cc5-3 High priority Security / Control Activities

Controls are deployed through policies and procedures

Controls that exist only in someone's head or as informal practices are not reliable. This criterion requires that controls are codified in documented policies and operational procedures so that they can be followed consistently, trained on, and audited. A control that depends on one specific person knowing what to do is a single point of failure.

Complete first: cc5-1

Implementation steps

  1. Document operational procedures for key controls

     For each significant control, write a procedure that describes exactly how it is performed: who does it, when, what steps they follow, and what evidence they produce. Examples: access provisioning procedure (how to request and approve new access), patch management procedure (how vulnerabilities are triaged, patched, and verified), incident response procedure (how incidents are detected, contained, and documented).

     Tools: Confluence, Notion, Google Docs
  2. Review and update procedures at least annually

     Procedures that are never updated quickly become out of date and create gaps between what is documented and what is actually done. Review all security procedures at least annually, update them to reflect current practice, and record the review date.

     Tools: Confluence, Notion
  3. Ensure procedures are accessible and trained on

     Procedures that nobody can find, or does not know exist, cannot be followed. Publish all security procedures in a known location. Include references to key procedures in security training. For new hires in relevant roles, include a walkthrough of the applicable procedures in onboarding.

     Tools: Confluence, Notion, Rippling, Workday

Evidence required

Documented security procedures

Written operational procedures for key security controls.

  - Access provisioning and deprovisioning procedure
  - Incident response runbook
  - Patch management procedure
  - Backup and recovery procedure

Evidence of procedure review

Records showing procedures are reviewed and kept current.

  - Procedure document with last-reviewed date and reviewer
  - Change log showing annual procedure updates
  - Policy review completion record

Related controls