Include regulatory requirements in the analysis of the external environment.


CONTROL ID
12964
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Analyze the external environment in which the organization operates., CC ID: 12799

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • legal reviews are performed to ensure that any applicable local or overseas legal and regulatory requirements have been observed, especially if AIs partner with overseas institutions. Separately, adequate safeguards against the risk of money laundering and terrorist financing are in place if cross-b… (§ 6.3.3(ii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • If the online financial services offered by an AI involve activities regulated by the Securities and Futures Commission (SFC), AIs should have regard to the relevant regulatory requirements issued by the SFC and the HKMA (see also "SB-1 Supervision of Regulated Activities of SFC-Registered Authorize… (§ 6.4.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • The creation of information security is not an end in itself, but information security contributes to the objectives of an organisation being achieved and being able to reliably execute business processes and tasks. For this, it is required that the organisation identifies and analyses all framework… (§ 7.1 Subsection 1 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • legal requirements and regulations such as regarding data privacy, (§ 7.1 Subsection 2 ¶ 2 Bullet 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Analyze influencing factors in the external context including: - Industry forces - Market - Technology - Societal - Regulatory and legal - Geopolitical - Environmental - Third-party relationships - External opportunities and threats (as part of SWOT (OCEG GRC Capability Model, v. 3.0, L1.1 Analyze the External Context, OCEG GRC Capability Model, v 3.0)
  • legal, regulatory, natural environment, social and economic context; (§ 5 ¶ 5 Bullet 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic iss… (§ 6.2.3.1 ¶ 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the legal and regulatory context; (§ 4.1 ¶ 2 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the legal and regulatory context; (§ 4.1 ¶ 2 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • regulators; (§ 6.3.3 ¶ 3 Bullet 5, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • Reading documents describing laws, regulations, or industry standards relevant to the service organization's service commitments and system requirements (¶ 3.20 Bullet 7, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Liaise with regulatory and accrediting bodies. (T0864, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Liaise with regulatory and accrediting bodies. (T0864, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)