
Create additional decision-making criteria to achieve organizational objectives, as necessary.


CONTROL ID: 12948
CONTROL TYPE: Process or Activity
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a decision management strategy. (CC ID: 06913)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • In some instances, additional decision-making criteria will be required to guide action in achieving objectives. (OCEG GRC Capability Model, v. 3.0, A2.2 Develop Additional Decision-Making Criteria, OCEG GRC Capability Model, v 3.0)
  • The organization can use a range of techniques for identifying uncertainties that may affect one or more objectives. The following factors, and the relationship between these factors, should be considered: - tangible and intangible sources of risk; - causes and events; - threats and opportunities; -… (§ 6.4.2 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • the impact of quality, availability and management of information on organizational decision making; (Section 7.5 ¶ 1(a) bullet 7, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • customers, users and other interested parties; (§ 8.5.1.3 ¶ 1(b), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Use continuous monitoring scoring and grading metrics to make information security investment decisions to address persistent issues. (T0972, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Use continuous monitoring scoring and grading metrics to make information security investment decisions to address persistent issues. (T0972, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)