Include criteria for setting priorities in the decision-making criteria.

Establish/Maintain Documentation


This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a decision management strategy., CC ID: 06913

There are no implementation support Controls.


  • Define criteria for selecting objectives and strategies, guidance on priorities, risk/reward trade-off (e.g., risk appetite, tolerance, thresholds, and capacity) and compliance. (OCEG GRC Capability Model, v. 3.0, A1.5 Define Decision-Making Criteria, OCEG GRC Capability Model, v 3.0)
  • When planning the approach, considerations include: - objectives and decisions that need to be made; - outcomes expected from the steps to be taken in the process; - time, location, specific inclusions and exclusions; - appropriate risk assessment tools and techniques; - resources required, responsi… (§ 6.3.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • identifying the advantages and disadvantages of each; (§ ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the method and criteria for decision making and prioritizing of the activities and resources to achieve its IT asset management plan(s) and IT asset management objectives; (Section 6.2.4 ¶ 4(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: (§ ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Healthcare facilities should prepare for large increases in the number of suspected cases of COVID-19. Staff should be familiar with the suspected COVID-19 case definition, and able to deliver the appropriate care pathway. Patients with, or at risk of, severe illness should be given priority over mi… (Pillar 7: Case management, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • CIOs and/or CISOs may form a C-SCRM oriented-body to provide in-depth analysis to inform the executive board's ERM council. The C-SCRM council serves as a forum for setting priorities and managing cybersecurity risk in the supply chain for the enterprise. The C-SCRM council or other C-SCRM-oriented … (2.3.2. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)