Identify the external forces that may affect organizational objectives.


CONTROL ID: 12960
CONTROL TYPE: Process or Activity
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Analyze the external environment in which the organization operates. (CC ID: 12799)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Determine internal and external framework conditions (§ 3.2.4 Subsection 4 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Identify external and internal forces, events, and conditions that may produce a requirement or cause a desirable or undesirable effect on objectives, taking into consideration the possible need to revise objectives or strategic direction. (OCEG GRC Capability Model, v 3.0, A3.2 Identify Forces, OCEG GRC Capability Model, v 3.0)
  • the relevant external systems on which the organization depends; (§ 6.11.3.3 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • consider the external and internal issues referred to in 4.1; (§ 4.3 ¶ 2 a), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its OH&S management system. (§ 4.1 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • When establishing its IT asset management objectives, the organization shall consider the requirements of relevant stakeholders and of other financial, technical, legal, regulatory and organizational requirements in the IT asset management planning process. (Section 6.2.3 ¶ 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. (§ 4.1 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • the external and internal issues referred to in 4.1; (§ 4.3 ¶ 2 a), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Identification of the entity's IT assets, external constraints, industry IT architecture trends, and the entity's needs for the desired future state. (App A Objective 12:1d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Addressing internal and external factors. (App A Objective 15:6b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Advise managers and operators on language and cultural issues that impact organization objectives. (T0837, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Advise managers and operators on language and cultural issues that impact organization objectives. (T0837, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)