Establish, implement, and maintain a governance policy.
CONTROL ID
15587
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework., CC ID: 01406

This Control has the following implementation support Control(s):
  • Disseminate and communicate the governance policy to all interested personnel and affected parties., CC ID: 15625
  • Include a commitment to continuous improvement in the governance policy., CC ID: 15595
  • Include roles and responsibilities in the governance policy., CC ID: 15594
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The governing body should establish governance policies and ensure that these: (§ 6.3.3.1.2 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that the governance policies are effectively applied across the organization and that they achieve the governing body's intentions. (§ 6.3.3.1.2 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • positions risk as a key consideration in the setting of governance policies (see 6.3); (§ 6.9.3.2 ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • are regularly reviewed, and updated as necessary, to ensure that they remain aligned with the organization's constituting documents, and the organization's changing context, and are based on relevant guidance and best practices such as standards and codes. (§ 6.3.3.1.2 ¶ 1 h), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • clarify the governing body's intentions and expectations with respect to the organizational purpose, organizational values and the organization's value generation objectives; (§ 6.3.3.1.2 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • governance policies, to ensure that they remain aligned with the organization's changing internal and external context and are current with common or best practice; (§ 6.3.3.2.2 ¶ 2 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; (§ 6.8.3.4 ¶ 2 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Governance. The Predictive Decision Support Intervention(s) must be subject to policies and implemented controls for governance, including how data are acquired, managed, and used. (§ 170.315 (b) (11) (vi) (C), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)