Establish, implement, and maintain a decision management strategy.
CONTROL ID
06913
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a strategic plan., CC ID: 12784

This Control has the following implementation support Control(s):
  • Align the reporting methodology with the decision management strategy., CC ID: 15659
  • Include an economic impact analysis in the decision management strategy., CC ID: 14015
  • Include cost benefit analysis in the decision management strategy., CC ID: 14014
  • Include criteria for compliance in the decision-making criteria., CC ID: 12951
  • Include criteria for risk tolerance in the decision-making criteria., CC ID: 12950
  • Include criteria for selecting objectives and strategies in the decision-making criteria., CC ID: 12949
  • Include criteria for setting priorities in the decision-making criteria., CC ID: 12938
  • Align organizational objectives with compliance objectives in the decision-making criteria., CC ID: 12847
  • Align organizational objectives with performance targets in the decision-making criteria., CC ID: 12843
  • Align organizational objectives with the acceptable residual risk in the decision-making criteria., CC ID: 12841
  • Identify and document the events that initiate the decision management strategy., CC ID: 06914
  • Create additional decision-making criteria to achieve organizational objectives, as necessary., CC ID: 12948
  • Involve knowledgeable and experienced individuals in the decision-making process., CC ID: 06915
  • Take actions in accordance with the decision-making criteria., CC ID: 12909
  • Document and evaluate the decision outcomes from the decision-making process., CC ID: 06918
  • Disseminate and communicate the decision management strategy to all interested personnel and affected parties., CC ID: 13991


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; (4.6 40(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. (4.6 36(f), Final Report on EBA Guidelines on outsourcing arrangements)
  • Elaboration of a management submittal for decision-making (§ 3.3.5 Subsection 4 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In practice, brainstorming involving all employees involved has proven effective in identifying additional threats. Information security officers, specialists responsible, administrators and users of the target object under review as well as external experts, if appropriate, should be involved. The … (§ 4.2 ¶ 10, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • You have the capability to enact your incident response plan, including effective limitation of impact on the operation of your essential function. During an incident, you have access to timely information on which to base your response decisions. (D1.b ¶ 1, NCSC CAF guidance, 3.1)
  • Provide direction by establishing clear mission, vision and values statements, high-level objectives, as well as guidance about how decisions will be made. (OCEG GRC Capability Model, v. 3.0, A1 Direction, OCEG GRC Capability Model, v 3.0)
  • Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. (§ 3 Principle 3 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • its authority and ability to exercise control and influence. (§ 4.3 ¶ 2 e), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall define a strategy for decision management. (§ 6.3.3.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization should implement the risk management framework by: - developing an appropriate plan including time and resources; - identifying where, when and how different types of decisions are made across the organization, and by whom; - modifying the applicable decision-making processes wher… (§ 5.5 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations… (§ 6.6.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: (§ 6.8.3.2.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensure that there is commitment to support the collective decision, to clearly record it and to act on it; (§ 6.8.3.2.1 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that decisions are transparent and aligned with broader societal expectations. (Table 1 Column 4 Row 11, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • competence and probity in the manner in which it makes decisions. (§ 5 ¶ 2 c) 5), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • maintain an appropriate balance between guiding discussions to a decision and ensuring that every member has the opportunity to express their independent assessment; (§ 6.8.3.2.1 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. (Table 2 Column 2 Row 3 Bullet 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that decisions are transparent and aligned with broader societal expectations. (§ 6.10.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustaine… (§ 6.11.3.2 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; (§ 6.3.3.2.2 ¶ 2 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • decision-making, specifically, the strategic deployment of resources. (§ 6.3.3.2.2 ¶ 2 j), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • reconciling the perspectives, considering how each position can support the other; (§ 6.7.3.4 ¶ 2 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairne… (§ 6.5.3.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; (§ 6.7.3.3 ¶ 3 Bullet 4, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; (§ 6.3.3.2.2 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The outputs of the management review shall include decisions related to: (§ 9.3 ¶ 3, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • the criteria for IT asset management decision making; (Section 4.2 ¶ 1 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Any decision or action of the organization should align with its culture and values. However, much of an organization's culture and values are implicitly embedded in the behaviour of its staff and processes. An AI system has no equivalent of human understanding of context, of common sense, morality … (§ 6.5 ¶ 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Decision-making oversight. The governing body should ensure that there is adequate oversight, that controls are implemented to ensure effective decision-making capabilities and that there is appropriate visibility of both conformity of decision-making to organizational policies and any exceptions. F… (§ 6.3 ¶ 6 Bullet 5, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Level of responsibility. Ensuring that the level of decision-making matches the authority granted and responsibility associated to the decision is a critical element of good governance. Defining the scope and impact of possible decisions and matching those to the levels of responsibility is necessar… (§ 6.3 ¶ 6 Bullet 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. (CC1.3 ¶ 1 COSO Principle 3:, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization establishes an operating structure and designs reporting lines to carry out the strategy and business objectives. It is important for the organization to clearly define responsibilities when designing reporting lines. The organization may also enter into relationships with external … (Operating Structure and Reporting Lines ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. (CC1.3 COSO Principle 3:, Trust Services Criteria)
  • Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. (CC1.3 ¶ 1 COSO Principle 3:, Trust Services Criteria, (includes March 2020 updates))
  • Independence – In order to ensure that internal auditors remain objective, the internal audit function must be organizationally independent. Specifically, the internal audit function will not defer ultimate judgment on audit matters to others, and shall appoint an individual to head the internal a… (Section 15.C., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Definition of responsibilities and decision-making. (App A Objective 12:2a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Evaluate that management's AIO decisions align with the entity's business strategy, security, and resilience needs. (App A Objective 2:11e Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Bases improvement decisions on the potential benefit and ease of implementation, with a focus on important IT processes and core competencies. (App A Objective 17:4b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Has decision-making authority. (App A Objective 2:6 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Describe the process, the financial institution staff involved, and the decision criteria the financial institution uses to conduct a due diligence review to qualify potential customers for the RDC delivery system. Consider the following: (App A Tier 2 Objectives and Procedures N.3 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Implementing C-SCRM requires enterprises to establish a coordinated team-based approach and a shared responsibility model to effectively manage cybersecurity risks throughout the supply chain. Enterprises should establish and adhere to C-SCRM-related policies, develop and follow processes (often cro… (2.3.1. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Contribute to the development of the organization's decision support tools if necessary. (T0628, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Each team is led by a team leader who directs overall team operations, acts as the team's representative to management, and liaises with other team leaders. The team leader disseminates information to team members and approves any decisions that must be made within the team. Team leaders should have… (§ 3.4.6 ¶ 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Contribute to the development of the organization's decision support tools if necessary. (T0628, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)