Establish, implement, and maintain an approach for compliance monitoring.


CONTROL ID
01653
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a metrics policy., CC ID: 01654

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain risk management metrics., CC ID: 01656
  • Identify information being used to support the performance of the governance, risk, and compliance capability., CC ID: 12866
  • Identify information being used to support performance reviews for risk optimization., CC ID: 12865
  • Monitor personnel and third parties for compliance to the organizational compliance framework., CC ID: 04726
  • Establish, implement, and maintain compliance program metrics., CC ID: 11625
  • Establish, implement, and maintain a security program metrics program., CC ID: 01660
  • Establish, implement, and maintain a key management roles metrics standard., CC ID: 11631
  • Establish, implement, and maintain a key stakeholder metrics program., CC ID: 01661
  • Establish, implement, and maintain a supply chain member metrics program., CC ID: 01662
  • Establish, implement, and maintain a Business Continuity metrics program., CC ID: 01663
  • Establish, implement, and maintain an audit metrics program., CC ID: 01664
  • Establish, implement, and maintain an Information Security metrics program., CC ID: 01665


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Conduct regular ICT security audits, scans and tests to detect vulnerabilities and non-compliance with organisational standards. (Annex A1: Compliance, Testing and Audits 14, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • A regulated institution would normally implement processes that ensure compliance with regulatory and prudential requirements and the internal IT security risk management framework. APRA envisages that this would include ongoing checks by the compliance function (or equivalent), supported by reporti… (¶ 28, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • In APRA's view, the IT security risk management framework would encapsulate the expectations of the Board and senior management, have a designated owner(s), and outline the roles and responsibilities of staff to ensure the achievement of effective IT security risk management outcomes. The framework … (¶ 25, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Member States shall designate competent authorities to ensure and monitor effective compliance with this Directive. Those competent authorities shall take all appropriate measures to ensure such compliance. (Art 100(1), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • Integrate measurements of the achievement of objectives into the security strategy. (6.1 Bullet 2, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Firms must identify their customers and, where applicable, their beneficial owners, and then verify their identities. Firms must also understand the purpose and intended nature of the customer's relationship with the firm and collect information about the customer and, where relevant, beneficial own… (3.2.4 ¶ 1, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • The entity has processes for assuring adherence to information privacy policies and procedures through ongoing and separate evaluations. Refer to Component M9.0. (M1.0 Monitoring and enforcement, Privacy Management Framework, Updated March 1, 2020)
  • The entity has an overall governance and legal structure that defines and establishes responsibility and authority for the entity's oversight processes, policy setting and ongoing monitoring activities. (M1.2 Responsibility and authority, Privacy Management Framework, Updated March 1, 2020)
  • Obtain and report assurance of compliance and adherence to all internal policies derived from internal directives or external legal, regulatory or contractual requirements, confirming that any corrective actions to address any compliance gaps have been taken by the responsible process owner in a tim… (ME3.4 Positive Assurance of Compliance, CobiT, Version 4.1)
  • Definition of activities for maintaining and monitoring overall PCI DSS compliance, including business-as-usual activities (A3.1.2 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Perform reviews at least quarterly to verify BAU activities are being followed. Reviews must be performed by personnel assigned to the PCI DSS compliance program (as identified in A3.1.3), and include the following: (A3.3.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months. (12.8.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Confirmation that all BAU activities, including A3.2.2, A3.2.6, and A3.3.1, are being performed. (A3.3.3 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Reviews are performed at least once every three months to verify BAU activities are being followed. Reviews are performed by personnel assigned to the PCI DSS compliance program (as identified in A3.1.3), and include: (A3.3.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine policies and procedures to verify that processes are defined to monitor TPSPs' PCI DSS compliance status at least once every 12 months. (12.8.4.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documentation and interview responsible personnel to verify that the PCI DSS compliance status of each TPSP is monitored at least once every 12 months. (12.8.4.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months. (12.8.4, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months. (12.8.4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months. (12.8.4, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months. (12.8.4, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months. (12.8.4, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months. (12.8.4, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months. (12.8.4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months. (12.8.4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months. (12.8.4, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An enterprise-wide approach for monitoring the performance of the Information Assurance program should be agreed by executive management, which includes monitoring the security condition of the organization based on quantitative techniques (for example, using recognized Information Security metrics)… (SG.02.03.05a, The Standard of Good Practice for Information Security)
  • An enterprise-wide approach for monitoring the performance of the Information Assurance program should be agreed by executive management, which includes presentation of results against Key Performance Indicators that can be clearly understood by those without a detailed knowledge of Information Secu… (SG.02.03.05b, The Standard of Good Practice for Information Security)
  • An enterprise-wide approach for monitoring the performance of the Information Assurance program should be agreed by executive management, which includes the requirement for exception reporting to the governing body and stakeholders, for example where the organization experiences a major information … (SG.02.03.05d, The Standard of Good Practice for Information Security)
  • An enterprise-wide approach for monitoring the performance of the Information Assurance program should be agreed by executive management, which includes monitoring the security condition of the organization based on quantitative techniques (for example, using recognized Information Security metrics)… (SG.02.03.05a, The Standard of Good Practice for Information Security, 2013)
  • An enterprise-wide approach for monitoring the performance of the Information Assurance program should be agreed by executive management, which includes presentation of results against Key Performance Indicators that can be clearly understood by those without a detailed knowledge of Information Secu… (SG.02.03.05b, The Standard of Good Practice for Information Security, 2013)
  • An enterprise-wide approach for monitoring the performance of the Information Assurance program should be agreed by executive management, which includes the requirement for exception reporting to the governing body and stakeholders, for example where the organization experiences a major information … (SG.02.03.05d, The Standard of Good Practice for Information Security, 2013)
  • determine the frequency that compliance will be evaluated; (§ 9.1.2 ¶ 2 a), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • An organization should establish a process to evaluate the extent to which its compliance obligations are fulfilled, by monitoring, measuring, analysing and reviewing its performance against its compliance obligations, as determined in 4.2 and 6.1.3. This process can help the organization demonstrat… (9.1.2 ¶ 1, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • establishing and maintaining accountability mechanisms, including timely reporting on compliance matters, including noncompliance; (§ 5.1 ¶ 1 j), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization should analyse compliance risks by considering causes and sources of noncompliance and the severity of their consequences, as well as the likelihood that noncompliance and associated consequences can occur. Consequences can include, for example, personal and environmental harm, econ… (§ 4.6 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • setting in place a compliance reporting and documenting system; (§ 5.3.4 ¶ 2 e), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • on-going monitoring and measurement; (§ 8.2 ¶ 5 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • specific arrangements for identifying, reporting and escalating instances of noncompliance and risks of noncompliance. (§ 8.2 ¶ 5 e), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • when the monitoring and measuring should be performed; (§ 9.1.1 ¶ 1 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • when the results from monitoring and measurement should be analysed, evaluated and reported. (§ 9.1.1 ¶ 1 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The compliance management system should be monitored to ensure compliance performance is achieved. A plan for continual monitoring should be established, setting out monitoring processes, schedules, resources and the information to be collected. (§ 9.1.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Effective controls are needed to ensure that the organization's compliance obligations are met and that noncompliances are prevented or detected and corrected. The types and levels of controls should be designed with sufficient rigour to facilitate achieving the compliance obligations that are parti… (§ 8.2 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - mon… (§ 9.1.1 ¶ 5, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; (§ 9.1 ¶ 1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • when and by whom the results from monitoring and measurement shall be analysed and evaluated. (§ 9.1 ¶ 1 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. (§ 6.8.3.2.2 ¶ 1 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • establishing a compliance reporting and documenting system; (§ 5.3.2 ¶ 1 bullet 6, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall develop, establish, implement and maintain processes to assess, evaluate, investigate and close reports on suspected or actual instances of noncompliance. These processes shall ensure fair and impartial decision-making. (§ 8.4 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; (§ 9.1.1 ¶ 2 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall establish, implement and maintain a process(es), including reporting, investigating and taking action, to determine and manage incidents and nonconformities. (§ 10.2 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • determining if similar incidents have occurred, if nonconformities exist, or if they could potentially occur; (§ 10.2 ¶ 2 b) 3), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • when the results from monitoring and measurement shall be analysed, evaluated and reported. (§ 9.1.1 ¶ 2 d), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • establishing a compliance reporting and documenting system; (§ 5.3.2 ¶ 2 bullet 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • monitoring and measurement results; (§ 9.3 Guidance ¶ 4(c)(2), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • When assessing the risks of material misstatement, paragraph .15 of AT-C section 205 states that the service auditor should obtain an understanding of internal control, which, in the case of a SOC 2® examination, focuses on obtaining an understanding of controls over the preparation of the descript… (¶ 2.121, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Designing, implementing, operating, monitoring, and documenting controls that are suitably designed and, in a type 2 examination, operating effectively to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable tr… (¶ 2.04 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Controls at the subservice organization may also include aspects of the subservice organization's control environment, risk assessment process, information and communications, and monitoring activities to the extent that they are relevant to controls at the service organization. The description shou… (¶ 3.44, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Designing, implementing, monitoring, and documenting effective controls to provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicable trust services criteria (¶ 2.168 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtaining an understanding of the procedures in place at the service organization to evaluate and monitor the implementation, suitability of design, and, in a type 2 examination, the operating effectiveness of the controls at the subservice organization (for example, evaluation of a service auditor'… (¶ 3.99 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Designing, implementing, operating, monitoring, and documenting controls that are suitably designed and, in a type 2 examination, operating effectively to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable tr… (¶ 2.05 Bullet 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Designing, implementing, monitoring, and documenting effective controls to provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicable trust services criteria (¶ 2.191 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In evaluating whether the entity has complied with the specified requirements, in all material respects, (or whether management's assertion about its compliance with the specified requirements is fairly stated, in all material respects), the practitioner should evaluate (a) the nature and frequency … (AT-C Section 315.19, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The organization must establish metrics for the Board for use in connection with its information assurance responsibilities. (§ VI, CISWG Information Security Program Elements, 10-Jan-05)
  • Tracking mechanisms and processes are in place to monitor issues related to AIO to their resolution. (II.A Action Summary ¶ 2 Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Automates the collection of KPIs, where possible. (App A Objective 17:2c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Methods to track and report on nonconformance to entity policies and the timeliness and remediation progress of all identified vulnerabilities, including those related to security procedures, physical layout, or internal controls. (App A Objective 15:3a Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Regularly reviews KPI reports and provides appropriate reporting up to the board. (App A Objective 17:2e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Include a process to monitor policy compliance. (App A Tier 2 Objectives and Procedures K.1 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Develop methods to monitor and measure risk, compliance, and assurance efforts. (T0072, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Monitor and evaluate a system's compliance with information technology (IT) security, resilience, and dependability requirements. (T0150, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct periodic information privacy impact assessments and ongoing compliance monitoring activities in coordination with the organization's other compliance and operational assessment functions (T0904, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop methods to monitor and measure risk, compliance, and assurance efforts. (T0072, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Monitor and evaluate a system's compliance with information technology (IT) security, resilience, and dependability requirements. (T0150, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct periodic information privacy impact assessments and ongoing compliance monitoring activities in coordination with the organization's other compliance and operational assessment functions (T0904, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Collect metrics and trending data. (T0349, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Banks must establish clearly defined measurement objectives and conduct periodic reviews to ensure that goals and standards established by bank management are met. Goals and standards should include an emphasis on data integrity, which is essential to any effective use of technology. Information sho… (¶ 45, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)