Security (Common Criteria)
CC1–CC9 are the common criteria: the controls that apply to every Trust Services Category and that a Security-only report is assessed against. They cover control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access, system operations, change management, and risk mitigation.
COSO Principle 1: Demonstrates commitment to integrity and ethical values.
COSO Principle 2: Board exercises oversight of internal control.
COSO Principle 3: Management establishes structures, reporting lines, authorities, and responsibilities.
COSO Principle 4: Demonstrates commitment to attract, develop, and retain competent individuals.
COSO Principle 5: Holds individuals accountable for internal control responsibilities.
Information requirements identified to support the functioning of internal control.
Internally communicates information necessary to support internal control.
Communicates with external parties regarding matters affecting internal control.
Specifies suitable objectives to enable identification and assessment of risk.
Identifies risks to the achievement of objectives and analyzes them as a basis for risk management.
Considers potential for fraud in assessing risks to objectives.
Identifies and assesses changes that could significantly impact the system of internal control.
Selects, develops, and performs ongoing/separate evaluations to ascertain whether components of internal control are present and functioning.
Evaluates and communicates internal control deficiencies to those responsible for taking corrective action.
Selects and develops control activities that contribute to the mitigation of risks.
Selects and develops general control activities over technology to support objectives.
Deploys control activities through policies and procedures.
Implements logical access security software, infrastructure, and architectures over protected information assets.
Authorizes, modifies, or removes access based on roles, responsibilities, or system design and changes.
Authorizes, modifies, or removes access to data, software, functions, and other protected information assets.
Restricts physical access to facilities and protected information assets.
Discontinues logical and physical protections over physical assets only after the ability to read or recover data has been diminished.
Implements logical access security measures to protect against threats from sources outside its system boundaries.
Restricts the transmission, movement, and removal of information to authorized internal/external users and processes.
Implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software.
Uses detection and monitoring procedures to identify changes to configurations that introduce new vulnerabilities.
Monitors system components and operation for anomalies indicative of malicious acts, natural disasters, and errors.
Evaluates security events to determine whether they could or have resulted in a failure to meet objectives.
Responds to identified security incidents by executing a defined incident response program.
Identifies, develops, and implements activities to recover from identified security incidents.
Authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures.
Identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
Assesses and manages risks associated with vendors and business partners.