| 💼 A1 Additional Criteria for Availability | 3 | | | |
| 💼 A1.1 The entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. | 3 | | | |
| 💼 A1.1-1 Measures Current Usage | | | | |
| 💼 A1.1-2 Forecasts Capacity | | | | |
| 💼 A1.1-3 Makes Changes Based on Forecasts | | | | |
| 💼 A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. | 10 | | | |
| 💼 A1.2-1 Identifies Environmental Threats | | | | |
| 💼 A1.2-2 Designs Detection Measures | | | | |
| 💼 A1.2-3 Implements and Maintains Environmental Protection Mechanisms | | | | |
| 💼 A1.2-4 Implements Alerts to Analyze Anomalies | | | | |
| 💼 A1.2-5 Responds to Environmental Threat Events | | | | |
| 💼 A1.2-6 Communicates and Reviews Detected Environmental Threat Events | | | | |
| 💼 A1.2-7 Determines Data Requiring Backup | | | | |
| 💼 A1.2-8 Performs Data Backup | | | | |
| 💼 A1.2-9 Addresses Offsite Storage | | | | |
| 💼 A1.2-10 Implements Alternate Processing Infrastructure | | | | |
| 💼 A1.3 The entity tests recovery plan procedures supporting system recovery\ \ to meet its objectives. | 2 | | | |
| 💼 A1.3-1 Implements Business Continuity Plan Testing | | | | |
| 💼 A1.3-2 Tests Integrity and Completeness of Back-Up Data | | | | |
| 💼 C1 Additional Criteria for Confidentiality | 2 | | | |
| 💼 C1.1 The entity identifies and maintains confidential information to meet\ \ the entity's objectives related to confidentiality. | 2 | | | |
| 💼 C1.1-1 Identifies Confidential Information | | | | |
| 💼 C1.1-2 Protects Confidential Information from Destruction | | | | |
| 💼 C1.2 The entity disposes of confidential information to meet the entity's\ \ objectives related to confidentiality. | 2 | | | |
| 💼 C1.2-1 Identifies Confidential Information for Destruction | | | | |
| 💼 C1.2-2 Destroys Confidential Information | | | | |
| 💼 CC1 Control Environments | 5 | | | |
| 💼 CC1.1 The entity demonstrates a commitment to integrity and ethical values. | 5 | | | |
| 💼 CC1.1-1 Considers Contractors and Vendor Employees in Demonstrating Its Commitment | | | | |
| 💼 CC1.1-2 Sets the Tone at the Top | | | | |
| 💼 CC1.1-3 Evaluates Adherence to Standards of Conduct | | | | |
| 💼 CC1.1-4 Establishes Standards of Conduct | | | | |
| 💼 CC1.1-5 Addresses Deviations in a Timely Manner | | | | |
| 💼 CC1.2 The board of directors demonstrates independence from management and\ \ exercises oversight of the development and performance of internal control. | 4 | | | |
| 💼 CC1.2-1 Establishes Oversight Responsibilities | | | | |
| 💼 CC1.2-2 Applies Relevant Expertise | | | | |
| 💼 CC1.2-3 Operates Independently | | | | |
| 💼 CC1.2-4 Supplements Board Expertise | | | | |
| 💼 CC1.3 Management establishes, with board oversight, structures, reporting lines,\ \ and appropriate authorities and responsibilities in the pursuit of objectives. | 5 | | | |
| 💼 CC1.3-1 Considers All Structures of the Entity | | | | |
| 💼 CC1.3-2 Establishes Reporting Lines | | | | |
| 💼 CC1.3-3 Defines, Assigns, and Limits Authorities and Responsibilities | | | | |
| 💼 CC1.3-4 Addresses Specific Requirements When Defining Authorities and Responsibilities | | | | |
| 💼 CC1.3-5 Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities | | | | |
| 💼 CC1.4 The entity demonstrates a commitment to attract, develop, and retain\ \ competent individuals in alignment with objectives. | 7 | | | |
| 💼 CC1.4-1 Establishes Policies and Practices | | | | |
| 💼 CC1.4-2 Evaluates Competence and Addresses Shortcomings | | | | |
| 💼 CC1.4-3 Attracts, Develops, and Retains Individuals | | | | |
| 💼 CC1.4-4 Plans and Prepares for Succession | | | | |
| 💼 CC1.4-5 Considers the Background of Individuals | | | | |
| 💼 CC1.4-6 Considers the Technical Competency of Individuals | | | | |
| 💼 CC1.4-7 Provides Training to Maintain Technical Competencies | | | | |
| 💼 CC1.5 The entity holds individuals accountable for their internal control\ \ responsibilities in the pursuit of objectives. | 5 | | | |
| 💼 CC1.5-1 Enforces Accountability Through Structures, Authorities, and Responsibilities | | | | |
| 💼 CC1.5-2 Establishes Performance Measures, Incentives, and Rewards | | | | |
| 💼 CC1.5-3 Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance | | | | |
| 💼 CC1.5-4 Considers Excessive Pressures | | | | |
| 💼 CC1.5-5 Evaluates Performance and Rewards or Disciplines Individuals | | | | |
| 💼 CC2 Communication and Information | 3 | | | |
| 💼 CC2.1 The entity obtains or generates and uses relevant, quality information to\ \ support the functioning of internal control. | 4 | | | |
| 💼 CC2.1-1 Identifies Information Requirements | | | | |
| 💼 CC2.1-2 Captures Internal and External Sources of Data | | | | |
| 💼 CC2.1-3 Processes Relevant Data Into Information | | | | |
| 💼 CC2.1-4 Maintains Quality Throughout Processing | | | | |
| 💼 CC2.2 The entity internally communicates information, including objectives and\ \ responsibilities for internal control, necessary to support the functioning\ \ of internal control. | 13 | | | |
| 💼 CC2.2-1 Communicates Internal Control Information | | | | |
| 💼 CC2.2-2 Communicates With the Board of Directors | | | | |
| 💼 CC2.2-3 Provides Separate Communication Lines | | | | |
| 💼 CC2.2-4 Selects Relevant Method of Communication | | | | |
| 💼 CC2.2-5 Communicates Responsibilities | | | | |
| 💼 CC2.2-6 Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters | | | | |
| 💼 CC2.2-7 Communicates Objectives and Changes to Objectives | | | | |
| 💼 CC2.2-8 Communicates Information to Improve Security Knowledge and Awareness | | | | |
| 💼 CC2.2-9 Communicates Information to Improve Privacy Knowledge and Awareness | | | | |
| 💼 CC2.2-10 Communicates Incident Reporting Methods | | | | |
| 💼 CC2.2-11 Communicates Information About System Operation and Boundaries | | | | |
| 💼 CC2.2-12 Communicates System Objectives | | | | |
| 💼 CC2.2-13 Communicates System Changes | | | | |
| 💼 CC2.3 The entity communicates with external parties regarding matters affecting\ \ the functioning of internal control. | 12 | | | |
| 💼 CC2.3-1 Communicates to External Parties | | | | |
| 💼 CC2.3-2 Enables Inbound Communications | | | | |
| 💼 CC2.3-3 Communicates With the Board of Directors | | | | |
| 💼 CC2.3-4 Provides Separate Communication Lines | | | | |
| 💼 CC2.3-5 Selects Relevant Method of Communication | | | | |
| 💼 CC2.3-6 Communicates Objectives Related to Confidentiality and Changes to Those Objectives | | | | |
| 💼 CC2.3-7 Communicates Objectives Related to Privacy and Changes to Those Objectives | | | | |
| 💼 CC2.3-8 Communicates Incident Reporting Methods | | | | |
| 💼 CC2.3-9 Communicates Information About System Operation and Boundaries | | | | |
| 💼 CC2.3-10 Communicates System Objectives | | | | |
| 💼 CC2.3-11 Communicates System Responsibilities | | | | |
| 💼 CC2.3-12 Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters | | | | |
| 💼 CC3 Risk Assessment | 4 | | | |
| 💼 CC3.1 The entity specifies objectives with sufficient clarity to enable\ \ the identification and assessment of risks relating to objectives. | 16 | | | |
| 💼 CC3.1-1 Reflects Management's Choices | | | | |
| 💼 CC3.1-2 Considers Tolerances for Risk | | | | |
| 💼 CC3.1-3 Includes Operations and Financial Performance Goals | | | | |
| 💼 CC3.1-4 Forms a Basis for Committing of Resources | | | | |
| 💼 CC3.1-5 Complies With Applicable Accounting Standards | | | | |
| 💼 CC3.1-6 Considers Materiality | | | | |
| 💼 CC3.1-7 Reflects Entity Activities | | | | |
| 💼 CC3.1-8 Complies With Externally Established Frameworks | | | | |
| 💼 CC3.1-9 Considers the Required Level of Precision | | | | |
| 💼 CC3.1-10 Reflects Entity Activities | | | | |
| 💼 CC3.1-11 Reflects Management's Choices | | | | |
| 💼 CC3.1-12 Considers the Required Level of Precision | | | | |
| 💼 CC3.1-13 Reflects Entity Activities | | | | |
| 💼 CC3.1-14 Reflects External Laws and Regulations | | | | |
| 💼 CC3.1-15 Considers Tolerances for Risk | | | | |
| 💼 CC3.1-16 Establishes Sub-Objectives for Risk Assessment | | | | |
| 💼 CC3.2 The entity identifies risks to the achievement of its objectives\ \ across the entity and analyzes risks as a basis for determining how the\ \ risks should be managed. | 9 | | | |
| 💼 CC3.2-1 Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels | | | | |
| 💼 CC3.2-2 Analyzes Internal and External Factors | | | | |
| 💼 CC3.2-3 Involves Appropriate Levels of Management | | | | |
| 💼 CC3.2-4 Estimates Significance of Risks Identified | | | | |
| 💼 CC3.2-5 Determines How to Respond to Risks | | | | |
| 💼 CC3.2-6 Identifies Threats to Objectives | | | | |
| 💼 CC3.2-7 Identifies Vulnerability of System Components | | | | |
| 💼 CC3.2-8 Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties | | | | |
| 💼 CC3.2-9 Assesses the Significance of the Risks | | | | |
| 💼 CC3.3 The entity considers the potential for fraud in assessing risks to\ \ the achievement of objectives. | 5 | | | |
| 💼 CC3.3-1 Considers Various Types of Fraud | | | | |
| 💼 CC3.3-2 Assesses Incentives and Pressures | | | | |
| 💼 CC3.3-3 Assesses Opportunities | | | | |
| 💼 CC3.3-4 Assesses Attitudes and Rationalizations | | | | |
| 💼 CC3.3-5 Considers the Risks Related to the Use of IT and Access to Information | | | | |
| 💼 CC3.4 The entity identifies and assesses changes that could significantly\ \ impact the system of internal control. | 6 | | | |
| 💼 CC3.4-1 Assesses Changes in the External Environment | | | | |
| 💼 CC3.4-2 Assesses Changes in the Business Model | | | | |
| 💼 CC3.4-3 Assesses Changes in Leadership | | | | |
| 💼 CC3.4-4 Assess Changes in Systems and Technology | | | | |
| 💼 CC3.4-5 Assess Changes in Vendor and Business Partner Relationships | | | | |
| 💼 CC3.4-6 Assesses Changes in Threats and Vulnerabilities | | | | |
| 💼 CC4 Monitoring Activities | 2 | | | |
| 💼 CC4.1 The entity selects, develops, and performs ongoing and/or separate\ \ evaluations to ascertain whether the components of internal control are\ \ present and functioning. | 8 | | | |
| 💼 CC4.1-1 Considers a Mix of Ongoing and Separate Evaluations | | | | |
| 💼 CC4.1-2 Considers Rate of Change | | | | |
| 💼 CC4.1-3 Establishes Baseline Understanding | | | | |
| 💼 CC4.1-4 Uses Knowledgeable Personnel | | | | |
| 💼 CC4.1-5 Integrates With Business Processes | | | | |
| 💼 CC4.1-6 Adjusts Scope and Frequency | | | | |
| 💼 CC4.1-7 Objectively Evaluates | | | | |
| 💼 CC4.1-8 Considers Different Types of Ongoing and Separate Evaluations | | | | |
| 💼 CC4.2 The entity evaluates and communicates internal control deficiencies\ \ in a timely manner to those parties responsible for taking corrective action,\ \ including senior management and the board of directors, as appropriate. | 3 | | | |
| 💼 CC4.2-1 Assesses Results | | | | |
| 💼 CC4.2-2 Communicates Deficiencies | | | | |
| 💼 CC4.2-3 Monitors Corrective Action | | 7 | 7 | |
| 💼 CC5 Control Activities | 3 | | | |
| 💼 CC5.1 The entity selects and develops control activities that contribute\ \ to the mitigation of risks to the achievement of objectives to acceptable levels. | 6 | | | |
| 💼 CC5.1-1 Integrates With Risk Assessment | | | | |
| 💼 CC5.1-2 Considers Entity-Specific Factors | | | | |
| 💼 CC5.1-3 Determines Relevant Business Processes | | | | |
| 💼 CC5.1-4 Evaluates a Mix of Control Activity Types | | | | |
| 💼 CC5.1-5 Considers at What Level Activities Are Applied | | | | |
| 💼 CC5.1-6 Addresses Segregation of Duties | | | | |
| 💼 CC5.2 The entity also selects and develops general control activities over\ \ technology to support the achievement of objectives. | 4 | | | |
| 💼 CC5.2-1 Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls | | | | |
| 💼 CC5.2-2 Establishes Relevant Technology Infrastructure Control Activities | | | | |
| 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities | | 16 | 17 | |
| 💼 CC5.2-4 Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities | | | | |
| 💼 CC5.3 The entity deploys control activities through policies that establish\ \ what is expected and in procedures that put policies into action. | 6 | | | |
| 💼 CC5.3-1 Establishes Policies and Procedures to Support Deployment of\ \ Management's Directives | | | | |
| 💼 CC5.3-2 Establishes Responsibility and Accountability for Executing Policies and Procedures | | | | |
| 💼 CC5.3-3 Performs in a Timely Manner | | | | |
| 💼 CC5.3-4 Takes Corrective Action | | | | |
| 💼 CC5.3-5 Performs Using Competent Personnel | | | | |
| 💼 CC5.3-6 Reassesses Policies and Procedures | | | | |
| 💼 CC6 Logical and Physical Access Controls | 8 | | | |
| 💼 CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. | 13 | | | |
| 💼 CC6.1-1 Identifies and Manages the Inventory of Information Assets | | | | |
| 💼 CC6.1-2 Assesses New Architectures | | | | |
| 💼 CC6.1-3 Restricts Logical Access | | 1 | 2 | |
| 💼 CC6.1-4 Identifies and Authenticates Users | | 4 | 4 | |
| 💼 CC6.1-5 Considers Network Segmentation | | 1 | 1 | |
| 💼 CC6.1-6 Manages Points of Access | | 5 | 6 | |
| 💼 CC6.1-7 Restricts Access to Information Assets | | 12 | 12 | |
| 💼 CC6.1-8 Manages Identification and Authentication | | 18 | 21 | |
| 💼 CC6.1-9 Manages Credentials for Infrastructure and Software | | 3 | 3 | |
| 💼 CC6.1-10 Uses Encryption to Protect Data | | 6 | 6 | |
| 💼 CC6.1-11 Protects Encryption Keys | | 6 | 8 | |
| 💼 CC6.1-12 Restricts Access to and Use of Confidential Information for Identified Purposes | | | | |
| 💼 CC6.1-13 Restricts Access to and the Use of Personal Information | | | | |
| 💼 CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. | 3 | | | |
| 💼 CC6.2-1 Creates Access Credentials to Protected Information Assets | | | | |
| 💼 CC6.2-2 Reviews Appropriateness of Access Credentials | | | | |
| 💼 CC6.2-3 Prevents the Use of Credentials When No Longer Valid | | | | |
| 💼 CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. | 4 | | | |
| 💼 CC6.3-1 Creates or Modifies Access to Protected Information Assets | | | | |
| 💼 CC6.3-2 Removes Access to Protected Information Assets | | | | |
| 💼 CC6.3-3 Uses Access Control Structures | | 1 | 1 | |
| 💼 CC6.3-4 Reviews Access Roles and Rules | | | | |
| 💼 CC6.4 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives. | 4 | | | |
| 💼 CC6.4-1 Creates or Modifies Physical Access | | | | |
| 💼 CC6.4-2 Removes Physical Access | | | | |
| 💼 CC6.4-3 Recovers Physical Devices | | | | |
| 💼 CC6.4-4 Reviews Physical Access | | | | |
| 💼 CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives. | 1 | | | |
| 💼 CC6.5-1 Removes Data and Software From Entity Control | | | | |
| 💼 CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. | 4 | | | |
| 💼 CC6.6-1 Restricts Access | | 15 | 15 | |
| 💼 CC6.6-2 Protects Identification and Authentication Credentials | | | | |
| 💼 CC6.6-3 Requires Additional Authentication or Credentials | | 4 | 4 | |
| 💼 CC6.6-4 Implements Boundary Protection Systems | | | | |
| 💼 CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. | 4 | | | |
| 💼 CC6.7-1 Restricts the Ability to Perform Transmission | | | | |
| 💼 CC6.7-2 Uses Encryption Technologies or Secure Communication Channels to Protect Data | | 3 | 4 | |
| 💼 CC6.7-3 Protects Removal Media | | | | |
| 💼 CC6.7-4 Protects Endpoint Devices | | | | |
| 💼 CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. | 5 | | | |
| 💼 CC6.8-1 Restricts Installation and Modification of Application and Software | | | | |
| 💼 CC6.8-2 Detects Unauthorized Changes to Software and Configuration Parameters | | | | |
| 💼 CC6.8-3 Uses a Defined Change Control Process | | | | |
| 💼 CC6.8-4 Uses Antivirus and Anti-Malware Software | | | | |
| 💼 CC6.8-5 Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software | | | | |
| 💼 CC7 System Operations | 5 | | | |
| 💼 CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. | 5 | | | |
| 💼 CC7.1-1 Uses Defined Configuration Standards | | 4 | 5 | |
| 💼 CC7.1-2 Monitors Infrastructure and Software | | 9 | 9 | |
| 💼 CC7.1-3 Implements Change-Detection Mechanisms | | | | |
| 💼 CC7.1-4 Detects Unknown or Unauthorized Components | | | | |
| 💼 CC7.1-5 Conducts Vulnerability Scans | | | | |
| 💼 CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. | 4 | | | |
| 💼 CC7.2-1 Implements Detection Policies, Procedures, and Tools | | | | |
| 💼 CC7.2-2 Designs Detection Measures | | | | |
| 💼 CC7.2-3 Implements Filters to Analyze Anomalies | | 9 | 11 | |
| 💼 CC7.2-4 Monitors Detection Tools for Effective Operation | | | | |
| 💼 CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. | 7 | | | |
| 💼 CC7.3-1 Responds to Security Incidents | | | | |
| 💼 CC7.3-2 Communicates and Reviews Detected Security Events | | | | |
| 💼 CC7.3-3 Develops and Implements Procedures to Analyze Security Incidents | | | | |
| 💼 CC7.3-4 Assesses the Impact on Confidential Information | | | | |
| 💼 CC7.3-5 Determines Confidential Information Used or Disclosed | | | | |
| 💼 CC7.3-6 Assesses the Impact on Personal Information | | | | |
| 💼 CC7.3-7 Determines Personal Information Used or Disclosed | | | | |
| 💼 CC7.4 The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate. | 14 | | | |
| 💼 CC7.4-1 Assigns Roles and Responsibilities | | | | |
| 💼 CC7.4-2 Contains and Responds to Security Incidents | | | | |
| 💼 CC7.4-3 Mitigates Ongoing Security Incidents | | | | |
| 💼 CC7.4-4 Resolves Security Incidents | | | | |
| 💼 CC7.4-5 Restores Operations | | | | |
| 💼 CC7.4-6 Develops and Implements Communication Protocols for Security Incidents | | | | |
| 💼 CC7.4-7 Obtains Understanding of Nature of Incident and Determines Containment Strategy | | | | |
| 💼 CC7.4-8 Remediates Identified Vulnerabilities | | | | |
| 💼 CC7.4-9 Communicates Remediation Activities | | | | |
| 💼 CC7.4-10 Evaluates the Effectiveness of Incident Response | | | | |
| 💼 CC7.4-11 Periodically Evaluates Incidents | | | | |
| 💼 CC7.4-12 Applies Breach Response Procedures | | | | |
| 💼 CC7.4-13 Communicates Unauthorized Use and Disclosure | | | | |
| 💼 CC7.4-14 Application of Sanctions | | | | |
| 💼 CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents. | 6 | | | |
| 💼 CC7.5-1 Restores the Affected Environment | | | | |
| 💼 CC7.5-2 Communicates Information About the Incident | | | | |
| 💼 CC7.5-3 Determines Root Cause of the Incident | | | | |
| 💼 CC7.5-4 Implements Changes to Prevent and Detect Recurrences | | | | |
| 💼 CC7.5-5 Improves Response and Recovery Procedures | | | | |
| 💼 CC7.5-6 Implements Incident Recovery Plan Testing | | | | |
| 💼 CC8 Change Management | 1 | | | |
| 💼 CC8.1 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. | 18 | | | |
| 💼 CC8.1-1 Manages Changes Throughout the System Lifecycle | | | | |
| 💼 CC8.1-2 Authorizes Changes | | | | |
| 💼 CC8.1-3 Designs and Develops Changes | | | | |
| 💼 CC8.1-4 Documents Changes | | | | |
| 💼 CC8.1-5 Tracks System Changes | | | | |
| 💼 CC8.1-6 Configures Software | | | | |
| 💼 CC8.1-7 Tests System Changes | | | | |
| 💼 CC8.1-8 Approves System Changes | | | | |
| 💼 CC8.1-9 Deploys System Changes | | | | |
| 💼 CC8.1-10 Identifies and Evaluates System Changes | | | | |
| 💼 CC8.1-11 Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents | | | | |
| 💼 CC8.1-12 Creates Baseline Configuration of IT Technology | | | | |
| 💼 CC8.1-13 Provides for Changes Necessary in Emergency Situations | | | | |
| 💼 CC8.1-14 Manages Patch Changes | | | | |
| 💼 CC8.1-15 Considers System Resilience | | | | |
| 💼 CC8.1-16 Protects Confidential Information | | | | |
| 💼 CC8.1-17 Protects Personal Information | | | | |
| 💼 CC8.1-18 Privacy by Design | | | | |
| 💼 CC9 Risk Mitigation | 2 | | | |
| 💼 CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. | 2 | | | |
| 💼 CC9.1-1 Considers Mitigation of Risks of Business Disruption | | | | |
| 💼 CC9.1-2 Considers the Use of Insurance to Mitigate Financial Impact Risks | | | | |
| 💼 CC9.2 The entity assesses and manages risks associated with vendors and business partners. | 13 | | | |
| 💼 CC9.2-1 Establishes Requirements for Vendor and Business Partner Engagements | | | | |
| 💼 CC9.2-2 Identifies Vulnerabilities | | | | |
| 💼 CC9.2-3 Assesses Vendor and Business Partner Risks | | | | |
| 💼 CC9.2-4 Assigns Responsibility and Accountability for Managing Vendors and Business Partners | | | | |
| 💼 CC9.2-5 Establishes Communication Protocols for Vendors and Business Partners | | | | |
| 💼 CC9.2-6 Establishes Exception Handling Procedures From Vendors and Business Partners | | | | |
| 💼 CC9.2-7 Assesses Vendor and Business Partner Performance | | | | |
| 💼 CC9.2-8 Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments | | | | |
| 💼 CC9.2-9 Implements Procedures for Terminating Vendor and Business Partner Relationships | | | | |
| 💼 CC9.2-10 Obtains Confidentiality Commitments from Vendors and Business Partners | | | | |
| 💼 CC9.2-11 Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners | | | | |
| 💼 CC9.2-12 Obtains Privacy Commitments from Vendors and Business Partners | | | | |
| 💼 CC9.2-13 Assesses Compliance with Privacy Commitments of Vendors and Business Partners | | | | |
| 💼 P1.0 Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy | 1 | | | |
| 💼 P1.1 The entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to privacy. | 7 | | | |
| 💼 P1.1-1 Communicates to Data Subjects | | | | |
| 💼 P1.1-2 Provides Notice to Data Subjects | | | | |
| 💼 P1.1-3 Covers Entities and Activities in Notice | | | | |
| 💼 P1.1-4 Uses Clear Language and Presents a Current Privacy Notice in a Location Easily Found by Data Subjects | | | | |
| 💼 P1.1-5 Reviews the Privacy Notice | | | | |
| 💼 P1.1-6 Communicates Changes to Notice | | | | |
| 💼 P1.1-7 Retains Prior Notices | | | | |
| 💼 P2.0 Privacy Criteria Related to Choice and Consent | 1 | | | |
| 💼 P2.1 The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. | 6 | | | |
| 💼 P2.1-1 Communicates to Data Subjects | | | | |
| 💼 P2.1-2 Communicates Consequences of Denying or Withdrawing Consent | | | | |
| 💼 P2.1-3 Obtains Implicit or Explicit Consent | | | | |
| 💼 P2.1-4 Documents and Obtains Consent for New Purposes and Uses | | | | |
| 💼 P2.1-5 Obtains Explicit Consent for Sensitive Information | | | | |
| 💼 P2.1-6 Obtains Consent for Data Transfers | | | | |
| 💼 P3.0 Privacy Criteria Related to Collection | 2 | | | |
| 💼 P3.1 Personal information is collected consistent with the entity's objectives related to privacy. | 4 | | | |
| 💼 P3.1-1 Limits the Collection of Personal Information | | | | |
| 💼 P3.1-2 Collects Information by Fair and Lawful Means | | | | |
| 💼 P3.1-3 Collects Information From Reliable Sources | | | | |
| 💼 P3.1-4 Informs Data Subjects When Additional Information Is Acquired | | | | |
| 💼 P3.2 For information requiring explicit consent, the entity communicates the need for such consent as well as the consequences of a failure to provide consent for the request for personal information and obtains the consent prior to the collection of the information to meet the entity's objectives related to privacy. | 2 | | | |
| 💼 P3.2-1 Informs Data Subjects of Consequences of Failure to Provide Consent | | | | |
| 💼 P3.2-2 Documents Explicit Consent to Retain Information | | | | |
| 💼 P4.0 Privacy Criteria Related to Use, Retention, and Disposal | 3 | | | |
| 💼 P4.1 The entity limits the use of personal information to the purposes identified in the entity's objectives related to privacy. | 1 | | | |
| 💼 P4.1-1 Uses Personal Information for Intended Purposes | | | | |
| 💼 P4.2 The entity retains personal information consistent with the entity's objectives related to privacy. | 2 | | | |
| 💼 P4.2-1 Retains Personal Information | | | | |
| 💼 P4.2-2 Protects Personal Information | | | | |
| 💼 P4.3 The entity securely disposes of personal information to meet the entity's objectives related to privacy. | 3 | | | |
| 💼 P4.3-1 Captures, Identifies, and Flags Requests for Deletion | | | | |
| 💼 P4.3-2 Disposes of, Destroys, and Redacts Personal Information | | | | |
| 💼 P4.3-3 Destroys Personal Information | | | | |
| 💼 P5.0 Privacy Criteria Related to Access | 2 | | | |
| 💼 P5.1 The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity's objectives related to privacy. | 5 | | | |
| 💼 P5.1-1 Responds to Data Controller Requests | | | | |
| 💼 P5.1-2 Authenticates Data Subjects' Identity | | | | |
| 💼 P5.1-3 Permits Data Subjects Access to Their Personal Information | | | | |
| 💼 P5.1-4 Provides Understandable Personal Information Within Reasonable Time | | | | |
| 💼 P5.1-5 Informs Data Subjects If Access Is Denied | | | | |
| 💼 P5.2 The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity's objectives related to privacy. | 4 | | | |
| 💼 P5.2-1 Responds to Data Controller Requests | | | | |
| 💼 P5.2-2 Communicates Denial of Access Requests | | | | |
| 💼 P5.2-3 Permits Data Subjects to Update or Correct Personal Information | | | | |
| 💼 P5.2-4 Communicates Denial of Correction Requests | | | | |
| 💼 P6.0 Privacy Criteria Related to Disclosure and Notification | 7 | | | |
| 💼 P6.1 The entity discloses personal information to third parties with the explicit consent of data subjects and such consent is obtained prior to disclosure to meet the entity's objectives related to privacy. | 4 | | | |
| 💼 P6.1-1 Communicates Privacy Policies to Third Parties | | | | |
| 💼 P6.1-2 Discloses Personal Information Only When Appropriate | | | | |
| 💼 P6.1-3 Discloses Personal Information Only to Appropriate Third Parties | | | | |
| 💼 P6.1-4 Discloses Information to Third Parties for New Purposes and Uses | | | | |
| 💼 P6.2 The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity's objectives related to privacy. | 1 | | | |
| 💼 P6.2-1 Creates and Retains Record of Authorized Disclosures | | | | |
| 💼 P6.3 The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity's objectives related to privacy. | 1 | | | |
| 💼 P6.3-1 Creates and Retains Record of Detected or Reported Unauthorized Disclosures | | | | |
| 💼 P6.4 The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity's objectives related to privacy. | 3 | | | |
| 💼 P6.4-1 Evaluates Third-Party Compliance With Privacy Commitments | | | | |
| 💼 P6.4-2 Remediates Misuse of Personal Information by a Third Party | | | | |
| 💼 P6.4-3 Obtains Commitments to Report Unauthorized Disclosures | | | | |
| 💼 P6.5 The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. | 2 | | | |
| 💼 P6.5-1 Remediates Misuse of Personal Information by a Third Party | | | | |
| 💼 P6.5-2 Reports Actual or Suspected Unauthorized Disclosures | | | | |
| 💼 P6.6 The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity's objectives related to privacy. | 2 | | | |
| 💼 P6.6-1 Identifies Reporting Requirements | | | | |
| 💼 P6.6-2 Provides Notice of Breaches and Incidents | | | | |
| 💼 P6.7 The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects' personal information, upon the data subjects' request, to meet the entity's objectives related to privacy. | 3 | | | |
| 💼 P6.7-1 Responds to Data Controller Requests | | | | |
| 💼 P6.7-2 Identifies Types of Personal Information and Handling Process | | | | |
| 💼 P6.7-3 Captures, Identifies, and Communicates Requests for Information | | | | |
| 💼 P7.0 Privacy Criteria Related to Quality | 1 | | | |
| 💼 P7.1 The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's objectives related to privacy. | 2 | | | |
| 💼 P7.1-1 Ensures Accuracy and Completeness of Personal Information | | | | |
| 💼 P7.1-2 Ensures Relevance of Personal Information | | | | |
| 💼 P8.0 Privacy Criteria Related to Monitoring and Enforcement | 1 | | | |
| 💼 P8.1 The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity's objectives related to privacy. | 6 | | | |
| 💼 P8.1-1 Communicates to Data Subjects or Data Controllers | | | | |
| 💼 P8.1-2 Addresses Inquiries, Complaints, and Disputes | | | | |
| 💼 P8.1-3 Documents and Communicates Dispute Resolution and Recourse | | | | |
| 💼 P8.1-4 Documents and Reports Compliance Review Results | | | | |
| 💼 P8.1-5 Documents and Reports Instances of Noncompliance | | | | |
| 💼 P8.1-6 Performs Ongoing Monitoring | | | | |
| 💼 PI1 Additional Criteria for Processing Intergrity | 5 | | | |
| 💼 PI1.1 The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. | 3 | | | |
| 💼 PI1.1-1 Identifies Functional and Nonfunctional Requirements and Information Specifications | | | | |
| 💼 PI1.1-2 Defines Data Necessary to Support a Product or Service | | | | |
| 💼 PI1.1-3 Defines Information Necessary to Support the Use of a Good or Product | | | | |
| 💼 PI1.2 The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives. | 3 | | | |
| 💼 PI1.2-1 Defines Characteristics of Processing Inputs | | | | |
| 💼 PI1.2-2 Evaluates Processing Inputs | | | | |
| 💼 PI1.2-3 Creates and Maintains Records of System Inputs | | | | |
| 💼 PI1.3 The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity's objectives. | 5 | | | |
| 💼 PI1.3-1 Defines Processing Specifications | | | | |
| 💼 PI1.3-2 Defines Processing Activities | | | | |
| 💼 PI1.3-3 Detects and Corrects Processing or Production Activity Errors | | | | |
| 💼 PI1.3-4 Records System Processing Activities | | | | |
| 💼 PI1.3-5 Processes Inputs | | | | |
| 💼 PI1.4 The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives. | 4 | | | |
| 💼 PI1.4-1 Protects Output | | | | |
| 💼 PI1.4-2 Distributes Output Only to Intended Parties | | | | |
| 💼 PI1.4-3 Distributes Output Completely and Accurately | | | | |
| 💼 PI1.4-4 Creates and Maintains Records of System Output Activities | | | | |
| 💼 PI1.5 The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives. | 4 | | | |
| 💼 PI1.5-1 Protects Stored Items | | | | |
| 💼 PI1.5-2 Archives and Protects System Records | | | | |
| 💼 PI1.5-3 Stores Data Completely and Accurately | | | | |
| 💼 PI1.5-4 Creates and Maintains Records of System Storage Activities | | | | |