Monitor for changes which affect organizational strategies in the external environment.

CONTROL ID
12880
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Analyze the external environment in which the organization operates., CC ID: 12799

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The management must ensure it is kept up-to-date about problems, the results of reviews and audits, but also the latest developments, altered framework conditions, or opportunities for improvement at regular intervals so that it can fulfil its management function. In order for the management level t… (§ 4.2 Bullet 1 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The maintenance of information security is also an important point for small and medium-sized organisations. Although the audits will be less extensive than in large organisations, they must not be omitted in any case. Within the context of the annual management assessment, the topmost management le… (§ 7.4 ¶ 4, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Create and maintain a technology infrastructure plan that is in accordance with the IT strategic and tactical plans. The plan should be based on the technological direction and include contingency arrangements and direction for acquisition of technology resources. It should consider changes in the c… (PO3.2 Technology Infrastructure Plan, CobiT, Version 4.1)
  • Continually look for changes in the external context that may have a direct, indirect, or cumulative effect on objectives or strategies. (L1.3 Watch the External Context, OCEG GRC Capability Model, v 3.0)
  • changes in external and internal issues that are relevant to the BCMS; (§ 9.3.2 ¶ 1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • changes in the external and internal issues that are relevant to the quality management system; (9.3.2 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • reflect (where appropriate) the likelihood of high rates of change in technology and in the business environment; (Section 6.2.3 ¶ 3 bullet 8, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • changes in external and internal issues that are relevant to the information security management system; (§ 9.3.2 ¶ 1 b), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. (TASK M-1, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Organizations consider how change can affect enterprise risk management and the achievement of strategy and business objectives. This requires identifying internal and external environmental changes related to the business context as well as changes in culture. Some examples of substantial change in… (Integrating Reviews into Business Practices ¶ 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • If a TSP has weak risk management controls requiring corrective action, the TSP's serviced institutions may also have to take remedial actions because the institutions have the ultimate responsibility to properly manage their risks. Management of TSPs and financial institutions should monitor change… (Risk Management ¶ 3, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)