Establish, implement, and maintain a reporting methodology program.

CONTROL ID: 02072
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Leadership and high level objectives, CC ID: 00597

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain communication protocols., CC ID: 12245
  • Establish, implement, and maintain an internal reporting program., CC ID: 12409
  • Establish, implement, and maintain an external reporting program., CC ID: 12876

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should implement a management reporting system to oversee the performance of security management in meeting its stated objectives. The report might include incident analysis; exposure analysis; performance analysis; system capacity analysis; progress against strategy; infrastructure… (¶ 77, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • IT security metrics can be useful mechanisms for assessing the success of the IT security risk management framework in maintaining confidentiality, integrity and availability, and are usually included in IT security reporting. In APRA's view, each dimension of the IT security risk management framewo… (¶ 78, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • In APRA's view, there would normally be sufficient management reporting to enable effective oversight of the performance of the IT security management function in meeting its stated objectives. Reporting may include: risk profile(s); exposure analysis; progress against strategy; incident analysis; s… (¶ 77, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Whether ICT risk measurement, monitoring and reporting systems are appropriate; and (Title 3 3.4 61.b(iii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • present information in a way that users can find the information they want without unreasonable effort, for example, through a table of contents, maps, or links; (Clarity Guidance ¶ 1 Bullet 2, GRI 1: Foundation 2021)
  • present information in a way that it can be understood by users who have reasonable knowledge of the organization and its activities; (Clarity Guidance ¶ 1 Bullet 3, GRI 1: Foundation 2021)
  • avoid abbreviations, technical terms, or other jargon likely to be unfamiliar to users or, if these are used, include relevant explanations in the appropriate sections or in a glossary; (Clarity Guidance ¶ 1 Bullet 4, GRI 1: Foundation 2021)
  • consider specific accessibility needs of information users, associated with abilities, language, and technology; (Clarity Guidance ¶ 1 Bullet 1, GRI 1: Foundation 2021)
  • use graphics and consolidated data tables to make information accessible and understandable. (Clarity Guidance ¶ 1 Bullet 6, GRI 1: Foundation 2021)
  • report information in a concise way and aggregate information where useful without omitting necessary details; (Clarity Guidance ¶ 1 Bullet 5, GRI 1: Foundation 2021)
  • report information about its impacts in relation to societal expectations and expectations of responsible business conduct set out in authoritative intergovernmental instruments with which the organization is expected to comply (e.g., Organisation for Economic Co-operation and Development [OECD] Gui… (Sustainability context Guidance ¶ 2 Bullet 3, GRI 1: Foundation 2021)
  • present information for the current reporting period and at least two previous periods, as well as any goals and targets that have been set (Comparability Guidance ¶ 2 Bullet 1, GRI 1: Foundation 2021)
  • maintain consistency in the methods used to measure and calculate data and in explaining the methods and assumptions used; (Comparability Guidance ¶ 2 Bullet 3, GRI 1: Foundation 2021)
  • maintain consistency in the manner of presenting the information; (Comparability Guidance ¶ 2 Bullet 4, GRI 1: Foundation 2021)
  • report total numbers or absolute data (e.g., metric tons of CO2 equivalent) as well as ratios or normalized data (e.g., CO2 emissions per unit produced) to enable comparisons, and provide explanatory notes when using ratios; (Comparability Guidance ¶ 2 Bullet 5, GRI 1: Foundation 2021)
  • provide contextual information (e.g., the organization's size, geographic location) to help information users understand the factors that contribute to differences between the organization's impacts and the impacts of other organizations; (Comparability Guidance ¶ 2 Bullet 6, GRI 1: Foundation 2021)
  • not omit information that is necessary for understanding the organization's impacts. (Completeness Guidance ¶ 1 Bullet 2, GRI 1: Foundation 2021)
  • If the organization consists of multiple entities (i.e., a parent entity and its subordinate entities), the organization is required to explain the approach used for consolidating the information under 2-2-c in GRI 2: General Disclosures 2021. (Completeness Guidance ¶ 2, GRI 1: Foundation 2021)
  • The organization shall report information on a regular schedule and make it available in time for information users to make decisions. (Timeliness ¶ 1(a), GRI 1: Foundation 2021)
  • find a balance between the need to make information available in a timely manner and ensuring that the information is of high quality and meets the requirements under the other reporting principles; (Timeliness Guidance ¶ 2 Bullet 1, GRI 1: Foundation 2021)
  • ensure consistency in the length of reporting periods; (Timeliness Guidance ¶ 2 Bullet 2, GRI 1: Foundation 2021)
  • set up internal controls and organize documentation in such a way that individuals other than those preparing the reported information (e.g., internal auditors, external assurance providers) can review them; (Verifiability Guidance ¶ 2 Bullet 1, GRI 1: Foundation 2021)
  • avoid including information that is not substantiated by evidence unless it is relevant for understanding the organization's impacts; (Verifiability Guidance ¶ 2 Bullet 6, GRI 1: Foundation 2021)
  • be able to identify the original sources of the reported information and provide reliable evidence to support assumptions or calculations; (Verifiability Guidance ¶ 2 Bullet 4, GRI 1: Foundation 2021)
  • Requirement 2-2-a includes those entities that the organization controls or has an interest in and are included in its sustainability reporting, such as subsidiaries, joint ventures, and affiliates, including minority interests. The organization should report information for the same group of entiti… (Guidance to 2-2-a ¶ 2, GRI 2: General Disclosures, 2021)
  • The organization should report the information for the same reporting period as covered in its financial reporting. The organization should also publish the information at the same time as its financial reporting, where this is possible. (Guidance to 2-3-a and 2-3-b ¶ 2, GRI 2: General Disclosures, 2021)
  • The organization should separately specify any additional entities included in the sustainability reporting that are not included in its financial reporting. (Guidance to 2-2-a and 2-2-b ¶ 2, GRI 2: General Disclosures, 2021)
  • report whether the highest governance body is responsible for reviewing and approving the reported information, including the organization's material topics, and if so, describe the process for reviewing and approving the information; (Disclosure 2-14 ¶ 1(a), GRI 2: General Disclosures, 2021)
  • Where significant, report EVG&D separately at country, regional, or market levels, and the criteria used for defining significance. (Disclosure 201-1 ¶ 1(b), GRI 201: Economic Performance, 2016)
  • When compiling the information specified in Disclosure 201-1, the reporting organization shall, if applicable, compile the EVG&D from data in the organization's audited financial or profit and loss (P&L) statement, or its internally audited management accounts. (Disclosure 201-1 ¶ 2 2.1, GRI 201: Economic Performance, 2016)
  • When compiling the information specified in Disclosure 207-4, the reporting organization shall report information for the time period covered by the most recent audited consolidated financial statements or financial information filed on public record. If information is not available for this time pe… (Disclosure 207-4 ¶ 2 2.1, GRI 207: Tax, 2019)
  • in cases where an entity is deemed not to be resident in any tax jurisdiction, provide the information for this stateless entity separately. (Disclosure 207-4 ¶ 2 2.2.3, GRI 207: Tax, 2019)
  • The approach for each step will vary according to the specific circumstances of the organization, such as its business model; sectors; geographic, cultural, and legal operating context; ownership structure; and the nature of its impacts. Given these specific circumstances, the steps should be system… (§ 1. ¶ 6, GRI 3: Material Topics 2021)
  • The organization should document its process of determining material topics. This includes documenting the approach taken, decisions, assumptions, and subjective judgments made, sources analyzed, and evidence gathered. Accurate records help the organization explain its chosen approach and report the… (§ 1. ¶ 5, GRI 3: Material Topics 2021)
  • The significance of an impact is the sole criterion to determine whether a topic is material for reporting. The organization cannot use difficulty in reporting on a topic or the fact that it does not yet manage the topic as criteria to determine whether or not to report on the topic. In cases where … (§ 1. Step 4. Setting a threshold to determine which topics are material ¶ 3, GRI 3: Material Topics 2021)
  • use the total weight or volume of materials used as specified in Disclosure 301-1; (Disclosure 301-2 ¶ 2 2.2.1, GRI 301: Materials 2016)
  • Standards, methodologies, assumptions, and/or calculation tools used. (Disclosure 302-5 ¶ 1(c), GRI 302: Energy 2016)
  • Standards, methodologies, assumptions, and/or calculation tools used. (Disclosure 302-1 ¶ 1(f), GRI 302: Energy 2016)
  • Standards, methodologies, assumptions, and/or calculation tools used. (Disclosure 302-2 ¶ 1(b), GRI 302: Energy 2016)
  • Standards, methodologies, assumptions, and/or calculation tools used. (Disclosure 302-4 ¶ 1(d), GRI 302: Energy 2016)
  • Any contextual information necessary to understand how the data have been compiled, such as any standards, methodologies, and assumptions used. (Disclosure 303-3 ¶ 1(d), GRI 303: Water and Effluents 2018)
  • Any contextual information necessary to understand how the data have been compiled, such as any standards, methodologies, and assumptions used. (Disclosure 303-4 ¶ 1(e), GRI 303: Water and Effluents 2018)
  • Any contextual information necessary to understand how the data have been compiled, such as any standards, methodologies, and assumptions used, including whether the information is calculated, estimated, modeled, or sourced from direct measurements, and the approach taken for this, such as the use o… (Disclosure 303-5 ¶ 1(d), GRI 303: Water and Effluents 2018)
  • Standards, methodologies, and assumptions used. (Disclosure 304-3 ¶ 1(d), GRI 304: Biodiversity, 2016)
  • Standards, methodologies, assumptions, and/or calculation tools used. (Disclosure 305-1 ¶ 1(g), GRI 305: Emissions, 2016)
  • report biogenic emissions of CO2 from the combustion or biodegradation of biomass separately from the gross direct (Scope 1) GHG emissions. Exclude biogenic emissions of other types of GHG (such as CH4 and N2O), and biogenic emissions of CO2 that occur in the life cycle of biomass other than from co… (Disclosure 305-1 ¶ 2 2.1.2, GRI 305: Emissions, 2016)
  • Standards, methodologies, assumptions, and/or calculation tools used. (Disclosure 305-2 ¶ 1(g), GRI 305: Emissions, 2016)
  • account and report energy indirect (Scope 2) GHG emissions based on both the location-based and market-based methods, if it has any operations in markets providing product or supplier-specific data in the form of contractual instruments. (Disclosure 305-2 ¶ 2 2.3.4, GRI 305: Emissions, 2016)
  • Standards, methodologies, assumptions, and/or calculation tools used. (Disclosure 305-3 ¶ 1(g), GRI 305: Emissions, 2016)
  • Standards, methodologies, assumptions, and/or calculation tools used. (Disclosure 305-5 ¶ 1(e), GRI 305: Emissions, 2016)
  • Standards, methodologies, assumptions, and/or calculation tools used. (Disclosure 305-6 ¶ 1(d), GRI 305: Emissions, 2016)
  • exclude ODS recycled and reused. (Disclosure 305-6 ¶ 2 2.11.2, GRI 305: Emissions, 2016)
  • Standards, methodologies, assumptions, and/or calculation tools used. (Disclosure 305-7 ¶ 1(c), GRI 305: Emissions, 2016)
  • report biogenic emissions of CO2 from the combustion or biodegradation of biomass that occur in its value chain separately from the gross other indirect (Scope 3) GHG emissions. Exclude biogenic emissions of other types of GHG (such as CH4 and N2O), and biogenic emissions of CO2 that occur in the li… (Disclosure 305-3 ¶ 2 2.5.3, GRI 305: Emissions, 2016)
  • if reporting an intensity ratio for other indirect (Scope 3) GHG emissions, report this intensity ratio separately from the intensity ratios for direct (Scope 1) and energy indirect (Scope 2) emissions. (Disclosure 305-4 ¶ 2 2.7.2, GRI 305: Emissions, 2016)
  • account and report energy indirect (Scope 2) GHG emissions based on the location-based method, if it has operations in markets without product or supplier-specific data; (Disclosure 305-2 ¶ 2 2.3.3, GRI 305: Emissions, 2016)
  • if reporting two or more Scope types, report the reductions for each separately; (Disclosure 305-5 ¶ 2 2.9.4, GRI 305: Emissions, 2016)
  • report reductions from offsets separately. (Disclosure 305-5 ¶ 2 2.9.5, GRI 305: Emissions, 2016)
  • Contextual information necessary to understand the data and how the data has been compiled. (Disclosure 306-3 ¶ 1(b), GRI 306: Waste)
  • Contextual information necessary to understand the data and how the data has been compiled. (Disclosure 306-4 ¶ 1(e), GRI 306: Waste)
  • Contextual information necessary to understand the data and how the data has been compiled. (Disclosure 306-5 ¶ 1(e), GRI 306: Waste)
  • Any contextual information necessary to understand how the data have been compiled, such as any standards, methodologies, and assumptions used. (Disclosure 403-8 ¶ 1(c), GRI 403: Occupational Health and Safety, 2018)
  • Any contextual information necessary to understand how the data have been compiled, such as any standards, methodologies, and assumptions used. (Disclosure 403-9 ¶ 1(g), GRI 403: Occupational Health and Safety, 2018)
  • include injuries as a result of commuting incidents only where the transport has been organized by the organization; (Disclosure 403-9 ¶ 2 2.1.3, GRI 403: Occupational Health and Safety, 2018)
  • Any contextual information necessary to understand how the data have been compiled, such as any standards, methodologies, and assumptions used. (Disclosure 403-10 ¶ 1(e), GRI 403: Occupational Health and Safety, 2018)
  • Customers can securely report security incidents and vulnerabilities to the provider. (A1.2.3 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Customers can securely report security incidents and vulnerabilities to the provider. (A1.23 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerab… (CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1, CIS Controls, V8)
  • reporting on the performance of the environmental management system, including environmental performance, to top management. (§ 5.3 ¶ 2 b), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • ensure that effective and timely systems of reporting are in place; (§ 5.3.3 ¶ 2 Bullet 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; (§ 4.3.2 ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • determine the most appropriate reporting methodologies for the organization, given the expectations of its relevant stakeholders; (§ 6.5.3.2 ¶ 2 Bullet 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • reporting is coherent so that stakeholders can effectively assess the organization's governance arrangements (see 6.5.3). (§ 6.6.3 ¶ 3 f), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • report on historic actions and outcomes, as well as future intentions. (§ 6.5.3.2 ¶ 1 h), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensure that reported information and disclosed information are material, complete, understandable, responsive, accurate, balanced and timely; (§ 6.5.3.2 ¶ 2 Bullet 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensure that effective systems of timely reporting on compliance performance are in place; (§ 5.3.1 ¶ 4 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensure that effective systems of timely reporting on compliance performance are in place; (§ 5.3.1 ¶ 4 b), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself will not compromise the entity's ability to maintain data privacy and security. (Note to TC-IM-230a.1 2, Internet Media & Services Sustainability Accounting Standard, Version 2018-10)
  • All disclosure shall be sufficient such that it is specific to the risks the entity faces but disclosure itself would not compromise the entity's ability to maintain data privacy and security. (TC-IM-230a.2. 6, Internet Media & Services Sustainability Accounting Standard, Version 2018-10)
  • In the case that current reporting of GHG emissions to the CDP or other entity (e.g., a national regulatory disclosure program) differs in terms of the scope and consolidation approach used, the entity may disclose those emissions. However, primary disclosure shall be according to the guidelines des… (TC-SC-110a.1. 5, Semiconductors Sustainability Accounting Standard, Version 2018-10)
  • GHG emissions data shall be consolidated and disclosed according to the approach with which the entity consolidates its financial reporting data, which is generally aligned with the "financial control" approach defined by the GHG Protocol, and the approach published by the Climate Disclosure Standar… (TC-SC-110a.1. 3.2, Semiconductors Sustainability Accounting Standard, Version 2018-10)
  • All disclosure shall be sufficient such that it is specific to the risks the entity faces but disclosure itself would not compromise the entity's ability to maintain confidential information. (TC-SC-440a.1. 3, Semiconductors Sustainability Accounting Standard, Version 2018-10)
  • Disclosure of strategies, plans, and/or reduction targets shall be limited to activities that were ongoing (active) or reached completion during the reporting period. (TC-SC-110a.2. 6, Semiconductors Sustainability Accounting Standard, Version 2018-10)
  • All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself will not compromise the entity's ability to maintain data privacy and security. (Note to TC-SI-230a.1 2, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • All disclosure shall be sufficient such that it is specific to the risks the entity faces but disclosure itself would not compromise the entity's ability to maintain data privacy and security. (TC-SI-230a.2. 6, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • All disclosure shall be sufficient such that it is specific to the risks the entity faces but disclosure itself would not compromise the entity's ability to maintain data privacy and security. (TC-TL-230a.2. 6, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself will not compromise the entity's ability to maintain data privacy and security. (Note to TC-TL-230a.1 2, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • The organization must measure and report on a carefully chosen set of information security metrics for reports to management of information security status will clarify to operational units what management considers important and the topics on which management wishes to be informed. Management c… (ISPE17, CISWG Information Security Program Elements, 10-Jan-05)
  • Each consumer reporting agency should submit an annual report to the Federal Trade Commission "on consumer complaints received by the agency on identity theft or fraud alerts." (§ 153, Fair and Accurate Credit Transactions Act of 2003 (FACT Act))
  • Each consumer reporting agency should submit an annual report to the Federal Trade Commission "on consumer complaints received by the agency on identity theft or fraud alerts." (§ 621(f), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • The organization should measure and report the effectiveness of government threat reporting for critical DIB assets to the DoD and local law enforcement officials and first-responders. This metric is measured by the results of solicited DIB asset owner feedback. (§ 6.1.1 Table 6-2 Goal 7, Defense Industrial Base Information Assurance Standard)
  • Senior management and other stakeholders have input into the types of reports and metrics produced, and reports are understandable and useful to them. (App A Objective 17:1a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Obtain and review the financial institution's policies and procedures for RDC. Assess whether they define the function, responsibilities, operational controls, vendor management, customer due diligence, BSA/AML compliance monitoring, and reporting functions, etc. Identify the date they were last rev… (App A Tier 2 Objectives and Procedures N.9 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Statistics on demographics and locations served to evaluate whether the institution is meeting its strategy. (AppE.7 Objective 6:2 d., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Reporting at Level 2 plays an important role in equipping mission and business process leaders with the context necessary to manage C-SCRM within the scope of their mission and business processes. Topics covered at Level 2 will reflect those covered at Level 1 but should be reshaped to focus on the … (2.3.3. ¶ 6, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Reporting plays an important role in equipping Level 1 decision-makers with the context necessary to make informed decisions on how to manage cybersecurity risks throughout the supply chain. Reporting should focus on enterprise-wide trends and include coverage of the extent to which C-SCRM has been … (2.3.2. ¶ 11, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The incident reporting procedure must define what a reportable incident is. (SG.IR-7 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The incident reporting procedure must include the granularity of the reported information. (SG.IR-7 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The incident reporting procedure must include who receives the report. (SG.IR-7 Requirement 1.c, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The incident reporting procedure must include the process to transmit the incident information. (SG.IR-7 Requirement 1.d, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms to aid in security incident reporting. (SG.IR-7 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should report annually to the appropriate authority what its actual performance was compared with its stated goals. (§ III (GPRA), § III (Clinger-Cohen Act of 1996), OMB Circular A-123, Management's Responsibility for Internal Control)