Policies vs Standards - Are we supposed to check the compliance of standards?
10-02-2024 12:39 AM
I have a doubt to be cleared from the GRC community.
Usually, we draft the policies and every policy statement in the policy are created as control objectives under the policy. Similarly, Standards, Procedures, Operational Manuals also can be created in the same 'Policy' screen.
1. Do we need to create every statement in the standards, procedures or operational manuals as control objectives?
2. Are we supposed to check the compliance of standards, procedures and operational manuals? Isn't the compliance score only for Policies?
10-02-2024 10:27 PM
Hi @ShafrazMubarak,
It's a great question!! Appreciate it.
You will have Control Objectives for all those standards, procedures and operational manuals and relate these Control Objectives to policies; in a policy record, scroll down to the related list:
Then run control attestations and create indicators for the same.
Now, for your last question, "Isn't the compliance score only for Policies?"
So, the compliance score calculated on those controls for a respective standard, procedure or operational manual will be rolled up and will show on the Policy record:
10-05-2024 11:02 PM - edited 10-05-2024 11:06 PM
Let's say we have a policy talking about 'IT Service Recovery and Continuity' (policy type = policy) and it has a control objective as 'BIA and Risk Assessment: Cybersecurity Department shall provide cybersecurity risks and IT DRT shall provide all other technology related risks, in accordance with procedure IT-XXX-XX Business Impact Analysis'.
In this control objective, they are referring to a procedure.
Now, we need to create this procedure 'IT-XXX-XX Business Impact Analysis' as a policy record (policy type = procedure) in the system.
Now, do we need to cross-map the control objective to this procedure record in addition to its parent policy?
In that case, whenever the control objective's compliance score is updated, will the procedure's compliance score also be updated?
I once read somewhere that we should check the compliance score of policies only (type = policy) and that standards, manuals and procedures are not supposed to be checked for compliance (policy type <> policy). I cannot recall where this is mentioned and therefore I need to check with you whether this statement is correct.
10-08-2024 12:33 AM
I don't think that is strictly correct.
The 'type' field on the policy table has no material impact on the compliance score %.
A control objective will determine its compliance % from its underlying controls, and child control objectives - which take their compliance % from their underlying controls and child control objectives.
Policy to Control Objective relationship is M2M - so the same control objective will influence the % of any policy to which it is related, regardless of type.
Policy will determine its compliance % from its associated control objectives and child policies (again, regardless of type).
The question for you is:
- what do you want to achieve?
And, as @Mehernosh Amrol says - how granular do you want to get?
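To make the roll-up rule in this reply concrete, here is an added Python model (not ServiceNow code and not from any poster): it assumes a simple unweighted average at each level, which is an assumption for illustration only, and uses constructed sample records to show that one control objective shared M2M by a policy and a procedure drives both scores regardless of the type field.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Control:
    name: str
    compliant: bool


@dataclass
class ControlObjective:
    name: str
    controls: list = field(default_factory=list)
    children: list = field(default_factory=list)

    def compliance_pct(self) -> float:
        # Assumed rule: a control objective averages its controls (100 or 0)
        # and the percentages of its child control objectives.
        parts = [100.0 if c.compliant else 0.0 for c in self.controls]
        parts += [child.compliance_pct() for child in self.children]
        return mean(parts) if parts else 0.0


@dataclass
class Policy:
    name: str
    policy_type: str  # 'policy', 'standard', 'procedure'... never read by the score
    objectives: list = field(default_factory=list)
    children: list = field(default_factory=list)

    def compliance_pct(self) -> float:
        # Assumed rule: a policy averages its related control objectives
        # and its child policies; policy_type plays no part.
        parts = [o.compliance_pct() for o in self.objectives]
        parts += [child.compliance_pct() for child in self.children]
        return mean(parts) if parts else 0.0


def build_example():
    """Constructed sample: one control objective related to both a policy
    (type = policy) and a procedure record (type = procedure)."""
    bia = ControlObjective("BIA and Risk Assessment", controls=[
        Control("BIA performed annually", True),
        Control("Risk register reviewed this quarter", False),
    ])
    policy = Policy("IT Service Recovery and Continuity", "policy", objectives=[bia])
    procedure = Policy("IT-XXX-XX Business Impact Analysis", "procedure", objectives=[bia])
    return policy, procedure
```

Changing the one failing control flips both records' scores together, which is the M2M behaviour described above.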
10-14-2024 10:04 PM
Thanks for the clarification @Phil Swann and @Mehernosh Amrol
I think in our case they will stop at checking the compliance at the policy level, with no need to get granular into the associated standards, procedures and operating manuals.