Determine progress toward the objectives of the strategic plan.


CONTROL ID
12944
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a strategic plan., CC ID: 12784

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Integrate measurement of the achievement of objectives into the security strategy (§ 10.3 Subsection 1 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Thus, the information security strategy should also make key statements on measuring the achievement of objectives; here, at least the following should be defined: (§ 10.1 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Performance review and/or monitoring the achievement of objectives (Section 5.1 OIS-01 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • present information for the current reporting period and at least two previous periods, as well as any goals and targets that have been set (Comparability Guidance ¶ 2 Bullet 1, GRI 1: Foundation 2021)
  • Confirm that agreed-upon IT objectives have been met or exceeded, or that progress toward IT goals meets expectations. Where agreed-upon objectives have been missed or progress is not as expected, review management's remedial action. Report to the board relevant portfolios, programme and IT performa… (ME4.6 Performance Measurement, CobiT, Version 4.1)
  • Periodically analyze data and seek input about progress towards objectives; and the existence of undesirable conduct, conditions and events. (OCEG GRC Capability Model, v. 3.0, P7 Inquiry, OCEG GRC Capability Model, v 3.0)
  • Determine progress toward objectives and identify the actual or potential occurrence of desirable and undesirable conduct, conditions, and events. (OCEG GRC Capability Model, v 3.0, P1.2 Establish Detective Actions and Controls, OCEG GRC Capability Model, v 3.0)
  • the extent to which environmental objectives have been achieved; (§ 9.3 ¶ 2 c), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • the extent to which the compliance objectives have been met; (§ 9.3 ¶ 2 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • develop, and competently use, appropriate criteria for measurement that will indicate progress towards the fulfilment of the organizational purpose, within the set parameters, via the organizational strategy; (§ 4.3.2 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensures that the organization is, and is seen to be, following the expectations as set. (§ 6.7.3.1 ¶ 3 Bullet 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The outcomes, whether positive or negative, are determined by the expectations which have been set. Leadership determines whether these expectations are fulfilled. (§ 6.7.3.2 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. (§ 6.4.3.2 ¶ 1 j), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the envisaged time scales of the strategic outcomes and of the organizational strategy; (§ 6.3.3.1.1 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the extent to which the compliance objectives have been met; (§ 9.3.2 ¶ 2 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • progress towards achievement of the organization's OH&S objectives; (§ 9.1.1 ¶ 2 a) 3), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • any implications for the strategic direction of the organization. (§ 9.3 ¶ 3 Bullet 7, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • the extent to which the compliance objectives have been met; (§ 9.3 ¶ 3 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • be monitored; (§ 6.2.1 ¶ 1(d), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • achievement of service management objectives; (§ 9.3 ¶ 2(g), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The plan addresses long-term (three- to five-year horizon) goals and allocation of resources. (App A Objective 4:2 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The ability of management to monitor the services delivered and to measure the institution's progress toward identified goals in an effective and efficient manner; (TIER II OBJECTIVES AND PROCEDURES A.1 Bullet 7, FFIEC IT Examination Handbook - Audit, April 2012)
  • Management of technology. The planning and oversight of technology resources and services, ensuring they support the strategic goals and objectives of the TSP and its serviced financial institutions. (Risk-Based Supervision ¶ 2 Bullet 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Enterprises should validate identified C-SCRM goals and objectives with their targeted stakeholder groups prior to beginning an effort to develop specific measures. When developing C-SCRM measures, enterprises should focus on the stakeholder's highest priorities and target measures based on data tha… (3.5.1. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Perform content and/or metadata analysis to meet organization objectives. (T0767, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Determine indicators (e.g., measures of effectiveness) that are best suited to specific cyber operation objectives. (T0648, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Determine indicators (e.g., measures of effectiveness) that are best suited to specific cyber operation objectives. (T0648, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Perform content and/or metadata analysis to meet organization objectives. (T0767, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)