Conduct a context analysis to define objectives and strategies.
CONTROL ID
12864
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Analyze organizational objectives, functions, and activities., CC ID: 00598

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Competent authorities should perform the assessment of ICT risk and the governance arrangement and ICT strategy as part of the SREP process following the minimum engagement model and proportionality criteria specified in Title 2 of the EBA SREP Guidelines. In particular, this means that: (Title 1 10., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The purpose of the business analysis practice is to analyse a business or some element of it, define its associated needs, and recommend solutions to address these needs and/or solve a business problem, which must facilitate value creation for stakeholders. Business analysis enables an organization … (5.2.2 ¶ 1, ITIL Foundation, 4 Edition)
  • Impacts may change over time as the organization's activities, business relationships, and context evolve. New activities, new business relationships, and major changes in operations or the operating context (e.g., new market entry, product launch, policy change, wider changes to the organization) c… (§ 1. Step 2. ¶ 6, GRI 3: Material Topics 2021)
  • Perform a high-level analysis of identified context opportunities, threats, and requirements for use in defining high-level objectives and strategies. (OCEG GRC Capability Model, v. 3.0, A1.2 Analyze Opportunities, Threats and Requirements, OCEG GRC Capability Model, v 3.0)
  • Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to … (§ 6.7.3.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: (§ 6.3.3.1.1 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic iss… (§ 6.2.3.1 ¶ 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • what will be done; (6.2.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • when it will be completed; (Section 6.2.4 ¶ 4(f), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization develops business objectives that are specific, measurable or observable, attainable, and relevant. Business objectives provide the link to practices within the entity to support the achievement of the strategy. For example, business objectives may relate to: (Establishing Business Objectives ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The cyber risk strategy identifies and communicates the organization's role as it relates to other critical infrastructures and as a component of the financial services sector. (DM.BE-1.1, CRI Profile, v1.2)
  • Conduct in-depth research and analysis. (T0615, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Evaluate available capabilities against desired effects to recommend efficient solutions. (T0688, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings). (T0294, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct in-depth research and analysis. (T0615, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Evaluate available capabilities against desired effects to recommend efficient solutions. (T0688, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)