Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives.
CONTROL ID
12809
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework., CC ID: 01406

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Alignment of information security with business strategy to support organizational objectives (Information Security Governance ¶ 2 Bullet 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An important goal of IT security risk management (as with the broader set of IT risks) is to ensure that the business objectives of the institution continue to be met. It is important that an individual business unit's objectives are not considered in isolation but rather in the context of the objec… (¶ 16, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • High-risk AI systems shall be designed and developed in such a way to ensure that their operation is sufficiently transparent to enable users to interpret the system's output and use it appropriately. An appropriate type and degree of transparency shall be ensured, with a view to achieving complianc… (Article 13 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Do the counteractions match the security objectives? (§ 7 ¶ 2 Bullet 2, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Is an effective entity produced by the interaction of the safeguards? (§ 7 ¶ 3 Bullet 2, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Define, establish and align the IT governance framework with the overall enterprise governance and control environment. Base the framework on a suitable IT process and control model and provide for unambiguous accountability and practices to avoid a breakdown in internal control and oversight. Confi… (ME4.1 Establishment of an IT Governance Framework, CobiT, Version 4.1)
  • Identify and evaluate the existing capability (people, process, and technology) and how it affects ability to achieve objectives. (A3.1 Review Capability, OCEG GRC Capability Model, v 3.0)
  • prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; (§ 6.1.1 ¶ 3 Bullet 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • evaluate the effectiveness of these actions (see 9.1). (§ 6.1.4 ¶ 1 b) 2), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). (§ 6.2.2 ¶ 1 e), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall evaluate its environmental performance and the effectiveness of the environmental management system. (§ 9.1.1 ¶ 4, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • actions, if needed, when environmental objectives have not been achieved; (§ 9.3 ¶ 3 Bullet 4, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • any implications for the strategic direction of the organization. (§ 9.3 ¶ 3 Bullet 6, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The compliance management system should reflect the organization's values, objectives, strategy and compliance risks. (§ 4.4 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • ensuring that policies, procedures and processes are developed and implemented to achieve compliance objectives; (§ 5.1 ¶ 1 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • ensuring that the compliance management system achieves its intended outcome(s); (§ 5.1 ¶ 1 k), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • ensuring that the compliance policy and compliance objectives are established and are consistent with the values, objectives and strategic direction of the organization (see 6.2); (§ 5.1 ¶ 1 b), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The compliance policy should be established in alignment with the organization's values, objectives and strategy, and should be endorsed by the governing body. (§ 5.2.1 ¶ 4, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the organization's strategy, objectives and values; (§ 5.2.2 ¶ 1 b), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • an ability and standing to command acceptance of advice and guidance; (§ 5.3.4 ¶ 3 Bullet 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization should evaluate the compliance management system performance and the effectiveness of the compliance management system. (§ 9.1.1 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the adequacy of the compliance policy; (§ 9.3 ¶ 2 b), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Effective controls are needed to ensure that the organization's compliance obligations are met and that noncompliances are prevented or detected and corrected. The types and levels of controls should be designed with sufficient rigour to facilitate achieving the compliance obligations that are parti… (§ 8.2 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • In order to evaluate the effectiveness of the risk management framework, the organization should: - periodically measure risk management framework performance against its purpose, implementation plans, indicators and expected behaviour; - determine whether it remains suitable to support achieving t… (§ 5.6 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • Top management is accountable for managing risk while oversight bodies are accountable for overseeing risk management. Oversight bodies are often expected or required to: - ensure that risks are adequately considered when setting the organization's objectives; - understand the risks facing the organ… (§ 5.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • When planning the approach, considerations include: - objectives and decisions that need to be made; - outcomes expected from the steps to be taken in the process; - time, location, specific inclusions and exclusions; - appropriate risk assessment tools and techniques; - resources required, responsi… (§ 6.3.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • The organization shall evaluate the compliance performance and the effectiveness of the compliance management system. (§ 9.1.1 ¶ 4, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • be aligned with the organization's values, objectives and strategy; (§ 5.2 ¶ 2 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the adequacy of the compliance policy; (§ 9.3.2 ¶ 2 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensuring that the compliance policy and compliance objectives are established and are compatible with the strategic direction of the organization; (§ 5.1.1 ¶ 1 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • how the results will be evaluated. (§ 6.2 ¶ 3 bullet 5, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensuring that the compliance management system achieves its intended result(s); (§ 5.1.1 ¶ 1 bullet 5, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensure that policies, processes and procedures are developed and implemented to achieve compliance objectives; (§ 5.1.1 ¶ 2 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The compliance management system shall reflect the organization's values, objectives, strategy and compliance risks, taking into account the context of the organization (see 4.1). (§ 4.4 ¶ 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the design and operational effectiveness of the compliance management system; (§ 6.3 ¶ 2 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • adequacy of the compliance risks assessment; (§ 9.3.2 ¶ 2 bullet 5, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensure that policies, procedures and processes are developed and implemented to achieve compliance objectives; (§ 5.1.1 ¶ 2 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • ensuring that the compliance management system achieves its intended outcome(s); (§ 5.1.1 ¶ 1 bullet 5, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • how the results will be evaluated. (§ 6.2 ¶ 4 bullet 5, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall evaluate the compliance performance and the effectiveness of the compliance management system. (§ 9.1.1 ¶ 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the adequacy of the compliance policy; (§ 9.3 ¶ 3 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the design and operational effectiveness of the compliance management system; (§ 10.2 ¶ 3 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • ensuring that the compliance policy and compliance objectives are established and are compatible with the strategic direction of the organization; (§ 5.1.1 ¶ 1 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • be aligned with the organization's values, objectives and strategy; (§ 5.2 ¶ 2 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The compliance management system shall reflect the organization's values, objectives, strategy and compliance risks taking into account the context of the organization (see 4.1). (§ 4.4 ¶ 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)