
Establish, implement, and maintain a conceptual model of the organization's business activities prior to developing systems.


CONTROL ID: 01028
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a system design project management framework., CC ID: 00990

This Control has the following implementation support Control(s):
  • Analyze business activities to ensure systems are categorized for system design projects., CC ID: 01029
  • Analyze business activities to ensure information is categorized for system design projects., CC ID: 11794
  • Analyze the business activity risk for system design projects., CC ID: 01034
  • Obtain approval from appropriate parties for system design projects., CC ID: 01033


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The current state of the information system operations must be analyzed by personnel in charge from the user, system development, operation, and application maintenance departments who have a good knowledge of the daily operations of the system. This is a control item that constitutes a relatively s… (App 2-1 Item Number II.2(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • An analysis of business activity and everything it entails is called for, going into further detail for each control objective, and is also reflected (though less detailed) in ISO 15489. (§ B.4, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • The Chief Audit Executive and the internal audit team should understand the project management methodology and best practices, controls, and risks associated with systems development and project management before they conduct a project audit. If this relationship is not understood, the full range of… (§ 3.2 (Auditors and Project Management Methodologies) ¶ 2, IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • The organization shall define the infrastructure requirements and the business constraints for the project. (§ 6.2.2.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Analysis of business activity is defined as collecting information from documentary sources and interviews, identifying and documenting each business function, activity and transaction and establishing a hierarchy of them – a business classification system that identifies and documents the flow of… (§ 8.4(b), ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Organizations should develop a conceptual model of what an organization does and how it does it. This includes how records relate to both the organization's business and business processes. It contributes to decisions in subsequent steps about creation, capture, control, storage and disposition of reco… (§ 3.2.3 ¶ b, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The missions of the executive agency must be analyzed, and based on this analysis, the mission-related and administrative processes must be revised, as needed, prior to significant investments in information technology to support these missions. (§ 5113(b)(2)(C), § 5123(5), Clinger-Cohen Act (Information Technology Management Reform Act))