graphgrc

SOC2 - CC3.4

COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control

Assesses Changes in the External Environment

The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates

Assesses Changes in the Business Model

The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies

Assesses Changes in Leadership

The entity considers changes in management and respective attitudes and philosophies on the system of internal control

Assess Changes in Systems and Technology

The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment

Assess Changes in Vendor and Business Partner Relationships

The risk identification process considers changes in vendor and business partner relationships.

Mapped SCF controls

• CHG-01 - Change Management Program
• CHG-02 - Configuration Change Control
• CHG-02.2 - Test, Validate & Document Changes
• CHG-02.3 - Cybersecurity & Data Privacy Representative for Asset Lifecycle Changes
• CHG-03 - Security Impact Analysis for Changes
• PRM-01 - Cybersecurity & Data Privacy Portfolio Management
• PRM-06 - Business Process Definition
• TPM-04.1 - Third-Party Risk Assessments & Approvals
• TPM-08 - Review of Third-Party Services
• TPM-10 - Managing Changes To Third-Party Services

This site is open source. Improve this page.