Conduct external audits of risk assessments, as necessary.
CONTROL ID 13308
CONTROL TYPE Audits and Risk Management
CLASSIFICATION Detective
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Perform risk assessments for all target environments, as necessary. (CC ID: 06452)
This Control has the following implementation support Control(s):
Notify the organization upon completion of the external audits of the organization's risk assessment. (CC ID: 13313)
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Conduct independent audit and assurance assessments according to relevant standards at least annually. (A&A-02, Cloud Controls Matrix, v4.0)
The unaffiliated third party verification shall verify the Transmission Owner's risk assessment performed under Requirement R1, which may include recommendations for the addition or deletion of a Transmission station(s) or Transmission substation(s). The Transmission Owner shall ensure the verificat… (B. R2. 2.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall have an unaffiliated third… (B. R6., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall have an unaffiliated third… (B. R6., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
The unaffiliated third party verification shall verify the Transmission Owner's risk assessment performed under Requirement R1, which may include recommendations for the addition or deletion of a Transmission station(s) or Transmission substation(s). The Transmission Owner shall ensure the verificat… (B. R2. 2.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
Internal audit, independent reviews, and certifications. (App A Objective 2:1f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)