Document the organization's business processes.


CONTROL ID
13035
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Disseminate and communicate the business process documentation to interested personnel and affected parties., CC ID: 13038


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Financial institutions should manage their ICT operations based on documented and implemented processes and procedures (which, for PSPs, include the security policy document in accordance with Article 5(1)(j) of PSD2) that are approved by the management body. This set of documents should define how … (3.5 50, Final Report EBA Guidelines on ICT and security risk management)
  • Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It s… (PO4.1 IT Process Framework, CobiT, Version 4.1)
  • An organization's business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate, interested parties. (Principle of Transparency:, Generally Accepted Recordkeeping Principles®, For the Web)
  • promoting the use of the process approach and risk-based thinking; (5.1.1 ¶ 1(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, the IT asset management plan(s) determined in 6.2, and the corrective and preventive actions determined in 10.1 and 10.2 by: (Section 8.1 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization establishes operating structures in the pursuit of strategy and business objectives. (Principle 2: Establishes Operating Structures, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization establishes an operating structure and designs reporting lines to carry out the strategy and business objectives. It is important for the organization to clearly define responsibilities when designing reporting lines. The organization may also enter into relationships with external … (Operating Structure and Reporting Lines ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Due care requires a member to plan and supervise adequately any professional activity for which he or she is responsible. (0.300.060.06, AICPA Code of Professional Conduct, August 31, 2016)
  • Determine whether management documents and maintains accurate representations (e.g., network diagrams, data flow diagrams, business process flow diagrams, and business process narratives) of the current IT and business environments and employs processes to update the representations. (App A Objective 5:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • People and processes supporting the entity's missions and business functions. (App A Objective 14:2e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Services offered and SLA, OLA, or contractual provisions. (App A Objective 16:1a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management understands the documentation maintained to represent the entity's IT and business environment. (III.C, "IT and Business Environment Representations") (App A Objective 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Effective planning processes for service management that consider services offered, SLAs and contractual provisions, known limitations, and metrics and measurements. (VI.C Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Directs management to maintain an institution-wide view of technology and the business processes supported by technology. (App A Objective 2:3 d., FFIEC Information Technology Examination Handbook - Management, November 2015)