If an organisation desires certification, then various documents must be created and updated for auditing. These documents are handed over to the auditors and to the certification body at BSI, are assessed, and then the decision in favour or against certification is made on such basis. The documents… (§ 5.2.2 ¶ 2 Bullet 6 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
The following principle applies in terms of the level of detail in the individual documents: "According to the goal and purpose of the document". Strategy documents such as policies should be brief and concise, but should still be informative. The documents created during the conception phase should… (§ 5.2.3 Subsection 2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
Detailed documents on the structure of the information domain and the protection needs of its included target objects are a prerequisite for application of the IT-Grundschutz Compendium. Such information should be determined by using the work steps described above. Then, the modules of the IT-Grunds… (§ 7.6 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
All documents on change management should be updated regularly. For this, it is recommended to apply a change management procedure to record, assess, approve and understand all changes. Clear change management instructions must be specified in writing for all documents for this purpose. The procedur… (§ 5.2.3 Subsection 3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
If later certification of ISMS is desired, creation of certain documents will be mandatory (see Section 11 Certification according to ISO 27001 on the basis of IT-Grundschutz). Besides, documentation efforts should be minimised as much as possible. If IT-Grundschutz states that something must be doc… (§ 5 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
Many of the documents on information security from the field of IT area can be taken over to the field of industrial control. However, some of the documents from the field of IT cannot be transferred to the field of industrial control without further ado. Here, documents for the field of ICS must be… (§ 5.2.2 ¶ 2 Bullet 7 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
A multitude of different documents and descriptions is created before and during the security process. In this respect, it should always be ensured that the time involved in the preparation of documentations remains within reasonable limits. The documentation of the security process should be expres… (§ 5 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
Where the organization has chosen self-assessment, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied with). I… (III.7.c., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
Where the organization has chosen self-assessment, such verification must demonstrate that its privacy policy regarding personal information received from Switzerland is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied wit… (iii.7.c., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
Where the organization has chosen self-assessment, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied with). I… (III.7.c., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
Information about the AI system's knowledge limits and how system output may be utilized and overseen by humans is documented. Documentation provides sufficient information to assist relevant AI actors when making decisions and taking subsequent actions. (MAP 2.2, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
Agency management must determine the appropriate level of documentation needed to support this assessment. The Green Book provides documentation requirements that are a necessary part of an effective internal control system. The level and nature of documentation vary based on the size of the entity … (Section IV (A) ¶ 1, OMB Circular No. A-123, Managementâs Responsibility for Enterprise Risk Management and Internal Control)
