Establish, implement, and maintain a strategic plan.


CONTROL ID
12784
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Leadership and high level objectives, CC ID: 00597

This Control has the following implementation support Control(s):
  • Determine progress toward the objectives of the strategic plan., CC ID: 12944
  • Include acting with integrity in the strategic plan., CC ID: 12870
  • Disseminate and communicate the strategic plan to all interested personnel and affected parties., CC ID: 15592
  • Include the outsource partners in the strategic plan, as necessary., CC ID: 13960
  • Align the cybersecurity program strategy with the organization's strategic plan., CC ID: 14322
  • Establish, implement, and maintain a planning policy., CC ID: 14673
  • Establish, implement, and maintain a security planning policy., CC ID: 14027
  • Establish, implement, and maintain a decision management strategy., CC ID: 06913
  • Establish, implement, and maintain an information technology process framework., CC ID: 13648
  • Establish, implement, and maintain a tactical plan., CC ID: 12785
  • Establish, implement, and maintain a Strategic Information Technology Plan., CC ID: 00628


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • In general, the IT planning or steering committee should also be responsible for developing an IT strategy to cover longer and short-term technology-related initiatives, taking into account new business initiatives, organisational changes, technological evolution, regulatory requirements, staffing a… (2.2.4, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Under this section competent authorities should assess whether the institution has an ICT strategy in place: that is subject to adequate oversight from the institution's management body; that is consistent with the business strategy, particularly for keeping its ICT up-to-date and planning or implem… (Title 2 2.2 25., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the ICT strategy is documented and supported by concrete implementation plans, in particular regarding the important milestones and resource planning (including financial and human resources) to ensure that they are realistic and enable the delivery of the ICT strategy, (Title 2 2.2.1 26.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the institution periodically updates its ICT strategy, in particular when changing the business strategy, to ensure continued alignment between the ICT and business medium-term to long- term objectives, plans and activities; and (Title 2 2.2.1 26.c, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The IT strategy shall fulfil the requirements set out in AT 4.2 of MaRisk. This includes in particular the requirement for the management board to define a sustainable IT strategy outlining the institution's objectives and the measures to be taken to achieve these objectives. (II.1.1, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The purpose of the strategy management practice is to formulate the goals of the organization and adopt the courses of action and allocation of resources necessary for achieving those goals. Strategy management establishes the organization's direction, focuses effort, defines or clarifies the organi… (5.1.12 ¶ 1, ITIL Foundation, 4 Edition)
  • ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; (§ 5.1 ¶ 1 a), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • directing and engaging with strategy to generate value; (§ 4.1 ¶ 3 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. (Table 1 Column 4 Row 4, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be… (§ 6.1.3.3 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. (§ 6.3.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • reviewing, assessing and approving the plans developed by those to whom they have delegated; (§ 6.3.3.2.1 ¶ 1 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • overseeing (see 6.4) the implementation of these plans and ensuring that they meet the agreed strategic outcomes. (§ 6.3.3.2.1 ¶ 1 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so t… (§ 6.3.3.2.2 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should steer the organizational strategy by means of: (§ 6.3.3.2.2 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; (§ 6.7.3.3 ¶ 3 Bullet 4, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; (§ 6.3.3.2.2 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization shall plan, implement, control and maintain the processes needed to meet requirements of the OH&S management system, and to implement the actions determined in Clause 6, by: (§ 8.1.1 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall plan, implement and control the processes needed to meet requirements and to implement the actions determined in Clause 6 by: (§ 8.1 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by: (§ 8.1 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Management plans, organizes, and carries out the entity's strategy and business objectives in accordance with the entity's mission, vision, and core values. Consequently, management needs information on how risk associated with the strategy occurs across the entity. One example of a commonly used me… (Enterprise Risk Management Structures ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Strategy must support mission and vision and align with the entity's core values and risk appetite. If it does not, the entire entity may not achieve its mission and vision. (The Importance of Aligning Strategy ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • An organization should expect that the strategy it selects can be carried out within the entity's risk appetite; that is, strategy must align with risk appetite. If the risk associated with a specific strategy is inconsistent with the entity's risk appetite or risk capacity, it needs to be revised, … (Aligning Strategy with Risk Appetite ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • If an organization finds that it cannot establish business objectives that support the achievement of strategy while remaining within its risk appetite or capabilities, a review of either the strategy or the risk profile is required. (Aligning Business Objectives ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • A service organization adopts a mission and vision, sets strategies, and establishes objectives to help it achieve its mission and vision based on its strategies. Management designs and implements various systems to achieve specific objectives and designs and implements controls within the systems t… (¶ 1.30, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the time periods; and (§ 3554(d)(1)(A), Federal Information Security Modernization Act of 2014)
  • Aligning AIO principles and practices with the board's strategic plans and risk appetite. (App A Objective 2:3a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Assess whether IT management maintains an active role in the institution's strategic planning to align IT with established business goals and strategies. Assess whether effective IT controls exist throughout the institution, either through direct oversight or by holding lines of business accountable… (App A Objective 8:3, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The adequacy of strategic planning and risk management practices to identify, measure, monitor, and control risks, including management's ability to perform self assessments; and (TIER II OBJECTIVES AND PROCEDURES A.1 Bullet 9, FFIEC IT Examination Handbook - Audit, April 2012)
  • Financial institution's overall risk assessment and strategic plan. (AppE.7 Objective 1:1 e., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Strategic plans relating to the introduction of new retail payment system products and services. (App A Tier 1 Objectives and Procedures Objective 9:1 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the RDC strategic planning and the risk assessment process. (App A Tier 2 Objectives and Procedures N.2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Level 2 roles include representatives of each mission and business process, such as program managers, research and development, and acquisitions/procurement. Level 2 C-SCRM activities address C-SCRM within the context of the enterprise's mission and business process. Specific strategies, policies, a… (2.3.3. ¶ 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Develop and maintain strategic plans. (T0066, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop potential courses of action. (T0667, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop strategic insights from large data sets. (T0366, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review and comprehend organizational leadership objectives and guidance for planning. (T0808, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide aim point and reengagement recommendations. (T0781, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide time sensitive targeting support. (T0799, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide input to the administrative and logistical elements of an operational support plan. (T0791, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide planning support between internal and external partners. (T0795, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Recommend refinement, adaption, termination, and execution of operational plans as appropriate. (T0801, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Interface with Senior Management to develop strategic plans for the collection, use and sharing of information in a manner that maximizes its value while complying with applicable privacy regulations (T0873, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and maintain strategic plans. (T0066, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop strategic insights from large data sets. (T0366, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop potential courses of action. (T0667, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide input to the administrative and logistical elements of an operational support plan. (T0791, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide planning support between internal and external partners. (T0795, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Review and comprehend organizational leadership objectives and guidance for planning. (T0808, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Interface with Senior Management to develop strategic plans for the collection, use and sharing of information in a manner that maximizes its value while complying with applicable privacy regulations (T0873, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Recommend refinement, adaption, termination, and execution of operational plans as appropriate. (T0801, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)