Acquire resources necessary to support Governance, Risk, and Compliance.


CONTROL ID
12861
CONTROL TYPE
Acquisition/Sale of Assets or Services
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework., CC ID: 01406

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Establish multi-disciplinary outsourcing management groups with members from different risk and internal control functions including legal, compliance and finance, to ensure that all relevant technical issues and legal and regulatory requirements are met. The institution should allocate sufficient r… (5.8.2 (b), Guidelines on Outsourcing)
  • allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; (4.6 38(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • have sufficient resources and capacities to ensure compliance with points (a) to (c). (4.6 39(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • The manner in which risks should be dealt with must be documented, assigned to a risk owner, and approved by the topmost management level. The resources necessary for implementing the strategy must be planned and made available. (§ 8.1 Subsection 4 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • First acquisition should also only include the essential objects and not every single IT component. For example, first acquisition should not include typical office rooms; however, server rooms with their special and mainly higher security level should be included. (§ 3.2.4 ¶ 7, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Business process or specialised task: Name and (if needed) description, responsible specialised body (§ 3.2.4 Subsection 1 ¶ 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • IT, ICS systems and other objects: Name, platform and, if reasonable, place of installation (§ 3.2.4 Subsection 1 ¶ 1 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Acquiring of the business processes, applications and information belonging to the scope (§ 8.1 ¶ 5 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • For this, the business processes as well as the business-critical information and applications must be determined, and the affected IT, ICS or IoT systems, rooms and networks must be acquired. The classical approach is to first determine the applications and, based on this, the further affected obje… (§ 8.1 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Take decision on which resources are to be used to implement the safeguards (§ 9.5 Subsection 2 Bullet 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The required resources are available. (1.2.2 Requirements (must) Bullet 3, Information Security Assessment, Version 5.1)
  • You design the network and information systems supporting your essential function to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated. (B5.b ¶ 1, NCSC CAF guidance, 3.1)
  • Develop a plan and acquire resources to govern, assure and manage changes to approaches to addressing reward, risk and compliance. (A5.9 Develop Integrated Plan, OCEG GRC Capability Model, v 3.0)
  • ensuring that the resources needed for the environmental management system are available; (§ 5.1 ¶ 1 d), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the environmental management system. (§ 7.1 ¶ 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • decisions related to any need for changes to the environmental management system, including resources; (§ 9.3 ¶ 3 Bullet 3, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • Appropriate resources should be provided to support establishment, implementation, maintenance and continual improvement. Resources can be internal and external. They can include infrastructure, information systems, competence, technology, financial, human and other resources specific to an organiza… (§ 5.7 ¶ 2, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • appropriate authority and adequate resources allocated to the compliance function. (§ 4.4 ¶ 1 Bullet 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • ensuring that the resources needed for the compliance management system are available, allocated and assigned; (§ 5.1 ¶ 1 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • expert advice on relevant laws, regulations, codes and organizational standards; (§ 5.3.3 ¶ 1 d) 3) Bullet 4, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • allocate adequate and appropriate resources to establish, develop, implement, evaluate, maintain and improve the compliance management system and performance outcomes; (§ 5.3.3 ¶ 2 Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • use available compliance resources as a part of the compliance management system; (§ 5.3.6 ¶ 1 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • what resources will be required; (§ 6.2 ¶ 3 Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization should determine and provide the resources needed for the establishment, development, implementation, evaluation, maintenance and continual improvement of the compliance management system appropriate to its size, complexity, structure and operations. (§ 7.1 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Top management and all other levels of management should ensure that the necessary resources are deployed effectively to ensure that the compliance management system meets its objectives, and that compliance is achieved. (§ 7.1 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • provide for the availability of adequate resources. (§ 8.3.2 ¶ 1 f), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system. (§ 7.1 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Top management and oversight bodies, where applicable, should ensure allocation of appropriate resources for risk management, which can include, but are not limited to: - people, skills, experience and competence; - the organization's processes, methods and tools to be used for managing risk; - doc… (§ 5.4.4 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • The organization should consider the capabilities of, and constraints on, existing resources. (§ 5.4.4 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment by: - customizing and implementing all components of the framework; - issuing a statement or policy that establi… (§ 5.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • When planning the approach, considerations include: - objectives and decisions that need to be made; - outcomes expected from the steps to be taken in the process; - time, location, specific inclusions and exclusions; - appropriate risk assessment tools and techniques; - resources required, responsi… (§ 6.3.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • Top management and oversight bodies, where applicable, should demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey an organization's objectives and commitment to risk management. The commitment should include, but i… (§ 5.4.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • establishes and maintains adequate resourcing; (§ 6.9.3.2 ¶ 2 f), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensuring that the resources needed for the compliance management system are available; (§ 5.1.1 ¶ 1 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • what resources will be required; (§ 6.2 ¶ 3 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • allocate adequate and appropriate resources to establish, develop, implement, evaluate, maintain and improve the compliance management system; (§ 5.3.1 ¶ 4 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the availability of adequate resources; (§ 6.3 ¶ 2 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the compliance management system. (§ 7.1 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • expert advice on relevant laws, regulations, codes and organizational standards. (§ 5.3.2 ¶ 4 bullet 4, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • provide mechanisms, time, training and resources necessary for consultation and participation; (§ 5.4 ¶ 2 a), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the quality management system. (7.1.1 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements. (7.1.5.1 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • ensuring that the resources needed for the compliance management system are available; (§ 5.1.1 ¶ 1 bullet 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • allocate adequate and appropriate resources to establish, develop, implement, evaluate, maintain and improve the compliance management system; (§ 5.3.1 ¶ 4 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • what resources will be required; (§ 6.2 ¶ 4 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the compliance management system. (§ 7.1 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the availability of adequate resources; (§ 10.2 ¶ 3 bullet 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • expert advice on relevant laws, regulations, codes and organizational standards. (§ 5.3.2 ¶ 6 bullet 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Top management should also be aware of the specialized resources that can be needed to manage AI risk, and allocate those resources appropriately. (§ 5.2 ¶ 5, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • acquire the resources as needed; (§ 7.1 Guidance ¶ 1(g), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Risk appetite guides how an organization allocates resources, both through the entire entity and in individual operating units. The goal is to align resource allocation with the entity's mission, vision, and core values. Therefore, when management allocates resources across operating units, it consi… (Using Risk Appetite ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Adopt quantitative risk analyses that apply probabilistic approaches (e.g., Bayesian analysis) to reduce uncertainty about the likelihood and impact of cybersecurity risks throughout the supply chain, optimize the allocation of resources to risk response, and measure return on investment (i.e., resp… (3.4.3. ¶ 1 Bullet 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Acquire and manage the necessary resources, including leadership support, financial resources, and key security personnel, to support information technology (IT) security goals and objectives and reduce overall organizational risk. (T0001, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Advocate for adequate funding for cyber training resources, to include both internal and industry-provided courses, instructors, and related materials. (T0341, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Coordinate resource allocation of collection assets against prioritized collection requirements with collection discipline leads. (T0631, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure that the continuous monitoring staff have the training and resources (e.g., staff and budget) needed to perform assigned duties. (T0973, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Acquire and manage the necessary resources, including leadership support, financial resources, and key security personnel, to support information technology (IT) security goals and objectives and reduce overall organizational risk. (T0001, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Advocate for adequate funding for cyber training resources, to include both internal and industry-provided courses, instructors, and related materials. (T0341, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs). (T0275, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Ensure that the continuous monitoring staff have the training and resources (e.g., staff and budget) needed to perform assigned duties. (T0973, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • relating to the effective and efficient use of the Agency's resources related to administrative and major program operations, including financial and fraud objectives (Refer to Section III, Establishing And Operating An Effective System Of Internal Control). (Section II (B1) ¶ 1 Bullet 2 Operations Objectives, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)