SOC2 - CC4.1

COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Considers a Mix of Ongoing and Separate Evaluations

Management includes a balance of ongoing and separate evaluations.

Considers Rate of Change

Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.

Establishes Baseline Understanding

The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.

Uses Knowledgeable Personnel

Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.

Integrates With Business Processes

Ongoing evaluations are built into the business processes and adjust to changing conditions.

Adjusts Scope and Frequency

Management varies the scope and frequency of separate evaluations depending on risk.

Objectively Evaluates

Separate evaluations are performed periodically to provide objective feedback.

Considers Different Types of Ongoing and Separate Evaluations

Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.

Mapped SCF controls