GRC-07: Information System Regulatory Mapping

Control Statement

Identify and document all relevant standards, regulations, legal/contractual, and statutory requirements that are applicable to your organization.

Implementation Guidance

Documentation should capture the requirements relevant to the organization and be updated regularly as the internal and external operating environments change. Communicate requirement changes to management and other affected personnel, and implement them promptly.

Auditing Guidance

  1. Confirm that policy and procedures include provisions to identify and document all relevant standards, regulations, legal/contractual, and statutory requirements.
  2. Establish that the organization maintains an inventory of CCM controls and that the relevant regulatory requirements are mapped to that inventory.
  3. Identify and examine any metrics and supporting evidence that provide assurance that the information system regulatory mapping is reviewed on a periodic basis and that any gaps in the mapping are appropriately actioned.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.