Include input from interested personnel and affected parties as a part of the organization’s communication protocol.


CONTROL ID
12417
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain communication protocols., CC ID: 12245

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • effective internal communication plans, including incident notification and escalation procedures — also covering security-related customer complaints — to ensure that: (3.5.1 60(d), Final Report EBA Guidelines on ICT and security risk management)
  • The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant … (§ 1. ¶ 3, GRI 3: Material Topics 2021)
  • The organization should identify who its stakeholders are across its activities and business relationships and engage with them to help identify its impacts. (§ 1. Step 1. Stakeholders ¶ 1, GRI 3: Material Topics 2021)
  • In addition, the organization should seek to understand the concerns of its stakeholders (see Box 2 in this Standard) and consult internal and external experts, such as civil society organizations or academics. (§ 1. Step 2. ¶ 4, GRI 3: Material Topics 2021)
  • Assessing the significance of the impacts involves quantitative and qualitative analysis. How significant an impact is will be specific to the organization and will be influenced by the sectors in which it operates, and its business relationships, among other factors. In some instances, this may nee… (§ 1. Step 3. ¶ 2, GRI 3: Material Topics 2021)
  • Define opportunities for obtaining stakeholder views about action and control weaknesses, performance variances, incidents or suspicions of legal noncompliance, violations of company policies, and concerns or perceptions about perceived unethical conduct. (OCEG GRC Capability Model, v. 3.0, P7.1 Establish Multiple Pathways to Obtain Information, OCEG GRC Capability Model, v 3.0)
  • Establish informal methods of gathering views through observations, group meetings, focus groups, and individual conversations. (OCEG GRC Capability Model, v. 3.0, P7.4 Gather Information Through Observations and Conversations, OCEG GRC Capability Model, v 3.0)
  • Interact with stakeholders to understand expectations, requirements, and perspectives that impact the organization. (OCEG GRC Capability Model, v. 3.0, L4 Stakeholders, OCEG GRC Capability Model, v 3.0)
  • Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. (§ 3 Principle 15 Points of Focus: Enables Inbound Communications, COSO Internal Control - Integrated Framework (2013))
  • Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerab… (CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1, CIS Controls, V8)
  • the needs and expectations of interested parties, including compliance obligations; (§ 9.3 ¶ 2 b) 2), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • relevant communication(s) from interested parties, including complaints; (§ 9.3 ¶ 2 f), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • if there were other costs and benefits related to the project, including possible feedback from interested parties. (§ 6.7 ¶ 2 Bullet 8, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • The organization should establish, implement, evaluate and maintain procedures for seeking and receiving feedback on its compliance performance from a range of sources, including: (§ 9.1.3 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • who will communicate. (§ 7.4 ¶ 1 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • communicating internally and externally to relevant interested parties, including what, when, with whom and how to communicate; (§ 8.4.3.1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • feedback from interested parties; (§ 9.3.2 ¶ 1 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • When selecting risk treatment options, the organization should consider the values, perceptions and potential involvement of stakeholders and the most appropriate ways to communicate and consult with them. Though equally effective, some risk treatments can be more acceptable to some stakeholders tha… (§ 6.5.2 ¶ 4, ISO 31000 Risk management - Guidelines, 2018)
  • all relevant stakeholders are engaged; (§ 6.1.3.3 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Impr… (§ 6.5.3.2 ¶ 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. (§ 6.6.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations… (§ 6.6.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); (§ 6.10.3 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • engage with all relevant stakeholders when establishing and reviewing governance policies; (§ 6.10.3 ¶ 1 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. (Table 1 Column 4 Row 7, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). (§ 6.9.3.2 ¶ 2 h), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • relevant stakeholders are engaged in achieving the organizational purpose via its organizational strategy; (§ 6.6.3 ¶ 3 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; (§ 6.10.3 ¶ 1 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9)… (§ 6.11.3.4 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • communication from persons raising concerns, interested parties, including feedback (see 9.1.2) and complaints; (§ 9.3.2 ¶ 2 bullet 7, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensure that the views of interested parties are considered in establishing its communication process(es). (§ 7.4 ¶ 2 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • consider aspects of diversity and potential barriers when considering its communication needs; (§ 7.4 ¶ 2 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall establish, implement, evaluate and maintain processes for seeking and receiving feedback on its compliance performance from a range of sources. The information shall be analysed and critically assessed to identify root causes for noncompliance, ensure appropriate actions are t… (§ 9.1.2 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • changes in needs and expectations of interested parties that are relevant to the compliance management system; (§ 9.3.2 ¶ 1 c), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • customer satisfaction and feedback from relevant interested parties; (9.3.2 ¶ 1(c)(1), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • customer feedback. (8.5.5 ¶ 2(e), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall monitor customers' perceptions of the degree to which their needs and expectations have been fulfilled. The organization shall determine the methods for obtaining, monitoring and reviewing this information. (9.1.2 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • obtaining customer feedback relating to products and services, including customer complaints; (8.2.1 ¶ 1(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall ensure that the views of interested parties are considered in establishing its communication process(es). (§ 7.4 ¶ 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • communication from persons raising concerns, interested parties, including feedback (see 9.1.2) and complaints; (§ 9.3 ¶ 3 bullet 5, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall establish, implement, evaluate and maintain processes for seeking and receiving feedback on its compliance performance from a range of sources. The information shall be analysed and critically assessed to identify root causes for noncompliance, ensure appropriate actions are t… (§ 9.1.2 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall consider aspects of diversity and potential barriers when considering its communication needs. (§ 7.4 ¶ 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • promoting cross-functional collaboration within the organization; (Section 5.1 ¶ 1 bullet 7, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Holding periodic discussions with the subservice organization personnel and evaluating subservice organization performance against established service level objectives and agreements (¶ 2.53 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Coordination between the service auditor and the internal audit function is effective when discussions take place at appropriate intervals throughout the period to which management's assertion pertains. It is important that the service auditor inform the internal audit function of significant matter… (¶ 2.150, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Discussing the matter with service organization senior management (and the engaging party, if different) and other appropriate parties, unless senior management is suspected to have committed the fraud (¶ 3.191 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Discussion with appropriate individuals within the entity (for example, the chief financial officer, internal auditors, legal counsel, compliance officer, or grant or contract administrators) (AT-C Section 315.24 c., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. (CC2.3 Enables Inbound Communications, Trust Services Criteria)
  • Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. (CC2.3 ¶ 3 Bullet 2 Enables Inbound Communications, Trust Services Criteria, (includes March 2020 updates))
  • Determine whether the IT environment and its products and services, whether internally or externally provided, are adaptable to change, and stakeholders from across the entity have input into the change process. (App A Objective 6:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Coordinates meetings between process owners from both business and technology functions to discuss known issues, changes in progress, and future changes. (App A Objective 16:1d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Stakeholder input into the types of reports and metrics produced. (VI.D Action Summary ¶ 2 Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Senior management and other stakeholders have input into the types of reports and metrics produced, and reports are understandable and useful to them. (App A Objective 17:1a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Operations management meets periodically with senior management and other stakeholders on monitoring and reporting. (App A Objective 17:1c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Meets with stakeholders to review IT and operations KPIs to determine whether they are appropriate indicators of the ability to meet the entity's strategic objectives. (App A Objective 17:2g, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Enterprises should validate identified C-SCRM goals and objectives with their targeted stakeholder groups prior to beginning an effort to develop specific measures. When developing C-SCRM measures, enterprises should focus on the stakeholder's highest priorities and target measures based on data tha… (3.5.1. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Mechanisms for obtaining feedback from individuals (e.g., surveys or focus groups) about data processing and associated privacy risks are established and in place. (CM.AW-P2, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)