Include criteria for compliance in the decision-making criteria.


CONTROL ID
12951
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a decision management strategy., CC ID: 06913

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • ICT strategy - whether the institution has an ICT strategy that is adequately governed and is in line with the institution's business strategy; (Title 2 2.1 22.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • When applying the principle of proportionality, institutions, payment institutions and competent authorities should take into account the criteria specified in Title I of the EBA Guidelines on internal governance in line with Article 74(2) of Directive 2013/36/EU. (4.1 20, Final Report on EBA Guidelines on outsourcing arrangements)
  • Define criteria for selecting objectives and strategies, guidance on priorities, risk/reward trade-off (e.g., risk appetite, tolerance, thresholds, and capacity) and compliance. (OCEG GRC Capability Model, v. 3.0, A1.5 Define Decision-Making Criteria, OCEG GRC Capability Model, v 3.0)
  • ensuring alignment between operational targets and compliance obligations; (§ 5.1 ¶ 1 i), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • what will be done; (§ 6.2 ¶ 3 Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • ensure alignment between strategic and operational targets and compliance obligations; (§ 5.3.1 ¶ 4 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensure alignment between strategic and operational targets and compliance obligations; (§ 5.3.1 ¶ 4 d), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization ensures appropriate oversight of and compliance with the internal dependency management strategy implementation. (DM.ID-1.3, CRI Profile, v1.2)
  • The organization ensures appropriate oversight of and compliance with the internal dependency management strategy implementation. (DM.ID-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)