Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework.


CONTROL ID
12853
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework., CC ID: 01406

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • reviewing regularly the effectiveness of, and appropriately adjusting, policies, standards and procedures to reflect changes in the institution's overall risk profile and risk environment; (5.2.3 (c), Guidelines on Outsourcing)
  • Having an effective governance framework will ensure that procedure, personnel, physical and technical controls continue to work through the lifetime of a service. It should also respond to changes in the service, technological developments and the appearance of new threats. (4. ¶ 2, Cloud Security Guidance, 1.0)
  • An effective governance framework will ensure that procedural, personnel, physical and technical controls continue to work through the lifetime of a service. It should also respond to changes in the service, technological developments, and the appearance of new threats. (4. ¶ 2, Cloud Security Guidance, 2)
  • Implement the specific action plans and initiatives intended to improve the capability. (OCEG GRC Capability Model, v. 3.0, R3.2 Implement Improvement Initiatives, OCEG GRC Capability Model, v 3.0)
  • Develop a prioritized plan for implementing improvements to the capability. (OCEG GRC Capability Model, v. 3.0, R3.1 Develop Improvement Plan, OCEG GRC Capability Model, v 3.0)
  • When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. (§ 6.1.4 ¶ 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • its significant environmental aspects; (§ 9.3 ¶ 2 b) 3), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • risks and opportunities; (§ 9.3 ¶ 2 b) 4), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • decisions related to any need for changes to the environmental management system, including resources; (§ 9.3 ¶ 3 Bullet 3, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The outputs of the management review should include decisions related to continual improvement opportunities and any need for changes to the compliance management system. (§ 9.3 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the need for changes to the compliance policy, its associated objectives, systems, structure and personnel; (§ 9.3 ¶ 4 a), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • changes to compliance processes to ensure effective integration with operational practices and systems; (§ 9.3 ¶ 4 b), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Communication and consultation should be timely and ensure that relevant information is collected, collated, synthesised and shared, as appropriate, and that feedback is provided and improvements are made. (§ 5.4.5 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving gover… (§ 4.3.2 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. (§ 6.3.3.1.2 ¶ 4, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. (§ 6.3.3.1.2 ¶ 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; (§ 6.3.3.2.2 ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • When the organization determines the need for changes to the compliance management system, the changes shall be carried out in a planned manner. (§ 6.3 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • be updated as appropriate; (§ 6.2 ¶ 2 f), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensuring the compliance management system is reviewed at planned intervals (see 9.2 and 9.3); (§ 5.3.2 ¶ 1 bullet 7, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The results of the management review shall include decisions related to continual improvement opportunities and any need for changes to the compliance management system. (§ 9.3.3 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall continually improve the suitability, adequacy and effectiveness of the compliance management system. (§ 10.1 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • any need for changes to the OH&S management system; (§ 9.3 ¶ 3 Bullet 3, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • When the organization determines the need for changes to the compliance management system, the changes shall be carried out in a planned manner. (§ 10.2 ¶ 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the compliance management system. (§ 9.3 ¶ 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)