Analyze organizational objectives, functions, and activities.


CONTROL ID
00598
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Leadership and high level objectives, CC ID: 00597

This Control has the following implementation support Control(s):
  • Develop instructions for setting organizational objectives and strategies., CC ID: 12931
  • Analyze the business environment in which the organization operates., CC ID: 12798
  • Analyze the external environment in which the organization operates., CC ID: 12799
  • Conduct a context analysis to define objectives and strategies., CC ID: 12864
  • Establish, implement, and maintain organizational objectives., CC ID: 09959
  • Identify all interested personnel and affected parties., CC ID: 12845
  • Establish, implement, and maintain criteria for grouping stakeholders., CC ID: 15584
  • Analyze and prioritize the requirements of interested personnel and affected parties., CC ID: 12796
  • Establish, implement, and maintain data governance and management practices., CC ID: 14998
  • Establish, implement, and maintain an information classification standard., CC ID: 00601
  • Establish, implement, and maintain a data classification scheme., CC ID: 11628
  • Establish and maintain an organizational data dictionary, including data syntax rules., CC ID: 00600
  • Establish, implement, and maintain an Information and Infrastructure Architecture model., CC ID: 00599
  • Establish, implement, and maintain sustainable infrastructure planning., CC ID: 00603
  • Establish, implement, and maintain an organizational structure., CC ID: 16310
  • Monitor regulatory trends to maintain compliance., CC ID: 00604
  • Establish, implement, and maintain a Quality Management framework., CC ID: 07196


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • the relevant business models are acceptable so as to mitigate the relevant reputation and legal risk involved; (§ 6.3.3(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Internal controls have the following inherent limitations and, thereby, cannot provide absolute assurance to achieving objectives. However, with organized and integrated functions of the individual components as a whole, it aims to achieve the objectives to a reasonable extent. The internal control … (Standard § I.3, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The organization should not consider individual business unit objectives alone, but should consider the objectives in terms of the entire organization. (¶ 16, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • § B.1 covers the development of a conceptual model that describes what your organization does and how it does it by examining business activities and processes. This analysis provides a core foundation for the development of record keeping tools and contributes to the decisions made regarding the c… (§ B.1, § B.3, § B.4, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limi… (4.12.2 68(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; (4.10 51(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • When designing and planning the security process the organization should specify the general information security objectives. (3.2 Bullet 5, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • In order to be able to define the security objectives, estimates should first be made on which business processes, specialised procedures and information are essential to meet the objective and which value these are assigned. Here it is important to make clear how strong the fulfilment of tasks with… (§ 3.2.2 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the applications operated for Core Protection in the limited information domain, and the correspondingly supported business processes, (§ 7.4 ¶ 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • To draw up a security concept in accordance with the Standard Protection approach, and especially to apply the IT-Grundschutz Compendium it is necessary to analyse and document the interaction of the business processes, applications and existing information technology. Since IT systems today are hig… (§ 8 Subsection 2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • applications operated in the information domain and the correspondingly supported business processes, (§ 8 Subsection 2 ¶ 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the existing infrastructure. (§ 8 Subsection 2 ¶ 1 Bullet 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • It should be noted that the objects and data acquired within the scope of structure analysis are not only required for the security process, but also for operational aspects and for administration in most cases. Thus, it should be checked whether databases or summaries that can be used as data sourc… (§ 8.1 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • A BCP review should be conducted. It enables an auditor to gain an overall understanding of the business environment, which includes understanding the organization's mission, business objectives, relevant business processes, the information requirements for those processes, and the strategic value o… (§ 4.1.4, ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals, May 15, 2009)
  • Analyze the results of monitoring activities to identify weaknesses and opportunities for systemic improvements. (OCEG GRC Capability Model, v. 3.0, R1.4 Analyze and Report Monitoring Results, OCEG GRC Capability Model, v 3.0)
  • Identify forces that may cause desirable (opportunity) or undesirable (threat) effects on the achievement of objectives, as well as those that may compel the organization to conduct itself in a particular way (requirement). (OCEG GRC Capability Model, v 3.0, A3 Identification, OCEG GRC Capability Model, v 3.0)
  • Identify methods and processes that are adequate and appropriate for the particular environment—for example, a centrally managed wireless IDS/IPS may be useful in a large, distributed environment, while a combination of manual wireless scans and physical inspections may be appropriate for a smalle… (3.2.4 A, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Management determines which relevant business processes require control activities. (§ 3 Principle 10 Points of Focus: Determines Relevant Business Processes, COSO Internal Control - Integrated Framework (2013))
  • Before the auditors can define the annual IT audit plan, he/she must understand the business. To understand the business, the auditor needs to identify company objectives, business models, and strategies to help him/her understand unique business risks. The audit team must understand how existing IT… (§ 2.1 ¶ 2, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • The organisation's governing body (e.g., board of directors or equivalent) should define the objectives of the information security governance framework, which include delivering value to stakeholders (e.g., reduced cost and enhanced reputation). (SG.01.01.03b, The Standard of Good Practice for Information Security)
  • The organisation's governing body (e.g., board of directors or equivalent) should define the objectives of the information security governance framework, which include delivering value to stakeholders (e.g., reduced cost and enhanced reputation). (SG.01.01.03b, The Standard of Good Practice for Information Security, 2013)
  • § 4.0 Objectives, strategies and policies. An organization must develop corporate security objectives, strategies and policies. These objectives, strategies and policies should be included as part of security training and awareness programs. Objectives (what is to be achieved), strategies (how to a… (§ 4.0, § 5.1.1, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • The management of IT security includes the analysis of the requirements for security, the establishment of a plan for satisfying these requirements, the implementation of this plan, as well as maintenance and administration of the implemented security. This process starts with establishing the organ… (¶ 6, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • ¶ 7.2 Identification Process. A recommended process for the identification and analysis of the communications related factors that should be taken into account to establish network security requirements, and the provision of an indication of the potential safeguard areas. When considering network c… (¶ 7.2, ¶ 8, ¶ 9, ¶ 9.1, ¶ 9.2, ¶ 9.3, ¶ 9.4, ¶ 9.5, ¶ 10, ¶ 11, ¶ 11.1, ¶ 11.2, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; (§ 6.1.1 ¶ 3 Bullet 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • its activities, products and services; (§ 4.3 ¶ 2 d), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organiz… (§ 4.1 ¶ 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • any possible consequences for business processes or the organizational structure; (§ 6.7 ¶ 2 Bullet 7, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • The security objectives should address all security concerns and declare the security aspects directly addressed by the product or the product's environment. (§ 6.3.2, ISO 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005)
  • (§ 4.1(b), ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • "The purpose of this step is to develop a conceptual model of what an organization does and how it does it. It will demonstrate how records relate to both the organization's business and its business processes. It will contribute to decisions in subsequent steps about the creation, capture, control,… (§ 3.2.3, § 3.2.4, § 6.4.1, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The organization should analyze the business activity as part of the records management process. (§ 3.2.3, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The organization should assess their existing systems to determine the extent that it captures and maintains records of business activities. (§ 3.2.5, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • ensuring that the information security management system achieves its intended outcome(s); (§ 5.1 ¶ 1 e), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • how the results will be evaluated. (§ 6.2 ¶ 4 j), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • characteristics of the organization such as organizational type, structure, size, interdependencies, complexity, culture and its expected future progression; (§ 5 ¶ 5 Bullet 4, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; (§ 6.1.3.2 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result(s) of its compliance management system. (§ 4.1 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the business model, including strategy, nature, size and scale complexity and sustainability of the organization's activities and operations; (§ 4.1 ¶ 2 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • take into account the planned or performed work-related activities. (§ 4.3 ¶ 2 c), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • When planning for the OH&S management system, the organization shall consider the issues referred to in 4.1 (context), the requirements referred to in 4.2 (interested parties) and 4.3 (the scope of its OH&S management system) and determine the risks and opportunities that need to be addressed to: (§ 6.1.1 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • how the results will be evaluated, including indicators for monitoring; (§ 6.2.2 ¶ 1 e), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • business model, including strategy, nature, size and scale complexity and sustainability of the organization's activities and operations; (§ 4.1 ¶ 2 bullet 6, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the organization (itself); (§ 6.3.3 ¶ 3 Bullet 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • the interaction with other management systems, if used. (Section 4.3 ¶ 1 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • be measurable (if practicable); (Section 6.2.3 ¶ 3 bullet 5, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the size of organization and its type of activities, processes, products and services; (Section 7.6.1 ¶ 1 bullet 4, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the implications of the mixed responsibilities involved (including the associated risks and how the mixed responsibilities can be effectively discharged with accountability for those responsible); (Section 8.8 ¶ 3(b), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • how the results will be evaluated; (Section 6.2.4 ¶ 4(g), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall determine and document how these activities will be controlled and integrated into the organization's IT asset management system. The organization shall determine: (Section 8.8 ¶ 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • IT asset management activity; (Section 9.3 ¶ 2(d), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • be measurable; (§ 6.2.1 ¶ 1(b), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • how the results will be evaluated. (§ 6.2 ¶ 4 l), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Management determines which relevant business processes require control activities. (CC5.1 ¶ 2 Bullet 3 Determines Relevant Business Processes, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • It is important that the board understands the complexity of the entity and how integrating enterprise risk management capabilities and practices will enhance value. The board engages in conversations with management to determine whether enterprise risk management is suitably designed to enhance val… (Suitability of Enterprise Risk Management ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization develops business objectives that are specific, measurable or observable, attainable, and relevant. Business objectives provide the link to practices within the entity to support the achievement of the strategy. For example, business objectives may relate to: (Establishing Business Objectives ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Review business objectives: An organization may choose to change or abandon a business objective if the performance of the entity is not achieved within acceptable variation. (Integrating Reviews into Business Practices ¶ 2 Bullet 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • A process exists to identify and address potential impairments to the entity's ongoing ability to achieve its objectives in accordance with the system security policies. (Security Prin. and Criteria Table § 4.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • A process exists to identify and address potential impairments to the entity's ongoing ability to achieve its objectives in accordance with the system availability and related security policies. (Availability Prin. and Criteria Table § 4.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • A process exists to identify and address potential impairments to the entity's ongoing ability to achieve its objectives in accordance with the system processing integrity and related security policies. (Processing Integrity Prin. and Criteria Table § 4.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • A process exists to identify and address potential impairments to the entity's ongoing ability to achieve its objectives in accordance with the system confidentiality and related security policies. (Confidentiality Prin. and Criteria Table § 4.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • the nature of the service organization's operations and the types of services offered to user entities and business partners, (¶ 3.59 Bullet 2 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • As previously discussed, the trust services criteria presented in TSP section 100 are used to evaluate the effectiveness (suitability of design and operating effectiveness) of controls in a SOC 2 examination. These criteria are based on the COSO framework, which notes that "an organization adopts a … (¶ 1.55, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Management determines which relevant business processes require control activities. (CC5.1 Determines Relevant Business Processes, Trust Services Criteria)
  • Management determines which relevant business processes require control activities. (CC5.1 ¶ 2 Bullet 3 Determines Relevant Business Processes, Trust Services Criteria, (includes March 2020 updates))
  • An organization should ensure efficiency and effectiveness of operations by implementing controls that include policies and procedures for carrying out organizational objectives such as planning, productivity, programmatic, quality, economy, efficiency, and effectiveness objectives. (§ 260.06, GAO/PCIE Financial Audit Manual (FAM))
  • Enterprises should validate identified C-SCRM goals and objectives with their targeted stakeholder groups prior to beginning an effort to develop specific measures. When developing C-SCRM measures, enterprises should focus on the stakeholder's highest priorities and target measures based on data tha… (3.5.1. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. (ID.BE Business Environment, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. (ID.BE Business Environment, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Organizational records and documents should be examined before any security-related activities are conducted to ensure planning and coordination between the organizational elements has occurred, planning and coordination occur continuously before any security-related events are begun, and specific r… (PL-6, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform privacy roles, responsibilities, and risk management decisions. (Business Environment (ID.BE-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must plan and coordinate security-related activities that affect the system before the activities are conducted to reduce the impact on organizational operations, assets, and individuals. (App F § PL-6, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • ¶ 21 A bank should assess how it will use the technology within the context of its overall strategic goals and its market. ¶ 29 Assess Needs and Review Options. (¶ 21, ¶ 29, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)