Authority Doc - Citation - Policy - Control Objective

Go to solution
dev_K
Tera Contributor

‎04-16-2024 05:37 AM

Hi all,

 

 

I the Authority Doc is a summary and reference to external legislation/regulation that breaks down into citations that are smaller parts, that describe in detail specific parts of the Authority Doc, The Policy is an adaptation of the regulation and breaks down into control objectives that answer the question what has to be done to comply with a policy? Is my understanding correct?

Any examples?

0 Helpfuls
  • 1,602 Views
1 ACCEPTED SOLUTION
5 REPLIES 5

Go to solution
Community Alums
Not applicable

‎04-16-2024 06:27 AM

Hi @dev_K ,

Policy is your internal Regulation and it does not breaks down to Control Objective.

The correct statement is that Policy is added to the control objective record or control objective records are added to a certain policy to be compliant.

 

So, let's consider you have a policy called  "Business Records and Media Management"

Now, to adhere and Compliant to this policy we need certain controls such as :

1. Establish and maintain records management policies used to manage organizational records.

2. Capture the records required by organizational compliance requirements.

etc..

Now you will need above two controls to be applied on your policy to be compliant.

 

in laymen language you need to follow the 2 controls such that your company will comply to the policy and be compliant.

 

Go to solution
dev_K
Tera Contributor
In response to Community Alums

‎04-16-2024 06:52 AM

Hi Sandeep,

 

 

Thanks for your explanation however, are you certain about the control objectives?

I followed the GRC training and it is clearly stated that control objectives are a breakdown of a policy:

dev_K_0-1713275480431.png

"just like the citation is a breakdown of the authority document, control objectives are breakdown of the policy"

 

And I feel like the link between them is not well explained, at least in this video.

 

Thanks in advance!

0 Helpfuls

Go to solution
Community Alums
Not applicable
In response to dev_K

‎04-17-2024 12:23 AM

Hi @dev_K ,

NOt really as i explained on my previous answer.

As you get control objectives for Citations too which you get from Authority Document coming from third party like UCF.

So that's a wrong statement that control objectives are breakdown of the policy.

 

Go to solution
Community Alums
Not applicable
In response to Community Alums

‎04-17-2024 11:33 PM

Hi @dev_K ,