Analyze the external environment in which the organization operates.

CONTROL ID: 12799
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Analyze organizational objectives, functions, and activities., CC ID: 00598

This Control has the following implementation support Control(s):
  • Identify the external forces that may affect organizational objectives., CC ID: 12960
  • Monitor for changes which affect organizational strategies in the external environment., CC ID: 12880
  • Include environmental requirements in the analysis of the external environment., CC ID: 12965
  • Monitor for changes which affect organizational objectives in the external environment., CC ID: 12879
  • Include regulatory requirements in the analysis of the external environment., CC ID: 12964
  • Include society in the analysis of the external environment., CC ID: 12963
  • Include opportunities in the analysis of the external environment., CC ID: 12954
  • Include third party relationships in the analysis of the external environment., CC ID: 12952
  • Include industry forces in the analysis of the external environment., CC ID: 12904
  • Include threats in the analysis of the external environment., CC ID: 12898
  • Include geopolitics in the analysis of the external environment., CC ID: 12897
  • Include legal requirements in the analysis of the external environment., CC ID: 12896
  • Include technology in the analysis of the external environment., CC ID: 12837
  • Include analyzing the market in the analysis of the external environment., CC ID: 12836


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • In addition, all external framework conditions having an impact on information security must be determined, such as (§ 3.2.1 Subsection 3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The sectors in which the organization is active and their characteristics (e.g., whether they involve informal work, whether they are labor or resource intensive). (§ 1. Step 1. Activities ¶ 1 Bullet 4, GRI 3: Material Topics 2021)
  • Analyze influencing factors in the external context including: - Industry forces - Market - Technology - Societal - Regulatory and legal - Geopolitical - Environmental - Third-party relationships - External opportunities and threats (as part of SWOT) (OCEG GRC Capability Model, v. 3.0, L1.1 Analyze the External Context, OCEG GRC Capability Model, v 3.0)
  • Understand the external business context in which the organization operates. (OCEG GRC Capability Model, v. 3.0, L1 External Context, OCEG GRC Capability Model, v 3.0)
  • The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues shall include environmental conditions being affected by or capable of affecting the organiz… (§ 4.1 ¶ 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • external issues, e.g. regulatory and technological circumstances; (§ 5.3 ¶ 3 Bullet 2, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • specific international, regional, or local obligations; (§ 5.2.2 ¶ 1 a), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • considers the global context; (§ 5 ¶ 2 b) 3), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; (§ 6.3.3.1.1 ¶ 2 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • review the external environment to identify relevant external issues; and (§ 4.1 Guidance ¶ 1 Bullet 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Reputation and Trust. The perspective of risk considered here is to the organization itself. However, the organization does not exist in isolation and therefore consideration shall be given to its stakeholders and the environment in which it operates. Consequences and likelihood of risks affecting s… (§ 6.7.3 ¶ 1 Bullet 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Conduct rapid behaviour assessment to understand key target audience, perceptions, concerns, influencers and preferred communication channels (Pillar 2 Step 1 Action 2, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Conduct regular operational reviews to assess implementation success and epidemiological situation, and adjust operational plans as necessary (Pillar 1 Step 3 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Assess IPC capacity at all levels of healthcare system, including public, private, traditional practices and pharmacies. Minimum requirements include functional triage system and isolation rooms, trained staff (for early detection and standard principles for IPC); and sufficient IPC materials, inclu… (Pillar 6 Step 1 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • The organization's cyber risk management strategy identifies and documents the organization's role as it relates to other critical infrastructures outside of the financial services sector and the risk that the organization may pose to them. (GV.SF-1.3, CRI Profile, v1.2)
  • The organization's cyber risk management strategy identifies and documents the organization's role as it relates to other critical infrastructures outside of the financial services sector and the risk that the organization may pose to them. (GV.SF-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Define and integrate current and future mission environments. (T0441, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Define and integrate current and future mission environments. (T0441, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)