Back

Take actions in accordance with the decision-making criteria.


CONTROL ID
12909
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a decision management strategy., CC ID: 06913

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Approve the initiation of each major project phase and communicate it to all stakeholders. Base the approval of the initial phase on programme governance decisions. Approval of subsequent phases should be based on review and acceptance of the deliverables of the previous phase, and approval of an up… (PO10.6 Project Phase Initiation, CobiT, Version 4.1)
  • Create and maintain a technology infrastructure plan that is in accordance with the IT strategic and tactical plans. The plan should be based on the technological direction and include contingency arrangements and direction for acquisition of technology resources. It should consider changes in the c… (PO3.2 Technology Infrastructure Plan, CobiT, Version 4.1)
  • Ensure action and control owners in the same, or related, processes deliver and receive the necessary communication to execute their duties and take actions consistent with the decision-making criteria. (OCEG GRC Capability Model, v. 3.0, P3.2 Process Architecture, OCEG GRC Capability Model, v 3.0)
  • ensure that there is commitment to support the collective decision, to clearly record it and to act on it; (§ 6.8.3.2.1 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. (§ 6.8.3.2.1 ¶ 1 h), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • mapping an associated action plan. (§ 6.7.3.4 ¶ 2 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Crisis management decision process; (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 6 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the institution has processes within enterprise-wide risk management to assist IT management in making risk mitigation decisions, and determine which entities should be involved in the decision-making process. (App A Objective 12:1, FFIEC Information Technology Examination Handbook - Management, November 2015)