Establish, implement, and maintain organizational objectives.


CONTROL ID
09959
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Analyze organizational objectives, functions, and activities., CC ID: 00598

This Control has the following implementation support Control(s):
  • Evaluate organizational objectives to determine impact on other organizational objectives., CC ID: 12814
  • Prioritize organizational objectives., CC ID: 09960
  • Select financial reporting objectives consistent with accounting principles available to the organization., CC ID: 12400
  • Establish, implement, and maintain a value generation model., CC ID: 15591
  • Establish, implement, and maintain value generation objectives., CC ID: 15583
  • Establish, implement, and maintain social responsibility objectives., CC ID: 15611
  • Establish and maintain a Mission, Vision, and Values Statement., CC ID: 12783
  • Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties., CC ID: 13191
  • Document and communicate the linkage between organizational objectives, functions, activities, and general controls., CC ID: 12398


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A business plan. (Article 53(1)(4), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • define the objectives of the exit strategy; (4.15 108(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • the objectives and priorities of the national strategy on the security of network and information systems; (Art. 7.1(a), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Based on the business impact analysis, a uniform framework for planning the business continuity and business plan is introduced, documented and applied in order to ensure that all plans (e. g. of the different sites of the cloud provider) are consistent. The planning depends on established standards… (Section 5.14 BCM-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Confirm that agreed-upon IT objectives have been met or exceeded, or that progress toward IT goals meets expectations. Where agreed-upon objectives have been missed or progress is not as expected, review management's remedial action. Report to the board relevant portfolios, programme and IT performa… (ME4.6 Performance Measurement, CobiT, Version 4.1)
  • Define a balanced set of measurable objectives that are consistent with decision-making criteria and appropriate for the established frame of reference. (OCEG GRC Capability Model, v. 3.0, A2 Objectives, OCEG GRC Capability Model, v 3.0)
  • Provide direction by establishing clear mission, vision and values statements, high-level objectives, as well as guidance about how decisions will be made. (OCEG GRC Capability Model, v. 3.0, A1 Direction, OCEG GRC Capability Model, v 3.0)
  • Define high-level goals and related indicators that management can use in setting detailed objectives and strategies (OCEG GRC Capability Model, v. 3.0, A1.3 Define High-Level Goals, OCEG GRC Capability Model, v 3.0)
  • Clearly state and document objectives so they can be viewed and used by all relevant parties including internal managers responsible for attainment of objectives and internal/external stakeholders. (OCEG GRC Capability Model, v. 3.0, A2.4 Document Objectives, OCEG GRC Capability Model, v 3.0)
  • Management establishes objectives consistent with laws and regulations, or standards and frameworks of recognized external organizations. (§ 3 Principle 6 Points of Focus: External Non-Financial Reporting Objectives - Complies with Externally Established Standards and Frameworks, COSO Internal Control - Integrated Framework (2013))
  • ensuring that the compliance policy and compliance objectives are established and are consistent with the values, objectives and strategic direction of the organization (see 6.2); (§ 5.1 ¶ 1 b), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • be updated and/or revised as appropriate. (§ 6.2 ¶ 2 f), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • articulate its objectives, including those concerned with business continuity, (§ 4.1 ¶ 4 1), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization. (§ 6.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • its mission, goals, and internal and external obligations. (§ 4.3.1 ¶ 2 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall establish information security objectives at relevant functions and levels. (§ 6.2 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • be consistent with the information security policy; (§ 6.2 ¶ 2 a), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • when it will be completed; and (§ 6.2 ¶ 4 i), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; (§ 5.1 ¶ 1 a), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • be updated as appropriate. (§ 6.2 ¶ 2 e), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • take into account applicable information security requirements, and results from risk assessment and risk treatment; (§ 6.2 ¶ 2 c), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to … (§ 6.7.3.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Within the organization: The organization should fulfil the expectations set by the governing body. (§ 6.7.3.2 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifyi… (§ 6.2.3.2 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. (§ 6.3.3.1.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). (§ 6.7.3.2 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization shall establish compliance objectives at relevant functions and levels. (§ 6.2 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • its compliance objectives (see 6.2); (§ 6.1 ¶ 2 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • its compliance objectives (see 6.2); (§ 6.1 ¶ 2 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall establish compliance objectives at relevant functions and levels. (§ 6.2 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • be updated as appropriate. (§ 6.2 ¶ 2 f), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • be established and updated using IT asset management decision-making criteria (see 4.2); (Section 6.2.3 ¶ 3 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • be reviewed and updated as appropriate (Section 6.2.3 ¶ 3 bullet 11, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall establish IT asset management objectives at relevant functions and levels. (Section 6.2.3 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • be monitored; (Section 6.2.3 ¶ 3 bullet 9, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • what will be done; (Section 6.2.4 ¶ 4(c), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the review period for the IT asset management plan(s) (see 9.1); (Section 6.2.4 ¶ 4(j), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • be established and updated as part of the strategic IT asset management plan; (Section 6.2.3 ¶ 3 bullet 4, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • ensuring that the IT asset management policy, the strategic IT asset management plan and IT asset management objectives are established and are compatible with the strategic direction of the organization and organizational objectives; (Section 5.1 ¶ 1 bullet 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • when it will be completed; and (§ 6.2 ¶ 4 k), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization should plan how to achieve its information security objectives. The organisation may use any methodology or mechanism it chooses to plan for the achievement of its information security objectives. There may be a single information security plan, one or more project plans, or actions… (§ 6.2 Guidance ¶ 5, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations. (CC3.1 ¶ 6 Bullet 1 Complies With Externally Established Frameworks, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization considers risk while establishing the business objectives at various levels that align and support strategy. (Principle 9: Formulates Business Objectives, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management plans, organizes, and carries out the entity's strategy and business objectives in accordance with the entity's mission, vision, and core values. Consequently, management needs information on how risk associated with the strategy occurs across the entity. One example of a commonly used me… (Enterprise Risk Management Structures ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization develops business objectives that are specific, measurable or observable, attainable, and relevant. Business objectives provide the link to practices within the entity to support the achievement of the strategy. For example, business objectives may relate to: (Establishing Business Objectives ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time. (GV.SP-2.3, CRI Profile, v1.2)
  • The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time. (GV.SP-2.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • A service organization adopts a mission and vision, sets strategies, and establishes objectives to help it achieve its mission and vision based on its strategies. Management designs and implements various systems to achieve specific objectives and designs and implements controls within the systems t… (¶ 1.30, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations. (CC3.1 Complies With Externally Established Frameworks, Trust Services Criteria)
  • Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations. (CC3.1 ¶ 6 Bullet 1 Complies With Externally Established Frameworks, Trust Services Criteria, (includes March 2020 updates))
  • Defined objectives for IT, operations, and key performance indicators (KPI). (VI.D Action Summary ¶ 2 Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Board and senior management consideration of the entity's business objectives, including functions performed by affiliates and third-party service providers. (App A Objective 2:2a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management identification and evaluation of AIO-related risks, definition of short- and long-term objectives, and creation of policies and procedures to mitigate those risks. (App A Objective 2:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management defines objectives for IT and operations and KPIs to help management measure those objectives. Additionally, evaluate whether management does the following: (App A Objective 17:2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Financial institution boards should oversee, while senior management should implement, an IT planning process with the following elements: - Long-term goals and the allocation of IT resources to achieve them, usually within a three- to five-year horizon. - Alignment of the IT strategic plan with the… (I.B.6 Planning IT Operations and Investment, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Define high-level implementation plan, policy, goals, and objectives. (Level 1 Enterprise Activities Bullet 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Review and comprehend organizational leadership objectives and guidance for planning. (T0808, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review and comprehend organizational leadership objectives and guidance for planning. (T0808, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)