Authority Doc - Citation - Policy - Control Objective

dev_K
Tera Contributor

Hi all,

I think the Authority Doc is a summary of and reference to external legislation/regulation that breaks down into citations, which are smaller parts that describe specific sections of the Authority Doc in detail. The Policy is an adaptation of the regulation and breaks down into control objectives that answer the question: what has to be done to comply with a policy? Is my understanding correct?

Any examples?

Community Alums
Not applicable

Hi @dev_K ,

Policy is your internal regulation, and it does not break down into Control Objectives.

The correct statement is that a Policy is added to the control objective record, or control objective records are added to a certain policy, to be compliant.

So, let's consider you have a policy called "Business Records and Media Management".

Now, to adhere to and be compliant with this policy, we need certain controls such as:

1. Establish and maintain records management policies used to manage organizational records.

2. Capture the records required by organizational compliance requirements.

etc.

Now you will need the above two controls to be applied to your policy to be compliant.

In layman's terms, you need to follow the two controls so that your company will comply with the policy and be compliant.

Hi Sandeep,

Thanks for your explanation; however, are you certain about the control objectives?

I followed the GRC training, and it is clearly stated that control objectives are a breakdown of a policy:

[attached screenshot from the GRC training video]

"Just like the citation is a breakdown of the authority document, control objectives are a breakdown of the policy."

And I feel like the link between them is not well explained, at least in this video.

Thanks in advance!

Community Alums
Not applicable

Hi @dev_K ,

Not really, as I explained in my previous answer.

You also get control objectives for Citations, which come from an Authority Document provided by a third party like UCF.

So it is a wrong statement that control objectives are a breakdown of the policy.

Community Alums
Not applicable

Hi @dev_K ,