Document and evaluate the decision outcomes from the decision-making process.


CONTROL ID
06918
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a decision management strategy (CC ID: 06913)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The management level must regularly check the performance and assess the security process (management assessment). If required (e.g. if a number of security incidents occur or there are significant changes to the framework conditions), corresponding audits and assessments must be performed between t… (§ 4.3 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The management level must record and justify the selected security strategy. Furthermore, decisions affecting aspects relevant to security that are taken on all the other levels must also be recorded to ensure they can be comprehended and repeated at any time. (§ 4.2 Bullet 4(3) ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Participation of the level of management in the brainstorming is not mandatory. However, it is much more important that each participant is capable of providing information on the area represented by such participant, and that such participant is able to name the essential business processes of the … (§ 3.2.1 Subsection 4 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • If required, obtain decisions on the necessary corrective measures (§ 5.2.4 Subsection 2 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The following principle applies in terms of the level of detail in the individual documents: "According to the goal and purpose of the document". Strategy documents such as policies should be brief and concise, but should still be informative. The documents created during the conception phase should… (§ 5.2.3 Subsection 2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • To enable the maintenance and continuous improvement of the information security process, you not only need to implement appropriate security safeguards and update documents continuously, but also need to test the IS process itself regularly in terms of its effectiveness and efficiency. In this case… (§ 10 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities… (CIS Control 19: Sub-Control 19.7 Conduct Periodic Incident Scenario Sessions for Personnel, CIS Controls, 7.1)
  • Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities… (CIS Control 19: Sub-Control 19.7 Conduct Periodic Incident Scenario Sessions for Personnel, CIS Controls, V7)
  • Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a mi… (CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises, CIS Controls, V8)
  • The organization shall evaluate the decision outcomes to verify that all problems are resolved, opportunities are taken, and adverse trends are reversed. (§ 6.3.3.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall track the decision outcomes to verify all problems are resolved, opportunities are taken, and adverse trends are reversed. (§ 6.3.3.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall record the decision outcomes to verify all problems are resolved, opportunities are taken, and adverse trends are reversed. (§ 6.3.3.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish an… (§ 8.4.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • ensure that there is commitment to support the collective decision, to clearly record it and to act on it; (§ 6.8.3.2.1 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • expected outcomes are negotiated, specified and agreed; (§ 4.2.2 ¶ 2 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Management shall document and make available upon financial condition examination the basis upon which its assertions, required in Subsection D above, are made. Management may base its assertions, in part, upon its review, monitoring and testing of internal controls undertaken in the normal course o… (Section 17.E., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Executing on-the-scene coordination and decision-making roles. (App A Objective 10:17d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Validating management response and decision-making capability. (App A Objective 10:16d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)