0003329
ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition
International Organization for Standardization
International or National Standard
For Purchase
ISO 14001:2015
ISO 14001:2015 - Environmental management systems — Requirements with guidance for use
2015-09-15
The document as a whole was last reviewed and released on 2021-08-30T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure that the quality of the mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. By virtue of those Citations and Mandates being tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition, tagged with its primary and secondary nouns and primary and secondary verbs, in four-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), within its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized versions of the terms.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.
Common Control (with mapped ISO 14001:2015 citations in brackets) | TYPE | CLASS | |
---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain a product and services acquisition program. CC ID 01136 [Consistent with a life cycle perspective, the organization shall: determine its environmental requirement(s) for the procurement of products and services, as appropriate; § 8.1 ¶ 4 b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 | Establish/Maintain Documentation | Preventive | |
Obtain authorization for marketing new products. CC ID 16805 | Business Processes | Preventive | |
Include compliance requirements in the product and services acquisition policy. CC ID 14163 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the product and services acquisition policy. CC ID 14161 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 | Establish/Maintain Documentation | Preventive | |
Include the scope in the product and services acquisition policy. CC ID 14159 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the product and services acquisition policy. CC ID 14158 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 | Communicate | Preventive | |
Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 | Communicate | Preventive | |
Establish, implement, and maintain acquisition approval requirements. CC ID 13704 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 | Communicate | Preventive | |
Include preventive maintenance contracts in system acquisition contracts. CC ID 06658 | Establish/Maintain Documentation | Preventive | |
Prohibit the use of Personal Electronic Devices, absent approval. CC ID 04599 | Behavior | Detective | |
Sign a forfeiture statement acknowledging unapproved Personal Electronic Devices will be confiscated. CC ID 11667 | Physical and Environmental Protection | Preventive | |
Include chain of custody procedures in the product and services acquisition program. CC ID 10058 | Acquisition/Sale of Assets or Services | Preventive | |
Review and update the acquisition contracts, as necessary. CC ID 14279 | Acquisition/Sale of Assets or Services | Corrective | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.
Common Control (with mapped ISO 14001:2015 citations in brackets) | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Establish Roles | Preventive | |
Manage supply chain audits. CC ID 01203 | Audits and Risk Management | Preventive | |
Review the external auditor's involvement in assessing Information Technology controls. CC ID 01204 | Audits and Risk Management | Preventive | |
Rotate auditors, as necessary. CC ID 15589 | Audits and Risk Management | Preventive | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 | Establish Roles | Preventive | |
Assign the Board of Directors to address audit findings. CC ID 12396 | Human Resources Management | Corrective | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Establish Roles | Preventive | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Establish Roles | Preventive | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [The organization shall: ensure that the results of the audits are reported to relevant management. § 9.2.2 ¶ 3 c)] | Testing | Detective | |
Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Establish Roles | Preventive | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Establish Roles | Preventive | |
Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Establish Roles | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Establish Roles | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and Risk Management | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Establish/Maintain Documentation | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Establish/Maintain Documentation | Preventive | |
Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Establish/Maintain Documentation | Preventive | |
Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Establish/Maintain Documentation | Preventive | |
Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Establish/Maintain Documentation | Preventive | |
Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Establish/Maintain Documentation | Preventive | |
Review the external audit scope, as necessary. CC ID 01202 | Audits and Risk Management | Preventive | |
Review the external audit assertion for accuracy. CC ID 06977 | Testing | Detective | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 | Testing | Detective | |
Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and Risk Management | Detective | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Establish/Maintain Documentation | Preventive | |
Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Establish/Maintain Documentation | Preventive | |
Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Establish/Maintain Documentation | Preventive | |
Review the external auditor's qualifications. CC ID 01197 | Audits and Risk Management | Preventive | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and Risk Management | Preventive | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Establish/Maintain Documentation | Preventive | |
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Establish/Maintain Documentation | Preventive | |
Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Behavior | Preventive | |
Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Behavior | Preventive | |
Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Establish/Maintain Documentation | Preventive | |
Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Establish/Maintain Documentation | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 3 b)] | Establish Roles | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and Risk Management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and Risk Management | Detective | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2] | Behavior | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 | Establish/Maintain Documentation | Preventive | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and Risk Management | Preventive | |
Establish and maintain audit terms. CC ID 13880 | Establish/Maintain Documentation | Preventive | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Process or Activity | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Establish/Maintain Documentation | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Establish/Maintain Documentation | Preventive | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and Risk Management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and Risk Management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and Risk Management | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and Risk Management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and Risk Management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and Risk Management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and Risk Management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Establish/Maintain Documentation | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Establish/Maintain Documentation | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Establish/Maintain Documentation | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and Risk Management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Establish/Maintain Documentation | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Establish/Maintain Documentation | Preventive | |
Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Establish/Maintain Documentation | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Establish/Maintain Documentation | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Establish/Maintain Documentation | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Establish/Maintain Documentation | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Establish/Maintain Documentation | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Establish/Maintain Documentation | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Establish/Maintain Documentation | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Establish/Maintain Documentation | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Establish/Maintain Documentation | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Establish/Maintain Documentation | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Establish/Maintain Documentation | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Establish/Maintain Documentation | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Establish/Maintain Documentation | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Establish/Maintain Documentation | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Establish/Maintain Documentation | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Establish/Maintain Documentation | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Establish/Maintain Documentation | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Establish/Maintain Documentation | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Establish/Maintain Documentation | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and Risk Management | Detective | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Establish/Maintain Documentation | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Establish/Maintain Documentation | Preventive | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and Risk Management | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Business Processes | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and Risk Management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and Risk Management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 3 a)] | Establish/Maintain Documentation | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 | Establish/Maintain Documentation | Preventive | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Investigate | Preventive | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Establish/Maintain Documentation | Preventive | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Establish/Maintain Documentation | Preventive | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Establish/Maintain Documentation | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and Risk Management | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Establish/Maintain Documentation | Preventive | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and Risk Management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Establish/Maintain Documentation | Preventive | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Establish/Maintain Documentation | Preventive | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Establish/Maintain Documentation | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and Risk Management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Establish/Maintain Documentation | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Establish/Maintain Documentation | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Establish/Maintain Documentation | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Establish/Maintain Documentation | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Establish/Maintain Documentation | Preventive | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Establish/Maintain Documentation | Preventive | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Establish/Maintain Documentation | Preventive | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Establish/Maintain Documentation | Preventive | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Establish/Maintain Documentation | Preventive | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Establish/Maintain Documentation | Preventive | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Establish/Maintain Documentation | Preventive | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Establish/Maintain Documentation | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Establish/Maintain Documentation | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Establish/Maintain Documentation | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Establish/Maintain Documentation | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Establish/Maintain Documentation | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Establish/Maintain Documentation | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Establish/Maintain Documentation | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Establish/Maintain Documentation | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Establish/Maintain Documentation | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Establish/Maintain Documentation | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Establish/Maintain Documentation | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Establish/Maintain Documentation | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Establish/Maintain Documentation | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Establish/Maintain Documentation | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Establish/Maintain Documentation | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Establish/Maintain Documentation | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Establish/Maintain Documentation | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Establish/Maintain Documentation | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Establish/Maintain Documentation | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Establish/Maintain Documentation | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Communicate | Preventive | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Establish/Maintain Documentation | Preventive | |
Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Establish/Maintain Documentation | Preventive | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 3 a)] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Establish/Maintain Documentation | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Establish/Maintain Documentation | Corrective | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Communicate | Preventive | |
Include materiality levels in the audit terms. CC ID 01238 | Establish/Maintain Documentation | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Establish/Maintain Documentation | Preventive | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Establish/Maintain Documentation | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Business Processes | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and Risk Management | Detective | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Business Processes | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Behavior | Preventive | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and Risk Management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 3 b) The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: § 9.2.1 ¶ 1] | Audits and Risk Management | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [The organization shall retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2.2 ¶ 4] | Actionable Reports or Measurements | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Establish/Maintain Documentation | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Establish/Maintain Documentation | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Establish/Maintain Documentation | Preventive | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Records Management | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 [The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: conforms to: the requirements of this International Standard; § 9.2.1 ¶ 1 a) 2) The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: conforms to: the organization's own requirements for its environmental management system; § 9.2.1 ¶ 1 a) 1)] | Audits and Risk Management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
Audit information systems, as necessary. CC ID 13010 | Investigate | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Testing | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Testing | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
Edit the audit assertion for accuracy. CC ID 07030 | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Testing | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and Risk Management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 [{be effective} The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: is effectively implemented and maintained. § 9.2.1 ¶ 1 b)] | Audits and Risk Management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Testing | Detective | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Establish/Maintain Documentation | Preventive | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Testing | Preventive | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and Risk Management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and Risk Management | Preventive | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and Risk Management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Communicate | Preventive | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Testing | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
Conduct interviews, as necessary. CC ID 07188 | Testing | Detective | |
Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
Allow the interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Behavior | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
Establish and maintain work papers, as necessary. CC ID 13891 | Establish/Maintain Documentation | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Establish/Maintain Documentation | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and Risk Management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Establish/Maintain Documentation | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Establish/Maintain Documentation | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Establish/Maintain Documentation | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Establish/Maintain Documentation | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and Risk Management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and Risk Management | Preventive | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Testing | Detective | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Establish/Maintain Documentation | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Establish/Maintain Documentation | Preventive | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Testing | Detective | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Monitor and Evaluate Occurrences | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Establish Roles | Preventive | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Business Processes | Preventive | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Monitor and Evaluate Occurrences | Preventive | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Business Processes | Preventive | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Process or Activity | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a practitioner's report on agreed-upon procedures. CC ID 13894 | Establish/Maintain Documentation | Preventive | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 | Audits and Risk Management | Preventive | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Investigate | Detective | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Business Processes | Preventive | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and Risk Management | Corrective | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and Risk Management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Establish/Maintain Documentation | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Establish/Maintain Documentation | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Establish/Maintain Documentation | Detective | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and Risk Management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 | Establish/Maintain Documentation | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Establish/Maintain Documentation | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Human Resources Management | Detective | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Establish/Maintain Documentation | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Establish/Maintain Documentation | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Establish/Maintain Documentation | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Establish/Maintain Documentation | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Establish/Maintain Documentation | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Establish/Maintain Documentation | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Establish/Maintain Documentation | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Establish/Maintain Documentation | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Establish/Maintain Documentation | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Establish/Maintain Documentation | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 | Actionable Reports or Measurements | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 | Actionable Reports or Measurements | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Actionable Reports or Measurements | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Establish/Maintain Documentation | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Establish/Maintain Documentation | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Establish/Maintain Documentation | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Establish/Maintain Documentation | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Actionable Reports or Measurements | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Establish/Maintain Documentation | Preventive | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Establish/Maintain Documentation | Preventive | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Establish/Maintain Documentation | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Establish/Maintain Documentation | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Establish/Maintain Documentation | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Establish/Maintain Documentation | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Establish/Maintain Documentation | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Establish/Maintain Documentation | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Establish/Maintain Documentation | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Establish/Maintain Documentation | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Establish/Maintain Documentation | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Establish/Maintain Documentation | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Establish/Maintain Documentation | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Establish/Maintain Documentation | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Establish/Maintain Documentation | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Establish/Maintain Documentation | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and Risk Management | Preventive | |
Refrain from referencing other auditors' work in the audit report. CC ID 13881 | Establish/Maintain Documentation | Preventive | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Establish/Maintain Documentation | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and Risk Management | Detective | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Establish/Maintain Documentation | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Establish/Maintain Documentation | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Establish/Maintain Documentation | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Establish/Maintain Documentation | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Establish/Maintain Documentation | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Establish/Maintain Documentation | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Establish/Maintain Documentation | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and Risk Management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Establish/Maintain Documentation | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Establish/Maintain Documentation | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Actionable Reports or Measurements | Preventive | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Establish/Maintain Documentation | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Establish/Maintain Documentation | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Establish/Maintain Documentation | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Establish/Maintain Documentation | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and Risk Management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Establish/Maintain Documentation | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and Risk Management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and Risk Management | Detective | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Establish/Maintain Documentation | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and Risk Management | Detective | |
Review past audit reports. CC ID 01155 [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2 The management review shall include consideration of: information on the organization's environmental performance, including trends in: audit results; § 9.3 ¶ 2 d) 4)] | Establish/Maintain Documentation | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Establish/Maintain Documentation | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Establish/Maintain Documentation | Detective | |
Resolve disputes before creating the audit summary. CC ID 08964 | Behavior | Preventive | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Establish/Maintain Documentation | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Establish/Maintain Documentation | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Establish/Maintain Documentation | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Establish/Maintain Documentation | Corrective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Investigate | Detective | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Process or Activity | Detective | |
Include an audit opinion in the audit report. CC ID 07017 | Establish/Maintain Documentation | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Establish/Maintain Documentation | Preventive | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Establish/Maintain Documentation | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Establish/Maintain Documentation | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Establish/Maintain Documentation | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Business Processes | Corrective | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Establish/Maintain Documentation | Preventive | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Establish/Maintain Documentation | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Establish/Maintain Documentation | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Establish/Maintain Documentation | Preventive | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Establish/Maintain Documentation | Preventive | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Establish/Maintain Documentation | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Establish/Maintain Documentation | Preventive | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Establish/Maintain Documentation | Preventive | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Establish/Maintain Documentation | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Establish/Maintain Documentation | Corrective | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Actionable Reports or Measurements | Preventive | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Establish/Maintain Documentation | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Human Resources Management | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Log Management | Detective | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Behavior | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Establish/Maintain Documentation | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Establish/Maintain Documentation | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Establish/Maintain Documentation | Detective | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Business Processes | Preventive | |
Submit an audit report that is complete. CC ID 01145 | Testing | Detective | |
Accept the audit report. CC ID 07025 | Establish/Maintain Documentation | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2] | Establish/Maintain Documentation | Corrective | |
Assign responsibility for remediation actions. CC ID 13622 | Human Resources Management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Actionable Reports or Measurements | Corrective | |
Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and Risk Management | Detective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Establish/Maintain Documentation | Preventive | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Testing | Detective | |
Evaluate the competency of auditors. CC ID 15253 | Human Resources Management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and Risk Management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Testing | Detective | |
Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Harmonization Methods and Manual of Style CC ID 06095 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain organizational documents. CC ID 16202 | Establish/Maintain Documentation | Preventive | |
Organize all compliance documents. CC ID 06096 | Establish/Maintain Documentation | Preventive | |
Organize all compliance documents to fit the message. CC ID 06097 | Establish/Maintain Documentation | Preventive | |
Define the structure for compliance documents and governance documents. CC ID 06111 [When creating and updating documented information the organization shall ensure appropriate: identification and description (e.g. a title, date, author, or reference number); § 7.5.2 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Subordinate the structure of the compliance document to fit the topic. CC ID 06109 | Establish/Maintain Documentation | Preventive | |
Define visual and formatting styles for all structured headings. CC ID 06110 | Establish/Maintain Documentation | Preventive | |
Define the section heading style, if section headings are being used. CC ID 06112 | Establish/Maintain Documentation | Preventive | |
Use a table of contents to show sections and headings, if section headings are being used. CC ID 06113 | Establish/Maintain Documentation | Preventive | |
Place the table of contents at the document's beginning. CC ID 06114 | Establish/Maintain Documentation | Preventive | |
Add term definitions to the document's end. CC ID 06115 | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. § 5.3 ¶ 1] | Establish Roles | Preventive | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Establish Roles | Preventive | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources Management | Preventive | |
Define the scope for the security operations center. CC ID 15713 | Establish/Maintain Documentation | Preventive | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources Management | Preventive | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Behavior | Preventive | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources Management | Preventive | |
Define and assign the Board of Directors' roles and responsibilities and senior management's roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Establish Roles | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources Management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Establish/Maintain Documentation | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources Management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Establish/Maintain Documentation | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Establish/Maintain Documentation | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources Management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Establish Roles | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources Management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources Management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources Management | Corrective | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources Management | Preventive | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources Management | Preventive | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Establish/Maintain Documentation | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources Management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources Management | Preventive | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources Management | Preventive | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Establish Roles | Preventive | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources Management | Preventive | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Establish Roles | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources Management | Preventive | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Establish Roles | Preventive | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Establish Roles | Preventive | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources Management | Preventive | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Establish Roles | Preventive | |
Define and assign the security staff roles and responsibilities. CC ID 11750 | Establish/Maintain Documentation | Preventive | |
Define and assign the authorized representatives' roles and responsibilities. CC ID 15033 | Human Resources Management | Preventive | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Establish Roles | Preventive | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Establish Roles | Preventive | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Establish Roles | Preventive | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Establish Roles | Preventive | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Establish/Maintain Documentation | Preventive | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Establish Roles | Preventive | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources Management | Preventive | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources Management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources Management | Preventive | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources Management | Preventive | |
Assign a contact person to all business units. CC ID 07144 | Establish Roles | Preventive | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Business Processes | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources Management | Preventive | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources Management | Preventive | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources Management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1 b)] | Testing | Detective | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources Management | Detective | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Establish Roles | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources Management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources Management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Establish/Maintain Documentation | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources Management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources Management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources Management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Establish/Maintain Documentation | Detective | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Establish Roles | Preventive | |
Evaluate the staffing requirements regularly. CC ID 00775 [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; § 7.2 ¶ 1 a)] | Business Processes | Detective | |
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; § 7.2 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 | Human Resources Management | Preventive | |
Establish and maintain an annual report on compensation. CC ID 14801 | Establish/Maintain Documentation | Preventive | |
Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Communicate | Preventive | |
Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Establish/Maintain Documentation | Preventive | |
Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Establish/Maintain Documentation | Preventive | |
Refrain from using employees' privacy choices to restrict employment. CC ID 12425 | Human Resources Management | Preventive | |
Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources Management | Preventive | |
Use rewards and career development to motivate personnel. CC ID 06906 | Behavior | Preventive | |
Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 | Human Resources Management | Preventive | |
Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 | Human Resources Management | Preventive | |
Establish, implement, and maintain job applications. CC ID 16180 | Establish/Maintain Documentation | Preventive | |
Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources Management | Preventive | |
Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources Management | Preventive | |
Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources Management | Preventive | |
Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources Management | Preventive | |
Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources Management | Preventive | |
Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources Management | Preventive | |
Include a space for the start date on the job application. CC ID 16187 | Human Resources Management | Preventive | |
Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources Management | Preventive | |
Approve the wording of job applications. CC ID 16182 | Human Resources Management | Preventive | |
Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources Management | Preventive | |
Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources Management | Preventive | |
Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources Management | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. § 7.2 ¶ 1 d)] | Behavior | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Business Processes | Preventive | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources Management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Establish/Maintain Documentation | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Establish/Maintain Documentation | Preventive | |
Submit applications for professional certification. CC ID 16192 | Training | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 | Behavior | Preventive | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Behavior | Preventive | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Behavior | Preventive | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Behavior | Preventive | |
Document all training in a training record. CC ID 01423 [The organization shall retain appropriate documented information as evidence of competence. § 7.2 ¶ 2] | Establish/Maintain Documentation | Detective | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Behavior | Preventive | |
Conduct tests and evaluate training. CC ID 06672 [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. § 7.2 ¶ 1 d)] | Testing | Detective | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources Management | Preventive | |
Review the current published guidance and awareness and training programs. CC ID 01245 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 [The organization shall: determine training needs associated with its environmental aspects and its environmental management system; § 7.2 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Training | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Training | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Training | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Training | Detective | |
Develop or acquire content to update the training plans. CC ID 12867 | Training | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Training | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Establish/Maintain Documentation | Preventive | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources Management | Preventive | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Training | Preventive | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources Management | Preventive | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Training | Preventive | |
Include risk management in the training plan, as necessary. CC ID 13040 | Training | Preventive | |
Conduct Archives and Records Management training. CC ID 00975 | Behavior | Preventive | |
Conduct personal data processing training. CC ID 13757 | Training | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Training | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Establish/Maintain Documentation | Preventive | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Establish/Maintain Documentation | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Establish/Maintain Documentation | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Establish/Maintain Documentation | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources Management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Establish/Maintain Documentation | Preventive | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 [The organization shall ensure that persons doing work under the organization's control are aware of: the environmental policy; § 7.3 ¶ 1 a) The organization shall ensure that persons doing work under the organization's control are aware of: the significant environmental aspects and related actual or potential environmental impacts associated with their work; § 7.3 ¶ 1 b) The organization shall ensure that persons doing work under the organization's control are aware of: their contribution to the effectiveness of the environmental management system, including the benefits of enhanced environmental performance; § 7.3 ¶ 1 c) The organization shall ensure that persons doing work under the organization's control are aware of: the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. § 7.3 ¶ 1 d)] | Establish/Maintain Documentation | Preventive | |
Conduct secure coding and development training for developers. CC ID 06822 | Behavior | Corrective | |
Conduct tampering prevention training. CC ID 11875 | Training | Preventive | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Training | Preventive | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Training | Preventive | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Training | Preventive | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Training | Preventive | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Training | Preventive | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Training | Preventive | |
Conduct crime prevention training. CC ID 06350 | Behavior | Preventive | |
Analyze and evaluate training records to improve the training program. CC ID 06380 | Monitor and Evaluate Occurrences | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 [Top management shall assign the responsibility and authority for: reporting on the performance of the environmental management system, including environmental performance, to top management. § 5.3 ¶ 2 b)] | Business Processes | Preventive | |
Establish, implement, and maintain communication protocols. CC ID 12245 [When establishing its communication process(es), the organization shall: take into account its compliance obligations; § 7.4.1 ¶ 2 Bullet 1 {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: on what it will communicate; § 7.4.1 ¶ 1 a) {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: when to communicate; § 7.4.1 ¶ 1 b) {subject}{internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: with whom to communicate; § 7.4.1 ¶ 1 c) {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: how to communicate. § 7.4.1 ¶ 1 d) {be relevant} The organization shall respond to relevant communications on its environmental management system. § 7.4.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 [When establishing its communication process(es), the organization shall: ensure that environmental information communicated is consistent with information generated within the environmental management system, and is reliable. § 7.4.1 ¶ 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 [{internal communication}The organization shall: ensure its communication process(es) enable(s) persons doing work under the organization's control to contribute to continual improvement. § 7.4.2 ¶ 1 b)] | Process or Activity | Detective | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Establish/Maintain Documentation | Preventive | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Communicate | Preventive | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 [The management review shall include consideration of: changes in: the needs and expectations of interested parties, including compliance obligations; § 9.3 ¶ 2 b) 2) The management review shall include consideration of: relevant communication(s) from interested parties, including complaints; § 9.3 ¶ 2 f)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Communicate | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Process or Activity | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Communicate | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Communicate | Preventive | |
Route notifications, as necessary. CC ID 12832 | Process or Activity | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Process or Activity | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Business Processes | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Process or Activity | Preventive | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Actionable Reports or Measurements | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Communicate | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Process or Activity | Preventive | |
Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Process or Activity | Preventive | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Establish/Maintain Documentation | Preventive | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 | Business Processes | Preventive | |
Include transactions and events as a part of internal reporting. CC ID 12413 | Business Processes | Preventive | |
Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Communicate | Preventive | |
Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Establish/Maintain Documentation | Preventive | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Establish/Maintain Documentation | Preventive | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Communicate | Preventive | |
Provide identifying information about the organization to the responsible party. CC ID 16715 | Communicate | Preventive | |
Identify the material topics required to be reported on. CC ID 15654 | Business Processes | Preventive | |
Check the list of material topics for completeness. CC ID 15692 | Investigate | Preventive | |
Prioritize material topics used in reporting. CC ID 15678 | Communicate | Preventive | |
Review and approve the material topics, as necessary. CC ID 15670 | Process or Activity | Preventive | |
Define the thresholds for reporting in the external reporting program. CC ID 15679 | Establish/Maintain Documentation | Preventive | |
Include time requirements in the external reporting program. CC ID 16566 | Communicate | Preventive | |
Include information about the organizational culture in the external reporting program. CC ID 15610 | Establish/Maintain Documentation | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Communicate | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Communicate | Preventive | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Establish/Maintain Documentation | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Establish/Maintain Documentation | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Establish/Maintain Documentation | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; § 6.1.1 ¶ 3 Bullet 2 When determining this scope, the organization shall consider: its activities, products and services; § 4.3 ¶ 2 d) The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization. § 4.1 ¶ 1] | Monitor and Evaluate Occurrences | Preventive | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 [The organization shall determine: which of these needs and expectations become its compliance obligations. § 4.2 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Analyze the business environment in which the organization operates. CC ID 12798 [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2] | Business Processes | Preventive | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Process or Activity | Preventive | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Process or Activity | Preventive | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Process or Activity | Preventive | |
Include resources in the analysis of the internal business environment. CC ID 12942 [The management review shall include consideration of: adequacy of resources; § 9.3 ¶ 2 e)] | Process or Activity | Preventive | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Process or Activity | Preventive | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Process or Activity | Preventive | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 [When determining this scope, the organization shall consider: its organizational units, functions and physical boundaries; § 4.3 ¶ 2 c)] | Process or Activity | Preventive | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Process or Activity | Preventive | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Process or Activity | Preventive | |
Align assets with business functions and the business environment. CC ID 13681 | Business Processes | Preventive | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Communicate | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Monitor and Evaluate Occurrences | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization. § 4.1 ¶ 1] | Business Processes | Preventive | |
Identify the external forces that may affect organizational objectives. CC ID 12960 | Process or Activity | Preventive | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Monitor and Evaluate Occurrences | Preventive | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring the integration of the environmental management system requirements into the organization's business processes; § 5.1 ¶ 1 c)] | Business Processes | Preventive | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 [The management review shall include consideration of: changes in: the needs and expectations of interested parties, including compliance obligations; § 9.3 ¶ 2 b) 2)] | Monitor and Evaluate Occurrences | Preventive | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Business Processes | Preventive | |
Include society in the analysis of the external environment. CC ID 12963 | Business Processes | Preventive | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Business Processes | Preventive | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Business Processes | Preventive | |
Include industry forces in the analysis of the external environment. CC ID 12904 | Business Processes | Preventive | |
Include threats in the analysis of the external environment. CC ID 12898 | Business Processes | Preventive | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Business Processes | Preventive | |
Include legal requirements in the analysis of the external environment. CC ID 12896 | Business Processes | Preventive | |
Include technology in the analysis of the external environment. CC ID 12837 | Business Processes | Preventive | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 | Business Processes | Preventive | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 | Business Processes | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Establish/Maintain Documentation | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Process or Activity | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 | Process or Activity | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Process or Activity | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Business Processes | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Business Processes | Preventive | |
Prioritize organizational objectives. CC ID 09960 | Business Processes | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Business Processes | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Communicate | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Establish/Maintain Documentation | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Establish/Maintain Documentation | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Establish/Maintain Documentation | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Establish/Maintain Documentation | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Establish/Maintain Documentation | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Establish/Maintain Documentation | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Establish/Maintain Documentation | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Establish/Maintain Documentation | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Communicate | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Communicate | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [The management review shall include consideration of: changes in: external and internal issues that are relevant to the environmental management system; § 9.3 ¶ 2 b) 1)] | Establish/Maintain Documentation | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Business Processes | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Process or Activity | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Process or Activity | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Business Processes | Preventive | |
Identify all interested personnel and affected parties. CC ID 12845 [The organization shall determine: the interested parties that are relevant to the environmental management system; § 4.2 ¶ 1 a)] | Process or Activity | Detective | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Process or Activity | Preventive | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [The organization shall determine: the relevant needs and expectations (i.e. requirements) of these interested parties; § 4.2 ¶ 1 b)] | Business Processes | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 | Establish/Maintain Documentation | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Establish/Maintain Documentation | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Establish/Maintain Documentation | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Establish/Maintain Documentation | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Establish/Maintain Documentation | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Establish/Maintain Documentation | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Establish/Maintain Documentation | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Establish/Maintain Documentation | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Establish/Maintain Documentation | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Establish/Maintain Documentation | Preventive | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Data and Information Management | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Data and Information Management | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Data and Information Management | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Data and Information Management | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Data and Information Management | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Data and Information Management | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Data and Information Management | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Data and Information Management | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Data and Information Management | Preventive | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Establish/Maintain Documentation | Preventive | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Data and Information Management | Preventive | |
Approve the data classification scheme. CC ID 13858 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Communicate | Preventive | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Establish/Maintain Documentation | Preventive | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Establish/Maintain Documentation | Preventive | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Establish/Maintain Documentation | Preventive | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Establish/Maintain Documentation | Preventive | |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Investigate | Detective | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Establish/Maintain Documentation | Preventive | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Establish/Maintain Documentation | Preventive | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Establish/Maintain Documentation | Preventive | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Establish/Maintain Documentation | Preventive | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Establish/Maintain Documentation | Preventive | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Establish/Maintain Documentation | Preventive | |
Include the data source in the data dictionary. CC ID 13519 | Establish/Maintain Documentation | Preventive | |
Include the nature of each element in the data dictionary. CC ID 13518 | Establish/Maintain Documentation | Preventive | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Communicate | Preventive | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Establish/Maintain Documentation | Preventive | |
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Behavior | Preventive | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Establish/Maintain Documentation | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 [The management review shall include consideration of: information on the organization's environmental performance, including trends in: fulfilment of its compliance obligations; § 9.3 ¶ 2 d) 3)] | Monitor and Evaluate Occurrences | Detective | |
Monitor for new Information Security solutions. CC ID 07078 | Monitor and Evaluate Occurrences | Detective | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Technical Security | Detective | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Communicate | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Communicate | Corrective | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Establish/Maintain Documentation | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Establish/Maintain Documentation | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Establish/Maintain Documentation | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Establish/Maintain Documentation | Preventive | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Communicate | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Communicate | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Establish/Maintain Documentation | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Establish/Maintain Documentation | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 | Business Processes | Detective | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Testing | Detective | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 | Establish/Maintain Documentation | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Communicate | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Communicate | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Establish/Maintain Documentation | Preventive | |
Correct errors and deficiencies in a timely manner. CC ID 13501 | Business Processes | Corrective | |
Include records management in the quality management system. CC ID 15055 | Establish/Maintain Documentation | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Establish/Maintain Documentation | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Establish/Maintain Documentation | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Establish/Maintain Documentation | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Establish/Maintain Documentation | Preventive | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Systems Design, Build, and Implementation | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Establish/Maintain Documentation | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Establish/Maintain Documentation | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Establish/Maintain Documentation | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Establish/Maintain Documentation | Preventive | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Business Processes | Detective | |
Include program testing standards in the Quality Management program. CC ID 01017 | Establish/Maintain Documentation | Preventive | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Business Processes | Detective | |
Include system testing standards in the Quality Management program. CC ID 01018 | Establish/Maintain Documentation | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2 a) {interested parties}{environmental management system} When determining this scope, the organization shall consider: the compliance obligations referred to in 4.2; § 4.3 ¶ 2 b)] | Establish/Maintain Documentation | Preventive | |
Define the scope of the security policy. CC ID 07145 | Data and Information Management | Preventive | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 | Business Processes | Preventive | |
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Establish/Maintain Documentation | Preventive | |
Correlate Information Systems with applicable controls. CC ID 01621 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Establish/Maintain Documentation | Preventive | |
Include the effective date on all organizational policies. CC ID 06820 | Establish/Maintain Documentation | Preventive | |
Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Establish/Maintain Documentation | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 | Establish/Maintain Documentation | Detective | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Business Processes | Preventive | |
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 [The organization shall: determine and have access to the compliance obligations related to its environmental aspects; § 6.1.3 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Establish/Maintain Documentation | Detective | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1 c) The scope shall be maintained as documented information and be available to interested parties. § 4.3 ¶ 4 The organization shall maintain documented information of its compliance obligations. § 6.1.3 ¶ 2 The organization's environmental management system shall include: documented information required by this International Standard; § 7.5.1 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 [The scope shall be maintained as documented information and be available to interested parties. § 4.3 ¶ 4] | Communicate | Preventive | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Establish/Maintain Documentation | Preventive | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Establish/Maintain Documentation | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Establish/Maintain Documentation | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Establish/Maintain Documentation | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Establish/Maintain Documentation | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Establish/Maintain Documentation | Detective | |
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Establish Roles | Preventive | |
Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
Align the Authority Document list with external requirements. CC ID 06288 [The organization shall: determine how these compliance obligations apply to the organization; § 6.1.3 ¶ 1 b) Documented information of external origin determined by the organization to be necessary for the planning and operation of the environmental management system shall be identified, as appropriate, and controlled. § 7.5.3 ¶ 3 The organization shall: determine and have access to the compliance obligations related to its environmental aspects; § 6.1.3 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Establish Roles | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Establish/Maintain Documentation | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Establish/Maintain Documentation | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Establish/Maintain Documentation | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 | Establish/Maintain Documentation | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Business Processes | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Establish Roles | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Behavior | Preventive | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Behavior | Preventive | |
Estimate the costs of implementing the compliance framework. CC ID 07191 | Business Processes | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Establish/Maintain Documentation | Preventive | |
Determine progress toward the objectives of the strategic plan. CC ID 12944 [The management review shall include consideration of: the extent to which environmental objectives have been achieved; § 9.3 ¶ 2 c)] | Process or Activity | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 [When determining this scope, the organization shall consider: its authority and ability to exercise control and influence. § 4.3 ¶ 2 e)] | Establish/Maintain Documentation | Preventive | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Business Processes | Preventive | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Establish/Maintain Documentation | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Establish/Maintain Documentation | Preventive | |
Include criteria for compliance in the decision-making criteria. CC ID 12951 | Establish/Maintain Documentation | Preventive | |
Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 | Establish/Maintain Documentation | Preventive | |
Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 | Establish/Maintain Documentation | Preventive | |
Include criteria for setting priorities in the decision-making criteria. CC ID 12938 | Establish/Maintain Documentation | Preventive | |
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 | Process or Activity | Preventive | |
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 | Process or Activity | Preventive | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 | Process or Activity | Preventive | |
Identify and document the events that initiate the decision management strategy. CC ID 06914 | Establish/Maintain Documentation | Detective | |
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 | Process or Activity | Preventive | |
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 | Behavior | Preventive | |
Take actions in accordance with the decision-making criteria. CC ID 12909 | Process or Activity | Preventive | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Communicate | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [The organization shall ensure that persons doing work under the organization's control are aware of: the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. § 7.3 ¶ 1 d)] | Business Processes | Preventive | |
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 | Behavior | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Establish/Maintain Documentation | Preventive | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Communicate | Preventive | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Business Processes | Preventive | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Business Processes | Preventive | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Business Processes | Preventive | |
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Investigate | Detective | |
Attach the required information to each funds transfer. CC ID 16756 | Business Processes | Preventive | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Business Processes | Detective | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Business Processes | Preventive | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Testing | Preventive | |
Include communication protocols in the financial management program. CC ID 16763 | Establish/Maintain Documentation | Preventive | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Process or Activity | Preventive | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Process or Activity | Preventive | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Business Processes | Preventive | |
Identify and maintain positions in financial accounts. CC ID 16751 | Business Processes | Preventive | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Establish/Maintain Documentation | Preventive | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Process or Activity | Preventive | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Establish/Maintain Documentation | Preventive | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Establish/Maintain Documentation | Preventive | |
Supplement financial resources, as necessary. CC ID 16685 | Business Processes | Preventive | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Establish/Maintain Documentation | Preventive | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Establish/Maintain Documentation | Preventive | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Establish/Maintain Documentation | Preventive | |
Test the collateral requirements for appropriateness. CC ID 16681 | Testing | Preventive | |
Limit the types of assets accepted as collateral. CC ID 16602 | Business Processes | Preventive | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Business Processes | Preventive | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Testing | Preventive | |
Include stress scenarios in the stress test plan. CC ID 16659 | Testing | Preventive | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Process or Activity | Detective | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Testing | Preventive | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Communicate | Preventive | |
Identify and document the financial resources available for use. CC ID 16643 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Establish/Maintain Documentation | Preventive | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Business Processes | Preventive | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Establish/Maintain Documentation | Preventive | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Establish/Maintain Documentation | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Establish/Maintain Documentation | Preventive | |
Include required information in the capital restoration plan. CC ID 16609 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Establish/Maintain Documentation | Preventive | |
Include investment information in approval requests for investments. CC ID 16590 | Business Processes | Preventive | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain lending policies. CC ID 16608 | Establish/Maintain Documentation | Preventive | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Process or Activity | Preventive | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Establish/Maintain Documentation | Preventive | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Establish/Maintain Documentation | Preventive | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Establish/Maintain Documentation | Preventive | |
Include pricing structures in the lending policy. CC ID 16724 | Establish/Maintain Documentation | Preventive | |
Include monitoring requirements in the lending policy. CC ID 16710 | Establish/Maintain Documentation | Preventive | |
Include loan origination procedures in the lending policy. CC ID 16709 | Establish/Maintain Documentation | Preventive | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Establish/Maintain Documentation | Preventive | |
Include loan requirements in the lending policy. CC ID 16706 | Establish/Maintain Documentation | Preventive | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Establish/Maintain Documentation | Preventive | |
Include terms and conditions in the lending policy. CC ID 16695 | Establish/Maintain Documentation | Preventive | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Establish/Maintain Documentation | Preventive | |
Include geographic areas in the lending policy. CC ID 16691 | Establish/Maintain Documentation | Preventive | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Establish/Maintain Documentation | Preventive | |
Include credit review in the underwriting guidelines. CC ID 16765 | Establish/Maintain Documentation | Preventive | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Establish/Maintain Documentation | Preventive | |
Include documentation requirements in the lending policy. CC ID 16617 | Establish/Maintain Documentation | Preventive | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Establish/Maintain Documentation | Preventive | |
Include the source of repayment in the loan documentation. CC ID 16746 | Establish/Maintain Documentation | Preventive | |
Include approval requirements in the lending policy. CC ID 16615 | Establish/Maintain Documentation | Preventive | |
Include reporting requirements in the lending policy. CC ID 16614 | Establish/Maintain Documentation | Preventive | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Establish/Maintain Documentation | Preventive | |
Include loan administration procedures in the lending policy. CC ID 16610 | Establish/Maintain Documentation | Preventive | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Establish/Maintain Documentation | Preventive | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Establish/Maintain Documentation | Preventive | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Establish/Maintain Documentation | Preventive | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Establish/Maintain Documentation | Preventive | |
Include claims processing in the loan administration procedures. CC ID 16742 | Establish/Maintain Documentation | Preventive | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Establish/Maintain Documentation | Preventive | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Establish/Maintain Documentation | Preventive | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Establish/Maintain Documentation | Preventive | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Process or Activity | Preventive | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Establish/Maintain Documentation | Preventive | |
Include loan closing in the loan administration procedures. CC ID 16734 | Establish/Maintain Documentation | Preventive | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Establish/Maintain Documentation | Preventive | |
Include payment processing in the loan administration procedures. CC ID 16732 | Establish/Maintain Documentation | Preventive | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Establish/Maintain Documentation | Preventive | |
Include collections in the loan administration procedures. CC ID 16701 | Establish/Maintain Documentation | Preventive | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Establish/Maintain Documentation | Preventive | |
Include disbursements in the loan administration procedures. CC ID 16697 | Establish/Maintain Documentation | Preventive | |
Review and approve lending policies. CC ID 16607 | Business Processes | Preventive | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the dividend policy. CC ID 16570 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain margin systems. CC ID 16601 | Business Processes | Preventive | |
Include valuation models in the margin system. CC ID 16663 | Data and Information Management | Preventive | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Data and Information Management | Preventive | |
Include reliable sources for price data in the margin system. CC ID 16661 | Data and Information Management | Preventive | |
Validate the margin system on a regular basis. CC ID 16660 | Testing | Detective | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Process or Activity | Detective | |
Monitor the performance of the margin system. CC ID 16655 | Monitor and Evaluate Occurrences | Detective | |
Analyze the performance of the margin system. CC ID 16654 | Process or Activity | Detective | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Business Processes | Preventive | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Establish/Maintain Documentation | Preventive | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Investigate | Detective | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Communicate | Preventive | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Establish/Maintain Documentation | Preventive | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Establish/Maintain Documentation | Preventive | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Establish/Maintain Documentation | Preventive | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Establish/Maintain Documentation | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Data and Information Management | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Data and Information Management | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Data and Information Management | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Data and Information Management | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Data and Information Management | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Data and Information Management | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Data and Information Management | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Data and Information Management | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Data and Information Management | Preventive | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Data and Information Management | Preventive | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Establish/Maintain Documentation | Preventive | |
Include the call date in the securities transaction notification. CC ID 16680 | Establish/Maintain Documentation | Preventive | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Establish/Maintain Documentation | Preventive | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Establish/Maintain Documentation | Preventive | |
Include the call price in the securities transaction notification. CC ID 16678 | Establish/Maintain Documentation | Preventive | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Establish/Maintain Documentation | Preventive | |
Include transactions in the securities transaction notification. CC ID 16676 | Establish/Maintain Documentation | Preventive | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Establish/Maintain Documentation | Preventive | |
Include yield information in the securities transaction notification. CC ID 16673 | Establish/Maintain Documentation | Preventive | |
Include redemption information in the securities transaction notification. CC ID 16672 | Establish/Maintain Documentation | Preventive | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Establish/Maintain Documentation | Preventive | |
Include the type of call in the securities transaction notification. CC ID 16668 | Establish/Maintain Documentation | Preventive | |
Include an account statement in the securities transaction notification. CC ID 16666 | Establish/Maintain Documentation | Preventive | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Establish/Maintain Documentation | Preventive | |
Include the execution price in the securities transaction notification. CC ID 16664 | Establish/Maintain Documentation | Preventive | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Establish/Maintain Documentation | Preventive | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Establish/Maintain Documentation | Preventive | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Establish/Maintain Documentation | Preventive | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Establish/Maintain Documentation | Preventive | |
Include confirmations in the securities transaction notification. CC ID 16623 | Establish/Maintain Documentation | Preventive | |
Include remunerations in the securities transaction notification. CC ID 16622 | Establish/Maintain Documentation | Preventive | |
Include requested information in the securities transaction notification. CC ID 16641 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Communicate | Preventive | |
Include the execution date in the securities transaction notification. CC ID 16620 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Establish/Maintain Documentation | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Establish/Maintain Documentation | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Establish/Maintain Documentation | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Communicate | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Establish/Maintain Documentation | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Establish/Maintain Documentation | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Establish/Maintain Documentation | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Establish/Maintain Documentation | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Establish/Maintain Documentation | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Establish/Maintain Documentation | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Communicate | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{what needs to be measured} The organization shall determine: what needs to be monitored and measured; § 9.1.1 ¶ 2 a) The organization shall determine: when the monitoring and measuring shall be performed; § 9.1.1 ¶ 2 d)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The organization shall: determine the frequency that compliance will be evaluated; § 9.1.2 ¶ 2 a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Actionable Reports or Measurements | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Actionable Reports or Measurements | Detective | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 [The organization's environmental management system shall include: documented information determined by the organization as being necessary for the effectiveness of the environmental management system. § 7.5.1 ¶ 1 b) The management review shall include consideration of: information on the organization's environmental performance, including trends in: § 9.3 ¶ 2 d)] | Business Processes | Preventive | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Audits and Risk Management | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitor and Evaluate Occurrences | Detective | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.2 ¶ 3 Bullet 1 The management review shall include consideration of: information on the organization's environmental performance, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2 d) 1)] | Establish/Maintain Documentation | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by: § 10.2 ¶ 1 b)] | Business Processes | Detective | |
Determine the causes of compliance violations. CC ID 12401 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.2 ¶ 1 b) 1) When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.2 ¶ 1 b) 2)] | Investigate | Corrective | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities] | Investigate | Detective | |
Correct compliance violations. CC ID 13515 [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.2 ¶ 1 a) 1) When a nonconformity occurs, the organization shall: implement any action needed; § 10.2 ¶ 1 c) The organization shall: evaluate compliance and take action if needed; § 9.1.2 ¶ 2 b) The management review shall include consideration of: information on the organization's environmental performance, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2 d) 1)] | Process or Activity | Corrective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.2 ¶ 1 d)] | Investigate | Detective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable: § 10.2 ¶ 1 a)] | Behavior | Corrective | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 [Corrective actions shall be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s). § 10.2 ¶ 2] | Human Resources Management | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Establish/Maintain Documentation | Preventive | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Actionable Reports or Measurements | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Actionable Reports or Measurements | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Actionable Reports or Measurements | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Actionable Reports or Measurements | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2 a)] | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Establish/Maintain Documentation | Preventive | |
Convert data into standard units before reporting metrics. CC ID 15507 | Process or Activity | Corrective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Actionable Reports or Measurements | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Actionable Reports or Measurements | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Actionable Reports or Measurements | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Actionable Reports or Measurements | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Actionable Reports or Measurements | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Actionable Reports or Measurements | Detective | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Actionable Reports or Measurements | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Business Processes | Preventive | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Actionable Reports or Measurements | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Actionable Reports or Measurements | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Business Processes | Preventive | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Business Processes | Preventive | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 [The management review shall include consideration of: information on the organization's environmental performance, including trends in: monitoring and measurement results; § 9.3 ¶ 2 d) 2) The organization shall monitor, measure, analyse and evaluate its environmental performance. § 9.1.1 ¶ 1 The organization shall determine: the criteria against which the organization will evaluate its environmental performance, and appropriate indicators; § 9.1.1 ¶ 2 c) {be measurable}The environmental objectives shall be: measurable (if practicable); § 6.2.1 ¶ 2 b)] | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Business Processes | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Actionable Reports or Measurements | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Business Processes | Preventive | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Actionable Reports or Measurements | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Business Processes | Preventive | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Log Management | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Log Management | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Log Management | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Log Management | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Business Processes | Preventive | |
Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Actionable Reports or Measurements | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Business Processes | Preventive | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Business Processes | Preventive | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Actionable Reports or Measurements | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Actionable Reports or Measurements | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Business Processes | Preventive | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Technical Security | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Actionable Reports or Measurements | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Business Processes | Preventive | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Actionable Reports or Measurements | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Actionable Reports or Measurements | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Business Processes | Preventive | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Actionable Reports or Measurements | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Actionable Reports or Measurements | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Business Processes | Preventive | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Actionable Reports or Measurements | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Actionable Reports or Measurements | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Actionable Reports or Measurements | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Actionable Reports or Measurements | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Actionable Reports or Measurements | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Actionable Reports or Measurements | Detective | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients 65 years of age or older or 5 years of age or younger who were sent a reminder. CC ID 06233 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Establish/Maintain Documentation | Preventive | |
Deploy log normalization tools, as necessary. CC ID 12141 | Technical Security | Preventive | |
Restrict access to logs to authorized individuals. CC ID 01342 | Log Management | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Technical Security | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Log Management | Preventive | |
Back up audit trails according to backup procedures. CC ID 11642 | Systems Continuity | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Log Management | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Log Management | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Log Management | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Log Management | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 | Log Management | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Log Management | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Log Management | Preventive | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Configuration | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Log Management | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Audits and Risk Management | Preventive | |
Monitor the performance of the governance, risk, and compliance capability. CC ID 12857 [When planning how to achieve its environmental objectives, the organization shall determine: how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). § 6.2.2 ¶ 1 e)] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable: deal with the consequences, including mitigating adverse environmental impacts; § 10.2 ¶ 1 a) 2) The organization shall determine opportunities for improvement (see 9.1, 9.2 and 9.3) and implement necessary actions to achieve the intended outcomes of its environmental management system. § 10.1 ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Align corrective actions with the level of environmental impact. CC ID 15193 [Corrective actions shall be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s). § 10.2 ¶ 2] | Business Processes | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 [{environmental aspect} The organization shall plan: to take actions to address its: risks and opportunities identified in 6.1.1; § 6.1.4 ¶ 1 a) 3)] | Establish/Maintain Documentation | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 [The organization shall plan: to take actions to address its: significant environmental aspects; § 6.1.4 ¶ 1 a) 1)] | Establish/Maintain Documentation | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Establish/Maintain Documentation | Preventive | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitor and Evaluate Occurrences | Detective | |
Protect against misusing automated audit tools. CC ID 04547 | Technical Security | Preventive | |
Evaluate the measurement process used for metrics. CC ID 06920 [{what needs to be measured} The organization shall determine: what needs to be monitored and measured; § 9.1.1 ¶ 2 a)] | Testing | Detective | |
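The log management controls in this impact zone (in particular "Refrain from recording unnecessary restricted data in logs", CC ID 06318, and "Protect logs from unauthorized activity", CC ID 01345) state the obligation but not a mechanism. What follows is an added example, not part of this UCF report or of ISO 14001:2015, showing one way to enforce the first of them with Python's standard logging module: a handler-level filter that redacts card numbers (confirmed with a Luhn check to limit false positives), key/value secrets such as passwords and API keys, and e-mail addresses before a record reaches any sink. The pattern list, the field names and the sample messages are constructed for illustration; a real deployment derives the patterns from its own data classification policy.

```python
import logging
import re

# Constructed, illustrative list of restricted-data patterns. Each entry is a
# compiled regex and a replacement (string or callable, as re.sub accepts).
_SECRET_KEYS = r"(password|passwd|pin|token|api[_-]?key|secret)"


def _luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_pan(match: re.Match) -> str:
    """Redact a 13-19 digit run only if it is Luhn-valid; leave order numbers etc. alone."""
    digits = re.sub(r"[ -]", "", match.group(0))
    return "[REDACTED-PAN]" if _luhn_ok(digits) else match.group(0)


_PATTERNS = [
    # 13-19 digits, optionally separated by single spaces or dashes
    (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), _redact_pan),
    # key=value or key: value secrets; the key is kept so the log stays readable
    (re.compile(r"\b" + _SECRET_KEYS + r"\s*[=:]\s*\S+", re.IGNORECASE), r"\1=[REDACTED]"),
    # e-mail addresses
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[REDACTED-EMAIL]"),
]


def redact(text: str) -> str:
    """Apply every pattern in order and return the sanitised text."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites a record's message before the handler formats it.

    The message is rendered here so that restricted data passed via %-style
    args is caught too; args are then cleared so nothing re-formats the original.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # never drop the record, only rewrite it


class ListHandler(logging.Handler):
    """In-memory sink standing in for a file or syslog handler (constructed for the example)."""

    def __init__(self) -> None:
        super().__init__()
        self.records: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


def build_logger(name: str = "app"):
    """Return (logger, handler) with the redacting filter attached to the handler.

    The filter sits on the handler rather than the logger because logger-level
    filters do not see records propagated from child loggers; handler-level
    filters see every record that reaches the sink.
    """
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger, handler


if __name__ == "__main__":
    log, sink = build_logger()
    log.info("login failed for %s with password=%s", "alice@example.com", "hunter2")
    log.info("charged card 4111 1111 1111 1111 for order 1234567890123456")
    print("\n".join(sink.records))
```

Attach the same filter to every handler that writes to durable storage; a filter on only one handler leaves any other sink (console, remote collector) unprotected. The Luhn check is what keeps long numeric identifiers such as order or ticket numbers readable while still catching real card numbers.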
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{response}{adverse impact} The organization shall: prepare to respond by planning actions to prevent or mitigate adverse environmental impacts from emergency situations; § 8.2 ¶ 2 a)] | Establish/Maintain Documentation | Preventive | |
Report changes in the continuity plan to senior management. CC ID 12757 | Communicate | Corrective | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Establish/Maintain Documentation | Preventive | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [The organization shall: respond to actual emergency situations; § 8.2 ¶ 2 b)] | Systems Continuity | Corrective | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Communicate | Preventive | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Systems Continuity | Preventive | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Systems Continuity | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Human Resources Management | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Establish/Maintain Documentation | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Establish/Maintain Documentation | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Human Resources Management | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Systems Continuity | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Configuration | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Behavior | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Establish/Maintain Documentation | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Systems Continuity | Corrective | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Establish/Maintain Documentation | Preventive | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Technical Security | Preventive | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Monitor and Evaluate Occurrences | Detective | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Process or Activity | Preventive | |
Record business continuity management system performance for posterity. CC ID 12411 | Monitor and Evaluate Occurrences | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Process or Activity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Establish/Maintain Documentation | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Establish/Maintain Documentation | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Establish/Maintain Documentation | Preventive | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Establish Roles | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 [The organization shall establish, implement and maintain the process(es) needed to prepare for and respond to potential emergency situations identified in 6.1.1. § 8.2 ¶ 1] | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Communicate | Preventive | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Establish/Maintain Documentation | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Configuration | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Configuration | Preventive | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Acquisition/Sale of Assets or Services | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Establish/Maintain Documentation | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Establish/Maintain Documentation | Preventive | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Systems Continuity | Preventive | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Testing | Detective | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [The organization shall: periodically review and revise the process(es) and planned response actions, in particular after the occurrence of emergency situations or tests; § 8.2 ¶ 2 e) {be appropriate} The organization shall: take action to prevent or mitigate the consequences of emergency situations, appropriate to the magnitude of the emergency and the potential environmental impact; § 8.2 ¶ 2 c)] | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Communicate | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Establish/Maintain Documentation | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
Test the recovery plan, as necessary. CC ID 13290 [The organization shall: periodically test the planned response actions, where practicable; § 8.2 ¶ 2 d)] | Testing | Detective | |
Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Communicate | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 | Establish Roles | Preventive | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Establish/Maintain Documentation | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Communicate | Preventive | |
Disseminate and communicate business functions across multiple facilities using geographic separation. CC ID 10662 | Systems Continuity | Preventive | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Systems Continuity | Preventive | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Systems Continuity | Preventive | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Systems Continuity | Corrective | |
Train personnel on the continuity plan. CC ID 00759 [The organization shall: provide relevant information and training related to emergency preparedness and response, as appropriate, to relevant interested parties, including persons working under its control. § 8.2 ¶ 2 f)] | Behavior | Preventive | |
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 | Behavior | Preventive | |
Incorporate simulated events into the continuity plan training. CC ID 01402 | Behavior | Preventive | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Training | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Training | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Training | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Training | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Plan for business process conversions, as necessary. CC ID 13678 [The organization shall plan: how to: integrate and implement the actions into its environmental management system processes (see 6.2, Clause 7, Clause 8 and 9.1), or other business processes; § 6.1.4 ¶ 1 b) 1)] | Business Processes | Corrective | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [The organization shall plan: to take actions to address its: compliance obligations; § 6.1.4 ¶ 1 a) 2) The organization shall establish, implement and maintain the process(es) needed to evaluate fulfilment of its compliance obligations. § 9.1.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 [{internal communication}{be relevant} The organization shall: internally communicate information relevant to the environmental management system among the various levels and functions of the organization, including changes to the environmental management system, as appropriate; § 7.4.2 ¶ 1 a)] | Behavior | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Establish/Maintain Documentation | Preventive | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the resources needed for the environmental management system are available; § 5.1 ¶ 1 d) The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the environmental management system. § 7.1 ¶ 1 The outputs of the management review shall include: decisions related to any need for changes to the environmental management system, including resources; § 9.3 ¶ 3 Bullet 3] | Acquisition/Sale of Assets or Services | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Process or Activity | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2 The management review shall include consideration of: changes in: its significant environmental aspects; § 9.3 ¶ 2 b) 3) The management review shall include consideration of: changes in: risks and opportunities; § 9.3 ¶ 2 b) 4) The outputs of the management review shall include: decisions related to any need for changes to the environmental management system, including resources; § 9.3 ¶ 3 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2] | Process or Activity | Preventive | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 [{external and internal issues} and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; § 6.1.1 ¶ 3 Bullet 2 The organization shall plan: how to: evaluate the effectiveness of these actions (see 9.1). § 6.1.4 ¶ 1 b) 2) When planning how to achieve its environmental objectives, the organization shall determine: how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). § 6.2.2 ¶ 1 e) The organization shall evaluate its environmental performance and the effectiveness of the environmental management system. § 9.1.1 ¶ 4 The outputs of the management review shall include: actions, if needed, when environmental objectives have not been achieved; § 9.3 ¶ 3 Bullet 4 The outputs of the management review shall include: any implications for the strategic direction of the organization. § 9.3 ¶ 3 Bullet 6] | Audits and Risk Management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Human Resources Management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Human Resources Management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Establish/Maintain Documentation | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Establish/Maintain Documentation | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Communicate | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Communicate | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Business Processes | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Business Processes | Detective | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Actionable Reports or Measurements | Corrective | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Establish Roles | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 | Business Processes | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Establish Roles | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [The management review shall include consideration of opportunities for continual improvement. § 9.3 ¶ 2 g) The outputs of the management review shall include: decisions related to continual improvement opportunities; § 9.3 ¶ 3 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Establish/Maintain Documentation | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Establish/Maintain Documentation | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Establish/Maintain Documentation | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Communicate | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Establish/Maintain Documentation | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Establish/Maintain Documentation | Preventive | |
Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
Include access control in the information security program. CC ID 12386 | Establish/Maintain Documentation | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
Include operations management in the information security program. CC ID 12385 | Establish/Maintain Documentation | Preventive | |
Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Provide management direction and support for the information security program. CC ID 11999 | Process or Activity | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Establish/Maintain Documentation | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Human Resources Management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Establish/Maintain Documentation | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Communicate | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Establish/Maintain Documentation | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Establish/Maintain Documentation | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Establish/Maintain Documentation | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Establish/Maintain Documentation | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Establish/Maintain Documentation | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Establish/Maintain Documentation | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Establish/Maintain Documentation | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Establish/Maintain Documentation | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: § 5.1 ¶ 1] | Process or Activity | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Process or Activity | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Process or Activity | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Process or Activity | Corrective | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [Top management shall assign the responsibility and authority for: ensuring that the environmental management system conforms to the requirements of this International Standard; § 5.3 ¶ 2 a) The outputs of the management review shall include: opportunities to improve integration of the environmental management system with other business processes, if needed; § 9.3 ¶ 3 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [{internal communication}{be relevant} The organization shall: internally communicate information relevant to the environmental management system among the various levels and functions of the organization, including changes to the environmental management system, as appropriate; § 7.4.2 ¶ 1 a) {external communication}{be relevant} The organization shall externally communicate information relevant to the environmental management system, as established by the organization's communication process(es) and as required by its compliance obligations. § 7.4.3 ¶ 1 The organization shall: maintain knowledge and understanding of its compliance status. § 9.1.2 ¶ 2 c) The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations. § 9.1.1 ¶ 5] | Behavior | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [Consistent with a life cycle perspective, the organization shall: consider the need to provide information about potential significant environmental impacts associated with the transportation or delivery, use, end-of-life treatment and final disposal of its products and services. § 8.1 ¶ 4 d)] | Business Processes | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Business Processes | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Establish/Maintain Documentation | Preventive | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 | Human Resources Management | Preventive | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Business Processes | Preventive | |
Include life cycle requirements in the security management program. CC ID 16392 | Establish/Maintain Documentation | Preventive | |
Include program objectives in the asset management program. CC ID 14413 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Establish/Maintain Documentation | Preventive | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Business Processes | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Establish/Maintain Documentation | Preventive | |
Define confidentiality controls. CC ID 01908 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Establish/Maintain Documentation | Preventive | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Process or Activity | Preventive | |
Define integrity controls. CC ID 01909 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Establish/Maintain Documentation | Preventive | |
Define availability controls. CC ID 01911 | Establish/Maintain Documentation | Preventive | |
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Communicate | Preventive | |
Classify assets according to the Asset Classification Policy. CC ID 07186 | Establish Roles | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Business Processes | Preventive | |
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Establish/Maintain Documentation | Preventive | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Establish Roles | Preventive | |
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Configuration | Preventive | |
Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 | Business Processes | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Establish/Maintain Documentation | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Establish/Maintain Documentation | Preventive | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Systems Design, Build, and Implementation | Preventive | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Data and Information Management | Preventive | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Establish/Maintain Documentation | Preventive | |
Categorize all major applications according to the business information they process. CC ID 07182 | Establish/Maintain Documentation | Preventive | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Establish/Maintain Documentation | Preventive | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Establish/Maintain Documentation | Preventive | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Establish/Maintain Documentation | Preventive | |
Conduct environmental surveys. CC ID 00690 | Physical and Environmental Protection | Preventive | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Establish/Maintain Documentation | Preventive | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Establish/Maintain Documentation | Preventive | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Establish/Maintain Documentation | Preventive | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Process or Activity | Preventive | |
Include software in the Information Technology inventory. CC ID 00692 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Establish/Maintain Documentation | Preventive | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Establish/Maintain Documentation | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Establish/Maintain Documentation | Preventive | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Monitor and Evaluate Occurrences | Corrective | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Monitor and Evaluate Occurrences | Corrective | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Establish/Maintain Documentation | Preventive | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Technical Security | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Technical Security | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Data and Information Management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Establish/Maintain Documentation | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Data and Information Management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Data and Information Management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Establish/Maintain Documentation | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Records Management | Preventive | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Human Resources Management | Preventive | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Technical Security | Detective | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Establish/Maintain Documentation | Preventive | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Data and Information Management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Establish/Maintain Documentation | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Establish/Maintain Documentation | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Establish/Maintain Documentation | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Establish/Maintain Documentation | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Establish/Maintain Documentation | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Establish/Maintain Documentation | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Establish/Maintain Documentation | Preventive | |
Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 | Establish/Maintain Documentation | Preventive | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Establish/Maintain Documentation | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Establish/Maintain Documentation | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Establish/Maintain Documentation | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Establish/Maintain Documentation | Preventive | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Data and Information Management | Preventive | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Establish/Maintain Documentation | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Data and Information Management | Preventive | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Establish/Maintain Documentation | Preventive | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Establish/Maintain Documentation | Preventive | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Establish/Maintain Documentation | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Establish/Maintain Documentation | Preventive | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Establish/Maintain Documentation | Preventive | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Establish/Maintain Documentation | Preventive | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Establish/Maintain Documentation | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Data and Information Management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Data and Information Management | Preventive | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Establish/Maintain Documentation | Preventive | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Establish/Maintain Documentation | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Establish/Maintain Documentation | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 | Establish/Maintain Documentation | Preventive | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Establish/Maintain Documentation | Preventive | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 | Establish/Maintain Documentation | Preventive | |
Prevent users from disabling required software. CC ID 16417 | Technical Security | Preventive | |
Establish, implement, and maintain software archives procedures. CC ID 00866 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software distribution procedures. CC ID 00894 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software license management procedures. CC ID 06639 | Establish/Maintain Documentation | Preventive | |
Automate software license monitoring, as necessary. CC ID 07057 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system redeployment program. CC ID 06276 | Establish/Maintain Documentation | Preventive | |
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Testing | Detective | |
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Behavior | Preventive | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Data and Information Management | Preventive | |
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Acquisition/Sale of Assets or Services | Preventive | |
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Establish/Maintain Documentation | Preventive | |
Redeploy systems to other organizational units, as necessary. CC ID 11452 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Establish/Maintain Documentation | Preventive | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Business Processes | Preventive | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Business Processes | Preventive | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Establish/Maintain Documentation | Preventive | |
Establish and maintain maintenance reports. CC ID 11749 | Establish/Maintain Documentation | Preventive | |
Establish and maintain system inspection reports. CC ID 06346 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Establish/Maintain Documentation | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Communicate | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Communicate | Preventive | |
Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Establish/Maintain Documentation | Preventive | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Physical and Environmental Protection | Preventive | |
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Behavior | Preventive | |
Use system components only when third party support is available. CC ID 10644 | Maintenance | Preventive | |
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Maintenance | Preventive | |
Control and monitor all maintenance tools. CC ID 01432 | Physical and Environmental Protection | Detective | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Business Processes | Preventive | |
Control remote maintenance according to the system's asset classification. CC ID 01433 | Technical Security | Preventive | |
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Configuration | Preventive | |
Approve all remote maintenance sessions. CC ID 10615 | Technical Security | Preventive | |
Log the performance of all remote maintenance. CC ID 13202 | Log Management | Preventive | |
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Technical Security | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Maintenance | Preventive | |
Conduct maintenance with authorized personnel. CC ID 01434 | Testing | Detective | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Maintenance | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Maintenance | Preventive | |
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Behavior | Preventive | |
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Establish/Maintain Documentation | Preventive | |
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Acquisition/Sale of Assets or Services | Preventive | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Behavior | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Maintenance | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Maintenance | Preventive | |
Employ dedicated systems during system maintenance. CC ID 12108 | Technical Security | Preventive | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Technical Security | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Human Resources Management | Preventive | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Physical and Environmental Protection | Preventive | |
Calibrate assets according to the calibration procedures for the asset. CC ID 06203 [The organization shall ensure that calibrated or verified monitoring and measurement equipment is used and maintained, as appropriate. § 9.1.1 ¶ 3] | Testing | Detective | |
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Establish/Maintain Documentation | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Process or Activity | Preventive | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Physical and Environmental Protection | Corrective | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Business Processes | Preventive | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Establish/Maintain Documentation | Preventive | |
Dispose of hardware and software at their life cycle end. CC ID 06278 | Business Processes | Preventive | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Business Processes | Preventive | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Establish/Maintain Documentation | Preventive | |
Include disposal procedures in disposal contracts. CC ID 13905 | Establish/Maintain Documentation | Preventive | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Business Processes | Preventive | |
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Establish/Maintain Documentation | Preventive | |
Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Testing | Detective | |
Review each system's operational readiness. CC ID 06275 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an unauthorized software list. CC ID 10601 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 | Establish/Maintain Documentation | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include version control in the change control program. CC ID 13119 [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3 ¶ 2 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Implement changes according to the change control program. CC ID 11776 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Business Processes | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Establish/Maintain Documentation | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Business Processes | Corrective | |
Manage the creation of products and services, as necessary. CC ID 13497 [Consistent with a life cycle perspective, the organization shall: establish controls, as appropriate, to ensure that its environmental requirement(s) is (are) addressed in the design and development process for the product or service, considering each life cycle stage; § 8.1 ¶ 4 a)] | Business Processes | Preventive | |
Define the processing specifications for products and services creation requirements. CC ID 13523 | Establish/Maintain Documentation | Preventive | |
Define the processing activities to meet products and services creation requirements. CC ID 13499 | Business Processes | Preventive | |
Delete age-restricted content, as necessary. CC ID 15450 | Process or Activity | Preventive | |
Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 | Establish/Maintain Documentation | Preventive | |
Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 | Process or Activity | Preventive | |
Establish, implement, and maintain an environmental management system. CC ID 14945 [The organization shall consider the knowledge gained in 4.1 and 4.2 when establishing and maintaining the environmental management system. § 4.4 ¶ 2 Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental management system achieves its intended outcomes; § 5.1 ¶ 1 f) To achieve the intended outcomes, including enhancing its environmental performance, the organization shall establish, implement, maintain and continually improve an environmental management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard. § 4.4 ¶ 1 The organization shall continually improve the suitability, adequacy and effectiveness of the environmental management system to enhance environmental performance. § 10.3 ¶ 1 The outputs of the management review shall include: conclusions on the continuing suitability, adequacy and effectiveness of the environmental management system; § 9.3 ¶ 3 Bullet 1 {environmental objectives}{compliance obligations} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: § 8.1 ¶ 1 When a nonconformity occurs, the organization shall: make changes to the environmental management system, if necessary. § 10.2 ¶ 1 e) Top management shall review the organization's environmental management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1] | Business Processes | Preventive | |
Establish, implement, and maintain environmental management system processes. CC ID 14954 [The organization shall establish, implement and maintain the process(es) needed to meet the requirements in 6.1.1 to 6.1.4. § 6.1.1 ¶ 1 The organization shall plan: how to: integrate and implement the actions into its environmental management system processes (see 6.2, Clause 7, Clause 8 and 9.1), or other business processes; § 6.1.4 ¶ 1 b) 1) {environmental objectives}{compliance obligations} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: § 8.1 ¶ 1 {environmental objective}{compliance obligation}{operating process} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: establishing operating criteria for the process(es); § 8.1 ¶ 1 Bullet 1] | Process or Activity | Preventive | |
Include risks and opportunities in the environmental management system. CC ID 15201 [{external and internal issues} and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: § 6.1.1 ¶ 3 The organization shall maintain documented information of its: risks and opportunities that need to be addressed; § 6.1.1 ¶ 5 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include communications in the environmental management system. CC ID 15199 [{internal communications} The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: § 7.4.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain environmental performance monitoring procedures. CC ID 15222 [The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1.1 ¶ 2 b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for environmental performance monitoring. CC ID 15220 [The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1.1 ¶ 2 e)] | Business Processes | Preventive | |
Prioritize and select controls based on environmental management system requirements. CC ID 15197 [{environmental objective}{compliance obligation}{process control}{operating standard} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: implementing control of the process(es), in accordance with the operating criteria. § 8.1 ¶ 1 Bullet 2] | Process or Activity | Preventive | |
Disseminate and communicate environmental information to interested personnel and affected parties. CC ID 15195 [The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations. § 9.1.1 ¶ 5] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate environmental requirements to interested personnel and affected parties. CC ID 15196 [Consistent with a life cycle perspective, the organization shall: communicate its relevant environmental requirement(s) to external providers, including contractors; § 8.1 ¶ 4 c)] | Communicate | Preventive | |
Include compliance obligations in the environmental management system. CC ID 15185 [{take into account} The organization shall: take these compliance obligations into account when establishing, implementing, maintaining and continually improving its environmental management system. § 6.1.3 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain environmental objectives. CC ID 15186 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: provides a framework for setting environmental objectives; § 5.2 ¶ 1 b) The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1 {be consistent} The environmental objectives shall be: consistent with the environmental policy; § 6.2.1 ¶ 2 a) The organization shall maintain documented information on the environmental objectives. § 6.2.1 ¶ 3 When planning how to achieve its environmental objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1 d) When planning how to achieve its environmental objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1 a) The environmental objectives shall be: updated as appropriate. § 6.2.1 ¶ 2 e)] | Establish/Maintain Documentation | Preventive | |
Monitor environmental objectives. CC ID 15189 [The environmental objectives shall be: monitored; § 6.2.1 ¶ 2 c)] | Monitor and Evaluate Occurrences | Detective | |
Include risks and opportunities in the environmental objectives. CC ID 15188 [The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Integrate environmental objectives into the business process. CC ID 15192 [The organization shall consider how actions to achieve its environmental objectives can be integrated into the organization's business processes. § 6.2.2 ¶ 2] | Business Processes | Preventive | |
Include the required resources in the environmental objectives. CC ID 15221 [When planning how to achieve its environmental objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1 b)] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the environmental objectives. CC ID 15187 [The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the environmental objectives to interested personnel and affected parties. CC ID 15190 [The environmental objectives shall be: communicated; § 6.2.1 ¶ 2 d)] | Communicate | Preventive | |
Analyze environmental aspects using established criteria. CC ID 15230 [{be significant} The organization shall determine those aspects that have or can have a significant environmental impact, i.e. significant environmental aspects, by using established criteria. § 6.1.2 ¶ 3] | Process or Activity | Detective | |
Document the criteria used to determine the environmental aspects. CC ID 15181 [The organization shall maintain documented information of its: criteria used to determine its significant environmental aspects; § 6.1.2 ¶ 5 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Take into account emergency situations when determining environmental aspects. CC ID 15180 [When determining environmental aspects, the organization shall take into account: abnormal conditions and reasonably foreseeable emergency situations. § 6.1.2 ¶ 2 b)] | Establish/Maintain Documentation | Preventive | |
Take into account abnormal conditions when determining environmental aspects. CC ID 15179 [When determining environmental aspects, the organization shall take into account: abnormal conditions and reasonably foreseeable emergency situations. § 6.1.2 ¶ 2 b)] | Establish/Maintain Documentation | Preventive | |
Include the organization's significant environmental aspects in the environmental management system. CC ID 15176 [The organization shall maintain documented information of its: significant environmental aspects. § 6.1.2 ¶ 5 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the environmental aspects to interested personnel and affected parties. CC ID 14983 [The organization shall communicate its significant environmental aspects among the various levels and functions of the organization, as appropriate. § 6.1.2 ¶ 4] | Communicate | Preventive | |
Include the environmental management system requirements in the environmental management system. CC ID 14978 [{be effective}Top management shall demonstrate leadership and commitment with respect to the environmental management system by: communicating the importance of effective environmental management and of conforming to the environmental management system requirements; § 5.1 ¶ 1 e) {environmental objective}{compliance obligation}{operating process}The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: establishing operating criteria for the process(es); § 8.1 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include environmental impacts in the environmental management system. CC ID 15175 [The organization shall maintain documented information of its: environmental aspects and associated environmental impacts; § 6.1.2 ¶ 5 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Analyze the environmental impact of organizational changes. CC ID 14979 [When determining environmental aspects, the organization shall take into account: change, including planned or new developments, and new or modified activities, products and services; § 6.1.2 ¶ 2 a)] | Process or Activity | Detective | |
Analyze the environmental impact of changes in developments, activities, products, and services. CC ID 14980 [When determining environmental aspects, the organization shall take into account: change, including planned or new developments, and new or modified activities, products and services; § 6.1.2 ¶ 2 a)] | Process or Activity | Detective | |
Disseminate and communicate the environmental management system to interested personnel and affected parties. CC ID 14976 [{be effective}Top management shall demonstrate leadership and commitment with respect to the environmental management system by: communicating the importance of effective environmental management and of conforming to the environmental management system requirements; § 5.1 ¶ 1 e)] | Communicate | Preventive | |
Include roles and responsibilities in the environmental management system. CC ID 14971 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1 i) {responsible party}When planning how to achieve its environmental objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1 c)] | Human Resources Management | Preventive | |
Include a commitment to continuous improvement in the environmental management system. CC ID 14970 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: promoting continual improvement; § 5.1 ¶ 1 h) {external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: achieve continual improvement. § 6.1.1 ¶ 3 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Provide management direction and support for the environmental management system. CC ID 14968 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: directing and supporting persons to contribute to the effectiveness of the environmental management system; § 5.1 ¶ 1 g)] | Business Processes | Preventive | |
Assign accountability for the effectiveness of the environmental management system. CC ID 14966 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: taking accountability for the effectiveness of the environmental management system; § 5.1 ¶ 1 a)] | Establish Roles | Preventive | |
Include third party requirements in the environmental management system. CC ID 14964 [{interested parties}{compliance obligations}When planning for the environmental management system, the organization shall consider: the requirements referred to in 4.2; § 6.1.1 ¶ 2 b)] | Establish/Maintain Documentation | Preventive | |
Provide assurance that the environmental management system meets all compliance requirements. CC ID 14958 [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: give assurance that the environmental management system can achieve its intended outcomes; § 6.1.1 ¶ 3 Bullet 1] | Business Processes | Preventive | |
Include environmental conditions in the environmental management system. CC ID 14952 [{external and internal issues}{environmental conditions}When planning for the environmental management system, the organization shall consider: the issues referred to in 4.1; § 6.1.1 ¶ 2 a)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the environmental management system. CC ID 14950 [When planning for the environmental management system, the organization shall consider: the scope of its environmental management system; § 6.1.1 ¶ 2 c) The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. § 4.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include emergency situations in the scope of the environmental management system. CC ID 14995 [Within the scope of the environmental management system, the organization shall determine potential emergency situations, including those that can have an environmental impact. § 6.1.1 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Include the environmental impact of activities, products, and services in the scope of the environmental management system. CC ID 15184 [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Analyze activities, products, and services within the scope of the environmental management system to determine the environmental aspects. CC ID 15183 [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1] | Business Processes | Detective | |
Include activities, products, and services in the scope of the environmental management system. CC ID 15182 [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an environmental policy. CC ID 14947 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: § 5.2 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and the context of the organization; § 5.1 ¶ 1 b) The environmental policy shall: be maintained as documented information; § 5.2 ¶ 2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include continuous improvement of environmental performance in the environmental policy. CC ID 14994 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to continual improvement of the environmental management system to enhance environmental performance. § 5.2 ¶ 1 e)] | Establish/Maintain Documentation | Preventive | |
Include compliance obligations in the environmental policy. CC ID 14993 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to fulfil its compliance obligations; § 5.2 ¶ 1 d)] | Establish/Maintain Documentation | Preventive | |
Include a commitment to the protection of the environment in the environmental policy. CC ID 14991 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to the protection of the environment, including prevention of pollution and other specific commitment(s) relevant to the context of the organization; § 5.2 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the environmental policy. CC ID 14987 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: is appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services; § 5.2 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Include purpose and context in the environmental policy. CC ID 14985 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: is appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services; § 5.2 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Tailor the environmental policy to be compatible with the organization's strategic direction. CC ID 14974 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and the context of the organization; § 5.1 ¶ 1 b)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the environmental policy to all interested personnel and affected parties. CC ID 14956 [The environmental policy shall: be communicated within the organization; § 5.2 ¶ 2 Bullet 2 The environmental policy shall: be available to interested parties. § 5.2 ¶ 2 Bullet 3] | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 | Establish/Maintain Documentation | Preventive | |
Include the scope in the physical and environmental protection policy. CC ID 14170 [The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. § 4.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 [Once the scope is defined, all activities, products and services of the organization within that scope need to be included in the environmental management system. § 4.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain records management policies. CC ID 00903 [{place}{time}Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain form disposition procedures. CC ID 06394 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a record classification scheme. CC ID 00914 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a business activity classification standard. CC ID 00915 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain records registration procedures. CC ID 00913 | Establish/Maintain Documentation | Detective | |
Define the terms used in the record classification scheme. CC ID 00916 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a records authentication system. CC ID 11648 | Establish/Maintain Documentation | Preventive | |
Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662 | Records Management | Preventive | |
Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 | Records Management | Detective | |
Establish and maintain an index of all official records. CC ID 00918 | Establish/Maintain Documentation | Preventive | |
Associate records with their security attributes. CC ID 06764 | Records Management | Preventive | |
Reconfigure the security attributes of records as the information changes. CC ID 06765 | Configuration | Preventive | |
Establish, implement, and maintain electronic signature requirements. CC ID 06219 | Establish/Maintain Documentation | Preventive | |
Implement a signature revocation service. CC ID 14417 | Business Processes | Preventive | |
Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 | Records Management | Preventive | |
Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 | Technical Security | Preventive | |
Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 | Technical Security | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Establish/Maintain Documentation | Detective | |
Store records and data in accordance with organizational standards. CC ID 16439 | Data and Information Management | Preventive | |
Remove dormant data from systems, as necessary. CC ID 13726 | Process or Activity | Preventive | |
Select the appropriate format for archived data and records. CC ID 06320 [When creating and updating documented information the organization should ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1 b)] | Data and Information Management | Preventive | |
Archive appropriate records, logs, and database tables. CC ID 06321 | Records Management | Preventive | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 | Testing | Detective | |
Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 | Data and Information Management | Preventive | |
Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Data and Information Management | Preventive | |
Establish, implement, and maintain storage media retention procedures. CC ID 16277 | Establish/Maintain Documentation | Preventive | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Process or Activity | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4 The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.2 ¶ 3 Bullet 1 The organization shall retain documented information as evidence of: the results of any corrective action. § 10.2 ¶ 3 Bullet 2 The organization shall retain documented information as evidence of its communications, as appropriate. § 7.4.1 ¶ 4 The organization shall maintain documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 5 The organization shall retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results. § 9.1.1 ¶ 6 The organization shall retain documented information as evidence of the compliance evaluation result(s). § 9.1.2 ¶ 3] | Records Management | Preventive | |
Define which documents and records the organization may capture. CC ID 00905 | Establish/Maintain Documentation | Detective | |
Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 | Records Management | Preventive | |
Retain all evidence of indebtedness. CC ID 11713 | Records Management | Preventive | |
Capture and maintain distribution records. CC ID 06205 | Records Management | Preventive | |
Capture and maintain Device Master Records. CC ID 06206 | Records Management | Preventive | |
Capture and maintain Device History Records. CC ID 06207 | Records Management | Preventive | |
Capture and maintain Quality System Records. CC ID 06208 | Records Management | Preventive | |
Capture and maintain logs as official records. CC ID 06319 | Log Management | Preventive | |
Capture and maintain all business records, including supporting temporary files. CC ID 06622 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 | Establish/Maintain Documentation | Preventive | |
Supervise media destruction in accordance with organizational standards. CC ID 16456 | Business Processes | Preventive | |
Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Data and Information Management | Preventive | |
Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 | Data and Information Management | Preventive | |
Degauss as a method of sanitizing electronic storage media. CC ID 00973 | Records Management | Preventive | |
Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 | Testing | Detective | |
Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Process or Activity | Preventive | |
Maintain media sanitization equipment in operational condition. CC ID 00721 | Testing | Detective | |
Use approved media sanitization equipment for destruction. CC ID 16459 | Business Processes | Preventive | |
Define each system's disposition requirements for records and logs. CC ID 11651 | Process or Activity | Preventive | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Manage the disposition status for all records. CC ID 00972 | Records Management | Preventive | |
Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 | Data and Information Management | Preventive | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records Management | Preventive | |
Place printed records awaiting destruction into secure containers. CC ID 12464 | Physical and Environmental Protection | Preventive | |
Destroy printed records so they cannot be reconstructed. CC ID 11779 | Physical and Environmental Protection | Preventive | |
Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Data and Information Management | Preventive | |
Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Establish/Maintain Documentation | Preventive | |
Maintain disposal records or redeployment records. CC ID 01644 | Establish/Maintain Documentation | Preventive | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 | Establish/Maintain Documentation | Preventive | |
Include transfer agreements in the secure record transaction standards. CC ID 14821 | Establish/Maintain Documentation | Preventive | |
Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 | Establish/Maintain Documentation | Preventive | |
Include receipt of electronic records in the transfer agreement. CC ID 14822 | Establish/Maintain Documentation | Preventive | |
Include standards for each data element in the secure record transaction standard. CC ID 06094 | Establish/Maintain Documentation | Preventive | |
Notify the supervisory authority of any changes to the required data elements. CC ID 14366 | Communicate | Corrective | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). § 7.5.3 ¶ 1 b)] | Records Management | Preventive | |
Capture the records required by organizational compliance requirements. CC ID 00912 [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: § 7.5.3 ¶ 1 The organization shall maintain documented information to the extent necessary to have confidence that the process(es) is (are) carried out as planned. § 8.2 ¶ 3] | Records Management | Detective | |
Establish, implement, and maintain authorization records. CC ID 14367 | Establish/Maintain Documentation | Preventive | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Establish/Maintain Documentation | Preventive | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Establish/Maintain Documentation | Preventive | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Establish/Maintain Documentation | Preventive | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Data and Information Management | Detective | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Data and Information Management | Preventive | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Data and Information Management | Preventive | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records Management | Preventive | |
Display required information automatically in electronic health records. CC ID 14442 | Process or Activity | Preventive | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Establish/Maintain Documentation | Preventive | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Actionable Reports or Measurements | Preventive | |
Create export summaries, as necessary. CC ID 14446 | Process or Activity | Preventive | |
Import data files into a patient's electronic health record. CC ID 14448 | Data and Information Management | Preventive | |
Export requested sections of the electronic health record. CC ID 14447 | Data and Information Management | Preventive | |
Identify patient-specific education resources. CC ID 14439 | Process or Activity | Detective | |
Establish and maintain an implantable device list. CC ID 14444 | Records Management | Preventive | |
Display the implantable device list to authorized users. CC ID 14445 | Data and Information Management | Preventive | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Business Processes | Preventive | |
Include attributes in the decision support intervention. CC ID 16766 | Data and Information Management | Preventive | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records Management | Preventive | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records Management | Preventive | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records Management | Preventive | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records Management | Preventive | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records Management | Preventive | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Log Management | Preventive | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Log Management | Preventive | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Establish/Maintain Documentation | Preventive | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Log Management | Preventive | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Log Management | Preventive | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Log Management | Preventive | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Log Management | Preventive | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Log Management | Preventive | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Log Management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Log Management | Preventive | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Log Management | Preventive | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Log Management | Preventive | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Log Management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Log Management | Preventive | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Log Management | Preventive | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Log Management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records Management | Preventive | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Log Management | Preventive | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Log Management | Preventive | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Log Management | Preventive | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Log Management | Preventive | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records Management | Preventive | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Log Management | Preventive | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Log Management | Preventive | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Log Management | Preventive | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Data and Information Management | Detective | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 [When creating and updating documented information the organization should ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1 b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Establish/Maintain Documentation | Preventive | |
Label restricted storage media appropriately. CC ID 00966 | Data and Information Management | Preventive | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records Management | Detective | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Establish/Maintain Documentation | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Establish/Maintain Documentation | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Data and Information Management | Preventive | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Technical Security | Preventive | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Establish/Maintain Documentation | Preventive | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Establish/Maintain Documentation | Preventive | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Establish/Maintain Documentation | Preventive | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Establish/Maintain Documentation | Preventive | |
Establish and maintain access controls for all records. CC ID 00371 [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 Bullet 1] | Records Management | Preventive | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Data and Information Management | Preventive | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3 ¶ 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Technical Security | Preventive | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records Management | Preventive | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records Management | Preventive | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records Management | Preventive | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Technical Security | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3 ¶ 2 Bullet 2] | Records Management | Preventive | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Testing | Detective | |
Provide encryption for different types of electronic storage media. CC ID 00945 | Technical Security | Preventive | |
Implement electronic storage media integrity controls. CC ID 00946 | Configuration | Preventive | |
Automate electronic storage media integrity check controls. CC ID 00948 | Configuration | Preventive | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Configuration | Preventive | |
Provide audit trails for all pertinent records. CC ID 00372 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 | Log Management | Preventive | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Establish/Maintain Documentation | Preventive | |
Include the date and time in the removable storage media log. CC ID 12318 | Establish/Maintain Documentation | Preventive | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Establish/Maintain Documentation | Preventive | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Establish/Maintain Documentation | Preventive | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Establish/Maintain Documentation | Preventive | |
Include the sender's name in the removable storage media log. CC ID 12752 | Establish/Maintain Documentation | Preventive | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Establish/Maintain Documentation | Preventive | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Process or Activity | Preventive | |
Identify electronic storage media that require downgrading. CC ID 10620 | Process or Activity | Detective | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Process or Activity | Corrective | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Establish/Maintain Documentation | Preventive | |
Test the storage media downgrade for correct performance. CC ID 10623 | Testing | Detective | |
Establish, implement, and maintain output distribution procedures. CC ID 00927 [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include printed output in output distribution procedures. CC ID 13477 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain document retention procedures. CC ID 11660 [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 Bullet 4 The organization shall retain documented information as evidence of: § 10.2 ¶ 3] | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 [The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. § 8.1 ¶ 3] | Business Processes | Detective | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. § 8.1 ¶ 3] | Monitor and Evaluate Occurrences | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Monitor and Evaluate Occurrences | Detective | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 | Business Processes | Preventive | |
Identify red flags in the supply chain. CC ID 08873 | Business Processes | Preventive | |
Detect red flags in the supply chain. CC ID 08874 | Business Processes | Preventive | |
Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 | Business Processes | Preventive | |
Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 | Business Processes | Preventive | |
Establish and maintain an interactive map of third party red flag locations. CC ID 08876 | Business Processes | Preventive | |
Collect information on red-flagged supply chains. CC ID 08877 | Business Processes | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Preventive | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the resources needed for the environmental management system are available; § 5.1 ¶ 1 d) The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the environmental management system. § 7.1 ¶ 1 The outputs of the management review shall include: decisions related to any need for changes to the environmental management system, including resources; § 9.3 ¶ 3 Bullet 3] | Operational management | Preventive | |
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Operational management | Preventive | |
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Preventive | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include chain of custody procedures in the product and services acquisition program. CC ID 10058 | Acquisition or sale of facilities, technology, and services | Preventive | |
Review and update the acquisition contracts, as necessary. CC ID 14279 | Acquisition or sale of facilities, technology, and services | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Preventive | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Detective | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Monitoring and measurement | Detective | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Detective | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Detective | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2 a)] | Monitoring and measurement | Detective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Detective | |
Report on the percentage of individuals who have access to security software and are trained, authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Detective | |
Report on the percentage of individuals who are able to assign security privileges and are trained, authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Detective | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Detective | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Detective | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Detective | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Detective | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Detective | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Detective | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 [The management review shall include consideration of: information on the organization's environmental performance, including trends in: monitoring and measurement results; § 9.3 ¶ 2 d) 2) The organization shall monitor, measure, analyse and evaluate its environmental performance. § 9.1.1 ¶ 1 The organization shall determine: the criteria against which the organization will evaluate its environmental performance, and appropriate indicators; § 9.1.1 ¶ 2 c) {be measurable} The environmental objectives shall be: measurable (if practicable); § 6.2.1 ¶ 2 b)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Detective | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Monitoring and measurement | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Detective | |
Report on the percentage of laptops and mobile devices that must be in compliance with the approved configuration standard before being granted network access. CC ID 02106 | Monitoring and measurement | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Detective | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Detective | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Detective | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Detective | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Preventive | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [The organization shall retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2.2 ¶ 4] | Audits and risk management | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Preventive | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Corrective | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Corrective | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Preventive |
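The patch-management metrics in the table above (percentage of systems with all approved patches installed, mean time from patch availability to installation, and the similarly shaped elapsed time from vulnerability discovery to corrective action) are easy to state and easy to get subtly wrong. The Python below is an added example, not code from the UCF report, Network Frontiers, or ISO 14001; its inventory rows, system names and patch identifiers are constructed for illustration. It shows the caveat a practitioner would want in the report: a mean computed only over completed installs stays flat while the backlog grows, so the example also offers a variant that ages outstanding patches, and it refuses inventory rows whose install date precedes the availability date.

```python
# Added example (not part of the UCF report or ISO 14001): computing the
# patch-management metrics named above from a constructed inventory.
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    """One (system, approved patch) pair. All field values here are constructed."""
    system: str
    patch_id: str              # hypothetical identifier, e.g. "P-1"
    available: date            # date the patch was published and approved
    installed: Optional[date]  # None while the patch is still outstanding

    def __post_init__(self):
        # Reject inventory rows that would make the metric meaningless.
        if self.installed is not None and self.installed < self.available:
            raise ValueError(f"{self.system}/{self.patch_id}: installed before available")


# Constructed sample inventory: three systems, two approved patches.
SAMPLE = [
    PatchRecord("web-01", "P-1", date(2024, 1, 2), date(2024, 1, 9)),
    PatchRecord("web-01", "P-2", date(2024, 1, 16), date(2024, 1, 20)),
    PatchRecord("db-01", "P-1", date(2024, 1, 2), date(2024, 1, 30)),
    PatchRecord("db-01", "P-2", date(2024, 1, 16), None),
    PatchRecord("vpn-01", "P-1", date(2024, 1, 2), None),
]
AS_OF = date(2024, 1, 31)  # end of the constructed reporting period


def _in_window(record, as_of):
    """Only patches already available on the reporting date are in scope."""
    return record.available <= as_of


def _installed_by(record, as_of):
    return record.installed is not None and record.installed <= as_of


def fully_patched_percentage(records, as_of):
    """Percentage of systems with every approved patch installed as of `as_of`.

    Returns None when no patch was in scope, so an empty window is not
    reported as either 0 % or 100 %."""
    status = {}
    for r in records:
        if not _in_window(r, as_of):
            continue
        status[r.system] = status.get(r.system, True) and _installed_by(r, as_of)
    if not status:
        return None
    return 100.0 * sum(status.values()) / len(status)


def mean_days_to_install(records, as_of, include_open=False):
    """Mean days from patch availability to installation.

    By default only completed installs are averaged, which is how the metric
    is usually stated but hides a growing backlog. With include_open=True every
    outstanding patch contributes its age at `as_of`, so the figure rises for
    as long as patches stay uninstalled."""
    durations = []
    for r in records:
        if not _in_window(r, as_of):
            continue
        if _installed_by(r, as_of):
            durations.append((r.installed - r.available).days)
        elif include_open:
            durations.append((as_of - r.available).days)
    return mean(durations) if durations else None


def outstanding_patches(records, as_of):
    """Map each system to the approved patches it is still missing."""
    missing = {}
    for r in records:
        if _in_window(r, as_of) and not _installed_by(r, as_of):
            missing.setdefault(r.system, []).append(r.patch_id)
    return missing


def patch_report(records=SAMPLE, as_of=AS_OF):
    """The figures one reporting period would carry, in a single dict."""
    return {
        "fully_patched_pct": fully_patched_percentage(records, as_of),
        "mean_days_closed_only": mean_days_to_install(records, as_of),
        "mean_days_with_backlog": mean_days_to_install(records, as_of, include_open=True),
        "outstanding": outstanding_patches(records, as_of),
    }


if __name__ == "__main__":
    for key, value in patch_report().items():
        print(f"{key}: {value}")
```

On the constructed data only one of three systems is fully patched, the closed-only mean is 13 days, and the backlog-aware mean is 16.6 days; reporting both figures side by side is what makes a widening gap between them visible to the reader of the report.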

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Preventive | |
Manage supply chain audits. CC ID 01203 | Audits and risk management | Preventive | |
Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Preventive | |
Rotate auditors, as necessary. CC ID 15589 | Audits and risk management | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and risk management | Preventive | |
Review the external audit scope, as necessary. CC ID 01202 | Audits and risk management | Preventive | |
Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and risk management | Detective | |
Review the external auditor's qualifications. CC ID 01197 | Audits and risk management | Preventive | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and risk management | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Detective | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and risk management | Preventive | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Detective | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Preventive | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Preventive | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 3 a)] | Audits and risk management | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Detective | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 3 b) The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: § 9.2.1 ¶ 1] | Audits and risk management | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 [The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: conforms to: the requirements of this International Standard; § 9.2.1 ¶ 1 a) 2) The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: conforms to: the organization's own requirements for its environmental management system; § 9.2.1 ¶ 1 a) 1)] | Audits and risk management | Preventive | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 [{be effective} The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: is effectively implemented and maintained. § 9.2.1 ¶ 1 b)] | Audits and risk management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Preventive | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Detective | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 | Audits and risk management | Preventive | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Corrective | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Detective | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Detective | |
Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and risk management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Preventive | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 [{external and internal issues} and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; § 6.1.1 ¶ 3 Bullet 2 The organization shall plan: how to: evaluate the effectiveness of these actions (see 9.1). § 6.1.4 ¶ 1 b) 2) When planning how to achieve its environmental objectives, the organization shall determine: how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). § 6.2.2 ¶ 1 e) The organization shall evaluate its environmental performance and the effectiveness of the environmental management system. § 9.1.1 ¶ 4 The outputs of the management review shall include: actions, if needed, when environmental objectives have not been achieved; § 9.3 ¶ 3 Bullet 4 The outputs of the management review shall include: any implications for the strategic direction of the organization. § 9.3 ¶ 3 Bullet 6] | Operational management | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Leadership and high level objectives | Preventive | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Leadership and high level objectives | Preventive | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Leadership and high level objectives | Preventive | |
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 | Leadership and high level objectives | Preventive | |
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 | Leadership and high level objectives | Preventive | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable: § 10.2 ¶ 1 a)] | Monitoring and measurement | Corrective | |
Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Audits and risk management | Preventive | |
Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Audits and risk management | Preventive | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2] | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Detective | |
Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Preventive | |
Train personnel on the continuity plan. CC ID 00759 [The organization shall: provide relevant information and training related to emergency preparedness and response, as appropriate, to relevant interested parties, including persons working under its control. § 8.2 ¶ 2 f)] | Operational and Systems Continuity | Preventive | |
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 | Operational and Systems Continuity | Preventive | |
Incorporate simulated events into the continuity plan training. CC ID 01402 | Operational and Systems Continuity | Preventive | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Human Resources management | Preventive | |
Use rewards and career development to motivate personnel. CC ID 06906 | Human Resources management | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. § 7.2 ¶ 1 d)] | Human Resources management | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 | Human Resources management | Preventive | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Human Resources management | Preventive | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Human Resources management | Preventive | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Preventive | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Preventive | |
Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Preventive | |
Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Corrective | |
Conduct crime prevention training. CC ID 06350 | Human Resources management | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 [{internal communication}{be relevant} The organization shall: internally communicate information relevant to the environmental management system among the various levels and functions of the organization, including changes to the environmental management system, as appropriate; § 7.4.2 ¶ 1 a)] | Operational management | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [{internal communication}{be relevant} The organization shall: internally communicate information relevant to the environmental management system among the various levels and functions of the organization, including changes to the environmental management system, as appropriate; § 7.4.2 ¶ 1 a) {external communication}{be relevant} The organization shall externally communicate information relevant to the environmental management system, as established by the organization's communication process(es) and as required by its compliance obligations. § 7.4.3 ¶ 1 The organization shall: maintain knowledge and understanding of its compliance status. § 9.1.2 ¶ 2 c) The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations. § 9.1.1 ¶ 5] | Operational management | Preventive | |
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Operational management | Preventive | |
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Operational management | Preventive | |
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Preventive | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Preventive | |
Prohibit the use of Personal Electronic Devices, absent approval. CC ID 04599 | Acquisition or sale of facilities, technology, and services | Detective | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 [Top management shall assign the responsibility and authority for: reporting on the performance of the environmental management system, including environmental performance, to top management. § 5.3 ¶ 2 b)] | Leadership and high level objectives | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 | Leadership and high level objectives | Preventive | |
Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Preventive | |
Identify the material topics required to be reported on. CC ID 15654 | Leadership and high level objectives | Preventive | |
Analyze the business environment in which the organization operates. CC ID 12798 [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2] | Leadership and high level objectives | Preventive | |
Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization. § 4.1 ¶ 1] | Leadership and high level objectives | Preventive | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring the integration of the environmental management system requirements into the organization's business processes; § 5.1 ¶ 1 c)] | Leadership and high level objectives | Preventive | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Preventive | |
Include society in the analysis of the external environment. CC ID 12963 | Leadership and high level objectives | Preventive | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Preventive | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Preventive | |
Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Preventive | |
Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Preventive | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Preventive | |
Include legal requirements in the analysis of the external environment. CC ID 12896 | Leadership and high level objectives | Preventive | |
Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Preventive | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 | Leadership and high level objectives | Preventive | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 | Leadership and high level objectives | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Leadership and high level objectives | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Leadership and high level objectives | Preventive | |
Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Preventive | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [The organization shall determine: the relevant needs and expectations (i.e. requirements) of these interested parties; § 4.2 ¶ 1 b)] | Leadership and high level objectives | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 | Leadership and high level objectives | Detective | |
Correct errors and deficiencies in a timely manner. CC ID 13501 | Leadership and high level objectives | Corrective | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Detective | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Detective | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 | Leadership and high level objectives | Preventive | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Leadership and high level objectives | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Preventive | |
Estimate the costs of implementing the compliance framework. CC ID 07191 | Leadership and high level objectives | Preventive | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [The organization shall ensure that persons doing work under the organization's control are aware of: the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. § 7.3 ¶ 1 d)] | Leadership and high level objectives | Preventive | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Preventive | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Preventive | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Preventive | |
Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Preventive | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Preventive | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Preventive | |
Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Preventive | |
Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Preventive | |
Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Preventive | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Preventive | |
Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Preventive | |
Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Preventive | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 [The organization's environmental management system shall include: documented information determined by the organization as being necessary for the effectiveness of the environmental management system. § 7.5.1 ¶ 1 b) The management review shall include consideration of: information on the organization's environmental performance, including trends in: § 9.3 ¶ 2 d)] | Monitoring and measurement | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by: § 10.2 ¶ 1 b)] | Monitoring and measurement | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Preventive | |
Align corrective actions with the level of environmental impact. CC ID 15193 [Corrective actions shall be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s). § 10.2 ¶ 2] | Monitoring and measurement | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Preventive | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Preventive | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Audits and risk management | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Corrective | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Preventive | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Human Resources management | Preventive | |
Evaluate the staffing requirements regularly. CC ID 00775 [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; § 7.2 ¶ 1 a)] | Human Resources management | Detective | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Preventive | |
Plan for business process conversions, as necessary. CC ID 13678 [The organization shall plan: how to: integrate and implement the actions into its environmental management system processes (see 6.2, Clause 7, Clause 8 and 9.1), or other business processes; § 6.1.4 ¶ 1 b) 1)] | Operational management | Corrective | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Detective | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [Consistent with a life cycle perspective, the organization shall: consider the need to provide information about potential significant environmental impacts associated with the transportation or delivery, use, end-of-life treatment and final disposal of its products and services. § 8.1 ¶ 4 d)] | Operational management | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Preventive | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Preventive | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 | Operational management | Preventive | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Preventive | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Preventive | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Preventive | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Operational management | Preventive | |
Dispose of hardware and software at their life cycle end. CC ID 06278 | Operational management | Preventive | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Preventive | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Preventive | |
Implement changes according to the change control program. CC ID 11776 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Operational management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Operational management | Corrective | |
Manage the creation of products and services, as necessary. CC ID 13497 [Consistent with a life cycle perspective, the organization shall: establish controls, as appropriate, to ensure that its environmental requirement(s) is (are) addressed in the design and development process for the product or service, considering each life cycle stage; § 8.1 ¶ 4 a)] | Operational management | Preventive | |
Define the processing activities to meet products and services creation requirements. CC ID 13499 | Operational management | Preventive | |
Establish, implement, and maintain an environmental management system. CC ID 14945 [The organization shall consider the knowledge gained in 4.1 and 4.2 when establishing and maintaining the environmental management system. § 4.4 ¶ 2 Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental management system achieves its intended outcomes; § 5.1 ¶ 1 f) To achieve the intended outcomes, including enhancing its environmental performance, the organization shall establish, implement, maintain and continually improve an environmental management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard. § 4.4 ¶ 1 The organization shall continually improve the suitability, adequacy and effectiveness of the environmental management system to enhance environmental performance. § 10.3 ¶ 1 The outputs of the management review shall include: conclusions on the continuing suitability, adequacy and effectiveness of the environmental management system; § 9.3 ¶ 3 Bullet 1 {environmental objectives}{compliance obligations} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: § 8.1 ¶ 1 When a nonconformity occurs, the organization shall: make changes to the environmental management system, if necessary. § 10.2 ¶ 1 e) Top management shall review the organization's environmental management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1] | Operational management | Preventive | |
Establish, implement, and maintain an approach for environmental performance monitoring. CC ID 15220 [The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1.1 ¶ 2 e)] | Operational management | Preventive | |
Integrate environmental objectives into the business process. CC ID 15192 [The organization shall consider how actions to achieve its environmental objectives can be integrated into the organization's business processes. § 6.2.2 ¶ 2] | Operational management | Preventive | |
Provide management direction and support for the environmental management system. CC ID 14968 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: directing and supporting persons to contribute to the effectiveness of the environmental management system; § 5.1 ¶ 1 g)] | Operational management | Preventive | |
Provide assurance that the environmental management system meets all compliance requirements. CC ID 14958 [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: give assurance that the environmental management system can achieve its intended outcomes; § 6.1.1 ¶ 3 Bullet 1] | Operational management | Preventive | |
Analyze activities, products, and services within the scope of the environmental management system to determine the environmental aspects. CC ID 15183 [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1] | Operational management | Detective | |
Implement a signature revocation service. CC ID 14417 | Records management | Preventive | |
Supervise media destruction in accordance with organizational standards. CC ID 16456 | Records management | Preventive | |
Use approved media sanitization equipment for destruction. CC ID 16459 | Records management | Preventive | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Preventive | |
Obtain authorization for marketing new products. CC ID 16805 | Acquisition or sale of facilities, technology, and services | Preventive | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 [The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. § 8.1 ¶ 3] | Third Party and supply chain oversight | Detective | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 | Third Party and supply chain oversight | Preventive | |
Identify red flags in the supply chain. CC ID 08873 | Third Party and supply chain oversight | Preventive | |
Detect red flags in the supply chain. CC ID 08874 | Third Party and supply chain oversight | Preventive | |
Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 | Third Party and supply chain oversight | Preventive | |
Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 | Third Party and supply chain oversight | Preventive | |
Establish and maintain an interactive map of third party red flag locations. CC ID 08876 | Third Party and supply chain oversight | Preventive | |
Collect information on red-flagged supply chains. CC ID 08877 | Third Party and supply chain oversight | Preventive | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Preventive | |
Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Preventive | |
Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Preventive | |
Prioritize material topics used in reporting. CC ID 15678 | Leadership and high level objectives | Preventive | |
Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Leadership and high level objectives | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Leadership and high level objectives | Preventive | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Corrective | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 [The scope shall be maintained as documented information and be available to interested parties. § 4.3 ¶ 4] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Leadership and high level objectives | Preventive | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Preventive | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Preventive | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Preventive | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Preventive | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 | Physical and environmental protection | Preventive | |
Report changes in the continuity plan to senior management. CC ID 12757 | Operational and Systems Continuity | Corrective | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Preventive | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Preventive | |
Disseminate and communicate environmental requirements to interested personnel and affected parties. CC ID 15196 [Consistent with a life cycle perspective, the organization shall: communicate its relevant environmental requirement(s) to external providers, including contractors; § 8.1 ¶ 4 c)] | Operational management | Preventive | |
Disseminate and communicate the environmental objectives to interested personnel and affected parties. CC ID 15190 [The environmental objectives shall be: communicated; § 6.2.1 ¶ 2 d)] | Operational management | Preventive | |
Disseminate and communicate the environmental aspects to interested personnel and affected parties. CC ID 14983 [The organization shall communicate its significant environmental aspects among the various levels and functions of the organization, as appropriate. § 6.1.2 ¶ 4] | Operational management | Preventive | |
Disseminate and communicate the environmental management system to interested personnel and affected parties. CC ID 14976 [{be effective}Top management shall demonstrate leadership and commitment with respect to the environmental management system by: communicating the importance of effective environmental management and of conforming to the environmental management system requirements; § 5.1 ¶ 1 e)] | Operational management | Preventive | |
Disseminate and communicate the environmental policy to all interested personnel and affected parties. CC ID 14956 [The environmental policy shall: be communicated within the organization; § 5.2 ¶ 2 Bullet 2 The environmental policy shall: be available to interested parties. § 5.2 ¶ 2 Bullet 3] | Operational management | Preventive | |
Notify the supervisory authority of any changes to the required data elements. CC ID 14366 | Records management | Corrective | |
Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 | Acquisition or sale of facilities, technology, and services | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive | |
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Operational management | Preventive | |
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Preventive | |
Reconfigure the security attributes of records as the information changes. CC ID 06765 | Records management | Preventive | |
Implement electronic storage media integrity controls. CC ID 00946 | Records management | Preventive | |
Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Preventive | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Preventive | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Preventive | |
Define the scope of the security policy. CC ID 07145 | Leadership and high level objectives | Preventive | |
Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Preventive | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Preventive | |
Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Preventive | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Preventive | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Preventive | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Preventive | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Operational management | Preventive | |
Store records and data in accordance with organizational standards. CC ID 16439 | Records management | Preventive | |
Select the appropriate format for archived data and records. CC ID 06320 [When creating and updating documented information the organization should ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1 b)] | Records management | Preventive | |
Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 | Records management | Preventive | |
Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Records management | Preventive | |
Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Records management | Preventive | |
Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 | Records management | Preventive | |
Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 | Records management | Preventive | |
Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Records management | Preventive | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Detective | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Preventive | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Preventive | |
Import data files into a patient's electronic health record. CC ID 14448 | Records management | Preventive | |
Export requested sections of the electronic health record. CC ID 14447 | Records management | Preventive | |
Display the implantable device list to authorized users. CC ID 14445 | Records management | Preventive | |
Include attributes in the decision support intervention. CC ID 16766 | Records management | Preventive | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Detective | |
Label restricted storage media appropriately. CC ID 00966 | Records management | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Preventive | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Preventive | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Leadership and high level objectives | Preventive | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Preventive | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Audits and risk management | Preventive | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 | Audits and risk management | Preventive | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Preventive | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Preventive | |
Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Audits and risk management | Preventive | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Audits and risk management | Preventive | |
Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Audits and risk management | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 3 b)] | Audits and risk management | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. § 5.3 ¶ 1] | Human Resources management | Preventive | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Human Resources management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Human Resources management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Preventive | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Human Resources management | Preventive | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Human Resources management | Preventive | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Human Resources management | Preventive | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Human Resources management | Preventive | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Human Resources management | Preventive | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Human Resources management | Preventive | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Human Resources management | Preventive | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Human Resources management | Preventive | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Human Resources management | Preventive | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Human Resources management | Preventive | |
Assign a contact person to all business units. CC ID 07144 | Human Resources management | Preventive | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Preventive | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
Classify assets according to the Asset Classification Policy. CC ID 07186 | Operational management | Preventive | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Operational management | Preventive | |
Assign accountability for the effectiveness of the environmental management system. CC ID 14966 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: taking accountability for the effectiveness of the environmental management system; § 5.1 ¶ 1 a)] | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain communication protocols. CC ID 12245 [When establishing its communication process(es), the organization shall: take into account its compliance obligations; § 7.4.1 ¶ 2 Bullet 1 {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: on what it will communicate; § 7.4.1 ¶ 1 a) {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: when to communicate; § 7.4.1 ¶ 1 b) {subject}{internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: with whom to communicate; § 7.4.1 ¶ 1 c) {internal communications}The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: how to communicate. § 7.4.1 ¶ 1 d) {be relevant} The organization shall respond to relevant communications on its environmental management system. § 7.4.1 ¶ 3] | Leadership and high level objectives | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 [When establishing its communication process(es), the organization shall: ensure that environmental information communicated is consistent with information generated within the environmental management system, and is reliable. § 7.4.1 ¶ 2 Bullet 2] | Leadership and high level objectives | Preventive | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Preventive | |
Include input from interested personnel and affected parties as a part of the organization's communication protocol. CC ID 12417 [The management review shall include consideration of: changes in: the needs and expectations of interested parties, including compliance obligations; § 9.3 ¶ 2 b) 2) The management review shall include consideration of: relevant communication(s) from interested parties, including complaints; § 9.3 ¶ 2 f)] | Leadership and high level objectives | Preventive | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Leadership and high level objectives | Preventive | |
Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Preventive | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Preventive | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Preventive | |
Define the thresholds for reporting in the external reporting program. CC ID 15679 | Leadership and high level objectives | Preventive | |
Include information about the organizational culture in the external reporting program. CC ID 15610 | Leadership and high level objectives | Preventive | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Preventive | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 [The organization shall determine: which of these needs and expectations become its compliance obligations. § 4.2 ¶ 1 c)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [The management review shall include consideration of: changes in: external and internal issues that are relevant to the environmental management system; § 9.3 ¶ 2 b) 1)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 | Leadership and high level objectives | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Leadership and high level objectives | Preventive | |
Approve the data classification scheme. CC ID 13858 | Leadership and high level objectives | Detective | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Leadership and high level objectives | Preventive | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Leadership and high level objectives | Preventive | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Leadership and high level objectives | Preventive | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Leadership and high level objectives | Preventive | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Leadership and high level objectives | Preventive | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Leadership and high level objectives | Preventive | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Leadership and high level objectives | Preventive | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Leadership and high level objectives | Preventive | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Leadership and high level objectives | Preventive | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Leadership and high level objectives | Preventive | |
Include the data source in the data dictionary. CC ID 13519 | Leadership and high level objectives | Preventive | |
Include the nature of each element in the data dictionary. CC ID 13518 | Leadership and high level objectives | Preventive | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Preventive | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 | Leadership and high level objectives | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Preventive | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Leadership and high level objectives | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Preventive | |
Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Preventive | |
Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2 a) {interested parties}{environmental management system}When determining this scope, the organization shall consider: the compliance obligations referred to in 4.2; § 4.3 ¶ 2 b)] | Leadership and high level objectives | Preventive | |
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Leadership and high level objectives | Preventive | |
Correlate Information Systems with applicable controls. CC ID 01621 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Leadership and high level objectives | Preventive | |
Include the effective date on all organizational policies. CC ID 06820 | Leadership and high level objectives | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Detective | |
Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Leadership and high level objectives | Preventive | |
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Leadership and high level objectives | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 [The organization shall: determine and have access to the compliance obligations related to its environmental aspects; § 6.1.3 ¶ 1 a)] | Leadership and high level objectives | Preventive | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Detective | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1 c) The scope shall be maintained as documented information and be available to interested parties. § 4.3 ¶ 4 The organization shall maintain documented information of its compliance obligations. § 6.1.3 ¶ 2 The organization's environmental management system shall include: documented information required by this International Standard; § 7.5.1 ¶ 1 a)] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Preventive | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Detective | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
Align the Authority Document list with external requirements. CC ID 06288 [The organization shall: determine how these compliance obligations apply to the organization; § 6.1.3 ¶ 1 b) Documented information of external origin determined by the organization to be necessary for the planning and operation of the environmental management system shall be identified, as appropriate, and controlled. § 7.5.3 ¶ 3 The organization shall: determine and have access to the compliance obligations related to its environmental aspects; § 6.1.3 ¶ 1 a)] | Leadership and high level objectives | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 | Leadership and high level objectives | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 [When determining this scope, the organization shall consider: its authority and ability to exercise control and influence. § 4.3 ¶ 2 e)] | Leadership and high level objectives | Preventive | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Leadership and high level objectives | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Leadership and high level objectives | Preventive | |
Include criteria for compliance in the decision-making criteria. CC ID 12951 | Leadership and high level objectives | Preventive | |
Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 | Leadership and high level objectives | Preventive | |
Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 | Leadership and high level objectives | Preventive | |
Include criteria for setting priorities in the decision-making criteria. CC ID 12938 | Leadership and high level objectives | Preventive | |
Identify and document the events that initiate the decision management strategy. CC ID 06914 | Leadership and high level objectives | Detective | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Preventive | |
Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Preventive | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Leadership and high level objectives | Preventive | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Preventive | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Preventive | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Preventive | |
Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Preventive | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Preventive | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Preventive | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Preventive | |
Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Preventive | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Preventive | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Preventive | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Preventive | |
Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Preventive | |
Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Preventive | |
Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Preventive | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Preventive | |
Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Preventive | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Preventive | |
Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Preventive | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Preventive | |
Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Preventive | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Preventive | |
Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Preventive | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Preventive | |
Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Preventive | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Preventive | |
Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Preventive | |
Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Preventive | |
Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Preventive | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Preventive | |
Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Preventive | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Preventive | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Preventive | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Preventive | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Preventive | |
Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Preventive | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Preventive | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Preventive | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Preventive | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Preventive | |
Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Preventive | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Preventive | |
Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Preventive | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Preventive | |
Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Preventive | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Preventive | |
Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Preventive | |
Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Leadership and high level objectives | Preventive | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Preventive | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Preventive | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Preventive | |
Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Preventive | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Preventive | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Preventive | |
Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Preventive | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Preventive | |
Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Preventive | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Preventive | |
Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Preventive | |
Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Preventive | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Preventive | |
Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Preventive | |
Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Preventive | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Preventive | |
Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Preventive | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Preventive | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Preventive | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Preventive | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Preventive | |
Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Preventive | |
Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Preventive | |
Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Preventive | |
Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{what needs to be measured} The organization shall determine: what needs to be monitored and measured; § 9.1.1 ¶ 2 a) The organization shall determine: when the monitoring and measuring shall be performed; § 9.1.1 ¶ 2 d)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The organization shall: determine the frequency that compliance will be evaluated; § 9.1.2 ¶ 2 a)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Preventive | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.2 ¶ 3 Bullet 1 The management review shall include consideration of: information on the organization's environmental performance, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2 d) 1)] | Monitoring and measurement | Preventive | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Preventive | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 [{environmental aspect} The organization shall plan: to take actions to address its: risks and opportunities identified in 6.1.1; § 6.1.4 ¶ 1 a) 3)] | Monitoring and measurement | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 [The organization shall plan: to take actions to address its: significant environmental aspects; § 6.1.4 ¶ 1 a) 1)] | Monitoring and measurement | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Preventive | |
Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Audits and risk management | Preventive | |
Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Audits and risk management | Preventive | |
Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Audits and risk management | Preventive | |
Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Audits and risk management | Preventive | |
Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Audits and risk management | Preventive | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Preventive | |
Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Audits and risk management | Preventive | |
Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Audits and risk management | Preventive | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Audits and risk management | Preventive | |
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Audits and risk management | Preventive | |
Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Audits and risk management | Preventive | |
Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Audits and risk management | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Preventive | |
Establish and maintain audit terms. CC ID 13880 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Preventive | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 | Audits and risk management | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Preventive | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 3 a)] | Audits and risk management | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Audits and risk management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Preventive | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Preventive | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Preventive | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Preventive | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Preventive | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Preventive | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Preventive | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Preventive | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Preventive | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Preventive | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Preventive | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Preventive | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Preventive | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Preventive | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Preventive | |
Include how access to in scope systems, personnel, and in scope records is provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Preventive | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Audits and risk management | Preventive | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Preventive | |
Establish and maintain a practitioner's report on management's assertions, as necessary. CC ID 13888 | Audits and risk management | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Corrective | |
Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Audits and risk management | Preventive | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Preventive | |
Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Preventive | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Preventive | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Preventive | |
Establish, implement, and maintain a practitioner's report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Audits and risk management | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Detective | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Preventive | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Preventive | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Preventive | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Preventive | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Preventive | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Preventive | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Preventive | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Detective | |
Review past audit reports. CC ID 01155 [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2 The management review shall include consideration of: information on the organization's environmental performance, including trends in: audit results; § 9.3 ¶ 2 d) 4)] | Audits and risk management | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Detective | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Corrective | |
Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Preventive | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Preventive | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Preventive | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Preventive | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Preventive | |
Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 | Audits and risk management | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Preventive | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Preventive | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Audits and risk management | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Detective | |
Accept the audit report. CC ID 07025 | Audits and risk management | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2] | Audits and risk management | Corrective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Audits and risk management | Preventive | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Audits and risk management | Preventive | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 | Physical and environmental protection | Preventive | |
Include the scope in the physical and environmental protection policy. CC ID 14170 [The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. § 4.3 ¶ 1] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 [Once the scope is defined, all activities, products and services of the organization within that scope need to be included in the environmental management system. § 4.3 ¶ 3] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{response} {adverse impact} The organization shall: prepare to respond by planning actions to prevent or mitigate adverse environmental impacts from emergency situations; § 8.2 ¶ 2 a)] | Operational and Systems Continuity | Preventive | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Preventive | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Preventive | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 | Operational and Systems Continuity | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Operational and Systems Continuity | Preventive | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 [The organization shall establish, implement and maintain the process(es) needed to prepare for and respond to potential emergency situations identified in 6.1.1. § 8.2 ¶ 1] | Operational and Systems Continuity | Corrective | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Operational and Systems Continuity | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Preventive | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [The organization shall: periodically review and revise the process(es) and planned response actions, in particular after the occurrence of emergency situations or tests; § 8.2 ¶ 2 e) {be appropriate} The organization shall: take action to prevent or mitigate the consequences of emergency situations, appropriate to the magnitude of the emergency and the potential environmental impact; § 8.2 ¶ 2 c)] | Operational and Systems Continuity | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Preventive | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Detective | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Operational and Systems Continuity | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Preventive | |
Define the scope for the security operations center. CC ID 15713 | Human Resources management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Preventive | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Human Resources management | Preventive | |
Define and assign the security staff roles and responsibilities. CC ID 11750 | Human Resources management | Preventive | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Detective | |
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; § 7.2 ¶ 1 a)] | Human Resources management | Preventive | |
Establish and maintain an annual report on compensation. CC ID 14801 | Human Resources management | Preventive | |
Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Human Resources management | Preventive | |
Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Human Resources management | Preventive | |
Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Human Resources management | Preventive | |
Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Human Resources management | Preventive | |
Establish, implement, and maintain job applications. CC ID 16180 | Human Resources management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Preventive | |
Document all training in a training record. CC ID 01423 [The organization shall retain appropriate documented information as evidence of competence. § 7.2 ¶ 2] | Human Resources management | Detective | |
Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 [The organization shall: determine training needs associated with its environmental aspects and its environmental management system; § 7.2 ¶ 1 c)] | Human Resources management | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Preventive | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Preventive | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Preventive | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 [The organization shall ensure that persons doing work under the organization's control are aware of: the significant environmental aspects and related actual or potential environmental impacts associated with their work; § 7.3 ¶ 1 b) The organization shall ensure that persons doing work under the organization's control are aware of: the environmental policy; § 7.3 ¶ 1 a) The organization shall ensure that persons doing work under the organization's control are aware of: the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. § 7.3 ¶ 1 d) The organization shall ensure that persons doing work under the organization's control are aware of: their contribution to the effectiveness of the environmental management system, including the benefits of enhanced environmental performance; § 7.3 ¶ 1 c)] | Human Resources management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [The organization shall plan: to take actions to address its: compliance obligations; § 6.1.4 ¶ 1 a) 2) The organization shall establish, implement and maintain the process(es) needed to evaluate fulfilment of its compliance obligations. § 9.1.2 ¶ 1] | Operational management | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2 The management review shall include consideration of: changes in: its significant environmental aspects; § 9.3 ¶ 2 b) 3) The management review shall include consideration of: changes in: risks and opportunities; § 9.3 ¶ 2 b) 4) The outputs of the management review shall include: decisions related to any need for changes to the environmental management system, including resources; § 9.3 ¶ 3 Bullet 3] | Operational management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [The management review shall include consideration of opportunities for continual improvement. § 9.3 ¶ 2 g) The outputs of the management review shall include: decisions related to continual improvement opportunities; § 9.3 ¶ 3 Bullet 2] | Operational management | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Preventive | |
Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
Include access control in the information security program. CC ID 12386 | Operational management | Preventive | |
Include operations management in the information security program. CC ID 12385 | Operational management | Preventive | |
Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
Include physical security in the information security program. CC ID 12382 | Operational management | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Preventive | |
Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [Top management shall assign the responsibility and authority for: ensuring that the environmental management system conforms to the requirements of this International Standard; § 5.3 ¶ 2 a) The outputs of the management review shall include: opportunities to improve integration of the environmental management system with other business processes, if needed; § 9.3 ¶ 3 Bullet 5] | Operational management | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Preventive | |
Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Preventive | |
Include program objectives in the asset management program. CC ID 14413 | Operational management | Preventive | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Preventive | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Preventive | |
Define confidentiality controls. CC ID 01908 | Operational management | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Preventive | |
Define integrity controls. CC ID 01909 | Operational management | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Operational management | Preventive | |
Define availability controls. CC ID 01911 | Operational management | Preventive | |
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Operational management | Preventive | |
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Operational management | Preventive | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Operational management | Preventive | |
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Preventive | |
Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Operational management | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Preventive | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Preventive | |
Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Preventive | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Preventive | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Preventive | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Preventive | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Preventive | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Preventive | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Operational management | Preventive | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Preventive | |
Include software in the Information Technology inventory. CC ID 00692 | Operational management | Preventive | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Preventive | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Preventive | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Detective | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Operational management | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Preventive | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Preventive | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Preventive | |
Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Preventive | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Preventive | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Preventive | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Preventive | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Preventive | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Preventive | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Operational management | Preventive | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Preventive | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Preventive | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Preventive | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Operational management | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Preventive | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Preventive | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Preventive | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Preventive | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 | Operational management | Preventive | |
Establish, implement, and maintain software archives procedures. CC ID 00866 | Operational management | Preventive | |
Establish, implement, and maintain software distribution procedures. CC ID 00894 | Operational management | Preventive | |
Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Operational management | Preventive | |
Establish, implement, and maintain software license management procedures. CC ID 06639 | Operational management | Preventive | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Preventive | |
Establish, implement, and maintain a system redeployment program. CC ID 06276 | Operational management | Preventive | |
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Operational management | Preventive | |
Redeploy systems to other organizational units, as necessary. CC ID 11452 | Operational management | Preventive | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Preventive | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Preventive | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Preventive | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Preventive | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Operational management | Preventive | |
Establish and maintain maintenance reports. CC ID 11749 | Operational management | Preventive | |
Establish and maintain system inspection reports. CC ID 06346 | Operational management | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Preventive | |
Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Operational management | Preventive | |
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Preventive | |
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Preventive | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Operational management | Preventive | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Preventive | |
Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Preventive | |
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Operational management | Preventive | |
Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Operational management | Preventive | |
Establish and maintain an unauthorized software list. CC ID 10601 | Operational management | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Operational management | Preventive | |
Include version control in the change control program. CC ID 13119 [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3 ¶ 2 Bullet 3] | Operational management | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 | Operational management | Preventive | |
Define the processing specifications for products and services creation requirements. CC ID 13523 | Operational management | Preventive | |
Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 | Operational management | Preventive | |
Include risks and opportunities in the environmental management system. CC ID 15201 [{external and internal issues} and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: § 6.1.1 ¶ 3 The organization shall maintain documented information of its: risks and opportunities that need to be addressed; § 6.1.1 ¶ 5 Bullet 1] | Operational management | Preventive | |
Include communications in the environmental management system. CC ID 15199 [{internal communications} The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: § 7.4.1 ¶ 1] | Operational management | Preventive | |
Establish, implement, and maintain environmental performance monitoring procedures. CC ID 15222 [The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1.1 ¶ 2 b)] | Operational management | Preventive | |
Disseminate and communicate environmental information to interested personnel and affected parties. CC ID 15195 [The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations. § 9.1.1 ¶ 5] | Operational management | Preventive | |
Include compliance obligations in the environmental management system. CC ID 15185 [{take into account} The organization shall: take these compliance obligations into account when establishing, implementing, maintaining and continually improving its environmental management system. § 6.1.3 ¶ 1 c)] | Operational management | Preventive | |
Establish, implement, and maintain environmental objectives. CC ID 15186 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: provides a framework for setting environmental objectives; § 5.2 ¶ 1 b) The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1 {be consistent} The environmental objectives shall be: consistent with the environmental policy; § 6.2.1 ¶ 2 a) The organization shall maintain documented information on the environmental objectives. § 6.2.1 ¶ 3 When planning how to achieve its environmental objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1 d) When planning how to achieve its environmental objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1 a) The environmental objectives shall be: updated as appropriate. § 6.2.1 ¶ 2 e)] | Operational management | Preventive | |
Include risks and opportunities in the environmental objectives. CC ID 15188 [The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1] | Operational management | Preventive | |
Include the required resources in the environmental objectives. CC ID 15221 [When planning how to achieve its environmental objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1 b)] | Operational management | Preventive | |
Include compliance requirements in the environmental objectives. CC ID 15187 [The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1] | Operational management | Preventive | |
Document the criteria used to determine the environmental aspects. CC ID 15181 [The organization shall maintain documented information of its: criteria used to determine its significant environmental aspects; § 6.1.2 ¶ 5 Bullet 2] | Operational management | Preventive | |
Take into account emergency situations when determining environmental aspects. CC ID 15180 [When determining environmental aspects, the organization shall take into account: abnormal conditions and reasonably foreseeable emergency situations. § 6.1.2 ¶ 2 b)] | Operational management | Preventive | |
Take into account abnormal conditions when determining environmental aspects. CC ID 15179 [When determining environmental aspects, the organization shall take into account: abnormal conditions and reasonably foreseeable emergency situations. § 6.1.2 ¶ 2 b)] | Operational management | Preventive | |
Include the organization's significant environmental aspects in the environmental management system. CC ID 15176 [The organization shall maintain documented information of its: significant environmental aspects. § 6.1.2 ¶ 5 Bullet 3] | Operational management | Preventive | |
Include the environmental management system requirements in the environmental management system. CC ID 14978 [{be effective} Top management shall demonstrate leadership and commitment with respect to the environmental management system by: communicating the importance of effective environmental management and of conforming to the environmental management system requirements; § 5.1 ¶ 1 e) {environmental objective} {compliance obligation} {operating process} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: establishing operating criteria for the process(es); § 8.1 ¶ 1 Bullet 1] | Operational management | Preventive | |
Include environmental impacts in the environmental management system. CC ID 15175 [The organization shall maintain documented information of its: environmental aspects and associated environmental impacts; § 6.1.2 ¶ 5 Bullet 1] | Operational management | Preventive | |
Include a commitment to continuous improvement in the environmental management system. CC ID 14970 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: promoting continual improvement; § 5.1 ¶ 1 h) {external and internal issues} and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: achieve continual improvement. § 6.1.1 ¶ 3 Bullet 3] | Operational management | Preventive | |
Include third party requirements in the environmental management system. CC ID 14964 [{interested parties} {compliance obligations} When planning for the environmental management system, the organization shall consider: the requirements referred to in 4.2; § 6.1.1 ¶ 2 b)] | Operational management | Preventive | |
Include environmental conditions in the environmental management system. CC ID 14952 [{external and internal issues} {environmental conditions} When planning for the environmental management system, the organization shall consider: the issues referred to in 4.1; § 6.1.1 ¶ 2 a)] | Operational management | Preventive | |
Include the scope in the environmental management system. CC ID 14950 [When planning for the environmental management system, the organization shall consider: the scope of its environmental management system; § 6.1.1 ¶ 2 c) The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. § 4.3 ¶ 1] | Operational management | Preventive | |
Include emergency situations in the scope of the environmental management system. CC ID 14995 [Within the scope of the environmental management system, the organization shall determine potential emergency situations, including those that can have an environmental impact. § 6.1.1 ¶ 4] | Operational management | Preventive | |
Include the environmental impact of activities, products, and services in the scope of the environmental management system. CC ID 15184 [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1] | Operational management | Preventive | |
Include activities, products, and services in the scope of the environmental management system. CC ID 15182 [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1] | Operational management | Preventive | |
Establish, implement, and maintain an environmental policy. CC ID 14947 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: § 5.2 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and the context of the organization; § 5.1 ¶ 1 b) The environmental policy shall: be maintained as documented information; § 5.2 ¶ 2 Bullet 1] | Operational management | Preventive | |
Include continuous improvement of environmental performance in the environmental policy. CC ID 14994 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to continual improvement of the environmental management system to enhance environmental performance. § 5.2 ¶ 1 e)] | Operational management | Preventive | |
Include compliance obligations in the environmental policy. CC ID 14993 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to fulfil its compliance obligations; § 5.2 ¶ 1 d)] | Operational management | Preventive | |
Include a commitment to the protection of the environment in the environmental policy. CC ID 14991 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to the protection of the environment, including prevention of pollution and other specific commitment(s) relevant to the context of the organization; § 5.2 ¶ 1 c)] | Operational management | Preventive | |
Include the scope in the environmental policy. CC ID 14987 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: is appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services; § 5.2 ¶ 1 a)] | Operational management | Preventive | |
Include purpose and context in the environmental policy. CC ID 14985 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: is appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services; § 5.2 ¶ 1 a)] | Operational management | Preventive | |
Tailor the environmental policy to be compatible with the organization's strategic direction. CC ID 14974 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and the context of the organization; § 5.1 ¶ 1 b)] | Operational management | Preventive | |
Establish, implement, and maintain records management policies. CC ID 00903 [{place}{time}Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3 ¶ 1 a)] | Records management | Preventive | |
Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 | Records management | Detective | |
Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 | Records management | Preventive | |
Establish, implement, and maintain form disposition procedures. CC ID 06394 | Records management | Preventive | |
Establish, implement, and maintain a record classification scheme. CC ID 00914 | Records management | Preventive | |
Establish, implement, and maintain a business activity classification standard. CC ID 00915 | Records management | Preventive | |
Establish, implement, and maintain records registration procedures. CC ID 00913 | Records management | Detective | |
Define the terms used in the record classification scheme. CC ID 00916 | Records management | Detective | |
Establish, implement, and maintain a records authentication system. CC ID 11648 | Records management | Preventive | |
Establish and maintain an index of all official records. CC ID 00918 | Records management | Preventive | |
Establish, implement, and maintain electronic signature requirements. CC ID 06219 | Records management | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Detective | |
Establish, implement, and maintain storage media retention procedures. CC ID 16277 | Records management | Preventive | |
Define which documents and records the organization may capture. CC ID 00905 | Records management | Detective | |
Capture and maintain all business records, including supporting temporary files. CC ID 06622 | Records management | Preventive | |
Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 | Records management | Preventive | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 Bullet 4] | Records management | Preventive | |
Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Records management | Preventive | |
Maintain disposal records or redeployment records. CC ID 01644 | Records management | Preventive | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Preventive | |
Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 | Records management | Preventive | |
Include transfer agreements in the secure record transaction standards. CC ID 14821 | Records management | Preventive | |
Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 | Records management | Preventive | |
Include receipt of electronic records in the transfer agreement. CC ID 14822 | Records management | Preventive | |
Include standards for each data element in the secure record transaction standard. CC ID 06094 | Records management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Preventive | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Preventive | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Preventive | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Preventive | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Preventive | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 [When creating and updating documented information the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1 b)] | Records management | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Preventive | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Preventive | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Preventive | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Preventive | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Preventive | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Preventive | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Preventive | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Preventive | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3 ¶ 2 Bullet 2] | Records management | Preventive | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Preventive | |
Provide audit trails for all pertinent records. CC ID 00372 | Records management | Detective | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Preventive | |
Include the date and time in the removable storage media log. CC ID 12318 | Records management | Preventive | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Preventive | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Preventive | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Preventive | |
Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Preventive | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Preventive | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Preventive | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Preventive | |
Establish, implement, and maintain output distribution procedures. CC ID 00927 [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 Bullet 1] | Records management | Preventive | |
Include printed output in output distribution procedures. CC ID 13477 | Records management | Preventive | |
Establish, implement, and maintain document retention procedures. CC ID 11660 [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 Bullet 4 The organization shall retain documented information as evidence of: § 10.2 ¶ 3] | Records management | Preventive | |
Establish, implement, and maintain a product and services acquisition program. CC ID 01136 [Consistent with a life cycle perspective, the organization shall: determine its environmental requirement(s) for the procurement of products and services, as appropriate; § 8.1 ¶ 4 b)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include compliance requirements in the product and services acquisition policy. CC ID 14163 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include management commitment in the product and services acquisition policy. CC ID 14161 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the scope in the product and services acquisition policy. CC ID 14159 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the purpose in the product and services acquisition policy. CC ID 14158 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain acquisition approval requirements. CC ID 13704 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include preventive maintenance contracts in system acquisition contracts. CC ID 06658 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain organizational documents. CC ID 16202 | Harmonization Methods and Manual of Style | Preventive | |
Organize all compliance documents. CC ID 06096 | Harmonization Methods and Manual of Style | Preventive | |
Organize all compliance documents to fit the message. CC ID 06097 | Harmonization Methods and Manual of Style | Preventive | |
Define the structure for compliance documents and governance documents. CC ID 06111 [When creating and updating documented information the organization shall ensure appropriate: identification and description (e.g. a title, date, author, or reference number); § 7.5.2 ¶ 1 a)] | Harmonization Methods and Manual of Style | Preventive | |
Subordinate the structure of the compliance document to fit the topic. CC ID 06109 | Harmonization Methods and Manual of Style | Preventive | |
Define visual and formatting styles for all structured headings. CC ID 06110 | Harmonization Methods and Manual of Style | Preventive | |
Define the section heading style, if section headings are being used. CC ID 06112 | Harmonization Methods and Manual of Style | Preventive | |
Use a table of contents to show sections and headings, if section headings are being used. CC ID 06113 | Harmonization Methods and Manual of Style | Preventive | |
Place the table of contents at the document's beginning. CC ID 06114 | Harmonization Methods and Manual of Style | Preventive | |
Add term definitions to the document's end. CC ID 06115 | Harmonization Methods and Manual of Style | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Align disciplinary actions with the level of compliance violation. CC ID 12404 [Corrective actions shall be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s). § 10.2 ¶ 2] | Monitoring and measurement | Preventive | |
Assign the Board of Directors to address audit findings. CC ID 12396 | Audits and risk management | Corrective | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Detective | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Preventive | |
Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Preventive | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Detective | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Operational and Systems Continuity | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources management | Preventive | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources management | Preventive | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources management | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Corrective | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Preventive | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources management | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources management | Preventive | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources management | Preventive | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources management | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources management | Preventive | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources management | Preventive | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources management | Preventive | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources management | Preventive | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources management | Preventive | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources management | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Preventive | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Preventive | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources management | Preventive | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Detective | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Preventive | |
Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 | Human Resources management | Preventive | |
Refrain from using employees' privacy choices to restrict employment. CC ID 12425 | Human Resources management | Preventive | |
Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources management | Preventive | |
Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 | Human Resources management | Preventive | |
Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 | Human Resources management | Preventive | |
Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources management | Preventive | |
Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources management | Preventive | |
Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources management | Preventive | |
Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources management | Preventive | |
Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources management | Preventive | |
Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources management | Preventive | |
Include a space for the start date on the job application. CC ID 16187 | Human Resources management | Preventive | |
Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources management | Preventive | |
Approve the wording of job applications. CC ID 16182 | Human Resources management | Preventive | |
Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources management | Preventive | |
Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources management | Preventive | |
Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources management | Preventive | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources management | Preventive | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Preventive | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources management | Preventive | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Preventive | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Preventive | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 | Operational management | Preventive | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Preventive | |
Include roles and responsibilities in the environmental management system. CC ID 14971 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1 i) {responsible party}When planning how to achieve its environmental objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1 c)] | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Harmonization Methods and Manual of Style CC ID 06095 | Harmonization Methods and Manual of Style | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Check the list of material topics for completeness. CC ID 15692 | Leadership and high level objectives | Preventive | |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Leadership and high level objectives | Detective | |
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Detective | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Detective | |
Determine the causes of compliance violations. CC ID 12401 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.2 ¶ 1 b) 1) When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.2 ¶ 1 b) 2)] | Monitoring and measurement | Corrective | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities exist, or could potentially occur. § 10.2 ¶ 1 b) 3)] | Monitoring and measurement | Detective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.2 ¶ 1 d)] | Monitoring and measurement | Detective | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Detective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Detective | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Detective | |
Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Audits and risk management | Detective | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Preventive | |
Capture and maintain logs as official records. CC ID 06319 | Records management | Preventive | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Preventive | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Preventive | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Preventive | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Preventive | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Preventive | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Preventive | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Preventive | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Preventive | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Preventive | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Preventive | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Preventive | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Preventive | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Preventive | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Preventive | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Preventive | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Preventive | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Preventive | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Preventive | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Preventive | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Preventive | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 | Records management | Preventive |
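The SIEM metrics rows above (CC IDs 02102 to 02104 and 06314 to 06317) describe a measurement, not just a policy: join the asset inventory against what is actually logged locally and what the central log platform actually receives, bucket each host, and report coverage percentages. The following is an added example of that join, written for this report and not taken from the UCF, ISO 14001 or any product. The host names, the five input sets and the assumption that hostname is the join key are all constructed for the illustration; in practice the sets would be pulled from the CMDB, a host configuration audit, and the log platform's ingest and retention APIs.

```python
"""Log-coverage classification and SIEM metrics (added example; not from the
report or from ISO 14001). All input sets below are constructed sample data and
the hostname is assumed to be the join key across sources."""
from dataclasses import dataclass

# Constructed: every host the organization says it owns (asset inventory).
INVENTORY = {"web-01", "web-02", "db-01", "jump-01", "hr-app-01", "lab-07", "lab-08"}
# Constructed: hosts whose local audit/system logging is enabled (config audit).
SYSTEM_LEVEL = {"web-01", "web-02", "db-01", "jump-01", "lab-07"}
# Constructed: hosts the central log platform received events from in the last 24h.
INFRA_LEVEL = {"web-01", "db-01", "hr-app-01"}
# Constructed: hosts covered by at least one detection rule or scheduled review.
REVIEWED = {"web-01", "db-01"}
# Constructed: hosts with a retention schedule and capacity quota applied centrally.
RETENTION_APPLIED = {"web-01", "db-01", "hr-app-01"}
# Constructed policy input: hosts that must log at both levels (CC ID 06316).
REQUIRED_BOTH = {"web-01", "web-02", "db-01", "jump-01"}


@dataclass(frozen=True)
class Coverage:
    not_stored: frozenset    # CC ID 06314
    system_only: frozenset   # CC ID 06315
    infra_only: frozenset    # CC ID 06317
    both: frozenset


def classify(inventory, system_level, infra_level) -> Coverage:
    """Bucket every inventoried host by where its logs land.

    Hosts that appear in a log source but not in the inventory are ignored
    here: that is an inventory discrepancy, tracked by a separate control."""
    inv = set(inventory)
    s, i = set(system_level) & inv, set(infra_level) & inv
    return Coverage(
        not_stored=frozenset(inv - s - i),
        system_only=frozenset(s - i),
        infra_only=frozenset(i - s),
        both=frozenset(s & i),
    )


def pct(subset, inventory) -> float:
    """Percentage of the inventory contained in subset, one decimal place."""
    inv = set(inventory)
    if not inv:
        return 0.0
    return round(100.0 * len(set(subset) & inv) / len(inv), 1)


def metrics(inventory, system_level, infra_level, reviewed, retention, required_both) -> dict:
    """Produce the reportable figures for CC IDs 02102, 02103, 02104 and 06314-06317."""
    cov = classify(inventory, system_level, infra_level)
    logged = cov.system_only | cov.infra_only | cov.both
    return {
        "02102_logging_implemented_pct": pct(logged, inventory),
        "02103_monitored_reviewed_pct": pct(reviewed, inventory),
        "02104_retention_implemented_pct": pct(retention, inventory),
        "hosts_not_stored": sorted(cov.not_stored),
        "hosts_system_only": sorted(cov.system_only),
        "hosts_infra_only": sorted(cov.infra_only),
        # Required at both levels by policy but currently missing one of them.
        "06316_required_both_missing": sorted(set(required_both) & set(inventory) - cov.both),
    }


if __name__ == "__main__":
    report = metrics(INVENTORY, SYSTEM_LEVEL, INFRA_LEVEL, REVIEWED, RETENTION_APPLIED, REQUIRED_BOTH)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two things the numbers alone do not say: a host in `hosts_infra_only` (here `hr-app-01`) means the platform is receiving events the host-level audit says are not enabled, which usually points at a stale configuration audit or a second collection path, so it deserves a look rather than a tick; and which hosts belong in the "both levels" set is a policy decision fed in as input, not something the script can infer.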
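"Refrain from recording unnecessary restricted data in logs" (CC ID 06318) is only enforceable at the point where records are emitted. The following is an added example of a redacting log filter, written for this report and not code from the UCF, ISO 14001 or any product. What counts as restricted is an assumption made for the illustration (Luhn-valid card numbers and bearer tokens); a real deployment would extend the patterns to whatever its own data classification marks as restricted, and the card number and token in the sample output are constructed test values.

```python
"""Redact restricted data before it reaches a log sink (added example; not from
the report or ISO 14001). The two patterns are assumptions for the illustration:
card numbers (only when Luhn-valid, to avoid masking order numbers) and bearer
tokens."""
import logging
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# "Bearer <token>" in any case; keep the scheme word, drop the token.
BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn check on a digit string; False for anything that is not all digits."""
    if not digits.isdigit():
        return False
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def redact(text: str) -> str:
    """Mask card numbers (keeping the last four) and bearer tokens in text."""
    def _pan(match: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            return "[PAN ****" + digits[-4:] + "]"
        return match.group(0)  # fails Luhn: not a card number, leave it intact

    text = PAN_RE.sub(_pan, text)
    return BEARER_RE.sub(r"\1[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Render the record's message with its args, redact it, then clear args so
    the handler's formatter does not re-apply %-formatting."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    logger = logging.getLogger("app")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    # Constructed sample event: a Visa test number and a dummy token.
    logger.info("charge card=%s auth=Bearer %s order=%s",
                "4111 1111 1111 1111", "eyJabc.def-ghi", "1234567890123456")
```

Attaching the filter to the handler rather than the logger means records from every logger that reaches that sink are scrubbed, including third-party libraries; attaching it to one logger would leave the others untouched. The Luhn check is the false-positive guard: the 16-digit order number in the sample passes through unchanged because it is not a valid card number.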
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Use system components only when third party support is available. CC ID 10644 | Operational management | Preventive | |
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Operational management | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Preventive | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 [{external and internal issues} and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; § 6.1.1 ¶ 3 Bullet 2 When determining this scope, the organization shall consider: its activities, products and services; § 4.3 ¶ 2 d) The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization. § 4.1 ¶ 1] | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 [The management review shall include consideration of: changes in: the needs and expectations of interested parties, including compliance obligations; § 9.3 ¶ 2 b) 2)] | Leadership and high level objectives | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 [The management review shall include consideration of: information on the organization's environmental performance, including trends in: fulfilment of its compliance obligations; § 9.3 ¶ 2 d) 3)] | Leadership and high level objectives | Detective | |
Monitor for new Information Security solutions. CC ID 07078 | Leadership and high level objectives | Detective | |
Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Detective | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Detective | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Preventive | |
Monitor the performance of the governance, risk, and compliance capability. CC ID 12857 [When planning how to achieve its environmental objectives, the organization shall determine: how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). § 6.2.2 ¶ 1 e)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable: deal with the consequences, including mitigating adverse environmental impacts; § 10.2 ¶ 1 a) 2) The organization shall determine opportunities for improvement (see 9.1, 9.2 and 9.3) and implement necessary actions to achieve the intended outcomes of its environmental management system. § 10.1 ¶ 1] | Monitoring and measurement | Detective | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Detective | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Preventive | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Preventive | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Operational and Systems Continuity | Detective | |
Record business continuity management system performance for posterity. CC ID 12411 | Operational and Systems Continuity | Preventive | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Detective | |
Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Detective | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Preventive | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Corrective | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Corrective | |
Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Preventive | |
Monitor environmental objectives. CC ID 15189 [The environmental objectives shall be: monitored; § 6.2.1 ¶ 2 c)] | Operational management | Detective | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Detective | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. § 8.1 ¶ 3] | Third Party and supply chain oversight | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Conduct environmental surveys. CC ID 00690 | Operational management | Preventive | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Preventive | |
Control and monitor all maintenance tools. CC ID 01432 | Operational management | Detective | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Preventive | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Corrective | |
Place printed records awaiting destruction into secure containers. CC ID 12464 | Records management | Preventive | |
Destroy printed records so they cannot be reconstructed. CC ID 11779 | Records management | Preventive | |
Sign a forfeiture statement acknowledging unapproved Personal Electronic Devices will be confiscated. CC ID 11667 | Acquisition or sale of facilities, technology, and services | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 [{internal communication} The organization shall: ensure its communication process(es) enable(s) persons doing work under the organization's control to contribute to continual improvement. § 7.4.2 ¶ 1 b)] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Preventive | |
Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Preventive | |
Review and approve the material topics, as necessary. CC ID 15670 | Leadership and high level objectives | Preventive | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Preventive | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Preventive | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Preventive | |
Include resources in the analysis of the internal business environment. CC ID 12942 [The management review shall include consideration of: adequacy of resources; § 9.3 ¶ 2 e)] | Leadership and high level objectives | Preventive | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Preventive | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Preventive | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 [When determining this scope, the organization shall consider: its organizational units, functions and physical boundaries; § 4.3 ¶ 2 c)] | Leadership and high level objectives | Preventive | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Preventive | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Preventive | |
Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Leadership and high level objectives | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Preventive | |
Identify all interested personnel and affected parties. CC ID 12845 [The organization shall determine: the interested parties that are relevant to the environmental management system; § 4.2 ¶ 1 a)] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Leadership and high level objectives | Preventive | |
Determine progress toward the objectives of the strategic plan. CC ID 12944 [The management review shall include consideration of: the extent to which environmental objectives have been achieved; § 9.3 ¶ 2 c)] | Leadership and high level objectives | Preventive | |
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 | Leadership and high level objectives | Preventive | |
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 | Leadership and high level objectives | Preventive | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 | Leadership and high level objectives | Preventive | |
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 | Leadership and high level objectives | Preventive | |
Take actions in accordance with the decision-making criteria. CC ID 12909 | Leadership and high level objectives | Preventive | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Preventive | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Preventive | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Detective | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Preventive | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Preventive | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Detective | |
Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Detective | |
Correct compliance violations. CC ID 13515 [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.2 ¶ 1 a) 1) When a nonconformity occurs, the organization shall: implement any action needed; § 10.2 ¶ 1 c) The organization shall: evaluate compliance and take action if needed; § 9.1.2 ¶ 2 b) The management review shall include consideration of: information on the organization's environmental performance, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2 d) 1)] | Monitoring and measurement | Corrective | |
Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Corrective | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Detective | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2] | Operational management | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Detective | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: § 5.1 ¶ 1] | Operational management | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Preventive | |
Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Detective | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Corrective | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Preventive | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Preventive | |
Delete age-restricted content, as necessary. CC ID 15450 | Operational management | Preventive | |
Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 | Operational management | Preventive | |
Establish, implement, and maintain environmental management system processes. CC ID 14954 [The organization shall establish, implement and maintain the process(es) needed to meet the requirements in 6.1.1 to 6.1.4. § 6.1.1 ¶ 1 The organization shall plan: how to: integrate and implement the actions into its environmental management system processes (see 6.2, Clause 7, Clause 8 and 9.1), or other business processes; § 6.1.4 ¶ 1 b) 1) {environmental objectives}{compliance obligations} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: § 8.1 ¶ 1 {environmental objective}{compliance obligation}{operating process} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: establishing operating criteria for the process(es); § 8.1 ¶ 1 Bullet 1] | Operational management | Preventive | |
Prioritize and select controls based on environmental management system requirements. CC ID 15197 [{environmental objective}{compliance obligation}{process control}{operating standard} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: implementing control of the process(es), in accordance with the operating criteria. § 8.1 ¶ 1 Bullet 2] | Operational management | Preventive | |
Analyze environmental aspects using established criteria. CC ID 15230 [{be significant} The organization shall determine those aspects that have or can have a significant environmental impact, i.e. significant environmental aspects, by using established criteria. § 6.1.2 ¶ 3] | Operational management | Detective | |
Analyze the environmental impact of organizational changes. CC ID 14979 [When determining environmental aspects, the organization shall take into account: change, including planned or new developments, and new or modified activities, products and services; § 6.1.2 ¶ 2 a)] | Operational management | Detective | |
Analyze the environmental impact of changes in developments, activities, products, and services. CC ID 14980 [When determining environmental aspects, the organization shall take into account: change, including planned or new developments, and new or modified activities, products and services; § 6.1.2 ¶ 2 a)] | Operational management | Detective | |
Remove dormant data from systems, as necessary. CC ID 13726 | Records management | Preventive | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Preventive | |
Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Records management | Preventive | |
Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Preventive | |
Display required information automatically in electronic health records. CC ID 14442 | Records management | Preventive | |
Create export summaries, as necessary. CC ID 14446 | Records management | Preventive | |
Identify patient-specific education resources. CC ID 14439 | Records management | Detective | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Preventive | |
Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Detective | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Preventive | |
Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662 | Records management | Preventive | |
Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 | Records management | Detective | |
Associate records with their security attributes. CC ID 06764 | Records management | Preventive | |
Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 | Records management | Preventive | |
Archive appropriate records, logs, and database tables. CC ID 06321 | Records management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4 The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.2 ¶ 3 Bullet 1 The organization shall retain documented information as evidence of: the results of any corrective action. § 10.2 ¶ 3 Bullet 2 The organization shall retain documented information as evidence of its communications, as appropriate. § 7.4.1 ¶ 4 The organization shall maintain documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 5 The organization shall retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results. § 9.1.1 ¶ 6 The organization shall retain documented information as evidence of the compliance evaluation result(s). § 9.1.2 ¶ 3] | Records management | Preventive | |
Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 | Records management | Preventive | |
Retain all evidence of indebtedness. CC ID 11713 | Records management | Preventive | |
Capture and maintain distribution records. CC ID 06205 | Records management | Preventive | |
Capture and maintain Device Master Records. CC ID 06206 | Records management | Preventive | |
Capture and maintain Device History Records. CC ID 06207 | Records management | Preventive | |
Capture and maintain Quality System Records. CC ID 06208 | Records management | Preventive | |
Degauss as a method of sanitizing electronic storage media. CC ID 00973 | Records management | Preventive | |
Manage the disposition status for all records. CC ID 00972 | Records management | Preventive | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records management | Preventive | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). § 7.5.3 ¶ 1 b)] | Records management | Preventive | |
Capture the records required by organizational compliance requirements. CC ID 00912 [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: § 7.5.3 ¶ 1 The organization shall maintain documented information to the extent necessary to have confidence that the process(es) is (are) carried out as planned. § 8.2 ¶ 3] | Records management | Detective | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Preventive | |
Establish and maintain an implantable device list. CC ID 14444 | Records management | Preventive | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Preventive | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Preventive | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Preventive | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Preventive | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Preventive | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Preventive | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Detective | |
Establish and maintain access controls for all records. CC ID 00371 [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 Bullet 1] | Records management | Preventive | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records management | Preventive | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Preventive | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3 ¶ 2 Bullet 2] | Records management | Preventive |
Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Preventive | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [The organization shall: respond to actual emergency situations; § 8.2 ¶ 2 b)] | Operational and Systems Continuity | Corrective | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Preventive | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Corrective | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Preventive | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Corrective |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Leadership and high level objectives | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Preventive | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Preventive | |
Review each system's operational readiness. CC ID 06275 | Operational management | Preventive |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Detective | |
Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Preventive | |
Protect against misusing automated audit tools. CC ID 04547 | Monitoring and measurement | Preventive | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Preventive | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Detective | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Preventive | |
Control remote maintenance according to the system's asset classification. CC ID 01433 | Operational management | Preventive | |
Approve all remote maintenance sessions. CC ID 10615 | Operational management | Preventive | |
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Preventive | |
Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Preventive | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Preventive | |
Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 | Records management | Preventive | |
Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 | Records management | Preventive | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Preventive | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Preventive | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Preventive | |
Provide encryption for different types of electronic storage media. CC ID 00945 | Records management | Preventive |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Leadership and high level objectives | Detective | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Preventive | |
Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Preventive | |
Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Preventive | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Preventive | |
Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Detective | |
Evaluate the measurement process used for metrics. CC ID 06920 [{what needs to be measured} The organization shall determine: what needs to be monitored and measured; § 9.1.1 ¶ 2 a)] | Monitoring and measurement | Detective | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [The organization shall: ensure that the results of the audits are reported to relevant management. § 9.2.2 ¶ 3 c)] | Audits and risk management | Detective | |
Review the external audit assertion for accuracy. CC ID 06977 | Audits and risk management | Detective | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 | Audits and risk management | Detective | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Detective | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Detective | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Audits and risk management | Preventive | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Preventive | |
Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Detective | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Detective | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Detective | |
Submit an audit report that is complete. CC ID 01145 | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Audits and risk management | Detective | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Audits and risk management | Detective | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Detective | |
Test the recovery plan, as necessary. CC ID 13290 [The organization shall: periodically test the planned response actions, where practicable; § 8.2 ¶ 2 d)] | Operational and Systems Continuity | Detective | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Detective | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1 b)] | Human Resources management | Detective | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
Conduct tests and evaluate training. CC ID 06672 [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. § 7.2 ¶ 1 d)] | Human Resources management | Detective | |
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Operational management | Detective | |
Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Detective | |
Calibrate assets according to the calibration procedures for the asset. CC ID 06203 [The organization shall ensure that calibrated or verified monitoring and measurement equipment is used and maintained, as appropriate. § 9.1.1 ¶ 3] | Operational management | Detective | |
Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Operational management | Detective | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 | Records management | Detective | |
Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 | Records management | Detective | |
Maintain media sanitization equipment in operational condition. CC ID 00721 | Records management | Detective | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Detective | |
Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Detective |
Include cross-team coordination in continuity plan training. CC ID 16235 | Operational and Systems Continuity | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Operational and Systems Continuity | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Operational and Systems Continuity | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Operational and Systems Continuity | Preventive | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Detective | |
Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Preventive | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Preventive | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Preventive | |
Include risk management in the training plan, as necessary. CC ID 13040 | Human Resources management | Preventive | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Preventive | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Human Resources management | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
Conduct tampering prevention training. CC ID 11875 | Human Resources management | Preventive | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Preventive | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Preventive | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Preventive | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Preventive | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Preventive | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Preventive |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Communicate | |
Correct errors and deficiencies in a timely manner. CC ID 13501 | Leadership and high level objectives | Business Processes | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Establish/Maintain Documentation | |
Determine the causes of compliance violations. CC ID 12401 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: reviewing the nonconformity; § 10.2 ¶ 1 b) 1) When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining the causes of the nonconformity; § 10.2 ¶ 1 b) 2)] | Monitoring and measurement | Investigate | |
Correct compliance violations. CC ID 13515 [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; § 10.2 ¶ 1 a) 1) When a nonconformity occurs, the organization shall: implement any action needed; § 10.2 ¶ 1 c) The organization shall: evaluate compliance and take action if needed; § 9.1.2 ¶ 2 b) The management review shall include consideration of: information on the organization's environmental performance, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2 d) 1)] | Monitoring and measurement | Process or Activity | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable: § 10.2 ¶ 1 a)] | Monitoring and measurement | Behavior | |
Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Process or Activity | |
Assign the Board of Directors to address audit findings. CC ID 12396 | Audits and risk management | Human Resources Management | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Establish/Maintain Documentation | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Audits and Risk Management | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Establish/Maintain Documentation | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Business Processes | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Establish/Maintain Documentation | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Actionable Reports or Measurements | |
Report changes in the continuity plan to senior management. CC ID 12757 | Operational and Systems Continuity | Communicate | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [The organization shall: respond to actual emergency situations; § 8.2 ¶ 2 b)] | Operational and Systems Continuity | Systems Continuity | |
Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 [The organization shall establish, implement and maintain the process(es) needed to prepare for and respond to potential emergency situations identified in 6.1.1. § 8.2 ¶ 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Systems Continuity | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Human Resources Management | |
Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Behavior | |
Plan for business process conversions, as necessary. CC ID 13678 [The organization shall plan: how to: integrate and implement the actions into its environmental management system processes (see 6.2, Clause 7, Clause 8 and 9.1), or other business processes; § 6.1.4 ¶ 1 b) 1)] | Operational management | Business Processes | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Actionable Reports or Measurements | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Process or Activity | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Monitor and Evaluate Occurrences | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Monitor and Evaluate Occurrences | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Physical and Environmental Protection | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Operational management | Business Processes | |
Notify the supervisory authority of any changes to the required data elements. CC ID 14366 | Records management | Communicate | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Process or Activity | |
Review and update the acquisition contracts, as necessary. CC ID 14279 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services |
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 [{internal communication} The organization shall: ensure its communication process(es) enable(s) persons doing work under the organization's control to contribute to continual improvement. § 7.4.2 ¶ 1 b)] | Leadership and high level objectives | Process or Activity | |
Identify all interested personnel and affected parties. CC ID 12845 [The organization shall determine: the interested parties that are relevant to the environmental management system; § 4.2 ¶ 1 a)] | Leadership and high level objectives | Process or Activity | |
Approve the data classification scheme. CC ID 13858 | Leadership and high level objectives | Establish/Maintain Documentation | |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Leadership and high level objectives | Investigate | |
Monitor regulatory trends to maintain compliance. CC ID 00604 [The management review shall include consideration of: information on the organization's environmental performance, including trends in: fulfilment of its compliance obligations; § 9.3 ¶ 2 d) 3)] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Monitor for new Information Security solutions. CC ID 07078 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Leadership and high level objectives | Technical Security | |
Enforce a continuous Quality Control system. CC ID 01005 | Leadership and high level objectives | Business Processes | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Leadership and high level objectives | Testing | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Business Processes | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Business Processes | |
Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Establish/Maintain Documentation | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify and document the events that initiate the decision management strategy. CC ID 06914 | Leadership and high level objectives | Establish/Maintain Documentation | |
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Investigate | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Business Processes | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Process or Activity | |
Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Testing | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Process or Activity | |
Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Process or Activity | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Investigate | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Actionable Reports or Measurements | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by: § 10.2 ¶ 1 b)] | Monitoring and measurement | Business Processes | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of the nonconformity in order that it does not recur or occur elsewhere by: determining if similar nonconformities] | Monitoring and measurement | Investigate | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; § 10.2 ¶ 1 d)] | Monitoring and measurement | Investigate | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 [{corrective action} The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2 a)] | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Log Management | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Log Management | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Log Management | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Technical Security | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable: deal with the consequences, including mitigating adverse environmental impacts; § 10.2 ¶ 1 a) 2) The organization shall determine opportunities for improvement (see 9.1, 9.2 and 9.3) and implement necessary actions to achieve the intended outcomes of its environmental management system. § 10.1 ¶ 1] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Evaluate the measurement process used for metrics. CC ID 06920 [{what needs to be measured} The organization shall determine: what needs to be monitored and measured; § 9.1.1 ¶ 2 a)] | Monitoring and measurement | Testing | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [The organization shall: ensure that the results of the audits are reported to relevant management. § 9.2.2 ¶ 3 c)] | Audits and risk management | Testing | |
Review the external audit assertion for accuracy. CC ID 06977 | Audits and risk management | Testing | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 | Audits and risk management | Testing | |
Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and risk management | Audits and Risk Management | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Audits and Risk Management | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Audits and Risk Management | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Audits and Risk Management | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Investigate | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Testing | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Testing | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Testing | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Testing | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Audits and Risk Management | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Audits and Risk Management | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 [{be effective}The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: is effectively implemented and maintained. § 9.2.1 ¶ 1 b)] | Audits and risk management | Audits and Risk Management | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Testing | |
Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Testing | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Behavior | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Audits and Risk Management | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Testing | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Testing | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Audits and Risk Management | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Investigate | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Establish/Maintain Documentation | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Human Resources Management | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Audits and Risk Management | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Audits and Risk Management | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Establish/Maintain Documentation | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Audits and Risk Management | |
Review past audit reports. CC ID 01155 [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2 The management review shall include consideration of: information on the organization's environmental performance, including trends in: audit results; § 9.3 ¶ 2 d) 4)] | Audits and risk management | Establish/Maintain Documentation | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Establish/Maintain Documentation | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Establish/Maintain Documentation | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Investigate | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Process or Activity | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Audits and risk management | Log Management | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Establish/Maintain Documentation | |
Submit an audit report that is complete. CC ID 01145 | Audits and risk management | Testing | |
Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and risk management | Audits and Risk Management | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Audits and risk management | Testing | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Human Resources Management | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Audits and risk management | Testing | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Testing | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
Test the recovery plan, as necessary. CC ID 13290 [The organization shall: periodically test the planned response actions, where practicable; § 8.2 ¶ 2 d)] | Operational and Systems Continuity | Testing | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Testing | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The organization shall: ensure that these persons are competent on the basis of appropriate education, training or experience; § 7.2 ¶ 1 b)] | Human Resources management | Testing | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Human Resources Management | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Human Resources Management | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Establish/Maintain Documentation | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Human Resources Management | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Establish/Maintain Documentation | |
Evaluate the staffing requirements regularly. CC ID 00775 [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; § 7.2 ¶ 1 a)] | Human Resources management | Business Processes | |
Document all training in a training record. CC ID 01423 [The organization shall retain appropriate documented information as evidence of competence. § 7.2 ¶ 2] | Human Resources management | Establish/Maintain Documentation | |
Conduct tests and evaluate training. CC ID 06672 [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. § 7.2 ¶ 1 d)] | Human Resources management | Testing | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Training | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Training | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Monitor and Evaluate Occurrences | |
Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Monitor and Evaluate Occurrences | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Business Processes | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Establish/Maintain Documentation | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Process or Activity | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Process or Activity | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Process or Activity | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Establish/Maintain Documentation | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Technical Security | |
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Operational management | Testing | |
Control and monitor all maintenance tools. CC ID 01432 | Operational management | Physical and Environmental Protection | |
Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Testing | |
Calibrate assets according to the calibration procedures for the asset. CC ID 06203 [The organization shall ensure that calibrated or verified monitoring and measurement equipment is used and maintained, as appropriate. § 9.1.1 ¶ 3] | Operational management | Testing | |
Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Operational management | Testing | |
Monitor environmental objectives. CC ID 15189 [The environmental objectives shall be: monitored; § 6.2.1 ¶ 2 c)] | Operational management | Monitor and Evaluate Occurrences | |
Analyze environmental aspects using established criteria. CC ID 15230 [{be significant} The organization shall determine those aspects that have or can have a significant environmental impact, i.e. significant environmental aspects, by using established criteria. § 6.1.2 ¶ 3] | Operational management | Process or Activity | |
Analyze the environmental impact of organizational changes. CC ID 14979 [When determining environmental aspects, the organization shall take into account: change, including planned or new developments, and new or modified activities, products and services; § 6.1.2 ¶ 2 a)] | Operational management | Process or Activity | |
Analyze the environmental impact of changes in developments, activities, products, and services. CC ID 14980 [When determining environmental aspects, the organization shall take into account: change, including planned or new developments, and new or modified activities, products and services; § 6.1.2 ¶ 2 a)] | Operational management | Process or Activity | |
Analyze activities, products, and services within the scope of the environmental management system to determine the environmental aspects. CC ID 15183 [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1] | Operational management | Business Processes | |
Establish, implement, and maintain a record classification scheme for forms. CC ID 00911 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain records registration procedures. CC ID 00913 | Records management | Establish/Maintain Documentation | |
Define the terms used in the record classification scheme. CC ID 00916 | Records management | Establish/Maintain Documentation | |
Allocate document serial numbers to reference the records as a part of document tracking. CC ID 00917 | Records management | Records Management | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Establish/Maintain Documentation | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 | Records management | Testing | |
Define which documents and records the organization may capture. CC ID 00905 | Records management | Establish/Maintain Documentation | |
Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 | Records management | Testing | |
Maintain media sanitization equipment in operational condition. CC ID 00721 | Records management | Testing | |
Capture the records required by organizational compliance requirements. CC ID 00912 [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: § 7.5.3 ¶ 1 The organization shall maintain documented information to the extent necessary to have confidence that the process(es) is (are) carried out as planned. § 8.2 ¶ 3] | Records management | Records Management | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Data and Information Management | |
Identify patient-specific education resources. CC ID 14439 | Records management | Process or Activity | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Data and Information Management | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Records Management | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Monitor and Evaluate Occurrences | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Testing | |
Provide audit trails for all pertinent records. CC ID 00372 | Records management | Establish/Maintain Documentation | |
Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Process or Activity | |
Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Testing | |
Prohibit the use of Personal Electronic Devices, absent approval. CC ID 04599 | Acquisition or sale of facilities, technology, and services | Behavior | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 [The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. § 8.1 ¶ 3] | Third Party and supply chain oversight | Business Processes | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. § 8.1 ¶ 3] | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Harmonization Methods and Manual of Style CC ID 06095 | Harmonization Methods and Manual of Style | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 [Top management shall assign the responsibility and authority for: reporting on the performance of the environmental management system, including environmental performance, to top management. § 5.3 ¶ 2 b)] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain communication protocols. CC ID 12245 [When establishing its communication process(es), the organization shall: take into account its compliance obligations; § 7.4.1 ¶ 2 Bullet 1 {internal communications} The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: on what it will communicate; § 7.4.1 ¶ 1 a) {internal communications} The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: when to communicate; § 7.4.1 ¶ 1 b) {subject}{internal communications} The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: with whom to communicate; § 7.4.1 ¶ 1 c) {internal communications} The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: how to communicate. § 7.4.1 ¶ 1 d) {be relevant} The organization shall respond to relevant communications on its environmental management system. § 7.4.1 ¶ 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 [When establishing its communication process(es), the organization shall: ensure that environmental information communicated is consistent with information generated within the environmental management system, and is reliable. § 7.4.1 ¶ 2 Bullet 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Communicate | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 [The management review shall include consideration of: changes in: the needs and expectations of interested parties, including compliance obligations; § 9.3 ¶ 2 b) 2) The management review shall include consideration of: relevant communication(s) from interested parties, including complaints; § 9.3 ¶ 2 f)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Process or Activity | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Process or Activity | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Communicate | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Communicate | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Process or Activity | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Communicate | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Communicate | |
Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Process or Activity | |
Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Process or Activity | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Business Processes | |
Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Process or Activity | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Actionable Reports or Measurements | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Communicate | |
Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Process or Activity | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 | Leadership and high level objectives | Business Processes | |
Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Business Processes | |
Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Leadership and high level objectives | Communicate | |
Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Communicate | |
Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Communicate | |
Identify the material topics required to be reported on. CC ID 15654 | Leadership and high level objectives | Business Processes | |
Check the list of material topics for completeness. CC ID 15692 | Leadership and high level objectives | Investigate | |
Prioritize material topics used in reporting. CC ID 15678 | Leadership and high level objectives | Communicate | |
Review and approve the material topics, as necessary. CC ID 15670 | Leadership and high level objectives | Process or Activity | |
Define the thresholds for reporting in the external reporting program. CC ID 15679 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Communicate | |
Include information about the organizational culture in the external reporting program. CC ID 15610 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Leadership and high level objectives | Communicate | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Communicate | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Establish/Maintain Documentation | |
Analyze organizational objectives, functions, and activities. CC ID 00598 [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; § 6.1.1 ¶ 3 Bullet 2 When determining this scope, the organization shall consider: its activities, products and services; § 4.3 ¶ 2 d) The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization. § 4.1 ¶ 1] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 [The organization shall determine: which of these needs and expectations become its compliance obligations. § 4.2 ¶ 1 c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Analyze the business environment in which the organization operates. CC ID 12798 [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2] | Leadership and high level objectives | Business Processes | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Process or Activity | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Process or Activity | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Process or Activity | |
Include resources in the analysis of the internal business environment. CC ID 12942 [The management review shall include consideration of: adequacy of resources; § 9.3 ¶ 2 e)] | Leadership and high level objectives | Process or Activity | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Process or Activity | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Process or Activity | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 [When determining this scope, the organization shall consider: its organizational units, functions and physical boundaries; § 4.3 ¶ 2 c)] | Leadership and high level objectives | Process or Activity | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Process or Activity | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Process or Activity | |
Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Business Processes | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Communicate | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the external environment in which the organization operates. CC ID 12799 [The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization. § 4.1 ¶ 1] | Leadership and high level objectives | Business Processes | |
Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Process or Activity | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring the integration of the environmental management system requirements into the organization's business processes; § 5.1 ¶ 1 c)] | Leadership and high level objectives | Business Processes | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 [The management review shall include consideration of: changes in: the needs and expectations of interested parties, including compliance obligations; § 9.3 ¶ 2 b) 2)] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Business Processes | |
Include society in the analysis of the external environment. CC ID 12963 | Leadership and high level objectives | Business Processes | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Business Processes | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Business Processes | |
Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Business Processes | |
Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Business Processes | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Business Processes | |
Include legal requirements in the analysis of the external environment. CC ID 12896 | Leadership and high level objectives | Business Processes | |
Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Business Processes | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 | Leadership and high level objectives | Business Processes | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Establish/Maintain Documentation | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Process or Activity | |
Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Process or Activity | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Leadership and high level objectives | Process or Activity | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Leadership and high level objectives | Business Processes | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Leadership and high level objectives | Business Processes | |
Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Business Processes | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Communicate | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Communicate | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Leadership and high level objectives | Communicate | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [The management review shall include consideration of: changes in: external and internal issues that are relevant to the environmental management system; § 9.3 ¶ 2 b) 1)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Business Processes | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Process or Activity | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Process or Activity | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Leadership and high level objectives | Process or Activity | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [The organization shall determine: the relevant needs and expectations (i.e. requirements) of these interested parties; § 4.2 ¶ 1 b)] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 | Leadership and high level objectives | Establish/Maintain Documentation | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Data and Information Management | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Data and Information Management | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Data and Information Management | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Data and Information Management | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Data and Information Management | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Data and Information Management | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Data and Information Management | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Data and Information Management | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Data and Information Management | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Communicate | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Leadership and high level objectives | Establish/Maintain Documentation | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the data source in the data dictionary. CC ID 13519 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the nature of each element in the data dictionary. CC ID 13518 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Leadership and high level objectives | Behavior | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Establish/Maintain Documentation | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Communicate | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Communicate | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 | Leadership and high level objectives | Establish/Maintain Documentation | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Communicate | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Communicate | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2 a) {interested parties}{environmental management system} When determining this scope, the organization shall consider: the compliance obligations referred to in 4.2; § 4.3 ¶ 2 b)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the scope of the security policy. CC ID 07145 | Leadership and high level objectives | Data and Information Management | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 | Leadership and high level objectives | Business Processes | |
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Leadership and high level objectives | Establish/Maintain Documentation | |
Correlate Information Systems with applicable controls. CC ID 01621 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the effective date on all organizational policies. CC ID 06820 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Leadership and high level objectives | Business Processes | |
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Authority Document list. CC ID 07113 [The organization shall: determine and have access to the compliance obligations related to its environmental aspects; § 6.1.3 ¶ 1 a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [When creating and updating documented information, the organization shall ensure appropriate: review and approval for suitability and adequacy. § 7.5.2 ¶ 1 c) The scope shall be maintained as documented information and be available to interested parties. § 4.3 ¶ 4 The organization shall maintain documented information of its compliance obligations. § 6.1.3 ¶ 2 The organization's environmental management system shall include: documented information required by this International Standard; § 7.5.1 ¶ 1 a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 [The scope shall be maintained as documented information and be available to interested parties. § 4.3 ¶ 4] | Leadership and high level objectives | Communicate | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Establish/Maintain Documentation | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Establish/Maintain Documentation | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Establish Roles | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the Authority Document list with external requirements. CC ID 06288 [The organization shall: determine how these compliance obligations apply to the organization; § 6.1.3 ¶ 1 b) Documented information of external origin determined by the organization to be necessary for the planning and operation of the environmental management system shall be identified, as appropriate, and controlled. § 7.5.3 ¶ 3 The organization shall: determine and have access to the compliance obligations related to its environmental aspects; § 6.1.3 ¶ 1 a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Leadership and high level objectives | Establish Roles | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 | Leadership and high level objectives | Establish/Maintain Documentation | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Business Processes | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Establish Roles | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Leadership and high level objectives | Behavior | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Leadership and high level objectives | Behavior | |
Estimate the costs of implementing the compliance framework. CC ID 07191 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Establish/Maintain Documentation | |
Determine progress toward the objectives of the strategic plan. CC ID 12944 [The management review shall include consideration of: the extent to which environmental objectives have been achieved; § 9.3 ¶ 2 c)] | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 [When determining this scope, the organization shall consider: its authority and ability to exercise control and influence. § 4.3 ¶ 2 e)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Leadership and high level objectives | Business Processes | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for compliance in the decision-making criteria. CC ID 12951 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for setting priorities in the decision-making criteria. CC ID 12938 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 | Leadership and high level objectives | Process or Activity | |
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 | Leadership and high level objectives | Process or Activity | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 | Leadership and high level objectives | Process or Activity | |
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 | Leadership and high level objectives | Process or Activity | |
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 | Leadership and high level objectives | Behavior | |
Take actions in accordance with the decision-making criteria. CC ID 12909 | Leadership and high level objectives | Process or Activity | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [The organization shall ensure that persons doing work under the organization's control are aware of: the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. § 7.3 ¶ 1 d)] | Leadership and high level objectives | Business Processes | |
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 | Leadership and high level objectives | Behavior | |
Establish, implement, and maintain a financial management program. CC ID 13228 [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Communicate | |
Return the funds from a funds transfer when required information is not received or discrepancies are not resolved. CC ID 16760 | Leadership and high level objectives | Business Processes | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Business Processes | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Business Processes | |
Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Business Processes | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Testing | |
Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Process or Activity | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Process or Activity | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Business Processes | |
Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Establish/Maintain Documentation | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Establish/Maintain Documentation | |
Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Establish/Maintain Documentation | |
Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Testing | |
Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Business Processes | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Testing | |
Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Testing | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Testing | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Communicate | |
Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Business Processes | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Process or Activity | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Establish/Maintain Documentation | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Process or Activity | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Business Processes | |
Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Data and Information Management | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Data and Information Management | |
Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Data and Information Management | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Data and Information Management | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Data and Information Management | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Data and Information Management | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Data and Information Management | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Data and Information Management | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Data and Information Management | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Data and Information Management | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Data and Information Management | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Communicate | |
Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Establish/Maintain Documentation | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Communicate | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{what needs to be measured} The organization shall determine: what needs to be monitored and measured; § 9.1.1 ¶ 2 a) The organization shall determine: when the monitoring and measuring shall be performed; § 9.1.1 ¶ 2 d)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The organization shall: determine the frequency that compliance will be evaluated; § 9.1.2 ¶ 2 a)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Establish/Maintain Documentation | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 [The organization's environmental management system shall include: documented information determined by the organization as being necessary for the effectiveness of the environmental management system. § 7.5.1 ¶ 1 b) The management review shall include consideration of: information on the organization's environmental performance, including trends in: § 9.3 ¶ 2 d)] | Monitoring and measurement | Business Processes | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Audits and Risk Management | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.2 ¶ 3 Bullet 1 The management review shall include consideration of: information on the organization's environmental performance, including trends in: nonconformities and corrective actions; § 9.3 ¶ 2 d) 1)] | Monitoring and measurement | Establish/Maintain Documentation | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Establish/Maintain Documentation | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 [Corrective actions shall be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s). § 10.2 ¶ 2] | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 [The management review shall include consideration of: information on the organization's environmental performance, including trends in: monitoring and measurement results; § 9.3 ¶ 2 d) 2) The organization shall monitor, measure, analyse and evaluate its environmental performance. § 9.1.1 ¶ 1 The organization shall determine: the criteria against which the organization will evaluate its environmental performance, and appropriate indicators; § 9.1.1 ¶ 2 c) {be measurable}The environmental objectives shall be: measurable (if practicable); § 6.2.1 ¶ 2 b)] | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Business Processes | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Establish/Maintain Documentation | |
Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Technical Security | |
Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Log Management | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Technical Security | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Log Management | |
Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Systems Continuity | |
Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Log Management | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Log Management | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Log Management | |
Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Log Management | |
Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Log Management | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Log Management | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Configuration | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Audits and Risk Management | |
Monitor the performance of the governance, risk, and compliance capability. CC ID 12857 [When planning how to achieve its environmental objectives, the organization shall determine: how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). § 6.2.2 ¶ 1 e)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Align corrective actions with the level of environmental impact. CC ID 15193 [Corrective actions shall be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s). § 10.2 ¶ 2] | Monitoring and measurement | Business Processes | |
Include risks and opportunities in the corrective action plan. CC ID 15178 [{environmental aspect}The organization shall plan: to take actions to address its: risks and opportunities identified in 6.1.1; § 6.1.4 ¶ 1 a) 3)] | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental aspects in the corrective action plan. CC ID 15177 [The organization shall plan: to take actions to address its: significant environmental aspects; § 6.1.4 ¶ 1 a) 1)] | Monitoring and measurement | Establish/Maintain Documentation | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Establish/Maintain Documentation | |
Protect against misusing automated audit tools. CC ID 04547 | Monitoring and measurement | Technical Security | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Audits and risk management | Establish Roles | |
Manage supply chain audits. CC ID 01203 | Audits and risk management | Audits and Risk Management | |
Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Audits and Risk Management | |
Rotate auditors, as necessary. CC ID 15589 | Audits and risk management | Audits and Risk Management | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 | Audits and risk management | Establish Roles | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Establish Roles | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Establish Roles | |
Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Audits and risk management | Establish Roles | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Audits and risk management | Establish Roles | |
Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Audits and risk management | Establish Roles | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Establish Roles | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and risk management | Audits and Risk Management | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Establish/Maintain Documentation | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Establish/Maintain Documentation | |
Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Audits and risk management | Establish/Maintain Documentation | |
Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Audits and risk management | Establish/Maintain Documentation | |
Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Audits and risk management | Establish/Maintain Documentation | |
Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Audits and risk management | Establish/Maintain Documentation | |
Review the external audit scope, as necessary. CC ID 01202 | Audits and risk management | Audits and Risk Management | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Establish/Maintain Documentation | |
Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Audits and risk management | Establish/Maintain Documentation | |
Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Audits and risk management | Establish/Maintain Documentation | |
Review the external auditor's qualifications. CC ID 01197 | Audits and risk management | Audits and Risk Management | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and risk management | Audits and Risk Management | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Audits and risk management | Establish/Maintain Documentation | |
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Audits and risk management | Establish/Maintain Documentation | |
Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Audits and risk management | Behavior | |
Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Audits and risk management | Behavior | |
Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Audits and risk management | Establish/Maintain Documentation | |
Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit program. CC ID 00684 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Establish/Maintain Documentation | |
Assign the audit to impartial auditors. CC ID 07118 [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 3 b)] | Audits and risk management | Establish Roles | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Audits and Risk Management | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [{environmental process} When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. § 9.2.2 ¶ 2] | Audits and risk management | Behavior | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Establish/Maintain Documentation | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit terms. CC ID 13880 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Process or Activity | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Audits and Risk Management | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Audits and Risk Management | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Audits and Risk Management | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Audits and Risk Management | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Audits and Risk Management | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Audits and Risk Management | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Establish/Maintain Documentation | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Establish/Maintain Documentation | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Audits and Risk Management | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Establish/Maintain Documentation | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 | Audits and risk management | Establish/Maintain Documentation | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Establish/Maintain Documentation | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Establish/Maintain Documentation | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Establish/Maintain Documentation | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Establish/Maintain Documentation | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Establish/Maintain Documentation | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Establish/Maintain Documentation | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Establish/Maintain Documentation | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Establish/Maintain Documentation | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Establish/Maintain Documentation | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Establish/Maintain Documentation | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Audits and Risk Management | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Business Processes | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Audits and Risk Management | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 3 a)] | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Establish/Maintain Documentation | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Investigate | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Establish/Maintain Documentation | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Establish/Maintain Documentation | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Establish/Maintain Documentation | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Audits and Risk Management | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Audits and Risk Management | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Establish/Maintain Documentation | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Establish/Maintain Documentation | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Audits and Risk Management | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Establish/Maintain Documentation | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Establish/Maintain Documentation | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Establish/Maintain Documentation | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Establish/Maintain Documentation | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Establish/Maintain Documentation | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Establish/Maintain Documentation | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Establish/Maintain Documentation | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Establish/Maintain Documentation | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Communicate | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Establish/Maintain Documentation | |
Include how access to in scope systems, personnel and in scope records is provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 [{audit scope} The organization shall: define the audit criteria and scope for each audit; § 9.2.2 ¶ 3 a)] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Establish/Maintain Documentation | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Communicate | |
Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Establish/Maintain Documentation | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Audits and risk management | Establish/Maintain Documentation | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Establish/Maintain Documentation | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Behavior | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Audits and Risk Management | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 [The organization shall: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; § 9.2.2 ¶ 3 b) The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: § 9.2.1 ¶ 1] | Audits and risk management | Audits and Risk Management | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [The organization shall retain documented information as evidence of the implementation of the audit programme and the audit results. § 9.2.2 ¶ 4] | Audits and risk management | Actionable Reports or Measurements | |
Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Establish/Maintain Documentation | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Establish/Maintain Documentation | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Establish/Maintain Documentation | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Records Management | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
Audit policies, standards, and procedures. CC ID 12927 [The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: conforms to: the requirements of this International Standard; § 9.2.1 ¶ 1 a) 2) The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: conforms to: the organization's own requirements for its environmental management system; § 9.2.1 ¶ 1 a) 1)] | Audits and risk management | Audits and Risk Management | |
Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Establish/Maintain Documentation | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Establish/Maintain Documentation | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Establish/Maintain Documentation | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Audits and risk management | Testing | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Audits and Risk Management | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Audits and Risk Management | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Communicate | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Testing | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Establish/Maintain Documentation | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Audits and Risk Management | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Establish/Maintain Documentation | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Establish/Maintain Documentation | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Establish/Maintain Documentation | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Establish/Maintain Documentation | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Audits and Risk Management | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Establish/Maintain Documentation | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Monitor and Evaluate Occurrences | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Establish Roles | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Business Processes | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Monitor and Evaluate Occurrences | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Business Processes | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Process or Activity | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Establish/Maintain Documentation | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 | Audits and risk management | Audits and Risk Management | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Audits and risk management | Business Processes | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Audits and Risk Management | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Establish/Maintain Documentation | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain organizational audit reports. CC ID 06731 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Audits and Risk Management | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Establish/Maintain Documentation | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Establish/Maintain Documentation | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Establish/Maintain Documentation | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Establish/Maintain Documentation | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Establish/Maintain Documentation | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Establish/Maintain Documentation | |
Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Actionable Reports or Measurements | |
Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Actionable Reports or Measurements | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Actionable Reports or Measurements | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Establish/Maintain Documentation | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Establish/Maintain Documentation | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Actionable Reports or Measurements | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Establish/Maintain Documentation | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Establish/Maintain Documentation | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Establish/Maintain Documentation | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Establish/Maintain Documentation | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Establish/Maintain Documentation | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Establish/Maintain Documentation | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Audits and Risk Management | |
Refrain from referencing other auditors' work in the audit report. CC ID 13881 | Audits and risk management | Establish/Maintain Documentation | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Establish/Maintain Documentation | |
Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Establish/Maintain Documentation | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Establish/Maintain Documentation | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Establish/Maintain Documentation | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Audits and Risk Management | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Establish/Maintain Documentation | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Actionable Reports or Measurements | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Establish/Maintain Documentation | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Establish/Maintain Documentation | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Audits and Risk Management | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Audits and Risk Management | |
Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Behavior | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Establish/Maintain Documentation | |
Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Establish/Maintain Documentation | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Establish/Maintain Documentation | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Establish/Maintain Documentation | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Establish/Maintain Documentation | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Establish/Maintain Documentation | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Audits and risk management | Establish/Maintain Documentation | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Establish/Maintain Documentation | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Establish/Maintain Documentation | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Actionable Reports or Measurements | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Audits and risk management | Establish/Maintain Documentation | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Communicate | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Communicate | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Behavior | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Establish/Maintain Documentation | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Business Processes | |
Accept the audit report. CC ID 07025 | Audits and risk management | Establish/Maintain Documentation | |
Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Human Resources Management | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Audits and risk management | Establish/Maintain Documentation | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Establish/Maintain Documentation | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Communicate | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. § 9.2.2 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the scope in the physical and environmental protection policy. CC ID 14170 [The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. § 4.3 ¶ 1] | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 [Once the scope is defined, all activities, products and services of the organization within that scope need to be included in the environmental management system. § 4.3 ¶ 3] | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{response}{adverse impact}The organization shall: prepare to respond by planning actions to prevent or mitigate adverse environmental impacts from emergency situations; § 8.2 ¶ 2 a)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Communicate | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Systems Continuity | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Systems Continuity | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Operational and Systems Continuity | Human Resources Management | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Human Resources Management | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Systems Continuity | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Configuration | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Behavior | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Technical Security | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Process or Activity | |
Record business continuity management system performance for posterity. CC ID 12411 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Process or Activity | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Establish Roles | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Communicate | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Configuration | |
Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Configuration | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Systems Continuity | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [The organization shall: periodically review and revise the process(es) and planned response actions, in particular after the occurrence of emergency situations or tests; § 8.2 ¶ 2 e) {be appropriate}The organization shall: take action to prevent or mitigate the consequences of emergency situations, appropriate to the magnitude of the emergency and the potential environmental impact; § 8.2 ¶ 2 c)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Communicate | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Communicate | |
Include restoration procedures in the continuity plan. CC ID 01169 | Operational and Systems Continuity | Establish Roles | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Communicate | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Systems Continuity | |
Train personnel on the continuity plan. CC ID 00759 [The organization shall: provide relevant information and training related to emergency preparedness and response, as appropriate, to relevant interested parties, including persons working under its control. § 8.2 ¶ 2 f)] | Operational and Systems Continuity | Behavior | |
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 | Operational and Systems Continuity | Behavior | |
Incorporate simulated events into the continuity plan training. CC ID 01402 | Operational and Systems Continuity | Behavior | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Operational and Systems Continuity | Training | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Operational and Systems Continuity | Training | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Operational and Systems Continuity | Training | |
Include personal protection in continuity plan training. CC ID 14394 | Operational and Systems Continuity | Training | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. § 5.3 ¶ 1] | Human Resources management | Establish Roles | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Human Resources management | Establish Roles | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources management | Human Resources Management | |
Define the scope for the security operations center. CC ID 15713 | Human Resources management | Establish/Maintain Documentation | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources management | Human Resources Management | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Human Resources management | Behavior | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources management | Human Resources Management | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Human Resources management | Establish Roles | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Human Resources Management | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Establish/Maintain Documentation | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Human Resources Management | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Human Resources Management | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Human Resources Management | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Human Resources Management | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Human Resources management | Establish/Maintain Documentation | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources management | Human Resources Management | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources management | Human Resources Management | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources management | Human Resources Management | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Human Resources management | Establish Roles | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources management | Human Resources Management | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Human Resources management | Establish Roles | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources management | Human Resources Management | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Human Resources management | Establish Roles | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Human Resources management | Establish Roles | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources management | Human Resources Management | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Human Resources management | Establish Roles | |
Define and assign the security staff roles and responsibilities. CC ID 11750 | Human Resources management | Establish/Maintain Documentation | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources management | Human Resources Management | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Human Resources management | Establish Roles | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Human Resources management | Establish Roles | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Human Resources management | Establish Roles | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Human Resources management | Establish Roles | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Human Resources management | Establish/Maintain Documentation | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Human Resources management | Establish Roles | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources management | Human Resources Management | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources management | Human Resources Management | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources management | Human Resources Management | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources management | Human Resources Management | |
Assign a contact person to all business units. CC ID 07144 | Human Resources management | Establish Roles | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Human Resources management | Business Processes | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Human Resources Management | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Human Resources Management | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Establish Roles | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Human Resources Management | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Establish/Maintain Documentation | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Human Resources Management | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Human Resources Management | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Establish Roles | |
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; § 7.2 ¶ 1 a)] | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 | Human Resources management | Human Resources Management | |
Establish and maintain an annual report on compensation. CC ID 14801 | Human Resources management | Establish/Maintain Documentation | |
Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Human Resources management | Communicate | |
Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Human Resources management | Establish/Maintain Documentation | |
Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Human Resources management | Establish/Maintain Documentation | |
Refrain from using employees' privacy choices to restrict employment. CC ID 12425 | Human Resources management | Human Resources Management | |
Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources management | Human Resources Management | |
Use rewards and career development to motivate personnel. CC ID 06906 | Human Resources management | Behavior | |
Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 | Human Resources management | Human Resources Management | |
Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain job applications. CC ID 16180 | Human Resources management | Establish/Maintain Documentation | |
Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources management | Human Resources Management | |
Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources management | Human Resources Management | |
Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources management | Human Resources Management | |
Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources management | Human Resources Management | |
Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources management | Human Resources Management | |
Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources management | Human Resources Management | |
Include a space for the start date on the job application. CC ID 16187 | Human Resources management | Human Resources Management | |
Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources management | Human Resources Management | |
Approve the wording of job applications. CC ID 16182 | Human Resources management | Human Resources Management | |
Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources management | Human Resources Management | |
Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources management | Human Resources Management | |
Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources management | Human Resources Management | |
Train all personnel and third parties, as necessary. CC ID 00785 [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. § 7.2 ¶ 1 d)] | Human Resources management | Behavior | |
Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Business Processes | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources management | Human Resources Management | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Establish/Maintain Documentation | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Establish/Maintain Documentation | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Training | |
Retrain all personnel, as necessary. CC ID 01362 | Human Resources management | Behavior | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Human Resources management | Behavior | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Human Resources management | Behavior | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Behavior | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Behavior | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Human Resources Management | |
Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain training plans. CC ID 00828 [The organization shall: determine training needs associated with its environmental aspects and its environmental management system; § 7.2 ¶ 1 c)] | Human Resources management | Establish/Maintain Documentation | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Training | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Training | |
Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Training | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Training | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Establish/Maintain Documentation | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources management | Human Resources Management | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Training | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Human Resources Management | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Training | |
Include risk management in the training plan, as necessary. CC ID 13040 | Human Resources management | Training | |
Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Behavior | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Training | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Training | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Human Resources management | Training | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Establish/Maintain Documentation | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Establish/Maintain Documentation | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Establish/Maintain Documentation | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Training | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Establish/Maintain Documentation | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Human Resources Management | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 [The organization shall ensure that persons doing work under the organization's control are aware of: the significant environmental aspects and related actual or potential environmental impacts associated with their work; § 7.3 ¶ 1 b) The organization shall ensure that persons doing work under the organization's control are aware of: the environmental policy; § 7.3 ¶ 1 a) The organization shall ensure that persons doing work under the organization's control are aware of: the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. § 7.3 ¶ 1 d) The organization shall ensure that persons doing work under the organization's control are aware of: their contribution to the effectiveness of the environmental management system, including the benefits of enhanced environmental performance; § 7.3 ¶ 1 c)] | Human Resources management | Establish/Maintain Documentation | |
Conduct tampering prevention training. CC ID 11875 | Human Resources management | Training | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Training | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Training | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Training | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Training | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Training | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Training | |
Conduct crime prevention training. CC ID 06350 | Human Resources management | Behavior | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [The organization shall plan: to take actions to address its: compliance obligations; § 6.1.4 ¶ 1 a) 2) The organization shall establish, implement and maintain the process(es) needed to evaluate fulfilment of its compliance obligations. § 9.1.2 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 [{internal communication}{be relevant}The organization shall: internally communicate information relevant to the environmental management system among the various levels and functions of the organization, including changes to the environmental management system, as appropriate; § 7.4.2 ¶ 1 a)] | Operational management | Behavior | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Establish/Maintain Documentation | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the resources needed for the environmental management system are available; § 5.1 ¶ 1 d) The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the environmental management system. § 7.1 ¶ 1 The outputs of the management review shall include: decisions related to any need for changes to the environmental management system, including resources; § 9.3 ¶ 3 Bullet 3] | Operational management | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2 The management review shall include consideration of: changes in: its significant environmental aspects; § 9.3 ¶ 2 b) 3) The management review shall include consideration of: changes in: risks and opportunities; § 9.3 ¶ 2 b) 4) The outputs of the management review shall include: decisions related to any need for changes to the environmental management system, including resources; § 9.3 ¶ 3 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Process or Activity | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [{financial requirement}{operational requirement} When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. § 6.1.4 ¶ 2] | Operational management | Process or Activity | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; § 6.1.1 ¶ 3 Bullet 2 The organization shall plan: how to: evaluate the effectiveness of these actions (see 9.1). § 6.1.4 ¶ 1 b) 2) When planning how to achieve its environmental objectives, the organization shall determine: how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). § 6.2.2 ¶ 1 e) The organization shall evaluate its environmental performance and the effectiveness of the environmental management system. § 9.1.1 ¶ 4 The outputs of the management review shall include: actions, if needed, when environmental objectives have not been achieved; § 9.3 ¶ 3 Bullet 4 The outputs of the management review shall include: any implications for the strategic direction of the organization. § 9.3 ¶ 3 Bullet 6] | Operational management | Audits and Risk Management | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Human Resources Management | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Human Resources Management | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Establish/Maintain Documentation | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Establish/Maintain Documentation | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Communicate | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Communicate | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Business Processes | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Business Processes | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Establish Roles | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [The management review shall include consideration of opportunities for continual improvement. § 9.3 ¶ 2 g) The outputs of the management review shall include: decisions related to continual improvement opportunities; § 9.3 ¶ 3 Bullet 2] | Operational management | Establish/Maintain Documentation | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Establish/Maintain Documentation | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Communicate | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Establish/Maintain Documentation | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Establish/Maintain Documentation | |
Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation | |
Include operations management in the information security program. CC ID 12385 | Operational management | Establish/Maintain Documentation | |
Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation | |
Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Establish/Maintain Documentation | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Process or Activity | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Human Resources Management | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Establish/Maintain Documentation | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Communicate | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Establish/Maintain Documentation | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Establish/Maintain Documentation | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Establish/Maintain Documentation | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Establish/Maintain Documentation | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Establish/Maintain Documentation | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Establish/Maintain Documentation | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Establish/Maintain Documentation | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: § 5.1 ¶ 1] | Operational management | Process or Activity | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Process or Activity | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity | |
Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [Top management shall assign the responsibility and authority for: ensuring that the environmental management system conforms to the requirements of this International Standard; § 5.3 ¶ 2 a) The outputs of the management review shall include: opportunities to improve integration of the environmental management system with other business processes, if needed; § 9.3 ¶ 3 Bullet 5] | Operational management | Establish/Maintain Documentation | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [{internal communication}{be relevant}The organization shall: internally communicate information relevant to the environmental management system among the various levels and functions of the organization, including changes to the environmental management system, as appropriate; § 7.4.2 ¶ 1 a) {external communication}{be relevant} The organization shall externally communicate information relevant to the environmental management system, as established by the organization's communication process(es) and as required by its compliance obligations. § 7.4.3 ¶ 1 The organization shall: maintain knowledge and understanding of its compliance status. § 9.1.2 ¶ 2 c) The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations. § 9.1.1 ¶ 5] | Operational management | Behavior | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [Consistent with a life cycle perspective, the organization shall: consider the need to provide information about potential significant environmental impacts associated with the transportation or delivery, use, end-of-life treatment and final disposal of its products and services. § 8.1 ¶ 4 d)] | Operational management | Business Processes | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Business Processes | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Establish/Maintain Documentation | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 | Operational management | Human Resources Management | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Business Processes | |
Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Establish/Maintain Documentation | |
Include program objectives in the asset management program. CC ID 14413 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Establish/Maintain Documentation | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Business Processes | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Establish/Maintain Documentation | |
Define confidentiality controls. CC ID 01908 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Establish/Maintain Documentation | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Process or Activity | |
Define integrity controls. CC ID 01909 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Operational management | Establish/Maintain Documentation | |
Define availability controls. CC ID 01911 | Operational management | Establish/Maintain Documentation | |
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Communicate | |
Classify assets according to the Asset Classification Policy. CC ID 07186 | Operational management | Establish Roles | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Business Processes | |
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Establish/Maintain Documentation | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Operational management | Establish Roles | |
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Operational management | Configuration | |
Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an asset inventory. CC ID 06631 | Operational management | Business Processes | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Operational management | Establish/Maintain Documentation | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Establish/Maintain Documentation | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Systems Design, Build, and Implementation | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Data and Information Management | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Establish/Maintain Documentation | |
Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Establish/Maintain Documentation | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Establish/Maintain Documentation | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Establish/Maintain Documentation | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Establish/Maintain Documentation | |
Conduct environmental surveys. CC ID 00690 | Operational management | Physical and Environmental Protection | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Establish/Maintain Documentation | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Operational management | Establish/Maintain Documentation | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Establish/Maintain Documentation | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Process or Activity | |
Include software in the Information Technology inventory. CC ID 00692 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Operational management | Establish/Maintain Documentation | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Establish/Maintain Documentation | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Establish/Maintain Documentation | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Technical Security | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Technical Security | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Data and Information Management | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Establish/Maintain Documentation | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Data and Information Management | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Data and Information Management | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Establish/Maintain Documentation | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Records Management | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Human Resources Management | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Establish/Maintain Documentation | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Data and Information Management | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Establish/Maintain Documentation | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Establish/Maintain Documentation | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Establish/Maintain Documentation | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Establish/Maintain Documentation | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Establish/Maintain Documentation | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Establish/Maintain Documentation | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Establish/Maintain Documentation | |
Record the make and model of device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Establish/Maintain Documentation | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Establish/Maintain Documentation | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Establish/Maintain Documentation | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Establish/Maintain Documentation | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Establish/Maintain Documentation | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Data and Information Management | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Establish/Maintain Documentation | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Data and Information Management | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Establish/Maintain Documentation | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Establish/Maintain Documentation | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Establish/Maintain Documentation | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Establish/Maintain Documentation | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Operational management | Establish/Maintain Documentation | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Establish/Maintain Documentation | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Establish/Maintain Documentation | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Data and Information Management | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Data and Information Management | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Establish/Maintain Documentation | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Operational management | Establish/Maintain Documentation | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Establish/Maintain Documentation | |
Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Establish/Maintain Documentation | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Establish/Maintain Documentation | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 | Operational management | Establish/Maintain Documentation | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Technical Security | |
Establish, implement, and maintain software archives procedures. CC ID 00866 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software distribution procedures. CC ID 00894 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software license management procedures. CC ID 06639 | Operational management | Establish/Maintain Documentation | |
Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system redeployment program. CC ID 06276 | Operational management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Operational management | Behavior | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Operational management | Data and Information Management | |
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Operational management | Acquisition/Sale of Assets or Services | |
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Operational management | Establish/Maintain Documentation | |
Redeploy systems to other organizational units, as necessary. CC ID 11452 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Establish/Maintain Documentation | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Business Processes | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Business Processes | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Operational management | Establish/Maintain Documentation | |
Establish and maintain maintenance reports. CC ID 11749 | Operational management | Establish/Maintain Documentation | |
Establish and maintain system inspection reports. CC ID 06346 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Establish/Maintain Documentation | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Establish/Maintain Documentation | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Establish/Maintain Documentation | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Communicate | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Communicate | |
Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Operational management | Establish/Maintain Documentation | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Physical and Environmental Protection | |
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Operational management | Behavior | |
Use system components only when third party support is available. CC ID 10644 | Operational management | Maintenance | |
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Operational management | Maintenance | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Business Processes | |
Control remote maintenance according to the system's asset classification. CC ID 01433 | Operational management | Technical Security | |
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Configuration | |
Approve all remote maintenance sessions. CC ID 10615 | Operational management | Technical Security | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Log Management | |
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Technical Security | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Maintenance | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Maintenance | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Maintenance | |
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Behavior | |
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Establish/Maintain Documentation | |
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Acquisition/Sale of Assets or Services | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Behavior | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Maintenance | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Maintenance | |
Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Technical Security | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Technical Security | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Human Resources Management | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Physical and Environmental Protection | |
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Establish/Maintain Documentation | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Process or Activity | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Operational management | Business Processes | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Operational management | Establish/Maintain Documentation | |
Dispose of hardware and software at their life cycle end. CC ID 06278 | Operational management | Business Processes | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Business Processes | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Establish/Maintain Documentation | |
Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Establish/Maintain Documentation | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Business Processes | |
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Operational management | Establish/Maintain Documentation | |
Review each system's operational readiness. CC ID 06275 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Operational management | Establish/Maintain Documentation | |
Establish and maintain an unauthorized software list. CC ID 10601 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Establish/Maintain Documentation | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Include version control in the change control program. CC ID 13119 [For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); § 7.5.3 ¶ 2 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Implement changes according to the change control program. CC ID 11776 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 2] | Operational management | Business Processes | |
Provide audit trails for all approved changes. CC ID 13120 | Operational management | Establish/Maintain Documentation | |
Manage the creation of products and services, as necessary. CC ID 13497 [Consistent with a life cycle perspective, the organization shall: establish controls, as appropriate, to ensure that its environmental requirement(s) is (are) addressed in the design and development process for the product or service, considering each life cycle stage; § 8.1 ¶ 4 a)] | Operational management | Business Processes | |
Define the processing specifications for products and services creation requirements. CC ID 13523 | Operational management | Establish/Maintain Documentation | |
Define the processing activities to meet products and services creation requirements. CC ID 13499 | Operational management | Business Processes | |
Delete age-restricted content, as necessary. CC ID 15450 | Operational management | Process or Activity | |
Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448 | Operational management | Establish/Maintain Documentation | |
Control the distribution of media containing age-restricted content, as necessary. CC ID 15446 | Operational management | Process or Activity | |
Establish, implement, and maintain an environmental management system. CC ID 14945 [The organization shall consider the knowledge gained in 4.1 and 4.2 when establishing and maintaining the environmental management system. § 4.4 ¶ 2 Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental management system achieves its intended outcomes; § 5.1 ¶ 1 f) To achieve the intended outcomes, including enhancing its environmental performance, the organization shall establish, implement, maintain and continually improve an environmental management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard. § 4.4 ¶ 1 The organization shall continually improve the suitability, adequacy and effectiveness of the environmental management system to enhance environmental performance. § 10.3 ¶ 1 The outputs of the management review shall include: conclusions on the continuing suitability, adequacy and effectiveness of the environmental management system; § 9.3 ¶ 3 Bullet 1 {environmental objectives}{compliance obligations} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: § 8.1 ¶ 1 When a nonconformity occurs, the organization shall: make changes to the environmental management system, if necessary. § 10.2 ¶ 1 e) Top management shall review the organization's environmental management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1] | Operational management | Business Processes | |
Establish, implement, and maintain environmental management system processes. CC ID 14954 [The organization shall establish, implement and maintain the process(es) needed to meet the requirements in 6.1.1 to 6.1.4. § 6.1.1 ¶ 1 The organization shall plan: how to: integrate and implement the actions into its environmental management system processes (see 6.2, Clause 7, Clause 8 and 9.1), or other business processes; § 6.1.4 ¶ 1 b) 1) {environmental objectives}{compliance obligations} The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: § 8.1 ¶ 1 {environmental objective}{compliance obligation}{operating process}The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: establishing operating criteria for the process(es); § 8.1 ¶ 1 Bullet 1] | Operational management | Process or Activity | |
Include risks and opportunities in the environmental management system. CC ID 15201 [{external and internal issues} and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: § 6.1.1 ¶ 3 The organization shall maintain documented information of its: risks and opportunities that need to be addressed; § 6.1.1 ¶ 5 Bullet 1] | Operational management | Establish/Maintain Documentation | |
Include communications in the environmental management system. CC ID 15199 [{internal communications} The organization shall establish, implement and maintain the process(es) needed for internal and external communications relevant to the environmental management system, including: § 7.4.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain environmental performance monitoring procedures. CC ID 15222 [The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1.1 ¶ 2 b)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for environmental performance monitoring. CC ID 15220 [The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated. § 9.1.1 ¶ 2 e)] | Operational management | Business Processes | |
Prioritize and select controls based on environmental management system requirements. CC ID 15197 [{environmental objective}{compliance obligation}{process control}{operating standard}The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: implementing control of the process(es), in accordance with the operating criteria. § 8.1 ¶ 1 Bullet 2] | Operational management | Process or Activity | |
Disseminate and communicate environmental information to interested personnel and affected parties. CC ID 15195 [The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations. § 9.1.1 ¶ 5] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate environmental requirements to interested personnel and affected parties. CC ID 15196 [Consistent with a life cycle perspective, the organization shall: communicate its relevant environmental requirement(s) to external providers, including contractors; § 8.1 ¶ 4 c)] | Operational management | Communicate | |
Include compliance obligations in the environmental management system. CC ID 15185 [{take into account}The organization shall: take these compliance obligations into account when establishing, implementing, maintaining and continually improving its environmental management system. § 6.1.3 ¶ 1 c)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain environmental objectives. CC ID 15186 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: provides a framework for setting environmental objectives; § 5.2 ¶ 1 b) The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1 {be consistent}The environmental objectives shall be: consistent with the environmental policy; § 6.2.1 ¶ 2 a) The organization shall maintain documented information on the environmental objectives. § 6.2.1 ¶ 3 When planning how to achieve its environmental objectives, the organization shall determine: when it will be completed; § 6.2.2 ¶ 1 d) When planning how to achieve its environmental objectives, the organization shall determine: what will be done; § 6.2.2 ¶ 1 a) The environmental objectives shall be: updated as appropriate. § 6.2.1 ¶ 2 e)] | Operational management | Establish/Maintain Documentation | |
Include risks and opportunities in the environmental objectives. CC ID 15188 [The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Integrate environmental objectives into the business process. CC ID 15192 [The organization shall consider how actions to achieve its environmental objectives can be integrated into the organization's business processes. § 6.2.2 ¶ 2] | Operational management | Business Processes | |
Include the required resources in the environmental objectives. CC ID 15221 [When planning how to achieve its environmental objectives, the organization shall determine: what resources will be required; § 6.2.2 ¶ 1 b)] | Operational management | Establish/Maintain Documentation | |
Include compliance requirements in the environmental objectives. CC ID 15187 [The organization shall establish environmental objectives at relevant functions and levels, taking into account the organization's significant environmental aspects and associated compliance obligations, and considering its risks and opportunities. § 6.2.1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the environmental objectives to interested personnel and affected parties. CC ID 15190 [The environmental objectives shall be: communicated; § 6.2.1 ¶ 2 d)] | Operational management | Communicate | |
Document the criteria used to determine the environmental aspects. CC ID 15181 [The organization shall maintain documented information of its: criteria used to determine its significant environmental aspects; § 6.1.2 ¶ 5 Bullet 2] | Operational management | Establish/Maintain Documentation | |
Take into account emergency situations when determining environmental aspects. CC ID 15180 [When determining environmental aspects, the organization shall take into account: abnormal conditions and reasonably foreseeable emergency situations. § 6.1.2 ¶ 2 b)] | Operational management | Establish/Maintain Documentation | |
Take into account abnormal conditions when determining environmental aspects. CC ID 15179 [When determining environmental aspects, the organization shall take into account: abnormal conditions and reasonably foreseeable emergency situations. § 6.1.2 ¶ 2 b)] | Operational management | Establish/Maintain Documentation | |
Include the organization's significant environmental aspects in the environmental management system. CC ID 15176 [The organization shall maintain documented information of its: significant environmental aspects. § 6.1.2 ¶ 5 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the environmental aspects to interested personnel and affected parties. CC ID 14983 [The organization shall communicate its significant environmental aspects among the various levels and functions of the organization, as appropriate. § 6.1.2 ¶ 4] | Operational management | Communicate | |
Include the environmental management system requirements in the environmental management system. CC ID 14978 [{be effective}Top management shall demonstrate leadership and commitment with respect to the environmental management system by: communicating the importance of effective environmental management and of conforming to the environmental management system requirements; § 5.1 ¶ 1 e) {environmental objective}{compliance obligation}{operating process}The organization shall establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.2, by: establishing operating criteria for the process(es); § 8.1 ¶ 1 Bullet 1] | Operational management | Establish/Maintain Documentation | |
Include environmental impacts in the environmental management system. CC ID 15175 [The organization shall maintain documented information of its: environmental aspects and associated environmental impacts; § 6.1.2 ¶ 5 Bullet 1] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the environmental management system to interested personnel and affected parties. CC ID 14976 [{be effective}Top management shall demonstrate leadership and commitment with respect to the environmental management system by: communicating the importance of effective environmental management and of conforming to the environmental management system requirements; § 5.1 ¶ 1 e)] | Operational management | Communicate | |
Include roles and responsibilities in the environmental management system. CC ID 14971 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1 i) {responsible party}When planning how to achieve its environmental objectives, the organization shall determine: who will be responsible; § 6.2.2 ¶ 1 c)] | Operational management | Human Resources Management | |
Include a commitment to continuous improvement in the environmental management system. CC ID 14970 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: promoting continual improvement; § 5.1 ¶ 1 h) {external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: achieve continual improvement. § 6.1.1 ¶ 3 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Provide management direction and support for the environmental management system. CC ID 14968 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: directing and supporting persons to contribute to the effectiveness of the environmental management system; § 5.1 ¶ 1 g)] | Operational management | Business Processes | |
Assign accountability for the effectiveness of the environmental management system. CC ID 14966 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: taking accountability for the effectiveness of the environmental management system; § 5.1 ¶ 1 a)] | Operational management | Establish Roles | |
Include third party requirements in the environmental management system. CC ID 14964 [{interested parties}{compliance obligations}When planning for the environmental management system, the organization shall consider: the requirements referred to in 4.2; § 6.1.1 ¶ 2 b)] | Operational management | Establish/Maintain Documentation | |
Provide assurance that the environmental management system meets all compliance requirements. CC ID 14958 [{external and internal issues}and determine the risks and opportunities, related to its environmental aspects (see 6.1.2), compliance obligations (see 6.1.3) and other issues and requirements, identified in 4.1 and 4.2, that need to be addressed to: give assurance that the environmental management system can achieve its intended outcomes; § 6.1.1 ¶ 3 Bullet 1] | Operational management | Business Processes | |
Include environmental conditions in the environmental management system. CC ID 14952 [{external and internal issues}{environmental conditions}When planning for the environmental management system, the organization shall consider: the issues referred to in 4.1; § 6.1.1 ¶ 2 a)] | Operational management | Establish/Maintain Documentation | |
Include the scope in the environmental management system. CC ID 14950 [When planning for the environmental management system, the organization shall consider: the scope of its environmental management system; § 6.1.1 ¶ 2 c) The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. § 4.3 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include emergency situations in the scope of the environmental management system. CC ID 14995 [Within the scope of the environmental management system, the organization shall determine potential emergency situations, including those that can have an environmental impact. § 6.1.1 ¶ 4] | Operational management | Establish/Maintain Documentation | |
Include the environmental impact of activities, products, and services in the scope of the environmental management system. CC ID 15184 [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include activities, products, and services in the scope of the environmental management system. CC ID 15182 [Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective. § 6.1.2 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an environmental policy. CC ID 14947 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: § 5.2 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and the context of the organization; § 5.1 ¶ 1 b) The environmental policy shall: be maintained as documented information; § 5.2 ¶ 2 Bullet 1] | Operational management | Establish/Maintain Documentation | |
Include continuous improvement of environmental performance in the environmental policy. CC ID 14994 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to continual improvement of the environmental management system to enhance environmental performance. § 5.2 ¶ 1 e)] | Operational management | Establish/Maintain Documentation | |
Include compliance obligations in the environmental policy. CC ID 14993 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to fulfil its compliance obligations; § 5.2 ¶ 1 d)] | Operational management | Establish/Maintain Documentation | |
Include a commitment to the protection of the environment in the environmental policy. CC ID 14991 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: includes a commitment to the protection of the environment, including prevention of pollution and other specific commitment(s) relevant to the context of the organization; § 5.2 ¶ 1 c)] | Operational management | Establish/Maintain Documentation | |
Include the scope in the environmental policy. CC ID 14987 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: is appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services; § 5.2 ¶ 1 a)] | Operational management | Establish/Maintain Documentation | |
Include purpose and context in the environmental policy. CC ID 14985 [Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system: is appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services; § 5.2 ¶ 1 a)] | Operational management | Establish/Maintain Documentation | |
Tailor the environmental policy to be compatible with the organization's strategic direction. CC ID 14974 [Top management shall demonstrate leadership and commitment with respect to the environmental management system by: ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and the context of the organization; § 5.1 ¶ 1 b)] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the environmental policy to all interested personnel and affected parties. CC ID 14956 [The environmental policy shall: be communicated within the organization; § 5.2 ¶ 2 Bullet 2 The environmental policy shall: be available to interested parties. § 5.2 ¶ 2 Bullet 3] | Operational management | Communicate | |
Establish, implement, and maintain records management policies. CC ID 00903 [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: it is available and suitable for use, where and when it is needed; § 7.5.3 ¶ 1 a)] | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain form creation, management, and distribution procedures. CC ID 06393 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain form disposition procedures. CC ID 06394 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a record classification scheme. CC ID 00914 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a business activity classification standard. CC ID 00915 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a records authentication system. CC ID 11648 | Records management | Establish/Maintain Documentation | |
Allocate record identifiers to reference the records as a part of document tracking. CC ID 11662 | Records management | Records Management | |
Establish and maintain an index of all official records. CC ID 00918 | Records management | Establish/Maintain Documentation | |
Associate records with their security attributes. CC ID 06764 | Records management | Records Management | |
Reconfigure the security attributes of records as the information changes. CC ID 06765 | Records management | Configuration | |
Establish, implement, and maintain electronic signature requirements. CC ID 06219 | Records management | Establish/Maintain Documentation | |
Implement a signature revocation service. CC ID 14417 | Records management | Business Processes | |
Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 | Records management | Records Management | |
Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 | Records management | Technical Security | |
Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 | Records management | Technical Security | |
Store records and data in accordance with organizational standards. CC ID 16439 | Records management | Data and Information Management | |
Remove dormant data from systems, as necessary. CC ID 13726 | Records management | Process or Activity | |
Select the appropriate format for archived data and records. CC ID 06320 [When creating and updating documented information the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1 b)] | Records management | Data and Information Management | |
Archive appropriate records, logs, and database tables. CC ID 06321 | Records management | Records Management | |
Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 | Records management | Data and Information Management | |
Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Records management | Data and Information Management | |
Establish, implement, and maintain storage media retention procedures. CC ID 16277 | Records management | Establish/Maintain Documentation | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Process or Activity | |
Retain records in accordance with applicable requirements. CC ID 00968 [The organization shall retain documented information as evidence of the results of management reviews. § 9.3 ¶ 4 The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; § 10.2 ¶ 3 Bullet 1 The organization shall retain documented information as evidence of: the results of any corrective action. § 10.2 ¶ 3 Bullet 2 The organization shall retain documented information as evidence of its communications, as appropriate. § 7.4.1 ¶ 4 The organization shall maintain documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 5 The organization shall retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results. § 9.1.1 ¶ 6 The organization shall retain documented information as evidence of the compliance evaluation result(s). § 9.1.2 ¶ 3] | Records management | Records Management | |
Obtain and retain documentation of the number of shares authorized, issued, and outstanding pursuant to the issuer's authorization. CC ID 11714 | Records management | Records Management | |
Retain all evidence of indebtedness. CC ID 11713 | Records management | Records Management | |
Capture and maintain distribution records. CC ID 06205 | Records management | Records Management | |
Capture and maintain Device Master Records. CC ID 06206 | Records management | Records Management | |
Capture and maintain Device History Records. CC ID 06207 | Records management | Records Management | |
Capture and maintain Quality System Records. CC ID 06208 | Records management | Records Management | |
Capture and maintain logs as official records. CC ID 06319 | Records management | Log Management | |
Capture and maintain all business records, including supporting temporary files. CC ID 06622 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 | Records management | Establish/Maintain Documentation | |
Supervise media destruction in accordance with organizational standards. CC ID 16456 | Records management | Business Processes | |
Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Records management | Data and Information Management | |
Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 | Records management | Data and Information Management | |
Degauss as a method of sanitizing electronic storage media. CC ID 00973 | Records management | Records Management | |
Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Records management | Process or Activity | |
Use approved media sanitization equipment for destruction. CC ID 16459 | Records management | Business Processes | |
Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Process or Activity | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 Bullet 4] | Records management | Establish/Maintain Documentation | |
Manage the disposition status for all records. CC ID 00972 | Records management | Records Management | |
Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 | Records management | Data and Information Management | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records management | Records Management | |
Place printed records awaiting destruction into secure containers. CC ID 12464 | Records management | Physical and Environmental Protection | |
Destroy printed records so they cannot be reconstructed. CC ID 11779 | Records management | Physical and Environmental Protection | |
Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Records management | Data and Information Management | |
Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Records management | Establish/Maintain Documentation | |
Maintain disposal records or redeployment records. CC ID 01644 | Records management | Establish/Maintain Documentation | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 | Records management | Establish/Maintain Documentation | |
Include transfer agreements in the secure record transaction standards. CC ID 14821 | Records management | Establish/Maintain Documentation | |
Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 | Records management | Establish/Maintain Documentation | |
Include receipt of electronic records in the transfer agreement. CC ID 14822 | Records management | Establish/Maintain Documentation | |
Include standards for each data element in the secure record transaction standard. CC ID 06094 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 [Documented information required by the environmental management system and by this International Standard shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). § 7.5.3 ¶ 1 b)] | Records management | Records Management | |
Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Establish/Maintain Documentation | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Establish/Maintain Documentation | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Establish/Maintain Documentation | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Data and Information Management | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Data and Information Management | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Records Management | |
Display required information automatically in electronic health records. CC ID 14442 | Records management | Process or Activity | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Establish/Maintain Documentation | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Actionable Reports or Measurements | |
Create export summaries, as necessary. CC ID 14446 | Records management | Process or Activity | |
Import data files into a patient's electronic health record. CC ID 14448 | Records management | Data and Information Management | |
Export requested sections of the electronic health record. CC ID 14447 | Records management | Data and Information Management | |
Establish and maintain an implantable device list. CC ID 14444 | Records management | Records Management | |
Display the implantable device list to authorized users. CC ID 14445 | Records management | Data and Information Management | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Business Processes | |
Include attributes in the decision support intervention. CC ID 16766 | Records management | Data and Information Management | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Records Management | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Records Management | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Records Management | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Records Management | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Records Management | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Log Management | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Log Management | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Establish/Maintain Documentation | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Log Management | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Log Management | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Log Management | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Log Management | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Log Management | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Log Management | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Log Management | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Log Management | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Log Management | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Log Management | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Log Management | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Log Management | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Log Management | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Records Management | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Log Management | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Log Management | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Log Management | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Log Management | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Records Management | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Log Management | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Log Management | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Log Management | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 [When creating and updating documented information the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); § 7.5.2 ¶ 1 b)] | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Establish/Maintain Documentation | |
Label restricted storage media appropriately. CC ID 00966 | Records management | Data and Information Management | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Establish/Maintain Documentation | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Establish/Maintain Documentation | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Data and Information Management | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Technical Security | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Establish/Maintain Documentation | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Establish/Maintain Documentation | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Establish/Maintain Documentation | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Establish/Maintain Documentation | |
Establish and maintain access controls for all records. CC ID 00371 [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 Bullet 1] | Records management | Records Management | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Data and Information Management | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3 ¶ 2 Bullet 2] | Records management | Establish/Maintain Documentation | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Technical Security | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records management | Records Management | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Records Management | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Records Management | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Technical Security | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 [For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including preservation of legibility; § 7.5.3 ¶ 2 Bullet 2] | Records management | Records Management | |
Provide encryption for different types of electronic storage media. CC ID 00945 | Records management | Technical Security | |
Implement electronic storage media integrity controls. CC ID 00946 | Records management | Configuration | |
Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Configuration | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Configuration | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 | Records management | Log Management | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Establish/Maintain Documentation | |
Include the date and time in the removable storage media log. CC ID 12318 | Records management | Establish/Maintain Documentation | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Establish/Maintain Documentation | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Establish/Maintain Documentation | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Establish/Maintain Documentation | |
Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Establish/Maintain Documentation | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Establish/Maintain Documentation | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Process or Activity | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain output distribution procedures. CC ID 00927 [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 Bullet 1] | Records management | Establish/Maintain Documentation | |
Include printed output in output distribution procedures. CC ID 13477 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain document retention procedures. CC ID 11660 [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 Bullet 4 The organization shall retain documented information as evidence of: § 10.2 ¶ 3] | Records management | Establish/Maintain Documentation | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain a product and services acquisition program. CC ID 01136 [Consistent with a life cycle perspective, the organization shall: determine its environmental requirement(s) for the procurement of products and services, as appropriate; § 8.1 ¶ 4 b)] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Obtain authorization for marketing new products. CC ID 16805 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include compliance requirements in the product and services acquisition policy. CC ID 14163 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include management commitment in the product and services acquisition policy. CC ID 14161 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include the scope in the product and services acquisition policy. CC ID 14159 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include the purpose in the product and services acquisition policy. CC ID 14158 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish, implement, and maintain acquisition approval requirements. CC ID 13704 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 | Acquisition or sale of facilities, technology, and services | Communicate | |
Include preventive maintenance contracts in system acquisition contracts. CC ID 06658 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Sign a forfeiture statement acknowledging unapproved Personal Electronic Devices will be confiscated. CC ID 11667 | Acquisition or sale of facilities, technology, and services | Physical and Environmental Protection | |
Include chain of custody procedures in the product and services acquisition program. CC ID 10058 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain organizational documents. CC ID 16202 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Organize all compliance documents. CC ID 06096 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Organize all compliance documents to fit the message. CC ID 06097 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Define the structure for compliance documents and governance documents. CC ID 06111 [When creating and updating documented information the organization shall ensure appropriate: identification and description (e.g. a title, date, author, or reference number); § 7.5.2 ¶ 1 a)] | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Subordinate the structure of the compliance document to fit the topic. CC ID 06109 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Define visual and formatting styles for all structured headings. CC ID 06110 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Define the section heading style, if section headings are being used. CC ID 06112 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Use a table of contents to show sections and headings, if section headings are being used. CC ID 06113 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Place the table of contents at the document's beginning. CC ID 06114 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Add term definitions to the document's end. CC ID 06115 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 | Third Party and supply chain oversight | Business Processes | |
Identify red flags in the supply chain. CC ID 08873 | Third Party and supply chain oversight | Business Processes | |
Detect red flags in the supply chain. CC ID 08874 | Third Party and supply chain oversight | Business Processes | |
Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 | Third Party and supply chain oversight | Business Processes | |
Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 | Third Party and supply chain oversight | Business Processes | |
Establish and maintain an interactive map of third party red flag locations. CC ID 08876 | Third Party and supply chain oversight | Business Processes | |
Collect information on red-flagged supply chains. CC ID 08877 | Third Party and supply chain oversight | Business Processes |