| 5 criteria | Integrity and ethics, board/owner oversight, org structure with defined authority, commitment to competence, and individual accountability: the COSO tone-at-the-top set. | Code of conduct, org chart, role descriptions, security accountability in reviews. | |
|---|
| 3 criteria | Quality information supports controls; objectives and responsibilities communicated internally; commitments and incidents communicated externally. | Policy portal with attestations, customer status page, security contact channel. | |
|---|
| 4 criteria | Specified objectives, risks identified and analyzed (including fraud), and changes that could impact controls assessed. | Annual risk assessment plus a living risk register with treatments. | |
|---|
| 2 criteria | Ongoing and/or separate evaluations of controls; deficiencies evaluated and communicated to those responsible for action. | Internal control reviews, the GRC dashboard, a tracked findings-to-fix loop. | |
|---|
| 3 criteria | Control activities selected and developed to mitigate risks, including over technology, and deployed through policies and procedures. | The documented control set itself, policies mapped to controls mapped to criteria. | |
|---|
| 8 criteria | The biggest series: identity and authentication, access provisioning and timely removal, least privilege, physical access, media disposal, boundary protection, and prevention of malicious software via access paths. | SSO + MFA, JML workflow, quarterly access reviews, encryption, device management. | |
|---|
| 5 criteria | Vulnerability detection and monitoring, anomaly detection, incident evaluation and response, and recovery from incidents, including disaster recovery. | Vulnerability scanning, EDR/SIEM with alerting, IR plan plus post-mortems, tested backups. | |
|---|
| 1 criterion | One criterion, big surface: infrastructure, data, and software changes are authorized, designed, developed, tested, approved, and implemented in a controlled way. | PR reviews and CI/CD gates for code; ticketed infra changes with approval trails. | |
|---|
| 2 criteria | Risk mitigation for business disruption (insurance, BCP) and management of vendor and business-partner risk. | Vendor register with diligence and their SOC 2s on file; cyber insurance; BCP. | |
|---|