Include criteria for selecting objectives and strategies in the decision-making criteria.

Establish/Maintain Documentation


This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a decision management strategy., CC ID: 06913

There are no implementation support Controls.


  • Primarily, business-critical information and core processes should be determined and the corresponding applications, IT systems, networks and rooms should be identified. Here, the essential supporting processes and the mainly affected objects should be determined on the basis of the core processes o… (§ 3.2.1 Subsection 4 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In practice, brainstorming involving all employees involved has proven effective in identifying additional threats. Information security officers, specialists responsible, administrators and users of the target object under review as well as external experts, if appropriate, should be involved. The … (§ 4.2 ¶ 10, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • The management board shall define appropriate quantitative or qualitative criteria for managing those areas responsible for operations and for the further development of IT systems, and compliance with them shall be monitored. (II.2.7, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The purpose of the strategy management practice is to formulate the goals of the organization and adopt the courses of action and allocation of resources necessary for achieving those goals. Strategy management establishes the organization's direction, focuses effort, defines or clarifies the organi… (5.1.12 ¶ 1, ITIL Foundation, 4 Edition)
  • Define criteria for selecting objectives and strategies, guidance on priorities, risk/reward trade-off (e.g., risk appetite, tolerance, thresholds, and capacity) and compliance. (OCEG GRC Capability Model, v. 3.0, A1.5 Define Decision-Making Criteria, OCEG GRC Capability Model, v 3.0)
  • ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. (§ ¶ 1 h), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the method and criteria for decision making and prioritizing of the activities and resources to achieve its IT asset management plan(s) and IT asset management objectives; (Section 6.2.4 ¶ 4(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)