Spring Cleaning

🌱 Spring Refresh: Updated Control Types Are Coming to Unified Compliance

To keep our framework aligned with evolving industry standards and the broader range of subject matter we now support, we’re updating the Control Types used to organize the intent of Common Controls.

These updates aim to make your compliance mapping and filtering more intuitive and actionable. 

🔄 What’s Changing? 

Over the next few months, you’ll see the following changes in our system: 

  • Renamed Types for clarity 
  • New Types for expanded topical coverage 
  • Retired Types to reduce redundancy 

If your tools, mappings, or integrations rely on Control Types, we recommend reviewing the list below to prepare for changes. 

✅ Updated Control Types

| New Control Type | Description | Change |
|---|---|---|
| Acquisition, Sale and Transfer of Assets | Covers the acquisition, divestiture, and transfer of physical, digital, or service-based assets to ensure continuity, security, and compliance. | Renamed (was “Acquisition/Sale of Assets or Services”) |
| Auditing | Formal evaluation of controls and processes. | New |
| Communication and Disclosure | Covers internal and external communication of policies, risks, changes, incidents, and required legal or public disclosures to meet transparency expectations. | Renamed (was “Communicate”) |
| Configuration Management | Focuses on the setup, control, and modification of hardware, software, and system configurations. | Renamed (was “Configuration”) |
| Continuity and Recovery | Ensures organizational resilience and recovery capabilities in the event of disruption. | Renamed (was “Systems Continuity”) |
| Data Governance | Defines data classification, ownership, integrity, and lifecycle controls for information assets. | Renamed (was “Data and Information Management”) |
| Documentation Requirements | Covers the creation, maintenance, and review of policies, procedures, and governance documentation. | Renamed (was “Establish/Maintain Documentation”) |
| Ethics and Organizational Culture | Encompasses ethical standards, organizational values, leadership tone, and mechanisms such as whistleblower protections to promote a culture of integrity. | New |
| Human Resources Management | Recruitment, termination, onboarding, background checks, and employment policies. | No Change |
| Identity and Access Management | Covers how users, systems, and processes are authenticated, authorized, and managed. | New |
| Incident Investigation and Enforcement | Focuses on identifying, responding to, and enforcing corrective action around incidents and violations. | Renamed (was “Investigate”) |
| IT Impact Zone | Defines the top level Common Control categories based on the scope of an audit. | No Change |
| Maintenance and Operational Support | Covers upkeep, repair, and technical support needed to sustain systems and infrastructure. | Renamed (was “Maintenance”) |
| Metrics and Reporting | Covers how performance, risk, and compliance metrics are tracked, measured, and reported. | Renamed (was “Actionable Reports or Measurements”) |
| Monitoring, Logging and Alerting | Covers detection, audit logging, and monitoring mechanisms for ongoing compliance and threat identification. | Renamed (was “Log Management”) |
| Physical and Environmental Security | Protects physical infrastructure, personnel, and environmental conditions from risk or harm. | Renamed (was “Physical and Environmental Protection”) |
| Privacy and Personal Data Protection | Encompasses the protection of personal data, including consent management, data subject rights, data minimization, and transparency in the collection, use, and sharing of personal information. | New |
| Process and Operations | Daily procedural steps, workflows, and control implementation through standard business activities. | Renamed (was “Process or Activity”) |
| Records Management | Involves the classification, retention, protection, and secure disposal of records in accordance with compliance requirements. | No Change |
| Risk Management | Covers the identification, evaluation, mitigation, and ongoing monitoring of risks to business operations, assets, and individuals, in alignment with organizational risk appetite. | New |
| Role Definition and Assignment | Defines who is responsible for what within an organization, including segregation of duties and accountability structures. | Renamed (was “Establish Roles”) |
| System Lifecycle and Development | Covers the planning, design, development, testing, deployment, and retirement of systems and software — including APIs, applications, and infrastructure code — to ensure they meet compliance, quality, and performance standards. | Renamed (was “Systems Design, Build, and Implementation”) |
| Technical Security | Covers system, network, and endpoint security protections, including encryption, authentication, anti-malware, etc. | No Change |
| Testing | Covers verification, validation, and performance testing of systems, applications, and controls to ensure they function as intended and meet compliance requirements. | No Change |
| Training and Awareness | Ensures staff are aware of policies and practices through onboarding, education, and awareness campaigns. | Renamed (was “Training”) |
| User Conduct and Acceptable Use | Defines expected behaviors, prohibitions, and acceptable use of organizational resources. | New |

❌ Retired Control Types 

| Old Type | Reason |
|---|---|
| Duplicate | No longer used |
| Behavior | Merged into more precise categories |
| Monitor and Evaluate Occurrences | Merged into “Monitoring, Logging and Alerting” |
| Business Processes | Merged into “Process and Operations” |
| Audits and Risk Management | Split into “Auditing” and “Risk Management” |

🧠 What Should You Do?

If you’re using Control Types in your: 

  • API integrations 
  • Compliance filters 
  • Static reports or mappings 

…please begin reviewing and adjusting now. These changes will roll out in phases starting at the end of Q2 2025.

💡 Questions or feedback?

Let's Chat 

 

Thanks for evolving with us, 
—The Unified Compliance Team