Analyze the business environment in which the organization operates.


CONTROL ID
12798
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Analyze organizational objectives, functions, and activities., CC ID: 00598

This Control has the following implementation support Control(s):
  • Identify the internal factors that may affect organizational objectives., CC ID: 12957
  • Include key processes in the analysis of the internal business environment., CC ID: 12947
  • Include existing information in the analysis of the internal business environment., CC ID: 12943
  • Include resources in the analysis of the internal business environment., CC ID: 12942
  • Include the operating plan in the analysis of the internal business environment., CC ID: 12941
  • Include incentives in the analysis of the internal business environment., CC ID: 12940
  • Include organizational structures in the analysis of the internal business environment., CC ID: 12939
  • Include the strategic plan in the analysis of the internal business environment., CC ID: 12937
  • Include strengths and weaknesses in the analysis of the internal business environment., CC ID: 12936
  • Align assets with business functions and the business environment., CC ID: 13681
  • Disseminate and communicate the organization's business environment and place in its industry sector., CC ID: 13200
  • Monitor for changes which affect organizational strategies in the internal business environment., CC ID: 12863
  • Monitor for changes which affect organizational objectives in the internal business environment., CC ID: 12862


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The creation of information security is not an end in itself, but information security contributes to the objectives of an organisation being achieved and being able to reliably execute business processes and tasks. For this, it is required that the organisation identifies and analyses all framework… (§ 7.1 Subsection 1 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • internal framework conditions (e.g. pan-organisation risk management), analysis of the environment, (§ 7.1 Subsection 2 ¶ 2 Bullet 4, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Which business processes depend on functional information technology, i.e. IT that meets the requirements and operates properly? (§ 3.2.1 Subsection 2 ¶ 3 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Which business processes are present in the organisation, and how are they connected to the business goals? (§ 3.2.1 Subsection 2 ¶ 3 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The goal of security management is to reach the desired level of security and to permanently maintain and improve it. Therefore, the security process and the organisational structures for information security shall be checked at regular intervals for their adequateness, effectiveness and efficiency.… (§ 2.6 Subsection 6 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the organisational and personnel framework conditions for such information domains, (§ 7.4 ¶ 1 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The purpose of the infrastructure and platform management practice is to oversee the infrastructure and platforms used by an organization. When carried out properly, this practice enables the monitoring of technology solutions available to the organization, including the technology of external servi… (5.3.2 ¶ 1, ITIL Foundation, 4 Edition)
  • The organization's purpose, value or mission statements, business model, and strategies. (§ 1. Step 1. Activities ¶ 1 Bullet 1, GRI 3: Material Topics 2021)
  • The types of activities it carries out (e.g., sales, marketing, manufacturing, distribution) and the geographic locations of these activities. (§ 1. Step 1. Activities ¶ 1 Bullet 2, GRI 3: Material Topics 2021)
  • Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water… (§ 1. Step 1. Sustainability context ¶ 1 Bullet 1, GRI 3: Material Topics 2021)
  • Understand the internal business context in which the organization operates. (OCEG GRC Capability Model, v 3.0, L2 Internal Context, OCEG GRC Capability Model, v 3.0)
  • Analyze influencing factors in the internal context including: - Internal strengths and weaknesses (as part of SWOT) - Existing strategic plan - Existing operating plan - Existing organizational structures - Existing incentives (appropriate or perverse) for performance - Existing key processes and r… (OCEG GRC Capability Model, v 3.0, L2.1 Analyze the Internal Context, OCEG GRC Capability Model, v 3.0)
  • When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. (§ 6.1.4 ¶ 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • internal issues, e.g. activities, products and services, and financial and other resources; (§ 5.3 ¶ 3 Bullet 1, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • The organization should determine external and internal issues, such as those related to compliance risks, that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its compliance management system. In doing so, the organization should consider a broad range … (§ 4.1 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The context of the risk management process should be established from the understanding of the external and internal environment in which the organization operates and should reflect the specific environment of the activity to which the risk management process is to be applied. (§ 6.3.3 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: (§ 5 ¶ 5, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; (§ 6.1.3.2 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Take steps to become appropriately informed of all aspects of the organization and the context within which it operates (such as legal, natural environment, social, economic, technical and personnel). (Table 2 Column 2 Row 3 Bullet 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • internal structures, policies, processes, procedures and resources, including technology; (§ 4.1 ¶ 2 bullet 6, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • When planning its actions, the organization shall consider best practices, technological options and financial, operational and business requirements. (§ 6.1.4 ¶ 3, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • internal structures, policies, procedures, processes and resources; (§ 4.1 ¶ 2 bullet 5, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • review the internal aspects to identify relevant internal issues. (§ 4.1 Guidance ¶ 1 Bullet 2, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • the type(s) of business performed within the ISMS scope; (§ 7.2.1.2 b), ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • complexity of the ISMS (e.g. criticality of information systems within the ISMS, risk assessment results of the ISMS); (§ 7.2.1.2 a), ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • The entity identifies and communicates functional and nonfunctional requirements related to system processing and information specifications required to support the use of products and services. (PI1.1 ¶ 2 Bullet 1 Identifies Functional and Nonfunctional Requirements and Information Specifications, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • An organization considers business context when developing strategy to support its mission, vision, and core values. "Business context" refers to the trends, relationships, and other factors that influence an organization's current and future strategy and business objectives. Business context may be… (Understanding Business Context ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The independent risk management function has appropriate understanding of the organization's structure, cybersecurity program, and relevant risks and threats. (GV.IR-1.3, CRI Profile, v1.2)
  • The independent risk management function has appropriate understanding of the organization's structure, cybersecurity program, and relevant risks and threats. (GV.IR-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • the nature of the service organization's operations and the types of services offered to user entities and business partners, (¶ 3.59 Bullet 2 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Factors such as the size and complexity of the service organization are also important considerations when evaluating the suitability of the design of controls. A smaller, less complex service organization may be able to address risks that threaten the achievement of its service commitments and syst… (¶ 3.83, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Factors such as the size and complexity of the service organization are also important considerations when evaluating the suitability of the design of controls. A smaller, less complex service organization may be able to address risks that threaten the achievement of its service commitments and syst… (¶ 3.100, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The entity identifies information specifications required to support the use of products and services. (PI1.1 Identifies Information Specifications, Trust Services Criteria)
  • The entity identifies information specifications required to support the use of products and services. (PI1.1 ¶ 2 Bullet 1 Identifies Information Specifications, Trust Services Criteria, (includes March 2020 updates))
  • The size, complexity, and capabilities of the covered entity or business associate. (§ 164.306(b)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and pr… (§ 164.530(i)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business conti… (Business Continuity Planning Process, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • IT environments and changes to configuration or components; (TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Entity's processes commensurate with their significance to critical financial markets. (App A Objective 10:7h, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The geographic service footprint (e.g., international usage) (App A Tier 1 Objectives and Procedures Objective 1:1 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization's place in critical infrastructure and its industry sector is identified and communicated (ID.BE-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. (ID.SC Supply Chain Risk Management, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The organization's place in critical infrastructure and its industry sector is identified and communicated (ID.BE-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. (ID.SC Supply Chain Risk Management, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Determine the current cyber threat environment on an ongoing basis using [Assignment: organization-defined means]. (RA-3(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Determine the current cyber threat environment on an ongoing basis using [Assignment: organization-defined means]. (RA-3(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. (§ 8604.(g)(4), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)