 8 and 9.1), or other business processes; § 6.1.4 ¶ 1 b) 1)
    {environmental objectives}{compliance obligations} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: § 8.1 ¶ 1
    {environmental objective}{compliance obligation}{operating process}The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: establishing operating criteria for the process(es); § 8.1 ¶ 1 Bullet 1]
    Operational management Preventive
    Prioritize and select controls based on environmental management system requirements. CC ID 15197
    [{environmental objective}{compliance obligation}{process control}{operating standard}The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: implementing control of the process(es), in accordance with the operating criteria. § 8.1 ¶ 1 Bullet 2]
    Operational management Preventive
    Analyze environmental aspects using established criteria. CC ID 15230
    [{be significant} The organization shall determine those aspects that have or can have a significant environmental impact, i.e. significant environmental aspects, by using established criteria. § 6.1.2 ¶ 3]
    Operational management Detective
    Analyze the environmental impact of organizational changes. CC ID 14979
    [When determining environmental aspects, the organization shall take into account: change, including planned or new developments, and new or modified activities, products and services; § 6.1.2 ¶ 2 a)]
    Operational management Detective
    Analyze the environmental impact of changes in developments, activities, products, and services. CC ID 14980
    [When determining environmental aspects, the organization shall take into account: change, including planned or new developments, and new or modified activities, products and services; § 6.1.2 ¶ 2 a)]
    Operational management Detective
    Remove dormant data from systems, as necessary. CC ID 13726 Records management Preventive
    Determine how long to keep records and logs before disposing them. CC ID 11661 Records management Preventive
    Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 Records management Preventive
    Define each system's disposition requirements for records and logs. CC ID 11651 Records management Preventive
    Display required information automatically in electronic health records. CC ID 14442 Records management Preventive
    Create export summaries, as necessary. CC ID 14446 Records management Preventive
    Identify patient-specific education resources. CC ID 14439 Records management Detective
    Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 Records management Preventive
    Identify electronic storage media that require downgrading. CC ID 10620 Records management Detective
    Downgrade electronic storage media, as necessary. CC ID 10621 Records management Corrective
  • Records Management
    35
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Audits and risk management Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Preventive
    Include source code in the asset inventory. CC ID 14858 Operational management Preventive
    Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662 Records management Preventive
    Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 Records management Detective
    Associate records with their security attributes. CC ID 06764 Records management Preventive
    Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 Records management Preventive
    Archive appropriate records, logs, and database tables. CC ID 06321 Records management Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4
    The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.2 ¶ 3 Bullet 1
    The organization shall retain documented information as evidence of: the results of any corrective action. § 10.2 ¶ 3 Bullet 2
    The organization shall retain documented information as evidence of its communications, as appropriate. § 7.4.1 ¶ 4
    The organization shall maintain documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 5
    The organization shall retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results. § 9.1.1 ¶ 6
    The organization shall retain documented information as evidence of the compliance evaluation result(s). § 9.1.2 ¶ 3]
    Records management Preventive
    Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 Records management Preventive
    Retain all evidence of indebtedness. CC ID 11713 Records management Preventive
    Capture and maintain distribution records. CC ID 06205 Records management Preventive
    Capture and maintain Device Master Records. CC ID 06206 Records management Preventive
    Capture and maintain Device History Records. CC ID 06207 Records management Preventive
    Capture and maintain Quality System Records. CC ID 06208 Records management Preventive
    Degauss as a method of sanitizing electronic storage media. CC ID 00973 Records management Preventive
    Manage the disposition status for all records. CC ID 00972 Records management Preventive
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 Records management Preventive
    Protect records from loss in accordance with applicable requirements. CC ID 12007
    [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). § 7.5.3 ¶ 1 b)]
    Records management Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912
    [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: § 7.5.3 ¶ 1
    The organization shall maintain documented information to the extent necessary to have confidence that the process(es) is (are) carried out as planned. § 8.2 ¶ 3]
    Records management Detective
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records management Preventive
    Establish and maintain an implantable device list. CC ID 14444 Records management Preventive
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records management Preventive
    Log the termination date in the recordkeeping system. CC ID 16181 Records management Preventive
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records management Preventive
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records management Preventive
    Log records as being received into the recordkeeping system. CC ID 11696 Records management Preventive
    Establish, implement, and maintain a transfer journal. CC ID 11729 Records management Preventive
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Detective
    Establish and maintain access controls for all records. CC ID 00371
    [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 Bullet 1]
    Records management Preventive
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records management Preventive
    Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 Records management Preventive
    Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 Records management Preventive
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3 ¶ 2 Bullet 2]
    Records management Preventive
  • Systems Continuity
    12
    Back up audit trails according to backup procedures. CC ID 11642 Monitoring and measurement Preventive
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373
    [The organization shall: respond to actual emergency situations; § 8.2 ¶ 2 b)]
    Operational and Systems Continuity Corrective
    Maintain normal security levels when an emergency occurs. CC ID 06377 Operational and Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Operational and Systems Continuity Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Preventive
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Corrective
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Operational and Systems Continuity Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Operational and Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Operational and Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Operational and Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Operational and Systems Continuity Corrective
  • Systems Design, Build, and Implementation
    5
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Leadership and high level objectives Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824 Leadership and high level objectives Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Operational management Preventive
    Review each system's operational readiness. CC ID 06275 Operational management Preventive
  • Technical Security
    22
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Leadership and high level objectives Detective
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Monitoring and measurement Detective
    Deploy log normalization tools, as necessary. CC ID 12141 Monitoring and measurement Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Monitoring and measurement Preventive
    Protect against misusing automated audit tools. CC ID 04547 Monitoring and measurement Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Operational and Systems Continuity Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Operational management Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Detective
    Prevent users from disabling required software. CC ID 16417 Operational management Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433 Operational management Preventive
    Approve all remote maintenance sessions. CC ID 10615 Operational management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Operational management Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Preventive
    Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 Records management Preventive
    Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 Records management Preventive
    Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Records management Preventive
    Implement and maintain high availability storage, as necessary. CC ID 00952 Records management Preventive
    Establish, implement, and maintain online storage controls. CC ID 00942 Records management Preventive
    Provide encryption for different types of electronic storage media. CC ID 00945 Records management Preventive
  • Testing
    42
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Leadership and high level objectives Detective
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Leadership and high level objectives Preventive
    Test the collateral requirements for appropriateness. CC ID 16681 Leadership and high level objectives Preventive
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Leadership and high level objectives Preventive
    Include stress scenarios in the stress test plan. CC ID 16659 Leadership and high level objectives Preventive
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Leadership and high level objectives Preventive
    Validate the margin system on a regular basis. CC ID 16660 Leadership and high level objectives Detective
    Evaluate the measurement process used for metrics. CC ID 06920
    [{what needs to be measured} The organization shall determine: what needs to be monitored and measured; § 9.1.1 ¶ 2 a)]
    Monitoring and measurement Detective
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [The organization shall: ensure that the results of the audits are reported to relevant management. § 9.2.2 ¶ 3 c)]
    Audits and risk management Detective
    Review the external audit assertion for accuracy. CC ID 06977 Audits and risk management Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Audits and risk management Detective
    Conduct onsite inspections, as necessary. CC ID 16199 Audits and risk management Preventive
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Audits and risk management Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Audits and risk management Detective
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Detective
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Audits and risk management Detective
    Determine the effectiveness of in scope controls. CC ID 06984 Audits and risk management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Audits and risk management Detective
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 Audits and risk management Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Audits and risk management Preventive
    Conduct interviews, as necessary. CC ID 07188 Audits and risk management Detective
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Audits and risk management Detective
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Audits and risk management Detective
    Submit an audit report that is complete. CC ID 01145 Audits and risk management Detective
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Audits and risk management Detective
    Establish, implement, and maintain the audit plan. CC ID 01156 Audits and risk management Detective
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Operational and Systems Continuity Detective
    Test the recovery plan, as necessary. CC ID 13290
    [The organization shall: periodically test the planned response actions, where practicable; § 8.2 ¶ 2 d)]
    Operational and Systems Continuity Detective
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Detective
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1 b)]
    Human Resources management Detective
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Preventive
    Conduct tests and evaluate training. CC ID 06672
    [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. § 7.2 ¶ 1 d)]
    Human Resources management Detective
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Operational management Detective
    Conduct maintenance with authorized personnel. CC ID 01434 Operational management Detective
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203
    [The organization shall ensure that calibrated or verified monitoring and measurement equipment is used and maintained, as appropriate. § 9.1.1 ¶ 3]
    Operational management Detective
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Operational management Detective
    Maintain continued integrity for all stored data and stored records. CC ID 00969 Records management Detective
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 Records management Detective
    Maintain media sanitization equipment in operational condition. CC ID 00721 Records management Detective
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Records management Detective
    Test the storage media downgrade for correct performance. CC ID 10623 Records management Detective
  • Training
    31
    Include cross-team coordination in continuity plan training. CC ID 16235 Operational and Systems Continuity Preventive
    Include stay at home order training in the continuity plan training. CC ID 14382 Operational and Systems Continuity Preventive
    Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 Operational and Systems Continuity Preventive
    Include personal protection in continuity plan training. CC ID 14394 Operational and Systems Continuity Preventive
    Submit applications for professional certification. CC ID 16192 Human Resources management Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Human Resources management Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Human Resources management Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Human Resources management Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Human Resources management Detective
    Develop or acquire content to update the training plans. CC ID 12867 Human Resources management Preventive
    Designate training facilities in the training plan. CC ID 16200 Human Resources management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Human Resources management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Human Resources management Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Human Resources management Preventive
    Conduct personal data processing training. CC ID 13757 Human Resources management Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Human Resources management Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Human Resources management Preventive
    Include media protection in the security awareness program. CC ID 16368 Human Resources management Preventive
    Include physical security in the security awareness program. CC ID 16369 Human Resources management Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Human Resources management Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Human Resources management Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Human Resources management Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Preventive
    Conduct tampering prevention training. CC ID 11875 Human Resources management Preventive
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Human Resources management Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Human Resources management Preventive
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Human Resources management Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Human Resources management Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Human Resources management Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Human Resources management Preventive
Common Controls and mandates by Classification
161 Mandated Controls - bold    48 Implied Controls - italic    1772 Implementation

There are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
1981 Total
  • Corrective
    36
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Communicate
    Correct errors and deficiencies in a timely manner. CC ID 13501 Leadership and high level objectives Business Processes
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Establish/Maintain Documentation
    Determine the causes of compliance violations. CC ID 12401
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.2 ¶ 1 b) 1)
    When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.2 ¶ 1 b) 2)]
    Monitoring and measurement Investigate
    Correct compliance violations. CC ID 13515
    [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.2 ¶ 1 a) 1)
    When a nonconformity occurs, the organization shall: implement any action needed; § 10.2 ¶ 1 c)
    The organization shall: evaluate compliance and take action if needed; § 9.1.2 ¶ 2 b)
    The management review shall include consideration of: information on the organization's environmental performance, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2 d) 1)]
    Monitoring and measurement Process or Activity
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable: § 10.2 ¶ 1 a)]
    Monitoring and measurement Behavior
    Convert data into standard units before reporting metrics. CC ID 15507 Monitoring and measurement Process or Activity
    Assign the Board of Directors to address audit findings. CC ID 12396 Audits and risk management Human Resources Management
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Establish/Maintain Documentation
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Audits and risk management Process or Activity
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and risk management Audits and Risk Management
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Establish/Maintain Documentation
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Establish/Maintain Documentation
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Business Processes
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Establish/Maintain Documentation
    Implement a corrective action plan in response to the audit report. CC ID 06777
    [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2]
    Audits and risk management Establish/Maintain Documentation
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Actionable Reports or Measurements
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Communicate
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373
    [The organization shall: respond to actual emergency situations; § 8.2 ¶ 2 b)]
    Operational and Systems Continuity Systems Continuity
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain the continuity procedures. CC ID 14236
    [The organization shall establish, implement and maintain the process(es) needed to prepare for and respond to potential emergency situations identified in 6.1.1. § 8.2 ¶ 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Operational and Systems Continuity Systems Continuity
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources management Human Resources Management
    Conduct secure coding and development training for developers. CC ID 06822 Human Resources management Behavior
    Plan for business process conversions, as necessary. CC ID 13678
    [The organization shall plan: how to: integrate and implement the actions into its environmental management system processes (see 6.2, Clause 7, Clause 8 and 9.1), or other business processes; § 6.1.4 ¶ 1 b) 1)]
    Operational management Business Processes
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Operational management Actionable Reports or Measurements
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Establish/Maintain Documentation
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Operational management Process or Activity
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Operational management Monitor and Evaluate Occurrences
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Operational management Monitor and Evaluate Occurrences
    Refrain from protecting physical assets when no longer required. CC ID 13484 Operational management Physical and Environmental Protection
    Mitigate the adverse effects of unauthorized changes. CC ID 12244
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Operational management Business Processes
    Notify the supervisory authority of any changes to the required data elements. CC ID 14366 Records management Communicate
    Downgrade electronic storage media, as necessary. CC ID 10621 Records management Process or Activity
    Review and update the acquisition contracts, as necessary. CC ID 14279 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
  • Detective
    266
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691
    [{internal communication} The organization shall: ensure its communication process(es) enable(s) persons doing work under the organization's control to contribute to continual improvement. § 7.4.2 ¶ 1 b)]
    Leadership and high level objectives Process or Activity
    Identify all interested personnel and affected parties. CC ID 12845
    [The organization shall determine: the interested parties that are relevant to the environmental management system; § 4.2 ¶ 1 a)]
    Leadership and high level objectives Process or Activity
    Approve the data classification scheme. CC ID 13858 Leadership and high level objectives Establish/Maintain Documentation
    Ensure the data dictionary is complete and accurate. CC ID 13527 Leadership and high level objectives Investigate
    Monitor regulatory trends to maintain compliance. CC ID 00604
    [The management review shall include consideration of: information on the organization's environmental performance, including trends in: fulfilment of its compliance obligations; § 9.3 ¶ 2 d) 3)]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Monitor for new Information Security solutions. CC ID 07078 Leadership and high level objectives Monitor and Evaluate Occurrences
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Leadership and high level objectives Technical Security
    Enforce a continuous Quality Control system. CC ID 01005 Leadership and high level objectives Business Processes
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Leadership and high level objectives Testing
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Business Processes
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Leadership and high level objectives Business Processes
    Analyze organizational policies, as necessary. CC ID 14037 Leadership and high level objectives Establish/Maintain Documentation
    Map in scope assets and in scope records to external requirements. CC ID 12189 Leadership and high level objectives Establish/Maintain Documentation
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Leadership and high level objectives Establish/Maintain Documentation
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Leadership and high level objectives Establish/Maintain Documentation
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Leadership and high level objectives Establish/Maintain Documentation
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Leadership and high level objectives Investigate
    Verify all required information is attached to each funds transfer. CC ID 16755 Leadership and high level objectives Business Processes
    Analyze the effectiveness of the stress test plan. CC ID 16657 Leadership and high level objectives Process or Activity
    Validate the margin system on a regular basis. CC ID 16660 Leadership and high level objectives Testing
    Assess the properties of the margin model used in the margin system. CC ID 16658 Leadership and high level objectives Process or Activity
    Monitor the performance of the margin system. CC ID 16655 Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze the performance of the margin system. CC ID 16654 Leadership and high level objectives Process or Activity
    Determine the amount of assets to be held in escrow. CC ID 16575 Leadership and high level objectives Investigate
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Actionable Reports or Measurements
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitoring and measurement Monitor and Evaluate Occurrences
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by: § 10.2 ¶ 1 b)]
    Monitoring and measurement Business Processes
    Determine if multiple compliance violations of the same type could occur. CC ID 12402
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities exist, or could potentially occur; § 10.2 ¶ 1 b) 3)]
    Monitoring and measurement Investigate
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403
    [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.2 ¶ 1 d)]
    Monitoring and measurement Investigate
    Report on the policies and controls that have been implemented by management. CC ID 01670 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071
    [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2 a)]
    Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of individuals who have access to security software and are trained, authorized Security Administrators. CC ID 01691 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of individuals who are able to assign security privileges and are trained, authorized Security Administrators. CC ID 01692 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique active user identifiers. CC ID 02074 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of users with access to shared accounts. CC ID 04573 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Monitoring and measurement Log Management
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Monitoring and measurement Log Management
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Monitoring and measurement Log Management
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before being granted network access. CC ID 02106 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Monitoring and measurement Actionable Reports or Measurements
    Report on the mean time from patch availability to patch installation. CC ID 02114 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Monitoring and measurement Technical Security
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Monitoring and measurement Actionable Reports or Measurements
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Monitoring and measurement Actionable Reports or Measurements
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Monitoring and measurement Actionable Reports or Measurements
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable: deal with the consequences, including mitigating adverse environmental impacts; § 10.2 ¶ 1 a) 2)
    The organization shall determine opportunities for improvement (see 9.1, 9.2 and 9.3) and implement necessary actions to achieve the intended outcomes of its environmental management system. § 10.1 ¶ 1]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Include monitoring in the corrective action plan. CC ID 11645 Monitoring and measurement Monitor and Evaluate Occurrences
    Evaluate the measurement process used for metrics. CC ID 06920
    [{what needs to be measured} The organization shall determine: what needs to be monitored and measured; § 9.1.1 ¶ 2 a)]
    Monitoring and measurement Testing
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [The organization shall: ensure that the results of the audits are reported to relevant management. § 9.2.2 ¶ 3 c)]
    Audits and risk management Testing
    Review the external audit assertion for accuracy. CC ID 06977 Audits and risk management Testing
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Audits and risk management Testing
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and risk management Audits and Risk Management
    Determine if requested services create a threat to independence. CC ID 16823 Audits and risk management Audits and Risk Management
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and risk management Audits and Risk Management
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and risk management Audits and Risk Management
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Establish/Maintain Documentation
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Audits and Risk Management
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Audits and Risk Management
    Refrain from examining forecasts and projections that do not disclose their assumptions during an audit. CC ID 13932 Audits and risk management Audits and Risk Management
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Investigate
    Audit information systems, as necessary. CC ID 13010 Audits and risk management Investigate
    Audit the potential costs of compromise to information systems. CC ID 13012 Audits and risk management Investigate
    Determine the accuracy of the audit assertion's in scope system description. CC ID 06979 Audits and risk management Testing
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Audits and risk management Testing
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and risk management Audits and Risk Management
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Audits and risk management Process or Activity
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Testing
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Audits and risk management Process or Activity
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Testing
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Audits and risk management Testing
    Determine the effectiveness of in scope controls. CC ID 06984 Audits and risk management Testing
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Audits and Risk Management
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Audits and Risk Management
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Audits and Risk Management
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Audits and Risk Management
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144
    [{be effective} The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: is effectively implemented and maintained. § 9.2.1 ¶ 1 b)]
    Audits and risk management Audits and Risk Management
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Audits and Risk Management
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Audits and Risk Management
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Audits and risk management Testing
    Conduct interviews, as necessary. CC ID 07188 Audits and risk management Testing
    Verify statements made by interviewees are correct. CC ID 16299 Audits and risk management Behavior
    Discuss unsolved questions with the interviewee. CC ID 16298 Audits and risk management Process or Activity
    Allow interviewee to respond to explanations. CC ID 16296 Audits and risk management Process or Activity
    Explain the requirements being discussed to the interviewee. CC ID 16294 Audits and risk management Process or Activity
    Explain the goals of the interview to the interviewee. CC ID 07189 Audits and risk management Behavior
    Include in the work papers whether the audit evidence has identified in scope control deficiencies. CC ID 07152 Audits and risk management Audits and Risk Management
    Include in the work papers whether in scope control deviations still allow in scope controls to be performed acceptably. CC ID 06987 Audits and risk management Testing
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Audits and risk management Testing
    Review the subject matter expert's findings. CC ID 16559 Audits and risk management Audits and Risk Management
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Audits and risk management Investigate
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Establish/Maintain Documentation
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Human Resources Management
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Audits and Risk Management
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Audits and Risk Management
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Establish/Maintain Documentation
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Audits and Risk Management
    Review past audit reports. CC ID 01155
    [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2
    The management review shall include consideration of: information on the organization's environmental performance, including trends in: audit results; § 9.3 ¶ 2 d) 4)]
    Audits and risk management Establish/Maintain Documentation
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Establish/Maintain Documentation
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Establish/Maintain Documentation
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Investigate
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Process or Activity
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Log Management
    Review the issues of non-compliance from past audit reports. CC ID 01148 Audits and risk management Establish/Maintain Documentation
    Submit an audit report that is complete. CC ID 01145 Audits and risk management Testing
    Review management's response to issues raised in past audit reports. CC ID 01149 Audits and risk management Audits and Risk Management
    Assess the quality of the audit program with regard to the staff and their qualifications. CC ID 01150 Audits and risk management Testing
    Evaluate the competency of auditors. CC ID 15253 Audits and risk management Human Resources Management
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain the audit plan. CC ID 01156 Audits and risk management Testing
    Monitor and evaluate business continuity management system performance. CC ID 12410 Operational and Systems Continuity Monitor and Evaluate Occurrences
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Operational and Systems Continuity Testing
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Investigate
    Test the recovery plan, as necessary. CC ID 13290
    [The organization shall: periodically test the planned response actions, where practicable; § 8.2 ¶ 2 d)]
    Operational and Systems Continuity Testing
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Testing
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Establish/Maintain Documentation
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1 b)]
    Human Resources management Testing
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Human Resources Management
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Human Resources Management
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Establish/Maintain Documentation
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Human Resources Management
    Document the security clearance procedure results. CC ID 01635 Human Resources management Establish/Maintain Documentation
    Evaluate the staffing requirements regularly. CC ID 00775
    [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; § 7.2 ¶ 1 a)]
    Human Resources management Business Processes
    Document all training in a training record. CC ID 01423
    [The organization shall retain appropriate documented information as evidence of competence. § 7.2 ¶ 2]
    Human Resources management Establish/Maintain Documentation
    Conduct tests and evaluate training. CC ID 06672
    [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. § 7.2 ¶ 1 d)]
    Human Resources management Testing
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Human Resources management Training
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Human Resources management Training
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Human Resources management Monitor and Evaluate Occurrences
    Analyze and evaluate training records to improve the training program. CC ID 06380 Human Resources management Monitor and Evaluate Occurrences
    Review the relevance of information supporting internal controls. CC ID 12420 Operational management Business Processes
    Include emergency response procedures in the internal control framework. CC ID 06779 Operational management Establish/Maintain Documentation
    Review and approve access controls, as necessary. CC ID 13074 Operational management Process or Activity
    Perform social network analysis, as necessary. CC ID 14864 Operational management Investigate
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Operational management Process or Activity
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Operational management Process or Activity
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Operational management Process or Activity
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Operational management Establish/Maintain Documentation
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Technical Security
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Operational management Testing
    Control and monitor all maintenance tools. CC ID 01432 Operational management Physical and Environmental Protection
    Conduct maintenance with authorized personnel. CC ID 01434 Operational management Testing
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203
    [The organization shall ensure that calibrated or verified monitoring and measurement equipment is used and maintained, as appropriate. § 9.1.1 ¶ 3]
    Operational management Testing
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Operational management Testing
    Monitor environmental objectives. CC ID 15189
    [The environmental objectives shall be: monitored; § 6.2.1 ¶ 2 c)]
    Operational management Monitor and Evaluate Occurrences
    Analyze environmental aspects using established criteria. CC ID 15230
    [{be significant} The organization shall determine those aspects that have or can have a significant environmental impact, i.e. significant environmental aspects, by using established criteria. § 6.1.2 ¶ 3]
    Operational management Process or Activity
    Analyze the environmental impact of organizational changes. CC ID 14979
    [When determining environmental aspects, the organization shall take into account: change, including planned or new developments, and new or modified activities, products and services; § 6.1.2 ¶ 2 a)]
    Operational management Process or Activity
    Analyze the environmental impact of changes in developments, activities, products, and services. CC ID 14980
    [When determining environmental aspects, the organization shall take into account: change, including planned or new developments, and new or modified activities, products and services; § 6.1.2 ¶ 2 a)]
    Operational management Process or Activity
    Analyze activities, products, and services within the scope of the environmental management system to determine the environmental aspects. CC ID 15183
    [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1]
    Operational management Business Processes
    Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 Records management Establish/Maintain Documentation
    Establish, implement, and maintain records registration procedures. CC ID 00913 Records management Establish/Maintain Documentation
    Define the terms used in the record classification scheme. CC ID 00916 Records management Establish/Maintain Documentation
    Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 Records management Records Management
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a data retention program. CC ID 00906 Records management Establish/Maintain Documentation
    Maintain continued integrity for all stored data and stored records. CC ID 00969 Records management Testing
    Define which documents and records the organization may capture. CC ID 00905 Records management Establish/Maintain Documentation
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 Records management Testing
    Maintain media sanitization equipment in operational condition. CC ID 00721 Records management Testing
    Capture the records required by organizational compliance requirements. CC ID 00912
    [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: § 7.5.3 ¶ 1
    The organization shall maintain documented information to the extent necessary to have confidence that the process(es) is (are) carried out as planned. § 8.2 ¶ 3]
    Records management Records Management
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 Records management Data and Information Management
    Identify patient-specific education resources. CC ID 14439 Records management Process or Activity
    Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 Records management Data and Information Management
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Records Management
    Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 Records management Monitor and Evaluate Occurrences
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Records management Testing
    Provide audit trails for all pertinent records. CC ID 00372 Records management Establish/Maintain Documentation
    Identify electronic storage media that require downgrading. CC ID 10620 Records management Process or Activity
    Test the storage media downgrade for correct performance. CC ID 10623 Records management Testing
    Prohibit the use of Personal Electronic Devices, absent approval. CC ID 04599 Acquisition or sale of facilities, technology, and services Behavior
    Assess the effectiveness of third party services provided to the organization. CC ID 13142
    [The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. § 8.1 ¶ 3]
    Third Party and supply chain oversight Business Processes
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. § 8.1 ¶ 3]
    Third Party and supply chain oversight Monitor and Evaluate Occurrences
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Monitor and Evaluate Occurrences
  • IT Impact Zone
    11
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Harmonization Methods and Manual of Style CC ID 06095 Harmonization Methods and Manual of Style IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    1668
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Establish, implement, and maintain a reporting methodology program. CC ID 02072
    [Top management shall assign the responsibility and authority for: reporting on the performance of the environmental management system, including environmental performance, to top management. § 5.3 ¶ 2 b)]
    Leadership and high level objectives Business Processes
    Establish, implement, and maintain communication protocols. CC ID 12245
    [When establishing its communication process(es), the organization shall: take into account its compliance obligations; § 7.4.1 ¶ 2 Bullet 1
    {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: on what it will communicate; § 7.4.1 ¶ 1 a)
    {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: when to communicate; § 7.4.1 ¶ 1 b)
    {subject}{internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: with whom to communicate; § 7.4.1 ¶ 1 c)
    {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: how to communicate. § 7.4.1 ¶ 1 d)
    {be relevant} The organization shall respond to relevant communications on its environmental management system. § 7.4.1 ¶ 3]
    Leadership and high level objectives Establish/Maintain Documentation
    Use secure communication protocols for telecommunications. CC ID 16458 Leadership and high level objectives Business Processes
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419
    [When establishing its communication process(es), the organization shall: ensure that environmental information communicated is consistent with information generated within the environmental management system, and is reliable. § 7.4.1 ¶ 2 Bullet 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Include external requirements in the organization's communication protocol. CC ID 12418 Leadership and high level objectives Establish/Maintain Documentation
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Leadership and high level objectives Communicate
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417
    [The management review shall include consideration of: changes in: the needs and expectations of interested parties, including compliance obligations; § 9.3 ¶ 2 b) 2)
    The management review shall include consideration of: relevant communication(s) from interested parties, including complaints; § 9.3 ¶ 2 f)]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Leadership and high level objectives Process or Activity
    Identify barriers to stakeholder engagement. CC ID 15676 Leadership and high level objectives Process or Activity
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Leadership and high level objectives Communicate
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Leadership and high level objectives Communicate
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Leadership and high level objectives Process or Activity
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Leadership and high level objectives Communicate
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Leadership and high level objectives Communicate
    Route notifications, as necessary. CC ID 12832 Leadership and high level objectives Process or Activity
    Substantiate notifications, as necessary. CC ID 12831 Leadership and high level objectives Process or Activity
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Leadership and high level objectives Business Processes
    Prioritize notifications, as necessary. CC ID 12830 Leadership and high level objectives Process or Activity
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Leadership and high level objectives Actionable Reports or Measurements
    Disseminate and communicate internal controls with supply chain members. CC ID 12416 Leadership and high level objectives Communicate
    Establish and maintain the organization's survey method. CC ID 12869 Leadership and high level objectives Process or Activity
    Document the findings from surveys. CC ID 16309 Leadership and high level objectives Establish/Maintain Documentation
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Leadership and high level objectives Process or Activity
    Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Leadership and high level objectives Establish/Maintain Documentation
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Monitor and Evaluate Occurrences
    Establish, implement, and maintain an internal reporting program. CC ID 12409 Leadership and high level objectives Business Processes
    Include transactions and events as a part of internal reporting. CC ID 12413 Leadership and high level objectives Business Processes
    Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 Leadership and high level objectives Communicate
    Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 Leadership and high level objectives Establish/Maintain Documentation
    Define the thresholds for escalation in the internal reporting program. CC ID 14332 Leadership and high level objectives Establish/Maintain Documentation
    Define the thresholds for reporting in the internal reporting program. CC ID 14331 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain an external reporting program. CC ID 12876 Leadership and high level objectives Communicate
    Provide identifying information about the organization to the responsible party. CC ID 16715 Leadership and high level objectives Communicate
    Identify the material topics required to be reported on. CC ID 15654 Leadership and high level objectives Business Processes
    Check the list of material topics for completeness. CC ID 15692 Leadership and high level objectives Investigate
    Prioritize material topics used in reporting. CC ID 15678 Leadership and high level objectives Communicate
    Review and approve the material topics, as necessary. CC ID 15670 Leadership and high level objectives Process or Activity
    Define the thresholds for reporting in the external reporting program. CC ID 15679 Leadership and high level objectives Establish/Maintain Documentation
    Include time requirements in the external reporting program. CC ID 16566 Leadership and high level objectives Communicate
    Include information about the organizational culture in the external reporting program. CC ID 15610 Leadership and high level objectives Establish/Maintain Documentation
    Include reporting to governing bodies in the external reporting plan. CC ID 12923 Leadership and high level objectives Communicate
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Leadership and high level objectives Communicate
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Leadership and high level objectives Establish/Maintain Documentation
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Leadership and high level objectives Establish/Maintain Documentation
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Leadership and high level objectives Establish/Maintain Documentation
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; § 6.1.1 ¶ 3 Bullet 2
    When determining this scope, the organization shall consider: its activities, products and services; § 4.3 ¶ 2 d)
    The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization. § 4.1 ¶ 1]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Develop instructions for setting organizational objectives and strategies. CC ID 12931
    [The organization shall determine: which of these needs and expectations become its compliance obligations. § 4.2 ¶ 1 c)]
    Leadership and high level objectives Establish/Maintain Documentation
    Analyze the business environment in which the organization operates. CC ID 12798
    [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2]
    Leadership and high level objectives Business Processes
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Leadership and high level objectives Process or Activity
    Include key processes in the analysis of the internal business environment. CC ID 12947 Leadership and high level objectives Process or Activity
    Include existing information in the analysis of the internal business environment. CC ID 12943 Leadership and high level objectives Process or Activity
    Include resources in the analysis of the internal business environment. CC ID 12942
    [The management review shall include consideration of: adequacy of resources; § 9.3 ¶ 2 e)]
    Leadership and high level objectives Process or Activity
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Leadership and high level objectives Process or Activity
    Include incentives in the analysis of the internal business environment. CC ID 12940 Leadership and high level objectives Process or Activity
    Include organizational structures in the analysis of the internal business environment. CC ID 12939
    [When determining this scope, the organization shall consider: its organizational units, functions and physical boundaries; § 4.3 ¶ 2 c)]
    Leadership and high level objectives Process or Activity
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Leadership and high level objectives Process or Activity
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Leadership and high level objectives Process or Activity
    Align assets with business functions and the business environment. CC ID 13681 Leadership and high level objectives Business Processes
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Leadership and high level objectives Communicate
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Leadership and high level objectives Monitor and Evaluate Occurrences
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze the external environment in which the organization operates. CC ID 12799
    [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization. § 4.1 ¶ 1]
    Leadership and high level objectives Business Processes
    Identify the external forces that may affect organizational objectives. CC ID 12960 Leadership and high level objectives Process or Activity
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include environmental requirements in the analysis of the external environment. CC ID 12965
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring the integration of the environmental management system requirements into the organization's business processes; § 5.1 ¶ 1 c)]
    Leadership and high level objectives Business Processes
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879
    [The management review shall include consideration of: changes in: the needs and expectations of interested parties, including compliance obligations; § 9.3 ¶ 2 b) 2)]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Leadership and high level objectives Business Processes
    Include society in the analysis of the external environment. CC ID 12963 Leadership and high level objectives Business Processes
    Include opportunities in the analysis of the external environment. CC ID 12954 Leadership and high level objectives Business Processes
    Include third party relationships in the analysis of the external environment. CC ID 12952 Leadership and high level objectives Business Processes
    Include industry forces in the analysis of the external environment. CC ID 12904 Leadership and high level objectives Business Processes
    Include threats in the analysis of the external environment. CC ID 12898 Leadership and high level objectives Business Processes
    Include geopolitics in the analysis of the external environment. CC ID 12897 Leadership and high level objectives Business Processes
    Include legal requirements in the analysis of the external environment. CC ID 12896 Leadership and high level objectives Business Processes
    Include technology in the analysis of the external environment. CC ID 12837 Leadership and high level objectives Business Processes
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Leadership and high level objectives Business Processes
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Leadership and high level objectives Business Processes
    Establish, implement, and maintain organizational objectives. CC ID 09959 Leadership and high level objectives Establish/Maintain Documentation
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Leadership and high level objectives Process or Activity
    Identify events that may affect organizational objectives. CC ID 12961 Leadership and high level objectives Process or Activity
    Identify conditions that may affect organizational objectives. CC ID 12958 Leadership and high level objectives Process or Activity
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Leadership and high level objectives Business Processes
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Leadership and high level objectives Business Processes
    Prioritize organizational objectives. CC ID 09960 Leadership and high level objectives Business Processes
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a value generation model. CC ID 15591 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Communicate
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Establish/Maintain Documentation
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Establish/Maintain Documentation
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain value generation objectives. CC ID 15583 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Leadership and high level objectives Establish/Maintain Documentation
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Leadership and high level objectives Establish/Maintain Documentation
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Leadership and high level objectives Establish/Maintain Documentation
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Leadership and high level objectives Establish/Maintain Documentation
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Leadership and high level objectives Establish/Maintain Documentation
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Leadership and high level objectives Establish/Maintain Documentation
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Leadership and high level objectives Establish/Maintain Documentation
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Leadership and high level objectives Communicate
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 Leadership and high level objectives Communicate
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [The management review shall include consideration of: changes in: external and internal issues that are relevant to the environmental management system; § 9.3 ¶ 2 b) 1)]
    Leadership and high level objectives Establish/Maintain Documentation
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Leadership and high level objectives Business Processes
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Leadership and high level objectives Process or Activity
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Leadership and high level objectives Process or Activity
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Business Processes
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Leadership and high level objectives Process or Activity
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [The organization shall determine: the relevant needs and expectations (i.e. requirements) of these interested parties; § 4.2 ¶ 1 b)]
    Leadership and high level objectives Business Processes
    Establish, implement, and maintain data governance and management practices. CC ID 14998 Leadership and high level objectives Establish/Maintain Documentation
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Establish/Maintain Documentation
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Establish/Maintain Documentation
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Establish/Maintain Documentation
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Establish/Maintain Documentation
    Include data monitoring in the data governance and management practices. CC ID 15303 Leadership and high level objectives Establish/Maintain Documentation
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Leadership and high level objectives Establish/Maintain Documentation
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Establish/Maintain Documentation
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Establish/Maintain Documentation
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Leadership and high level objectives Establish/Maintain Documentation
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Data and Information Management
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Data and Information Management
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Data and Information Management
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Data and Information Management
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Data and Information Management
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Data and Information Management
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Data and Information Management
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Data and Information Management
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Leadership and high level objectives Data and Information Management
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Leadership and high level objectives Communicate
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Leadership and high level objectives Establish/Maintain Documentation
    Refrain from including metadata in the data dictionary. CC ID 13529 Leadership and high level objectives Establish/Maintain Documentation
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Leadership and high level objectives Establish/Maintain Documentation
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Leadership and high level objectives Establish/Maintain Documentation
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Leadership and high level objectives Establish/Maintain Documentation
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Leadership and high level objectives Establish/Maintain Documentation
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Leadership and high level objectives Establish/Maintain Documentation
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Leadership and high level objectives Establish/Maintain Documentation
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Leadership and high level objectives Establish/Maintain Documentation
    Include the precision of the measurement in the data dictionary. CC ID 13520 Leadership and high level objectives Establish/Maintain Documentation
    Include the data source in the data dictionary. CC ID 13519 Leadership and high level objectives Establish/Maintain Documentation
    Include the nature of each element in the data dictionary. CC ID 13518 Leadership and high level objectives Establish/Maintain Documentation
    Include the population of events or instances in the data dictionary. CC ID 13517 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Leadership and high level objectives Communicate
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Leadership and high level objectives Behavior
    Establish, implement, and maintain an organizational structure. CC ID 16310 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Leadership and high level objectives Communicate
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Leadership and high level objectives Establish/Maintain Documentation
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Leadership and high level objectives Establish/Maintain Documentation
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Establish/Maintain Documentation
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Communicate
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Leadership and high level objectives Communicate
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Leadership and high level objectives Establish/Maintain Documentation
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management program. CC ID 07201 Leadership and high level objectives Establish/Maintain Documentation
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Communicate
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Communicate
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Establish/Maintain Documentation
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Establish/Maintain Documentation
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Establish/Maintain Documentation
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Establish/Maintain Documentation
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Establish/Maintain Documentation
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Establish/Maintain Documentation
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Leadership and high level objectives Systems Design, Build, and Implementation
    Include resource management in the quality management system. CC ID 15026 Leadership and high level objectives Establish/Maintain Documentation
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Establish/Maintain Documentation
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Establish/Maintain Documentation
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Establish/Maintain Documentation
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 Leadership and high level objectives Establish/Maintain Documentation
    Include program documentation standards in the Quality Management program. CC ID 01016 Leadership and high level objectives Establish/Maintain Documentation
    Include program testing standards in the Quality Management program. CC ID 01017 Leadership and high level objectives Establish/Maintain Documentation
    Include system testing standards in the Quality Management program. CC ID 01018 Leadership and high level objectives Establish/Maintain Documentation
    Include an issue tracking system in the Quality Management program. CC ID 06824 Leadership and high level objectives Systems Design, Build, and Implementation
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2 a)
    {interested parties}{environmental management system}When determining this scope, the organization shall consider: the compliance obligations referred to in 4.2; § 4.3 ¶ 2 b)]
    Leadership and high level objectives Establish/Maintain Documentation
    Define the scope of the security policy. CC ID 07145 Leadership and high level objectives Data and Information Management
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 Leadership and high level objectives Business Processes
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Leadership and high level objectives Establish/Maintain Documentation
    Correlate Information Systems with applicable controls. CC ID 01621 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Establish/Maintain Documentation
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 Leadership and high level objectives Establish/Maintain Documentation
    Include the effective date on all organizational policies. CC ID 06820 Leadership and high level objectives Establish/Maintain Documentation
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Leadership and high level objectives Establish/Maintain Documentation
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 Leadership and high level objectives Business Processes
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain an Authority Document list. CC ID 07113
    [The organization shall: determine and have access to the compliance obligations related to its environmental aspects; § 6.1.3 ¶ 1 a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1 c)
    The scope shall be maintained as documented information and be available to interested parties. § 4.3 ¶ 4
    The organization shall maintain documented information of its compliance obligations. § 6.1.3 ¶ 2
    The organization's environmental management system shall include: documented information required by this International Standard; § 7.5.1 ¶ 1 a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901
    [The scope shall be maintained as documented information and be available to interested parties. § 4.3 ¶ 4]
    Leadership and high level objectives Communicate
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Leadership and high level objectives Establish/Maintain Documentation
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Leadership and high level objectives Establish/Maintain Documentation
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Leadership and high level objectives Establish/Maintain Documentation
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Establish/Maintain Documentation
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Establish/Maintain Documentation
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Leadership and high level objectives Establish/Maintain Documentation
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Establish/Maintain Documentation
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Establish/Maintain Documentation
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Leadership and high level objectives Establish Roles
    Approve all compliance documents. CC ID 06286 Leadership and high level objectives Establish/Maintain Documentation
    Align the Authority Document list with external requirements. CC ID 06288
    [The organization shall: determine how these compliance obligations apply to the organization; § 6.1.3 ¶ 1 b)
    Documented information of external origin determined by the organization to be necessary for the planning and operation of the environmental management system shall be identified, as appropriate, and controlled. § 7.5.3 ¶ 3
    The organization shall: determine and have access to the compliance obligations related to its environmental aspects; § 6.1.3 ¶ 1 a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Leadership and high level objectives Establish Roles
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Leadership and high level objectives Establish/Maintain Documentation
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Establish/Maintain Documentation
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 Leadership and high level objectives Establish/Maintain Documentation
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Leadership and high level objectives Business Processes
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Establish/Maintain Documentation
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Leadership and high level objectives Establish Roles
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Leadership and high level objectives Behavior
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Leadership and high level objectives Behavior
    Estimate the costs of implementing the compliance framework. CC ID 07191 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Establish/Maintain Documentation
    Determine progress toward the objectives of the strategic plan. CC ID 12944
    [The management review shall include consideration of: the extent to which environmental objectives have been achieved; § 9.3 ¶ 2 c)]
    Leadership and high level objectives Process or Activity
    Establish, implement, and maintain a decision management strategy. CC ID 06913
    [When determining this scope, the organization shall consider: its authority and ability to exercise control and influence. § 4.3 ¶ 2 e)]
    Leadership and high level objectives Establish/Maintain Documentation
    Align the reporting methodology with the decision management strategy. CC ID 15659 Leadership and high level objectives Business Processes
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Leadership and high level objectives Establish/Maintain Documentation
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for compliance in the decision-making criteria. CC ID 12951 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938 Leadership and high level objectives Establish/Maintain Documentation
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 Leadership and high level objectives Process or Activity
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 Leadership and high level objectives Process or Activity
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 Leadership and high level objectives Process or Activity
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 Leadership and high level objectives Process or Activity
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 Leadership and high level objectives Behavior
    Take actions in accordance with the decision-making criteria. CC ID 12909 Leadership and high level objectives Process or Activity
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 Leadership and high level objectives Communicate
    Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492
    [The organization shall ensure that persons doing work under the organization's control are aware of: the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. § 7.3 ¶ 1 d)]
    Leadership and high level objectives Business Processes
    Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 Leadership and high level objectives Behavior
    Establish, implement, and maintain a financial management program. CC ID 13228
    [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Leadership and high level objectives Establish/Maintain Documentation
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Leadership and high level objectives Communicate
    Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 Leadership and high level objectives Business Processes
    Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 Leadership and high level objectives Business Processes
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Leadership and high level objectives Business Processes
    Attach the required information to each funds transfer. CC ID 16756 Leadership and high level objectives Business Processes
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Leadership and high level objectives Business Processes
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Leadership and high level objectives Testing
    Include communication protocols in the financial management program. CC ID 16763 Leadership and high level objectives Establish/Maintain Documentation
    Include ongoing monitoring in the financial management program. CC ID 16762 Leadership and high level objectives Process or Activity
    Employ tools to manage settlement and funding flows. CC ID 16743 Leadership and high level objectives Process or Activity
    Refrain from setting up anonymous financial accounts. CC ID 16721 Leadership and high level objectives Business Processes
    Identify and maintain positions in financial accounts. CC ID 16751 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Leadership and high level objectives Establish/Maintain Documentation
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Leadership and high level objectives Process or Activity
    Establish, implement, and maintain financial resource management procedures. CC ID 16642 Leadership and high level objectives Establish/Maintain Documentation
    Document the rationale for the amount of financial resources being held. CC ID 16688 Leadership and high level objectives Establish/Maintain Documentation
    Supplement financial resources, as necessary. CC ID 16685 Leadership and high level objectives Business Processes
    Establish, implement, and maintain collateral procedures. CC ID 16653 Leadership and high level objectives Establish/Maintain Documentation
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Leadership and high level objectives Establish/Maintain Documentation
    Define the collateral requirements in the collateral procedures. CC ID 16686 Leadership and high level objectives Establish/Maintain Documentation
    Test the collateral requirements for appropriateness. CC ID 16681 Leadership and high level objectives Testing
    Limit the types of assets accepted as collateral. CC ID 16602 Leadership and high level objectives Business Processes
    Avoid the use of concentrated holdings of assets. CC ID 16651 Leadership and high level objectives Business Processes
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Leadership and high level objectives Testing
    Include stress scenarios in the stress test plan. CC ID 16659 Leadership and high level objectives Testing
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Leadership and high level objectives Testing
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Leadership and high level objectives Communicate
    Identify and document the financial resources available for use. CC ID 16643 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Leadership and high level objectives Establish/Maintain Documentation
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a securities trading program. CC ID 16626 Leadership and high level objectives Business Processes
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the securities trading program. CC ID 16689 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Leadership and high level objectives Establish/Maintain Documentation
    Include performance guarantees in the capital restoration plan. CC ID 16616 Leadership and high level objectives Establish/Maintain Documentation
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Leadership and high level objectives Establish/Maintain Documentation
    Include required information in the capital restoration plan. CC ID 16609 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain valuation procedures. CC ID 16634 Leadership and high level objectives Establish/Maintain Documentation
    Include investment information in approval requests for investments. CC ID 16590 Leadership and high level objectives Business Processes
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain lending policies. CC ID 16608 Leadership and high level objectives Establish/Maintain Documentation
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Leadership and high level objectives Process or Activity
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Leadership and high level objectives Establish/Maintain Documentation
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Leadership and high level objectives Establish/Maintain Documentation
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Leadership and high level objectives Establish/Maintain Documentation
    Include pricing structures in the lending policy. CC ID 16724 Leadership and high level objectives Establish/Maintain Documentation
    Include monitoring requirements in the lending policy. CC ID 16710 Leadership and high level objectives Establish/Maintain Documentation
    Include loan origination procedures in the lending policy. CC ID 16709 Leadership and high level objectives Establish/Maintain Documentation
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Leadership and high level objectives Establish/Maintain Documentation
    Include loan requirements in the lending policy. CC ID 16706 Leadership and high level objectives Establish/Maintain Documentation
    Include appraisals and evaluations in the lending policy. CC ID 16705 Leadership and high level objectives Establish/Maintain Documentation
    Include terms and conditions in the lending policy. CC ID 16695 Leadership and high level objectives Establish/Maintain Documentation
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Leadership and high level objectives Establish/Maintain Documentation
    Include geographic areas in the lending policy. CC ID 16691 Leadership and high level objectives Establish/Maintain Documentation
    Include underwriting guidelines in the lending policy. CC ID 16619 Leadership and high level objectives Establish/Maintain Documentation
    Include credit review in the underwriting guidelines. CC ID 16765 Leadership and high level objectives Establish/Maintain Documentation
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Leadership and high level objectives Establish/Maintain Documentation
    Include documentation requirements in the lending policy. CC ID 16617 Leadership and high level objectives Establish/Maintain Documentation
    Include the purpose of the loan in the loan documentation. CC ID 16747 Leadership and high level objectives Establish/Maintain Documentation
    Include the source of repayment in the loan documentation. CC ID 16746 Leadership and high level objectives Establish/Maintain Documentation
    Include approval requirements in the lending policy. CC ID 16615 Leadership and high level objectives Establish/Maintain Documentation
    Include reporting requirements in the lending policy. CC ID 16614 Leadership and high level objectives Establish/Maintain Documentation
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Leadership and high level objectives Establish/Maintain Documentation
    Include loan administration procedures in the lending policy. CC ID 16610 Leadership and high level objectives Establish/Maintain Documentation
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Leadership and high level objectives Establish/Maintain Documentation
    Include termination procedures in the loan participation agreement. CC ID 16753 Leadership and high level objectives Establish/Maintain Documentation
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Leadership and high level objectives Establish/Maintain Documentation
    Include servicing agreements in the loan administration procedures. CC ID 16744 Leadership and high level objectives Establish/Maintain Documentation
    Include claims processing in the loan administration procedures. CC ID 16742 Leadership and high level objectives Establish/Maintain Documentation
    Include forbearance management in the loan administration procedures. CC ID 16741 Leadership and high level objectives Establish/Maintain Documentation
    Include foreclosure management in the loan administration procedures. CC ID 16740 Leadership and high level objectives Establish/Maintain Documentation
    Include delinquency management in the loan administration procedures. CC ID 16739 Leadership and high level objectives Establish/Maintain Documentation
    Include customer due diligence in the loan administration procedures. CC ID 16736 Leadership and high level objectives Process or Activity
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Leadership and high level objectives Establish/Maintain Documentation
    Include loan closing in the loan administration procedures. CC ID 16734 Leadership and high level objectives Establish/Maintain Documentation
    Include payoff statements in the loan administration procedures. CC ID 16733 Leadership and high level objectives Establish/Maintain Documentation
    Include payment processing in the loan administration procedures. CC ID 16732 Leadership and high level objectives Establish/Maintain Documentation
    Include loan reviews in the loan administration procedures. CC ID 16703 Leadership and high level objectives Establish/Maintain Documentation
    Include collections in the loan administration procedures. CC ID 16701 Leadership and high level objectives Establish/Maintain Documentation
    Include collateral inspections in the loan administration procedures. CC ID 16699 Leadership and high level objectives Establish/Maintain Documentation
    Include disbursements in the loan administration procedures. CC ID 16697 Leadership and high level objectives Establish/Maintain Documentation
    Review and approve lending policies. CC ID 16607 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a dividend policy. CC ID 16569 Leadership and high level objectives Establish/Maintain Documentation
    Include compliance requirements in the dividend policy. CC ID 16570 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain margin systems. CC ID 16601 Leadership and high level objectives Business Processes
    Include valuation models in the margin system. CC ID 16663 Leadership and high level objectives Data and Information Management
    Include procedures for collecting price data in the margin system. CC ID 16662 Leadership and high level objectives Data and Information Management
    Include reliable sources for price data in the margin system. CC ID 16661 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Leadership and high level objectives Business Processes
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Leadership and high level objectives Communicate
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 Leadership and high level objectives Establish/Maintain Documentation
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Leadership and high level objectives Establish/Maintain Documentation
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Leadership and high level objectives Establish/Maintain Documentation
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Leadership and high level objectives Establish/Maintain Documentation
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Leadership and high level objectives Data and Information Management
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Leadership and high level objectives Data and Information Management
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Leadership and high level objectives Data and Information Management
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Leadership and high level objectives Data and Information Management
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Leadership and high level objectives Data and Information Management
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Leadership and high level objectives Data and Information Management
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Leadership and high level objectives Data and Information Management
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Leadership and high level objectives Data and Information Management
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Leadership and high level objectives Data and Information Management
    Include account information in the recordkeeping system for securities transactions. CC ID 16632 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Leadership and high level objectives Establish/Maintain Documentation
    Include the call date in the securities transaction notification. CC ID 16680 Leadership and high level objectives Establish/Maintain Documentation
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Leadership and high level objectives Establish/Maintain Documentation
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Leadership and high level objectives Establish/Maintain Documentation
    Include the call price in the securities transaction notification. CC ID 16678 Leadership and high level objectives Establish/Maintain Documentation
    Include debits and credits in the securities transaction notification. CC ID 16677 Leadership and high level objectives Establish/Maintain Documentation
    Include transactions in the securities transaction notification. CC ID 16676 Leadership and high level objectives Establish/Maintain Documentation
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Leadership and high level objectives Establish/Maintain Documentation
    Include yield information in the securities transaction notification. CC ID 16673 Leadership and high level objectives Establish/Maintain Documentation
    Include redemption information in the securities transaction notification. CC ID 16672 Leadership and high level objectives Establish/Maintain Documentation
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Leadership and high level objectives Establish/Maintain Documentation
    Include the type of call in the securities transaction notification. CC ID 16668 Leadership and high level objectives Establish/Maintain Documentation
    Include an account statement in the securities transaction notification. CC ID 16666 Leadership and high level objectives Establish/Maintain Documentation
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Leadership and high level objectives Establish/Maintain Documentation
    Include the execution price in the securities transaction notification. CC ID 16664 Leadership and high level objectives Establish/Maintain Documentation
    Include the organization's role in the securities transaction notification. CC ID 16646 Leadership and high level objectives Establish/Maintain Documentation
    Include the name of the broker in the securities transaction notification. CC ID 16647 Leadership and high level objectives Establish/Maintain Documentation
    Include the name of the customer in the securities transaction notification. CC ID 16625 Leadership and high level objectives Establish/Maintain Documentation
    Include the organization's name in the securities transaction notification. CC ID 16624 Leadership and high level objectives Establish/Maintain Documentation
    Include confirmations in the securities transaction notification. CC ID 16623 Leadership and high level objectives Establish/Maintain Documentation
    Include remunerations in the securities transaction notification. CC ID 16622 Leadership and high level objectives Establish/Maintain Documentation
    Include requested information in the securities transaction notification. CC ID 16641 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Leadership and high level objectives Communicate
    Include the execution date in the securities transaction notification. CC ID 16620 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain financial reports. CC ID 14770 Leadership and high level objectives Establish/Maintain Documentation
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Leadership and high level objectives Establish/Maintain Documentation
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Leadership and high level objectives Establish/Maintain Documentation
    Include the business need justification for lost value in the financial report. CC ID 15588 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Leadership and high level objectives Communicate
    Include financial statements in the financial report, as necessary. CC ID 14775 Leadership and high level objectives Establish/Maintain Documentation
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Leadership and high level objectives Establish/Maintain Documentation
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Leadership and high level objectives Establish/Maintain Documentation
    Include material contingencies in the financial statement. CC ID 16596 Leadership and high level objectives Establish/Maintain Documentation
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Leadership and high level objectives Establish/Maintain Documentation
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Leadership and high level objectives Establish/Maintain Documentation
    Include assets and liabilities in the call report. CC ID 16729 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Leadership and high level objectives Communicate
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{what needs to be measured} The organization shall determine: what needs to be monitored and measured; § 9.1.1 ¶ 2 a) The organization shall determine: when the monitoring and measuring shall be performed; § 9.1.1 ¶ 2 d)] Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The organization shall: determine the frequency that compliance will be evaluated; § 9.1.2 ¶ 2 a)] Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain risk management metrics. CC ID 01656 Monitoring and measurement Establish/Maintain Documentation
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 [The organization's environmental management system shall include: documented information determined by the organization as being necessary for the effectiveness of the environmental management system. § 7.5.1 ¶ 1 b) The management review shall include consideration of: information on the organization's environmental performance, including trends in: § 9.3 ¶ 2 d)] Monitoring and measurement Business Processes
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Monitoring and measurement Audits and Risk Management
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.2 ¶ 3 Bullet 1 The management review shall include consideration of: information on the organization's environmental performance, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2 d) 1)] Monitoring and measurement Establish/Maintain Documentation
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Monitoring and measurement Establish/Maintain Documentation
    Align disciplinary actions with the level of compliance violation. CC ID 12404 [Corrective actions shall be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s). § 10.2 ¶ 2] Monitoring and measurement Human Resources Management
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Establish/Maintain Documentation
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Establish/Maintain Documentation
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Establish/Maintain Documentation
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Establish/Maintain Documentation
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Establish/Maintain Documentation
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Establish/Maintain Documentation
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Communicate
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Establish/Maintain Documentation
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Establish/Maintain Documentation
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Establish/Maintain Documentation
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Establish/Maintain Documentation
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Establish/Maintain Documentation
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Monitoring and measurement Establish/Maintain Documentation
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics standard and template. CC ID 02157 Monitoring and measurement Establish/Maintain Documentation
    Monitor compliance with the Quality Control system. CC ID 01023 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Monitoring and measurement Establish/Maintain Documentation
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Monitoring and measurement Business Processes
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Monitoring and measurement Business Processes
    Establish, implement, and maintain a physical environment metrics program. CC ID 02063 Monitoring and measurement Business Processes
    Establish, implement, and maintain a privacy metrics program. CC ID 15494 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 [The management review shall include consideration of: information on the organization's environmental performance, including trends in: monitoring and measurement results; § 9.3 ¶ 2 d) 2) The organization shall monitor, measure, analyse and evaluate its environmental performance. § 9.1.1 ¶ 1 The organization shall determine: the criteria against which the organization will evaluate its environmental performance, and appropriate indicators; § 9.1.1 ¶ 2 c) {be measurable} The environmental objectives shall be: measurable (if practicable); § 6.2.1 ¶ 2 b)] Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain waste management metrics. CC ID 16152 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain emissions management metrics. CC ID 16145 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain financial management metrics. CC ID 16749 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Monitoring and measurement Business Processes
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Monitoring and measurement Business Processes
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Monitoring and measurement Business Processes
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Monitoring and measurement Log Management
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Monitoring and measurement Business Processes
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Monitoring and measurement Business Processes
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Monitoring and measurement Business Processes
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Monitoring and measurement Business Processes
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Monitoring and measurement Business Processes
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Monitoring and measurement Business Processes
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Monitoring and measurement Business Processes
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Monitoring and measurement Communicate
    Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Monitoring and measurement Establish/Maintain Documentation
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a log management program. CC ID 00673 Monitoring and measurement Establish/Maintain Documentation
    Deploy log normalization tools, as necessary. CC ID 12141 Monitoring and measurement Technical Security
    Restrict access to logs to authorized individuals. CC ID 01342 Monitoring and measurement Log Management
    Restrict access to audit trails to a need to know basis. CC ID 11641 Monitoring and measurement Technical Security
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Monitoring and measurement Log Management
    Back up audit trails according to backup procedures. CC ID 11642 Monitoring and measurement Systems Continuity
    Back up logs according to backup procedures. CC ID 01344 Monitoring and measurement Log Management
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Monitoring and measurement Log Management
    Identify hosts with logs that are not being stored. CC ID 06314 Monitoring and measurement Log Management
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Monitoring and measurement Log Management
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Monitoring and measurement Log Management
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Monitoring and measurement Log Management
    Protect logs from unauthorized activity. CC ID 01345 Monitoring and measurement Log Management
    Perform testing and validating activities on all logs. CC ID 06322 Monitoring and measurement Log Management
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Monitoring and measurement Log Management
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Monitoring and measurement Configuration
    Preserve the identity of individuals in audit trails. CC ID 10594 Monitoring and measurement Log Management
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Monitoring and measurement Establish/Maintain Documentation
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Monitoring and measurement Audits and Risk Management
    Monitor the performance of the governance, risk, and compliance capability. CC ID 12857
    [When planning how to achieve its environmental objectives, the organization shall determine: how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). § 6.2.2 ¶ 1 e)]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Align corrective actions with the level of environmental impact. CC ID 15193
    [Corrective actions shall be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s). § 10.2 ¶ 2]
    Monitoring and measurement Business Processes
    Include risks and opportunities in the corrective action plan. CC ID 15178
    [{environmental aspect} The organization shall plan: to take actions to address its: risks and opportunities identified in 6.1.1; § 6.1.4 ¶ 1 a) 3)]
    Monitoring and measurement Establish/Maintain Documentation
    Include environmental aspects in the corrective action plan. CC ID 15177
    [The organization shall plan: to take actions to address its: significant environmental aspects; § 6.1.4 ¶ 1 a) 1)]
    Monitoring and measurement Establish/Maintain Documentation
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Establish/Maintain Documentation
    Protect against misusing automated audit tools. CC ID 04547 Monitoring and measurement Technical Security
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Audits and risk management Establish Roles
    Manage supply chain audits. CC ID 01203 Audits and risk management Audits and Risk Management
    Review the external auditor's involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Audits and Risk Management
    Rotate auditors, as necessary. CC ID 15589 Audits and risk management Audits and Risk Management
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Audits and risk management Establish Roles
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Audits and risk management Establish Roles
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Establish Roles
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Audits and risk management Establish Roles
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Audits and risk management Establish Roles
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Audits and risk management Establish Roles
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Audits and risk management Establish Roles
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and risk management Audits and Risk Management
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Audits and risk management Establish/Maintain Documentation
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Audits and risk management Establish/Maintain Documentation
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Audits and risk management Establish/Maintain Documentation
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Audits and risk management Establish/Maintain Documentation
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Audits and risk management Establish/Maintain Documentation
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Audits and risk management Establish/Maintain Documentation
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Audits and risk management Establish/Maintain Documentation
    Review the external audit scope, as necessary. CC ID 01202 Audits and risk management Audits and Risk Management
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Audits and risk management Establish/Maintain Documentation
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Audits and risk management Establish/Maintain Documentation
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Audits and risk management Establish/Maintain Documentation
    Review the external auditor's qualifications. CC ID 01197 Audits and risk management Audits and Risk Management
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and risk management Audits and Risk Management
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Audits and risk management Establish/Maintain Documentation
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Audits and risk management Establish/Maintain Documentation
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Audits and risk management Behavior
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Audits and risk management Behavior
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Audits and risk management Establish/Maintain Documentation
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an audit program. CC ID 00684
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain audit policies. CC ID 13166 Audits and risk management Establish/Maintain Documentation
    Assign the audit to impartial auditors. CC ID 07118
    [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 3 b)]
    Audits and risk management Establish Roles
    Define what constitutes a threat to independence. CC ID 16824 Audits and risk management Audits and Risk Management
    Exercise due professional care during the planning and performance of the audit. CC ID 07119
    [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2]
    Audits and risk management Behavior
    Include resource requirements in the audit program. CC ID 15237 Audits and risk management Establish/Maintain Documentation
    Include risks and opportunities in the audit program. CC ID 15236 Audits and risk management Establish/Maintain Documentation
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and risk management Audits and Risk Management
    Establish and maintain audit terms. CC ID 13880 Audits and risk management Establish/Maintain Documentation
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Audits and risk management Process or Activity
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Audits and risk management Establish/Maintain Documentation
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an in scope system description. CC ID 14873 Audits and risk management Establish/Maintain Documentation
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and risk management Audits and Risk Management
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and risk management Audits and Risk Management
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and risk management Audits and Risk Management
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and risk management Audits and Risk Management
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and risk management Audits and Risk Management
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and risk management Audits and Risk Management
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Audits and risk management Establish/Maintain Documentation
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Audits and risk management Establish/Maintain Documentation
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Audits and risk management Establish/Maintain Documentation
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and risk management Audits and Risk Management
    Include changes in the audit assertion's in scope system description. CC ID 14894 Audits and risk management Establish/Maintain Documentation
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Audits and risk management Establish/Maintain Documentation
    Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 Audits and risk management Establish/Maintain Documentation
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Audits and risk management Establish/Maintain Documentation
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Audits and risk management Establish/Maintain Documentation
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Audits and risk management Establish/Maintain Documentation
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Audits and risk management Establish/Maintain Documentation
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Audits and risk management Establish/Maintain Documentation
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Audits and risk management Establish/Maintain Documentation
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Audits and risk management Establish/Maintain Documentation
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Audits and risk management Establish/Maintain Documentation
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Audits and risk management Establish/Maintain Documentation
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Audits and risk management Establish/Maintain Documentation
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Audits and risk management Establish/Maintain Documentation
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Audits and risk management Establish/Maintain Documentation
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Audits and risk management Establish/Maintain Documentation
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Audits and risk management Establish/Maintain Documentation
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Audits and risk management Establish/Maintain Documentation
    Include commitments to third parties in the audit assertion. CC ID 14899 Audits and risk management Establish/Maintain Documentation
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Audits and risk management Establish/Maintain Documentation
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Audits and risk management Establish/Maintain Documentation
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Audits and risk management Establish/Maintain Documentation
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and risk management Audits and Risk Management
    Identify personnel who should attend the closing meeting. CC ID 15261 Audits and risk management Business Processes
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and risk management Audits and Risk Management
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 3 a)]
    Audits and risk management Establish/Maintain Documentation
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Audits and risk management Establish/Maintain Documentation
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit program. CC ID 07103 Audits and risk management Establish/Maintain Documentation
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Investigate
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Audits and risk management Establish/Maintain Documentation
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Audits and risk management Establish/Maintain Documentation
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Audits and risk management Establish/Maintain Documentation
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Audits and Risk Management
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Audits and risk management Establish/Maintain Documentation
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Audits and Risk Management
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Establish/Maintain Documentation
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Audits and risk management Establish/Maintain Documentation
    Provide a representation letter in support of the audit assertion. CC ID 07158 Audits and risk management Establish/Maintain Documentation
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Audits and Risk Management
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Establish/Maintain Documentation
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Establish/Maintain Documentation
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Establish/Maintain Documentation
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Establish/Maintain Documentation
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Audits and risk management Establish/Maintain Documentation
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Audits and risk management Establish/Maintain Documentation
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Audits and risk management Establish/Maintain Documentation
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Audits and risk management Establish/Maintain Documentation
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Audits and risk management Establish/Maintain Documentation
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Establish/Maintain Documentation
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Establish/Maintain Documentation
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Establish/Maintain Documentation
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Establish/Maintain Documentation
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Establish/Maintain Documentation
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Establish/Maintain Documentation
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Establish/Maintain Documentation
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Establish/Maintain Documentation
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Establish/Maintain Documentation
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Establish/Maintain Documentation
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Establish/Maintain Documentation
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Establish/Maintain Documentation
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Establish/Maintain Documentation
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Establish/Maintain Documentation
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Establish/Maintain Documentation
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Establish/Maintain Documentation
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Audits and risk management Establish/Maintain Documentation
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Communicate
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Audits and risk management Establish/Maintain Documentation
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Audits and risk management Establish/Maintain Documentation
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795
    [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 3 a)]
    Audits and risk management Audits and Risk Management
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Audits and risk management Establish/Maintain Documentation
    Include the expectations for the audit report in the audit terms. CC ID 07148 Audits and risk management Establish/Maintain Documentation
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Audits and risk management Establish/Maintain Documentation
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Audits and risk management Communicate
    Include materiality levels in the audit terms. CC ID 01238 Audits and risk management Establish/Maintain Documentation
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Audits and risk management Establish/Maintain Documentation
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Audits and risk management Establish/Maintain Documentation
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Audits and risk management Business Processes
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Audits and risk management Business Processes
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Behavior
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Audits and Risk Management
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Business Processes
    Audit in scope audit items and compliance documents. CC ID 06730
    [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 3 b)
    The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: § 9.2.1 ¶ 1]
    Audits and risk management Audits and Risk Management
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [The organization shall retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2.2 ¶ 4]
    Audits and risk management Actionable Reports or Measurements
    Document any after the fact changes to the engagement file. CC ID 07002 Audits and risk management Establish/Maintain Documentation
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Audits and risk management Establish/Maintain Documentation
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Audits and risk management Establish/Maintain Documentation
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Audits and risk management Records Management
    Conduct onsite inspections, as necessary. CC ID 16199 Audits and risk management Testing
    Audit policies, standards, and procedures. CC ID 12927
    [The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: conforms to: the requirements of this International Standard; § 9.2.1 ¶ 1 a) 2)
    The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: conforms to: the organization's own requirements for its environmental management system; § 9.2.1 ¶ 1 a) 1)]
    Audits and risk management Audits and Risk Management
    Edit the audit assertion for accuracy. CC ID 07030 Audits and risk management Establish/Maintain Documentation
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Audits and risk management Establish/Maintain Documentation
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Process or Activity
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Audits and risk management Establish/Maintain Documentation
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 Audits and risk management Testing
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Audits and Risk Management
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Audits and Risk Management
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Audits and Risk Management
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Audits and Risk Management
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management Audits and Risk Management
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Audits and risk management Communicate
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Audits and risk management Testing
    Establish, implement, and maintain interview procedures. CC ID 16282 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the interview procedures. CC ID 16297 Audits and risk management Human Resources Management
    Coordinate the scheduling of interviews. CC ID 16293 Audits and risk management Process or Activity
    Create a schedule for the interviews. CC ID 16292 Audits and risk management Process or Activity
    Identify interviewees. CC ID 16290 Audits and risk management Process or Activity
    Explain the testing results to the interviewee. CC ID 16291 Audits and risk management Process or Activity
    Establish and maintain work papers, as necessary. CC ID 13891 Audits and risk management Establish/Maintain Documentation
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Audits and risk management Establish/Maintain Documentation
    Include audit irregularities in the work papers. CC ID 16774 Audits and risk management Establish/Maintain Documentation
    Include corrective actions in the work papers. CC ID 16771 Audits and risk management Establish/Maintain Documentation
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Audits and risk management Establish/Maintain Documentation
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Audits and risk management Establish/Maintain Documentation
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Audits and risk management Establish/Maintain Documentation
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and risk management Audits and Risk Management
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Audits and risk management Establish/Maintain Documentation
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Audits and risk management Establish/Maintain Documentation
    Include whether any subject matter experts had to be engaged, or additional research undertaken, to test in scope controls in the work papers. CC ID 07026 Audits and risk management Establish/Maintain Documentation
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Audits and risk management Establish/Maintain Documentation
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and risk management Audits and Risk Management
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Audits and risk management Establish/Maintain Documentation
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Audits and risk management Establish/Maintain Documentation
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Audits and risk management Monitor and Evaluate Occurrences
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Audits and risk management Establish Roles
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Audits and risk management Business Processes
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Audits and risk management Monitor and Evaluate Occurrences
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Audits and risk management Business Processes
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Audits and risk management Process or Activity
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Audits and risk management Establish/Maintain Documentation
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and risk management Audits and Risk Management
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Audits and risk management Business Processes
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and risk management Audits and Risk Management
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Audits and risk management Establish/Maintain Documentation
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Audits and risk management Establish/Maintain Documentation
    Establish and maintain organizational audit reports. CC ID 06731
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Audits and risk management Establish/Maintain Documentation
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Audits and Risk Management
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Establish/Maintain Documentation
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Establish/Maintain Documentation
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Audits and risk management Establish/Maintain Documentation
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Establish/Maintain Documentation
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Establish/Maintain Documentation
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Establish/Maintain Documentation
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Establish/Maintain Documentation
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Establish/Maintain Documentation
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Establish/Maintain Documentation
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Establish/Maintain Documentation
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Establish/Maintain Documentation
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Establish/Maintain Documentation
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Actionable Reports or Measurements
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Actionable Reports or Measurements
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Establish/Maintain Documentation
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Actionable Reports or Measurements
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Establish/Maintain Documentation
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Establish/Maintain Documentation
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Establish/Maintain Documentation
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Establish/Maintain Documentation
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Actionable Reports or Measurements
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Audits and risk management Establish/Maintain Documentation
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 Audits and risk management Establish/Maintain Documentation
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Establish/Maintain Documentation
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Establish/Maintain Documentation
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Establish/Maintain Documentation
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Establish/Maintain Documentation
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Audits and risk management Establish/Maintain Documentation
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Audits and risk management Establish/Maintain Documentation
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Audits and risk management Establish/Maintain Documentation
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Establish/Maintain Documentation
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Establish/Maintain Documentation
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Establish/Maintain Documentation
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Establish/Maintain Documentation
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Establish/Maintain Documentation
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Establish/Maintain Documentation
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Establish/Maintain Documentation
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Audits and Risk Management
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Audits and risk management Establish/Maintain Documentation
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Audits and risk management Establish/Maintain Documentation
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Establish/Maintain Documentation
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Establish/Maintain Documentation
    Include recommended corrective actions in the audit report. CC ID 16197 Audits and risk management Establish/Maintain Documentation
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Establish/Maintain Documentation
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Establish/Maintain Documentation
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Establish/Maintain Documentation
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Establish/Maintain Documentation
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Establish/Maintain Documentation
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Audits and Risk Management
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Establish/Maintain Documentation
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Establish/Maintain Documentation
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Actionable Reports or Measurements
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Audits and risk management Establish/Maintain Documentation
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Audits and risk management Establish/Maintain Documentation
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Audits and risk management Establish/Maintain Documentation
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Audits and risk management Establish/Maintain Documentation
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Audits and risk management Establish/Maintain Documentation
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Establish/Maintain Documentation
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and risk management Audits and Risk Management
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Audits and risk management Establish/Maintain Documentation
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Audits and Risk Management
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Behavior
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Establish/Maintain Documentation
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Establish/Maintain Documentation
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Establish/Maintain Documentation
    Include an audit opinion in the audit report. CC ID 07017 Audits and risk management Establish/Maintain Documentation
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Establish/Maintain Documentation
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Audits and risk management Establish/Maintain Documentation
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Establish/Maintain Documentation
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Audits and risk management Establish/Maintain Documentation
    Include the organization's privacy practices in the audit report. CC ID 07029 Audits and risk management Establish/Maintain Documentation
    Include items that pertain to third parties in the audit report. CC ID 07008 Audits and risk management Establish/Maintain Documentation
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Establish/Maintain Documentation
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Audits and risk management Establish/Maintain Documentation
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Audits and risk management Establish/Maintain Documentation
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Audits and risk management Establish/Maintain Documentation
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Audits and risk management Establish/Maintain Documentation
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Audits and risk management Establish/Maintain Documentation
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Actionable Reports or Measurements
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Audits and risk management Establish/Maintain Documentation
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Audits and risk management Establish/Maintain Documentation
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Audits and risk management Human Resources Management
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Communicate
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Communicate
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Behavior
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Establish/Maintain Documentation
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Establish/Maintain Documentation
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Audits and risk management Business Processes
    Accept the audit report. CC ID 07025 Audits and risk management Establish/Maintain Documentation
    Assign responsibility for remediation actions. CC ID 13622 Audits and risk management Human Resources Management
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Audits and risk management Establish/Maintain Documentation
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Establish/Maintain Documentation
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Establish/Maintain Documentation
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Establish/Maintain Documentation
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Establish/Maintain Documentation
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Establish/Maintain Documentation
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Establish/Maintain Documentation
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Establish/Maintain Documentation
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Establish/Maintain Documentation
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Establish/Maintain Documentation
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Establish/Maintain Documentation
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Establish/Maintain Documentation
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Establish/Maintain Documentation
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Communicate
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158
    [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 Physical and environmental protection Establish/Maintain Documentation
    Include the scope in the physical and environmental protection policy. CC ID 14170
    [The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. § 4.3 ¶ 1]
    Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061
    [Once the scope is defined, all activities, products and services of the organization within that scope need to be included in the environmental management system. § 4.3 ¶ 3]
    Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 Physical and environmental protection Communicate
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [{response}{adverse impact}The organization shall: prepare to respond by planning actions to prevent or mitigate adverse environmental impacts from emergency situations; § 8.2 ¶ 2 a)]
    Operational and Systems Continuity Establish/Maintain Documentation
    Identify all stakeholders in the continuity plan. CC ID 13256 Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Communicate
    Maintain normal security levels when an emergency occurs. CC ID 06377 Operational and Systems Continuity Systems Continuity
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Operational and Systems Continuity Systems Continuity
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Operational and Systems Continuity Establish/Maintain Documentation
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Operational and Systems Continuity Human Resources Management
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Operational and Systems Continuity Establish/Maintain Documentation
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Operational and Systems Continuity Human Resources Management
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Systems Continuity
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Configuration
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Establish/Maintain Documentation
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Behavior
    Include the continuity strategy in the continuity plan. CC ID 13189 Operational and Systems Continuity Establish/Maintain Documentation
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Operational and Systems Continuity Technical Security
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Operational and Systems Continuity Establish/Maintain Documentation
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Operational and Systems Continuity Process or Activity
    Record business continuity management system performance for posterity. CC ID 12411 Operational and Systems Continuity Monitor and Evaluate Occurrences
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Operational and Systems Continuity Process or Activity
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Operational and Systems Continuity Establish/Maintain Documentation
    Include incident management procedures in the continuity plan. CC ID 13244 Operational and Systems Continuity Establish/Maintain Documentation
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Establish/Maintain Documentation
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Operational and Systems Continuity Establish/Maintain Documentation
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Establish Roles
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Communicate
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Operational and Systems Continuity Establish/Maintain Documentation
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Configuration
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Configuration
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Acquisition/Sale of Assets or Services
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Operational and Systems Continuity Establish/Maintain Documentation
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Operational and Systems Continuity Establish/Maintain Documentation
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Operational and Systems Continuity Systems Continuity
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [The organization shall: periodically review and revise the process(es) and planned response actions, in particular after the occurrence of emergency situations or tests; § 8.2 ¶ 2 e)
    {be appropriate}The organization shall: take action to prevent or mitigate the consequences of emergency situations, appropriate to the magnitude of the emergency and the potential environmental impact; § 8.2 ¶ 2 c)]
    Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Communicate
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Establish/Maintain Documentation
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Human Resources Management
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Establish/Maintain Documentation
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Establish/Maintain Documentation
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Establish/Maintain Documentation
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Communicate
    Include restoration procedures in the continuity plan. CC ID 01169 Operational and Systems Continuity Establish Roles
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Operational and Systems Continuity Establish/Maintain Documentation
    Include the recovery plan in the continuity plan. CC ID 01377 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Communicate
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Operational and Systems Continuity Systems Continuity
    Train personnel on the continuity plan. CC ID 00759
    [The organization shall: provide relevant information and training related to emergency preparedness and response, as appropriate, to relevant interested parties, including persons working under its control. § 8.2 ¶ 2 f)]
    Operational and Systems Continuity Behavior
    Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 Operational and Systems Continuity Behavior
    Incorporate simulated events into the continuity plan training. CC ID 01402 Operational and Systems Continuity Behavior
    Include cross-team coordination in continuity plan training. CC ID 16235 Operational and Systems Continuity Training
    Include stay at home order training in the continuity plan training. CC ID 14382 Operational and Systems Continuity Training
    Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 Operational and Systems Continuity Training
    Include personal protection in continuity plan training. CC ID 14394 Operational and Systems Continuity Training
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806
    [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. § 5.3 ¶ 1]
    Human Resources management Establish Roles
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 Human Resources management Establish Roles
    Establish, implement, and maintain a security operations center. CC ID 14762 Human Resources management Human Resources Management
    Define the scope for the security operations center. CC ID 15713 Human Resources management Establish/Maintain Documentation
    Designate an alternate for each organizational leader. CC ID 12053 Human Resources management Human Resources Management
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Human Resources management Behavior
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 Human Resources management Human Resources Management
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 Human Resources management Establish Roles
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources management Human Resources Management
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Human Resources management Establish/Maintain Documentation
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources management Human Resources Management
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Human Resources management Establish/Maintain Documentation
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Human Resources management Establish/Maintain Documentation
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources management Human Resources Management
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources management Human Resources Management
    Assign senior management to the role of authorizing official. CC ID 14238 Human Resources management Establish Roles
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources management Human Resources Management
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources management Human Resources Management
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources management Human Resources Management
    Define and assign board committees, as necessary. CC ID 14787 Human Resources management Human Resources Management
    Define and assign risk committees, as necessary. CC ID 14795 Human Resources management Human Resources Management
    Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 Human Resources management Establish/Maintain Documentation
    Define and assign audit committees, as necessary. CC ID 14788 Human Resources management Human Resources Management
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 Human Resources management Human Resources Management
    Define and assign compensation committees, as necessary. CC ID 14793 Human Resources management Human Resources Management
    Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 Human Resources management Establish Roles
    Define and assign the network administrator's roles and responsibilities. CC ID 16363 Human Resources management Human Resources Management
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 Human Resources management Establish Roles
    Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 Human Resources management Human Resources Management
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810 Human Resources management Establish Roles
    Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 Human Resources management Establish Roles
    Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 Human Resources management Human Resources Management
    Define and assign roles and responsibilities for network management. CC ID 13128 Human Resources management Human Resources Management
    Define and assign the technology security leader's roles and responsibilities. CC ID 01897 Human Resources management Establish Roles
    Define and assign the security staff roles and responsibilities. CC ID 11750 Human Resources management Establish/Maintain Documentation
    Define and assign the authorized representatives roles and responsibilities. CC ID 15033 Human Resources management Human Resources Management
    Define and assign the property management leader's roles and responsibilities. CC ID 00669 Human Resources management Establish Roles
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 Human Resources management Establish Roles
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 Human Resources management Establish Roles
    Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 Human Resources management Establish Roles
    Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 Human Resources management Establish/Maintain Documentation
    Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 Human Resources management Establish Roles
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources management Human Resources Management
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources management Human Resources Management
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources management Human Resources Management
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources management Human Resources Management
    Assign a contact person to all business units. CC ID 07144 Human Resources management Establish Roles
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Human Resources management Business Processes
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources management Human Resources Management
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources management Human Resources Management
    Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 Human Resources management Human Resources Management
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Establish/Maintain Documentation
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Establish Roles
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Establish Roles
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Establish/Maintain Documentation
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Human Resources Management
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Establish/Maintain Documentation
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Process or Activity
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Establish/Maintain Documentation
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Human Resources Management
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Human Resources Management
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Establish/Maintain Documentation
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Testing
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Human Resources Management
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Human Resources Management
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Human Resources Management
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Communicate
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Human Resources Management
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Establish/Maintain Documentation
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Human Resources Management
    Establish and maintain security clearances. CC ID 01634 Human Resources management Human Resources Management
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Human Resources management Establish Roles
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781
    [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; § 7.2 ¶ 1 a)]
    Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 Human Resources management Human Resources Management
    Establish and maintain an annual report on compensation. CC ID 14801 Human Resources management Establish/Maintain Documentation
    Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 Human Resources management Communicate
    Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 Human Resources management Establish/Maintain Documentation
    Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 Human Resources management Establish/Maintain Documentation
    Refrain from using employees' privacy choices to restrict employment. CC ID 12425 Human Resources management Human Resources Management
    Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 Human Resources management Human Resources Management
    Use rewards and career development to motivate personnel. CC ID 06906 Human Resources management Behavior
    Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 Human Resources management Human Resources Management
    Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 Human Resources management Human Resources Management
    Establish, implement, and maintain job applications. CC ID 16180 Human Resources management Establish/Maintain Documentation
    Include a space for the applicant's name on the job application. CC ID 16190 Human Resources management Human Resources Management
    Include a space for the applicant's current address on the job application. CC ID 16189 Human Resources management Human Resources Management
    Include a space for the applicant's social security number on the job application. CC ID 16188 Human Resources management Human Resources Management
    Include a space for the applicant's date of birth on the job application. CC ID 16186 Human Resources management Human Resources Management
    Include a space for previous employers and business relationships on the job application. CC ID 16185 Human Resources management Human Resources Management
    Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 Human Resources management Human Resources Management
    Include a space for the start date on the job application. CC ID 16187 Human Resources management Human Resources Management
    Include a space to explain legal penalties on the job application. CC ID 16183 Human Resources management Human Resources Management
    Approve the wording of job applications. CC ID 16182 Human Resources management Human Resources Management
    Include a space for past aliases and other used names on job applications. CC ID 12301 Human Resources management Human Resources Management
    Include a space for previous addresses and previous residences on the job application. CC ID 12302 Human Resources management Human Resources Management
    Include a space to explain employment gaps on the job application. CC ID 12303 Human Resources management Human Resources Management
    Train all personnel and third parties, as necessary. CC ID 00785
    [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. § 7.2 ¶ 1 d)]
    Human Resources management Behavior
    Establish, implement, and maintain an education methodology. CC ID 06671 Human Resources management Business Processes
    Support certification programs as viable training programs. CC ID 13268 Human Resources management Human Resources Management
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Establish/Maintain Documentation
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Establish/Maintain Documentation
    Submit applications for professional certification. CC ID 16192 Human Resources management Training
    Retrain all personnel, as necessary. CC ID 01362 Human Resources management Behavior
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Human Resources management Behavior
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Human Resources management Behavior
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Behavior
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Behavior
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Human Resources Management
    Review the current published guidance and awareness and training programs. CC ID 01245 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain training plans. CC ID 00828
    [The organization shall: determine training needs associated with its environmental aspects and its environmental management system; § 7.2 ¶ 1 c)]
    Human Resources management Establish/Maintain Documentation
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Human Resources management Training
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Human Resources management Training
    Develop or acquire content to update the training plans. CC ID 12867 Human Resources management Training
    Designate training facilities in the training plan. CC ID 16200 Human Resources management Training
    Include portions of the visitor control program in the training plan. CC ID 13287 Human Resources management Establish/Maintain Documentation
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources management Human Resources Management
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Human Resources management Training
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources management Human Resources Management
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Human Resources management Training
    Include risk management in the training plan, as necessary. CC ID 13040 Human Resources management Training
    Conduct Archives and Records Management training. CC ID 00975 Human Resources management Behavior
    Conduct personal data processing training. CC ID 13757 Human Resources management Training
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Human Resources management Training
    Include the cloud service usage standard in the training plan. CC ID 13039 Human Resources management Training
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Establish/Maintain Documentation
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Human Resources management Establish/Maintain Documentation
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Communicate
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Establish/Maintain Documentation
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Establish/Maintain Documentation
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Establish/Maintain Documentation
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Establish/Maintain Documentation
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Establish/Maintain Documentation
    Include media protection in the security awareness program. CC ID 16368 Human Resources management Training
    Document security awareness requirements. CC ID 12146 Human Resources management Establish/Maintain Documentation
    Include safeguards for information systems in the security awareness program. CC ID 13046 Human Resources management Establish/Maintain Documentation
    Include security policies and security standards in the security awareness program. CC ID 13045 Human Resources management Establish/Maintain Documentation
    Include physical security in the security awareness program. CC ID 16369 Human Resources management Training
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Human Resources management Establish/Maintain Documentation
    Include updates on emerging issues in the security awareness program. CC ID 13184 Human Resources management Training
    Include cybersecurity in the security awareness program. CC ID 13183 Human Resources management Training
    Include implications of non-compliance in the security awareness program. CC ID 16425 Human Resources management Training
    Include the acceptable use policy in the security awareness program. CC ID 15487 Human Resources management Training
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Human Resources management Establish/Maintain Documentation
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Establish/Maintain Documentation
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Establish/Maintain Documentation
    Document the goals of the security awareness program. CC ID 12145 Human Resources management Establish/Maintain Documentation
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Establish/Maintain Documentation
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources management Human Resources Management
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Human Resources Management
    Document the scope of the security awareness program. CC ID 12148 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Human Resources management Establish/Maintain Documentation
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Human Resources Management
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Training
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200
    [The organization shall ensure that persons doing work under the organization's control are aware of: the significant environmental aspects and related actual or potential environmental impacts associated with their work; § 7.3 ¶ 1 b)
    The organization shall ensure that persons doing work under the organization's control are aware of: the environmental policy; § 7.3 ¶ 1 a)
    The organization shall ensure that persons doing work under the organization's control are aware of: the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. § 7.3 ¶ 1 d)
    The organization shall ensure that persons doing work under the organization's control are aware of: their contribution to the effectiveness of the environmental management system, including the benefits of enhanced environmental performance; § 7.3 ¶ 1 c)]
    Human Resources management Establish/Maintain Documentation
    Conduct tampering prevention training. CC ID 11875 Human Resources management Training
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Human Resources management Training
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Human Resources management Training
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Human Resources management Training
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Human Resources management Training
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Human Resources management Training
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Human Resources management Training
    Conduct crime prevention training. CC ID 06350 Human Resources management Behavior
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [The organization shall plan: to take actions to address its: compliance obligations; § 6.1.4 ¶ 1 a) 2)
    The organization shall establish, implement and maintain the process(es) needed to evaluate fulfilment of its compliance obligations. § 9.1.2 ¶ 1]
    Operational management Establish/Maintain Documentation
    Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 Operational management Establish/Maintain Documentation
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955
    [{internal communication}{be relevant}The organization shall: internally communicate information relevant to the environmental management system among the various levels and functions of the organization, including changes to the environmental management system, as appropriate; § 7.4.2 ¶ 1 a)]
    Operational management Behavior
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Operational management Establish/Maintain Documentation
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the resources needed for the environmental management system are available; § 5.1 ¶ 1 d)
    The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the environmental management system. § 7.1 ¶ 1
    The outputs of the management review shall include: decisions related to any need for changes to the environmental management system, including resources; § 9.3 ¶ 3 Bullet 3]
    Operational management Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853
    [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2
    The management review shall include consideration of: changes in: its significant environmental aspects; § 9.3 ¶ 2 b) 3)
    The management review shall include consideration of: changes in: risks and opportunities; § 9.3 ¶ 2 b) 4)
    The outputs of the management review shall include: decisions related to any need for changes to the environmental management system, including resources; § 9.3 ¶ 3 Bullet 3]
    Operational management Establish/Maintain Documentation
    Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 Operational management Process or Activity
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895
    [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2]
    Operational management Process or Activity
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809
    [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; § 6.1.1 ¶ 3 Bullet 2
    The organization shall plan: how to: evaluate the effectiveness of these actions (see 9.1). § 6.1.4 ¶ 1 b) 2)
    When planning how to achieve its environmental objectives, the organization shall determine: how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). § 6.2.2 ¶ 1 e)
    The organization shall evaluate its environmental performance and the effectiveness of the environmental management system. § 9.1.1 ¶ 4
    The outputs of the management review shall include: actions, if needed, when environmental objectives have not been achieved; § 9.3 ¶ 3 Bullet 4
    The outputs of the management review shall include: any implications for the strategic direction of the organization. § 9.3 ¶ 3 Bullet 6]
    Operational management Audits and Risk Management
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 Operational management Human Resources Management
    Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 Operational management Human Resources Management
    Establish, implement, and maintain a compliance policy. CC ID 14807 Operational management Establish/Maintain Documentation
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813 Operational management Establish/Maintain Documentation
    Include the scope in the compliance policy. CC ID 14812 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the compliance policy. CC ID 14811 Operational management Establish/Maintain Documentation
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Operational management Establish/Maintain Documentation
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Operational management Communicate
    Include management commitment in the compliance policy. CC ID 14808 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a governance policy. CC ID 15587 Operational management Establish/Maintain Documentation
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 Operational management Communicate
    Include a commitment to continuous improvement in the governance policy. CC ID 15595 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the governance policy. CC ID 15594 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a positive information control environment. CC ID 00813 Operational management Business Processes
    Make compliance and governance decisions in a timely manner. CC ID 06490 Operational management Behavior
    Establish, implement, and maintain an internal control framework. CC ID 00820 Operational management Establish/Maintain Documentation
    Define the scope for the internal control framework. CC ID 16325 Operational management Business Processes
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Operational management Establish Roles
    Assign resources to implement the internal control framework. CC ID 00816 Operational management Business Processes
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Operational management Establish Roles
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Operational management Business Processes
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Establish/Maintain Documentation
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Establish/Maintain Documentation
    Leverage actionable information to support internal controls. CC ID 12414 Operational management Business Processes
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [The management review shall include consideration of opportunities for continual improvement. § 9.3 ¶ 2 g)
    The outputs of the management review shall include: decisions related to continual improvement opportunities; § 9.3 ¶ 3 Bullet 2]
    Operational management Establish/Maintain Documentation
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Establish/Maintain Documentation
    Include threat assessment in the internal control framework. CC ID 01347 Operational management Establish/Maintain Documentation
    Automate threat assessments, as necessary. CC ID 06877 Operational management Configuration
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Operational management Establish/Maintain Documentation
    Automate vulnerability management, as necessary. CC ID 11730 Operational management Configuration
    Include personnel security procedures in the internal control framework. CC ID 01349 Operational management Establish/Maintain Documentation
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Operational management Establish/Maintain Documentation
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Establish/Maintain Documentation
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Establish/Maintain Documentation
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Communicate
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Process or Activity
    Include security incident response procedures in the internal control framework. CC ID 01359 Operational management Establish/Maintain Documentation
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Operational management Establish/Maintain Documentation
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Operational management Establish/Maintain Documentation
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Operational management Establish/Maintain Documentation
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Communicate
    Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 Operational management Communicate
    Establish, implement, and maintain a cybersecurity policy. CC ID 16833 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Establish/Maintain Documentation
    Include physical safeguards in the information security program. CC ID 12375 Operational management Establish/Maintain Documentation
    Include technical safeguards in the information security program. CC ID 12374 Operational management Establish/Maintain Documentation
    Include administrative safeguards in the information security program. CC ID 12373 Operational management Establish/Maintain Documentation
    Include system development in the information security program. CC ID 12389 Operational management Establish/Maintain Documentation
    Include system maintenance in the information security program. CC ID 12388 Operational management Establish/Maintain Documentation
    Include system acquisition in the information security program. CC ID 12387 Operational management Establish/Maintain Documentation
    Include access control in the information security program. CC ID 12386 Operational management Establish/Maintain Documentation
    Include operations management in the information security program. CC ID 12385 Operational management Establish/Maintain Documentation
    Include communication management in the information security program. CC ID 12384 Operational management Establish/Maintain Documentation
    Include environmental security in the information security program. CC ID 12383 Operational management Establish/Maintain Documentation
    Include physical security in the information security program. CC ID 12382 Operational management Establish/Maintain Documentation
    Include human resources security in the information security program. CC ID 12381 Operational management Establish/Maintain Documentation
    Include asset management in the information security program. CC ID 12380 Operational management Establish/Maintain Documentation
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Establish/Maintain Documentation
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Operational management Establish/Maintain Documentation
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Operational management Establish/Maintain Documentation
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Operational management Establish/Maintain Documentation
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Operational management Establish/Maintain Documentation
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Establish/Maintain Documentation
    Include risk management in the information security program. CC ID 12378 Operational management Establish/Maintain Documentation
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Establish/Maintain Documentation
    Provide management direction and support for the information security program. CC ID 11999 Operational management Process or Activity
    Monitor and review the effectiveness of the information security program. CC ID 12744 Operational management Monitor and Evaluate Occurrences
    Establish, implement, and maintain an information security policy. CC ID 11740 Operational management Establish/Maintain Documentation
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Business Processes
    Include business processes in the information security policy. CC ID 16326 Operational management Establish/Maintain Documentation
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Establish/Maintain Documentation
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Establish/Maintain Documentation
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Establish/Maintain Documentation
    Include information security objectives in the information security policy. CC ID 13493 Operational management Establish/Maintain Documentation
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Establish/Maintain Documentation
    Include notification procedures in the information security policy. CC ID 16842 Operational management Establish/Maintain Documentation
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Process or Activity
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Business Processes
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Establish/Maintain Documentation
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Communicate
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Establish/Maintain Documentation
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Operational management Process or Activity
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Establish Roles
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Human Resources Management
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Establish/Maintain Documentation
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Human Resources Management
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Operational management Communicate
    Establish, implement, and maintain a social media governance program. CC ID 06536 Operational management Establish/Maintain Documentation
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Business Processes
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Business Processes
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Behavior
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Establish/Maintain Documentation
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Establish/Maintain Documentation
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain operational control procedures. CC ID 00831 Operational management Establish/Maintain Documentation
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Establish/Maintain Documentation
    Include startup processes in operational control procedures. CC ID 00833 Operational management Establish/Maintain Documentation
    Include change control processes in the operational control procedures. CC ID 16793 Operational management Establish/Maintain Documentation
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Establish/Maintain Documentation
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Process or Activity
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Establish/Maintain Documentation
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Establish/Maintain Documentation
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Establish/Maintain Documentation
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Establish/Maintain Documentation
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Establish/Maintain Documentation
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Establish/Maintain Documentation
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Establish/Maintain Documentation
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Establish/Maintain Documentation
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Establish/Maintain Documentation
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Establish/Maintain Documentation
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Establish/Maintain Documentation
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Establish/Maintain Documentation
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Records Management
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Operational management Business Processes
    Provide support for information sharing activities. CC ID 15644 Operational management Process or Activity
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Business Processes
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Communicate
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Operational management Establish/Maintain Documentation
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Establish/Maintain Documentation
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Establish/Maintain Documentation
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Establish/Maintain Documentation
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Establish/Maintain Documentation
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Establish/Maintain Documentation
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Establish/Maintain Documentation
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Establish/Maintain Documentation
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Establish/Maintain Documentation
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Establish/Maintain Documentation
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Establish/Maintain Documentation
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Establish/Maintain Documentation
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Technical Security
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Establish/Maintain Documentation
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Data and Information Management
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Establish/Maintain Documentation
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Establish/Maintain Documentation
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Establish/Maintain Documentation
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Establish/Maintain Documentation
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Operational management Establish/Maintain Documentation
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Establish/Maintain Documentation
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Establish/Maintain Documentation
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Communicate
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Business Processes
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Operational management Establish/Maintain Documentation
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Establish/Maintain Documentation
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Establish/Maintain Documentation
    Identify the sender in all electronic messages. CC ID 13996 Operational management Data and Information Management
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536 Operational management Establish/Maintain Documentation
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Operational management Communicate
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a use of information agreement. CC ID 06215 Operational management Establish/Maintain Documentation
    Include use limitations in the use of information agreement. CC ID 06244 Operational management Establish/Maintain Documentation
    Include disclosure requirements in the use of information agreement. CC ID 11735 Operational management Establish/Maintain Documentation
    Include information recipients in the use of information agreement. CC ID 06245 Operational management Establish/Maintain Documentation
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Operational management Establish/Maintain Documentation
    Include disclosure of information in the use of information agreement. CC ID 11830 Operational management Establish/Maintain Documentation
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 Operational management Establish/Maintain Documentation
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Operational management Establish/Maintain Documentation
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Operational management Establish/Maintain Documentation
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 Operational management Process or Activity
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Operational management Process or Activity
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: § 5.1 ¶ 1]
    Operational management Process or Activity
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Operational management Process or Activity
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Operational management Process or Activity
    Analyze the organizational culture. CC ID 12899 Operational management Process or Activity
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Operational management Behavior
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Operational management Business Processes
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Operational management Business Processes
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Operational management Business Processes
    Include skill development in the analysis of the organizational culture. CC ID 12913 Operational management Behavior
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Operational management Behavior
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Operational management Business Processes
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Operational management Behavior
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Operational management Behavior
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [Top management shall assign the responsibility and authority for: ensuring that the environmental management system conforms to the requirements of this International Standard; § 5.3 ¶ 2 a)
    The outputs of the management review shall include: opportunities to improve integration of the environmental management system with other business processes, if needed; § 9.3 ¶ 3 Bullet 5]
    Operational management Establish/Maintain Documentation
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Operational management Communicate
    Review systems for compliance with organizational information security policies. CC ID 12004 Operational management Business Processes
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815
    [{internal communication}{be relevant}The organization shall: internally communicate information relevant to the environmental management system among the various levels and functions of the organization, including changes to the environmental management system, as appropriate; § 7.4.2 ¶ 1 a)
    {external communication}{be relevant} The organization shall externally communicate information relevant to the environmental management system, as established by the organization's communication process(es) and as required by its compliance obligations. § 7.4.3 ¶ 1
    The organization shall: maintain knowledge and understanding of its compliance status. § 9.1.2 ¶ 2 c)
    The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations. § 9.1.1 ¶ 5]
    Operational management Behavior
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [Consistent with a life cycle perspective, the organization shall: consider the need to provide information about potential significant environmental impacts associated with the transportation or delivery, use, end-of-life treatment and final disposal of its products and services. § 8.1 ¶ 4 d)]
    Operational management Business Processes
    Establish, implement, and maintain an asset management policy. CC ID 15219 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the asset management policy. CC ID 16424 Operational management Business Processes
    Establish, implement, and maintain asset management procedures. CC ID 16748 Operational management Establish/Maintain Documentation
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Operational management Human Resources Management
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Operational management Business Processes
    Include life cycle requirements in the security management program. CC ID 16392 Operational management Establish/Maintain Documentation
    Include program objectives in the asset management program. CC ID 14413 Operational management Establish/Maintain Documentation
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Operational management Establish/Maintain Documentation
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Operational management Business Processes
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Establish/Maintain Documentation
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Systems Design, Build, and Implementation
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Operational management Establish/Maintain Documentation
    Define confidentiality controls. CC ID 01908 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Operational management Establish/Maintain Documentation
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Operational management Process or Activity
    Define integrity controls. CC ID 01909 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Operational management Establish/Maintain Documentation
    Define availability controls. CC ID 01911 Operational management Establish/Maintain Documentation
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 Operational management Establish/Maintain Documentation
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Operational management Communicate
    Classify assets according to the Asset Classification Policy. CC ID 07186 Operational management Establish Roles
    Classify virtual systems by type and purpose. CC ID 16332 Operational management Business Processes
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Operational management Establish/Maintain Documentation
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Operational management Establish Roles
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Operational management Configuration
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an asset inventory. CC ID 06631 Operational management Business Processes
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Operational management Establish/Maintain Documentation
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Establish/Maintain Documentation
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Operational management Systems Design, Build, and Implementation
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Operational management Data and Information Management
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Operational management Establish/Maintain Documentation
    Categorize all major applications according to the business information they process. CC ID 07182 Operational management Establish/Maintain Documentation
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Operational management Establish/Maintain Documentation
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Operational management Establish/Maintain Documentation
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Operational management Establish/Maintain Documentation
    Conduct environmental surveys. CC ID 00690 Operational management Physical and Environmental Protection
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Operational management Establish/Maintain Documentation
    Include network equipment in the Information Technology inventory. CC ID 00693 Operational management Establish/Maintain Documentation
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Operational management Establish/Maintain Documentation
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Operational management Process or Activity
    Include software in the Information Technology inventory. CC ID 00692 Operational management Establish/Maintain Documentation
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Operational management Establish/Maintain Documentation
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Operational management Establish/Maintain Documentation
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Operational management Establish/Maintain Documentation
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Operational management Technical Security
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Technical Security
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Data and Information Management
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Establish/Maintain Documentation
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Data and Information Management
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Data and Information Management
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Establish/Maintain Documentation
    Include source code in the asset inventory. CC ID 14858 Operational management Records Management
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Human Resources Management
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Establish/Maintain Documentation
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Data and Information Management
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Establish/Maintain Documentation
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Establish/Maintain Documentation
    Record the software version in the asset inventory. CC ID 12196 Operational management Establish/Maintain Documentation
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Establish/Maintain Documentation
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Establish/Maintain Documentation
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Establish/Maintain Documentation
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Establish/Maintain Documentation
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Operational management Establish/Maintain Documentation
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Establish/Maintain Documentation
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Establish/Maintain Documentation
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Establish/Maintain Documentation
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Establish/Maintain Documentation
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Data and Information Management
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Establish/Maintain Documentation
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Data and Information Management
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Establish/Maintain Documentation
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Establish/Maintain Documentation
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Establish/Maintain Documentation
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Establish/Maintain Documentation
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Establish/Maintain Documentation
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Establish/Maintain Documentation
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Establish/Maintain Documentation
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Data and Information Management
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Data and Information Management
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Establish/Maintain Documentation
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Operational management Establish/Maintain Documentation
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Establish/Maintain Documentation
    Record all changes to assets in the asset inventory. CC ID 12190 Operational management Establish/Maintain Documentation
    Record cloud service derived data in the asset inventory. CC ID 13007 Operational management Establish/Maintain Documentation
    Include cloud service customer data in the asset inventory. CC ID 13006 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Operational management Establish/Maintain Documentation
    Prevent users from disabling required software. CC ID 16417 Operational management Technical Security
    Establish, implement, and maintain software archives procedures. CC ID 00866 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software license management procedures. CC ID 06639 Operational management Establish/Maintain Documentation
    Automate software license monitoring, as necessary. CC ID 07057 Operational management Monitor and Evaluate Occurrences
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Operational management Establish/Maintain Documentation
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Operational management Behavior
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Operational management Data and Information Management
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Operational management Acquisition/Sale of Assets or Services
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Operational management Establish/Maintain Documentation
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system disposal program. CC ID 14431 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain disposal procedures. CC ID 16513 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Operational management Establish/Maintain Documentation
    Destroy systems in accordance with the system disposal program. CC ID 16457 Operational management Business Processes
    Approve the release of systems and waste material into the public domain. CC ID 16461 Operational management Business Processes
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Operational management Establish/Maintain Documentation
    Establish and maintain maintenance reports. CC ID 11749 Operational management Establish/Maintain Documentation
    Establish and maintain system inspection reports. CC ID 06346 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Operational management Establish/Maintain Documentation
    Include compliance requirements in the system maintenance policy. CC ID 14217 Operational management Establish/Maintain Documentation
    Include management commitment in the system maintenance policy. CC ID 14216 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Operational management Establish/Maintain Documentation
    Include the scope in the system maintenance policy. CC ID 14214 Operational management Establish/Maintain Documentation
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Operational management Communicate
    Include the purpose in the system maintenance policy. CC ID 14187 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Operational management Establish/Maintain Documentation
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Operational management Communicate
    Establish, implement, and maintain a technology refresh plan. CC ID 13061 Operational management Establish/Maintain Documentation
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Operational management Physical and Environmental Protection
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Operational management Behavior
    Use system components only when third party support is available. CC ID 10644 Operational management Maintenance
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Operational management Maintenance
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Business Processes
    Control remote maintenance according to the system's asset classification. CC ID 01433 Operational management Technical Security
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Operational management Configuration
    Approve all remote maintenance sessions. CC ID 10615 Operational management Technical Security
    Log the performance of all remote maintenance. CC ID 13202 Operational management Log Management
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Operational management Technical Security
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Operational management Maintenance
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Maintenance
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Maintenance
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Operational management Behavior
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Operational management Establish/Maintain Documentation
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Operational management Acquisition/Sale of Assets or Services
    Perform periodic maintenance according to organizational standards. CC ID 01435 Operational management Behavior
    Restart systems on a periodic basis. CC ID 16498 Operational management Maintenance
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Maintenance
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Technical Security
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Technical Security
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Human Resources Management
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Operational management Physical and Environmental Protection
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Operational management Establish/Maintain Documentation
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Operational management Process or Activity
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Operational management Business Processes
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Operational management Establish/Maintain Documentation
    Dispose of hardware and software at their life cycle end. CC ID 06278 Operational management Business Processes
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Operational management Business Processes
    Establish, implement, and maintain disposal contracts. CC ID 12199 Operational management Establish/Maintain Documentation
    Include disposal procedures in disposal contracts. CC ID 13905 Operational management Establish/Maintain Documentation
    Remove asset tags prior to disposal of an asset. CC ID 12198 Operational management Business Processes
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Operational management Establish/Maintain Documentation
    Review each system's operational readiness. CC ID 06275 Operational management Systems Design, Build, and Implementation
    Establish, implement, and maintain a data stewardship policy. CC ID 06657 Operational management Establish/Maintain Documentation
    Establish and maintain an unauthorized software list. CC ID 10601 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a change control program. CC ID 00886 Operational management Establish/Maintain Documentation
    Include potential consequences of unintended changes in the change control program. CC ID 12243
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Operational management Establish/Maintain Documentation
    Include version control in the change control program. CC ID 13119
    [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3 ¶ 2 Bullet 3]
    Operational management Establish/Maintain Documentation
    Implement changes according to the change control program. CC ID 11776
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2]
    Operational management Business Processes
    Provide audit trails for all approved changes. CC ID 13120 Operational management Establish/Maintain Documentation
    Manage the creation of products and services, as necessary. CC ID 13497
    [Consistent with a life cycle perspective, the organization shall: establish controls, as appropriate, to ensure that its environmental requirement(s) is (are) addressed in the design and development process for the product or service, considering each life cycle stage; § 8.1 ¶ 4 a)]
    Operational management Business Processes
    Define the processing specifications for products and services creation requirements. CC ID 13523 Operational management Establish/Maintain Documentation
    Define the processing activities to meet products and services creation requirements. CC ID 13499 Operational management Business Processes
    Delete age-restricted content, as necessary. CC ID 15450 Operational management Process or Activity
    Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 Operational management Establish/Maintain Documentation
    Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 Operational management Process or Activity
    Establish, implement, and maintain an environmental management system. CC ID 14945
    [The organization shall consider the knowledge gained in 4.1 and 4.2 when establishing and maintaining the environmental management system. § 4.4 ¶ 2
    Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental management system achieves its intended outcomes; § 5.1 ¶ 1 f)
    To achieve the intended outcomes, including enhancing its environmental performance, the organization shall establish, implement, maintain and continually improve an environmental management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard. § 4.4 ¶ 1
    The organization shall continually improve the suitability, adequacy and effectiveness of the environmental management system to enhance environmental performance. § 10.3 ¶ 1
    The outputs of the management review shall include: conclusions on the continuing suitability, adequacy and effectiveness of the environmental management system; § 9.3 ¶ 3 Bullet 1
    {environmental objectives}{compliance obligations} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: § 8.1 ¶ 1
    When a nonconformity occurs, the organization shall: make changes to the environmental management system, if necessary. § 10.2 ¶ 1 e)
    Top management shall review the organization's environmental management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1]
    Operational management Business Processes
    Establish, implement, and maintain environmental management system processes. CC ID 14954
    [The organization shall establish, implement and maintain the process(es) needed to meet the requirements in 6.1.1 to 6.1.4. § 6.1.1 ¶ 1
    The organization shall plan: how to: integrate and implement the actions into its environmental management system processes (see 6.2, Clause 7, Clause 8 and 9.1), or other business processes; § 6.1.4 ¶ 1 b) 1)
    {environmental objectives}{compliance obligations} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: § 8.1 ¶ 1
    {environmental objective}{compliance obligation}{operating process}The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: establishing operating criteria for the process(es); § 8.1 ¶ 1 Bullet 1]
    Operational management Process or Activity
    Include risks and opportunities in the environmental management system. CC ID 15201
    [{external and internal issues} and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: § 6.1.1 ¶ 3
    The organization shall maintain documented information of its: risks and opportunities that need to be addressed; § 6.1.1 ¶ 5 Bullet 1]
    Operational management Establish/Maintain Documentation
    Include communications in the environmental management system. CC ID 15199
    [{internal communications} The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: § 7.4.1 ¶ 1]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain environmental performance monitoring procedures. CC ID 15222
    [The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1.1 ¶ 2 b)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an approach for environmental performance monitoring. CC ID 15220
    [The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1.1 ¶ 2 e)]
    Operational management Business Processes
    Prioritize and select controls based on environmental management system requirements. CC ID 15197
    [{environmental objective}{compliance obligation}{process control}{operating standard}The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: implementing control of the process(es), in accordance with the operating criteria. § 8.1 ¶ 1 Bullet 2]
    Operational management Process or Activity
    Disseminate and communicate environmental information to interested personnel and affected parties. CC ID 15195
    [The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations. § 9.1.1 ¶ 5]
    Operational management Establish/Maintain Documentation
    Disseminate and communicate environmental requirements to interested personnel and affected parties. CC ID 15196
    [Consistent with a life cycle perspective, the organization shall: communicate its relevant environmental requirement(s) to external providers, including contractors; § 8.1 ¶ 4 c)]
    Operational management Communicate
    Include compliance obligations in the environmental management system. CC ID 15185
    [{take into account}The organization shall: take these compliance obligations into account when establishing, implementing, maintaining and continually improving its environmental management system. § 6.1.3 ¶ 1 c)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain environmental objectives. CC ID 15186
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: provides a framework for setting environmental objectives; § 5.2 ¶ 1 b)
    The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1
    {be consistent}The environmental objectives shall be: consistent with the environmental policy; § 6.2.1 ¶ 2 a)
    The organization shall maintain documented information on the environmental objectives. § 6.2.1 ¶ 3
    When planning how to achieve its environmental objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1 d)
    When planning how to achieve its environmental objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1 a)
    The environmental objectives shall be: updated as appropriate. § 6.2.1 ¶ 2 e)]
    Operational management Establish/Maintain Documentation
    Include risks and opportunities in the environmental objectives. CC ID 15188
    [The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1]
    Operational management Establish/Maintain Documentation
    Integrate environmental objectives into the business process. CC ID 15192
    [The organization shall consider how actions to achieve its environmental objectives can be integrated into the organization's business processes. § 6.2.2 ¶ 2]
    Operational management Business Processes
    Include the required resources in the environmental objectives. CC ID 15221
    [When planning how to achieve its environmental objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1 b)]
    Operational management Establish/Maintain Documentation
    Include compliance requirements in the environmental objectives. CC ID 15187
    [The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1]
    Operational management Establish/Maintain Documentation
    Disseminate and communicate the environmental objectives to interested personnel and affected parties. CC ID 15190
    [The environmental objectives shall be: communicated; § 6.2.1 ¶ 2 d)]
    Operational management Communicate
    Document the criteria used to determine the environmental aspects. CC ID 15181
    [The organization shall maintain documented information of its: criteria used to determine its significant environmental aspects; § 6.1.2 ¶ 5 Bullet 2]
    Operational management Establish/Maintain Documentation
    Take into account emergency situations when determining environmental aspects. CC ID 15180
    [When determining environmental aspects, the organization shall take into account: abnormal conditions and reasonably foreseeable emergency situations. § 6.1.2 ¶ 2 b)]
    Operational management Establish/Maintain Documentation
    Take into account abnormal conditions when determining environmental aspects. CC ID 15179
    [When determining environmental aspects, the organization shall take into account: abnormal conditions and reasonably foreseeable emergency situations. § 6.1.2 ¶ 2 b)]
    Operational management Establish/Maintain Documentation
    Include the organization's significant environmental aspects in the environmental management system. CC ID 15176
    [The organization shall maintain documented information of its: significant environmental aspects. § 6.1.2 ¶ 5 Bullet 3]
    Operational management Establish/Maintain Documentation
    Disseminate and communicate the environmental aspects to interested personnel and affected parties. CC ID 14983
    [The organization shall communicate its significant environmental aspects among the various levels and functions of the organization, as appropriate. § 6.1.2 ¶ 4]
    Operational management Communicate
    Include the environmental management system requirements in the environmental management system. CC ID 14978
    [{be effective}Top management shall demonstrate leadership and commitment with respect to the environmental management system by: communicating the importance of effective environmental management and of conforming to the environmental management system requirements; § 5.1 ¶ 1 e)
    {environmental objective}{compliance obligation}{operating process}The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: establishing operating criteria for the process(es); § 8.1 ¶ 1 Bullet 1]
    Operational management Establish/Maintain Documentation
    Include environmental impacts in the environmental management system. CC ID 15175
    [The organization shall maintain documented information of its: environmental aspects and associated environmental impacts; § 6.1.2 ¶ 5 Bullet 1]
    Operational management Establish/Maintain Documentation
    Disseminate and communicate the environmental management system to interested personnel and affected parties. CC ID 14976
    [{be effective}Top management shall demonstrate leadership and commitment with respect to the environmental management system by: communicating the importance of effective environmental management and of conforming to the environmental management system requirements; § 5.1 ¶ 1 e)]
    Operational management Communicate
    Include roles and responsibilities in the environmental management system. CC ID 14971
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1 i)
    {responsible party}When planning how to achieve its environmental objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1 c)]
    Operational management Human Resources Management
    Include a commitment to continuous improvement in the environmental management system. CC ID 14970
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: promoting continual improvement; § 5.1 ¶ 1 h)
    {external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: achieve continual improvement. § 6.1.1 ¶ 3 Bullet 3]
    Operational management Establish/Maintain Documentation
    Provide management direction and support for the environmental management system. CC ID 14968
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: directing and supporting persons to contribute to the effectiveness of the environmental management system; § 5.1 ¶ 1 g)]
    Operational management Business Processes
    Assign accountability for the effectiveness of the environmental management system. CC ID 14966
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: taking accountability for the effectiveness of the environmental management system; § 5.1 ¶ 1 a)]
    Operational management Establish Roles
    Include third party requirements in the environmental management system. CC ID 14964
    [{interested parties}{compliance obligations}When planning for the environmental management system, the organization shall consider: the requirements referred to in 4.2; § 6.1.1 ¶ 2 b)]
    Operational management Establish/Maintain Documentation
    Provide assurance that the environmental management system meets all compliance requirements. CC ID 14958
    [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: give assurance that the environmental management system can achieve its intended outcomes; § 6.1.1 ¶ 3 Bullet 1]
    Operational management Business Processes
    Include environmental conditions in the environmental management system. CC ID 14952
    [{external and internal issues}{environmental conditions}When planning for the environmental management system, the organization shall consider: the issues referred to in 4.1; § 6.1.1 ¶ 2 a)]
    Operational management Establish/Maintain Documentation
    Include the scope in the environmental management system. CC ID 14950
    [When planning for the environmental management system, the organization shall consider: the scope of its environmental management system; § 6.1.1 ¶ 2 c)
    The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. § 4.3 ¶ 1]
    Operational management Establish/Maintain Documentation
    Include emergency situations in the scope of the environmental management system. CC ID 14995
    [Within the scope of the environmental management system, the organization shall determine potential emergency situations, including those that can have an environmental impact. § 6.1.1 ¶ 4]
    Operational management Establish/Maintain Documentation
    Include the environmental impact of activities, products, and services in the scope of the environmental management system. CC ID 15184
    [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1]
    Operational management Establish/Maintain Documentation
    Include activities, products, and services in the scope of the environmental management system. CC ID 15182
    [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an environmental policy. CC ID 14947
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: § 5.2 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and the context of the organization; § 5.1 ¶ 1 b)
    The environmental policy shall: be maintained as documented information; § 5.2 ¶ 2 Bullet 1]
    Operational management Establish/Maintain Documentation
    Include continuous improvement of environmental performance in the environmental policy. CC ID 14994
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to continual improvement of the environmental management system to enhance environmental performance. § 5.2 ¶ 1 e)]
    Operational management Establish/Maintain Documentation
    Include compliance obligations in the environmental policy. CC ID 14993
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to fulfil its compliance obligations; § 5.2 ¶ 1 d)]
    Operational management Establish/Maintain Documentation
    Include a commitment to the protection of the environment in the environmental policy. CC ID 14991
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to the protection of the environment, including prevention of pollution and other specific commitment(s) relevant to the context of the organization; § 5.2 ¶ 1 c)]
    Operational management Establish/Maintain Documentation
    Include the scope in the environmental policy. CC ID 14987
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: is appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services; § 5.2 ¶ 1 a)]
    Operational management Establish/Maintain Documentation
    Include purpose and context in the environmental policy. CC ID 14985
    [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: is appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services; § 5.2 ¶ 1 a)]
    Operational management Establish/Maintain Documentation
    Tailor the environmental policy to be compatible with the organization's strategic direction. CC ID 14974
    [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and the context of the organization; § 5.1 ¶ 1 b)]
    Operational management Establish/Maintain Documentation
    Disseminate and communicate the environmental policy to all interested personnel and affected parties. CC ID 14956
    [The environmental policy shall: be communicated within the organization; § 5.2 ¶ 2 Bullet 2
    The environmental policy shall: be available to interested parties. § 5.2 ¶ 2 Bullet 3]
    Operational management Communicate
    Establish, implement, and maintain records management policies. CC ID 00903
    [{place}{time}Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3 ¶ 1 a)]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 Records management Establish/Maintain Documentation
    Establish, implement, and maintain form disposition procedures. CC ID 06394 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a record classification scheme. CC ID 00914 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a business activity classification standard. CC ID 00915 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a records authentication system. CC ID 11648 Records management Establish/Maintain Documentation
    Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662 Records management Records Management
    Establish and maintain an index of all official records. CC ID 00918 Records management Establish/Maintain Documentation
    Associate records with their security attributes. CC ID 06764 Records management Records Management
    Reconfigure the security attributes of records as the information changes. CC ID 06765 Records management Configuration
    Establish, implement, and maintain electronic signature requirements. CC ID 06219 Records management Establish/Maintain Documentation
    Implement a signature revocation service. CC ID 14417 Records management Business Processes
    Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 Records management Records Management
    Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 Records management Technical Security
    Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 Records management Technical Security
    Store records and data in accordance with organizational standards. CC ID 16439 Records management Data and Information Management
    Remove dormant data from systems, as necessary. CC ID 13726 Records management Process or Activity
    Select the appropriate format for archived data and records. CC ID 06320
    [When creating and updating documented information the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1 b)]
    Records management Data and Information Management
    Archive appropriate records, logs, and database tables. CC ID 06321 Records management Records Management
    Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 Records management Data and Information Management
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 Records management Data and Information Management
    Establish, implement, and maintain storage media retention procedures. CC ID 16277 Records management Establish/Maintain Documentation
    Determine how long to keep records and logs before disposing them. CC ID 11661 Records management Process or Activity
    Retain records in accordance with applicable requirements. CC ID 00968
    [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4
    The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.2 ¶ 3 Bullet 1
    The organization shall retain documented information as evidence of: the results of any corrective action. § 10.2 ¶ 3 Bullet 2
    The organization shall retain documented information as evidence of its communications, as appropriate. § 7.4.1 ¶ 4
    The organization shall maintain documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 5
    The organization shall retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results. § 9.1.1 ¶ 6
    The organization shall retain documented information as evidence of the compliance evaluation result(s). § 9.1.2 ¶ 3]
    Records management Records Management
    Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 Records management Records Management
    Retain all evidence of indebtedness. CC ID 11713 Records management Records Management
    Capture and maintain distribution records. CC ID 06205 Records management Records Management
    Capture and maintain Device Master Records. CC ID 06206 Records management Records Management
    Capture and maintain Device History Records. CC ID 06207 Records management Records Management
    Capture and maintain Quality System Records. CC ID 06208 Records management Records Management
    Capture and maintain logs as official records. CC ID 06319 Records management Log Management
    Capture and maintain all business records, including supporting temporary files. CC ID 06622 Records management Establish/Maintain Documentation
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 Records management Establish/Maintain Documentation
    Supervise media destruction in accordance with organizational standards. CC ID 16456 Records management Business Processes
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 Records management Data and Information Management
    Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 Records management Data and Information Management
    Degauss as a method of sanitizing electronic storage media. CC ID 00973 Records management Records Management
    Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 Records management Process or Activity
    Use approved media sanitization equipment for destruction. CC ID 16459 Records management Business Processes
    Define each system's disposition requirements for records and logs. CC ID 11651 Records management Process or Activity
    Establish, implement, and maintain records disposition procedures. CC ID 00971
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 Bullet 4]
    Records management Establish/Maintain Documentation
    Manage the disposition status for all records. CC ID 00972 Records management Records Management
    Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 Records management Data and Information Management
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 Records management Records Management
    Place printed records awaiting destruction into secure containers. CC ID 12464 Records management Physical and Environmental Protection
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Records management Physical and Environmental Protection
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Records management Data and Information Management
    Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 Records management Establish/Maintain Documentation
    Maintain disposal records or redeployment records. CC ID 01644 Records management Establish/Maintain Documentation
    Include the name of the signing officer in the disposal record. CC ID 15710 Records management Establish/Maintain Documentation
    Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 Records management Establish/Maintain Documentation
    Include transfer agreements in the secure record transaction standards. CC ID 14821 Records management Establish/Maintain Documentation
    Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 Records management Establish/Maintain Documentation
    Include receipt of electronic records in the transfer agreement. CC ID 14822 Records management Establish/Maintain Documentation
    Include standards for each data element in the secure record transaction standard. CC ID 06094 Records management Establish/Maintain Documentation
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Establish/Maintain Documentation
    Protect records from loss in accordance with applicable requirements. CC ID 12007
    [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). § 7.5.3 ¶ 1 b)]
    Records management Records Management
    Establish, implement, and maintain authorization records. CC ID 14367 Records management Establish/Maintain Documentation
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Records management Establish/Maintain Documentation
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Records management Establish/Maintain Documentation
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic health records. CC ID 14436 Records management Data and Information Management
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Records management Data and Information Management
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records management Records Management
    Display required information automatically in electronic health records. CC ID 14442 Records management Process or Activity
    Create summary of care records in accordance with applicable standards. CC ID 14440 Records management Establish/Maintain Documentation
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Records management Actionable Reports or Measurements
    Create export summaries, as necessary. CC ID 14446 Records management Process or Activity
    Import data files into a patient's electronic health record. CC ID 14448 Records management Data and Information Management
    Export requested sections of the electronic health record. CC ID 14447 Records management Data and Information Management
    Establish and maintain an implantable device list. CC ID 14444 Records management Records Management
    Display the implantable device list to authorized users. CC ID 14445 Records management Data and Information Management
    Establish, implement, and maintain decision support interventions. CC ID 14443 Records management Business Processes
    Include attributes in the decision support intervention. CC ID 16766 Records management Data and Information Management
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records management Records Management
    Log the termination date in the recordkeeping system. CC ID 16181 Records management Records Management
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records management Records Management
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records management Records Management
    Log records as being received into the recordkeeping system. CC ID 11696 Records management Records Management
    Log the date and time each item is received into the recordkeeping system. CC ID 11709 Records management Log Management
    Log the date and time each item is made available into the recordkeeping system. CC ID 11710 Records management Log Management
    Log the number of routine items received into the recordkeeping system. CC ID 11701 Records management Establish/Maintain Documentation
    Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 Records management Log Management
    Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 Records management Log Management
    Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 Records management Log Management
    Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 Records management Log Management
    Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 Records management Log Management
    Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 Records management Log Management
    Log the number of non-routine items received into the recordkeeping system. CC ID 11706 Records management Log Management
    Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 Records management Log Management
    Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 Records management Log Management
    Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 Records management Log Management
    Log performance monitoring into the recordkeeping system. CC ID 11724 Records management Log Management
    Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 Records management Log Management
    Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 Records management Log Management
    Establish, implement, and maintain a transfer journal. CC ID 11729 Records management Records Management
    Log any notices filed by the organization into the recordkeeping system. CC ID 11725 Records management Log Management
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Records management Log Management
    Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 Records management Log Management
    Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 Records management Log Management
    Provide a receipt of records logged into the recordkeeping system. CC ID 11697 Records management Records Management
    Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 Records management Log Management
    Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 Records management Log Management
    Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 Records management Log Management
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931
    [When creating and updating documented information the organization should ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1 b)]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain security label procedures. CC ID 06747 Records management Establish/Maintain Documentation
    Label restricted storage media appropriately. CC ID 00966 Records management Data and Information Management
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Records management Establish/Maintain Documentation
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Establish/Maintain Documentation
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Establish/Maintain Documentation
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Establish/Maintain Documentation
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Establish/Maintain Documentation
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Establish/Maintain Documentation
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Data and Information Management
    Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Records management Technical Security
    Establish the minimum originator requirements for security labels. CC ID 06579 Records management Establish/Maintain Documentation
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Records management Establish/Maintain Documentation
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Records management Establish/Maintain Documentation
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Records management Establish/Maintain Documentation
    Establish and maintain access controls for all records. CC ID 00371
    [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 Bullet 1]
    Records management Records Management
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Records management Data and Information Management
    Establish, implement, and maintain a records lifecycle management program. CC ID 00951 Records management Establish/Maintain Documentation
    Establish, implement, and maintain an information preservation policy. CC ID 16483 Records management Establish/Maintain Documentation
    Establish, implement, and maintain information preservation procedures. CC ID 06277
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3 ¶ 2 Bullet 2]
    Records management Establish/Maintain Documentation
    Implement and maintain high availability storage, as necessary. CC ID 00952 Records management Technical Security
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records management Records Management
    Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 Records management Records Management
    Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 Records management Records Management
    Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Records management Establish/Maintain Documentation
    Establish, implement, and maintain online storage controls. CC ID 00942 Records management Technical Security
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943
    [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3 ¶ 2 Bullet 2]
    Records management Records Management
    Provide encryption for different types of electronic storage media. CC ID 00945 Records management Technical Security
    Implement electronic storage media integrity controls. CC ID 00946 Records management Configuration
    Automate electronic storage media integrity check controls. CC ID 00948 Records management Configuration
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Records management Configuration
    Establish, implement, and maintain a removable storage media log. CC ID 12317 Records management Log Management
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Records management Establish/Maintain Documentation
    Include the date and time in the removable storage media log. CC ID 12318 Records management Establish/Maintain Documentation
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Records management Establish/Maintain Documentation
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Records management Establish/Maintain Documentation
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Records management Establish/Maintain Documentation
    Include the sender's name in the removable storage media log. CC ID 12752 Records management Establish/Maintain Documentation
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Records management Establish/Maintain Documentation
    Include the reason for transfer in the removable storage media log. CC ID 12316 Records management Establish/Maintain Documentation
    Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 Records management Process or Activity
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Records management Establish/Maintain Documentation
    Establish, implement, and maintain output distribution procedures. CC ID 00927
    [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 Bullet 1]
    Records management Establish/Maintain Documentation
    Include printed output in output distribution procedures. CC ID 13477 Records management Establish/Maintain Documentation
    Establish, implement, and maintain document retention procedures. CC ID 11660
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 Bullet 4
    The organization shall retain documented information as evidence of: § 10.2 ¶ 3]
    Records management Establish/Maintain Documentation
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a product and services acquisition program. CC ID 01136
    [Consistent with a life cycle perspective, the organization shall: determine its environmental requirement(s) for the procurement of products and services, as appropriate; § 8.1 ¶ 4 b)]
    Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Obtain authorization for marketing new products. CC ID 16805 Acquisition or sale of facilities, technology, and services Business Processes
    Include compliance requirements in the product and services acquisition policy. CC ID 14163 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include management commitment in the product and services acquisition policy. CC ID 14161 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include the scope in the product and services acquisition policy. CC ID 14159 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include the purpose in the product and services acquisition policy. CC ID 14158 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 Acquisition or sale of facilities, technology, and services Communicate
    Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 Acquisition or sale of facilities, technology, and services Communicate
    Establish, implement, and maintain acquisition approval requirements. CC ID 13704 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 Acquisition or sale of facilities, technology, and services Communicate
    Include preventive maintenance contracts in system acquisition contracts. CC ID 06658 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Sign a forfeiture statement acknowledging unapproved Personal Electronic Devices will be confiscated. CC ID 11667 Acquisition or sale of facilities, technology, and services Physical and Environmental Protection
    Include chain of custody procedures in the product and services acquisition program. CC ID 10058 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain organizational documents. CC ID 16202 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Organize all compliance documents. CC ID 06096 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Organize all compliance documents to fit the message. CC ID 06097 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Define the structure for compliance documents and governance documents. CC ID 06111
    [When creating and updating documented information the organization shall ensure appropriate: identification and description (e.g. a title, date, author, or reference number); § 7.5.2 ¶ 1 a)]
    Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Subordinate the structure of the compliance document to fit the topic. CC ID 06109 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Define visual and formatting styles for all structured headings. CC ID 06110 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Define the section heading style, if section headings are being used. CC ID 06112 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Use a table of contents to show sections and headings, if section headings are being used. CC ID 06113 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Place the table of contents at the document's beginning. CC ID 06114 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Add term definitions to the document's end. CC ID 06115 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Review the supply chain's service delivery on a regular basis. CC ID 12010 Third Party and supply chain oversight Business Processes
    Identify red flags in the supply chain. CC ID 08873 Third Party and supply chain oversight Business Processes
    Detect red flags in the supply chain. CC ID 08874 Third Party and supply chain oversight Business Processes
    Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 Third Party and supply chain oversight Business Processes
    Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 Third Party and supply chain oversight Business Processes
    Establish and maintain an interactive map of third party red flag locations. CC ID 08876 Third Party and supply chain oversight Business Processes
    Collect information on red-flagged supply chains. CC ID 08877 Third Party and supply chain oversight Business Processes