
SOC 2

SOC 2 (System and Organization Controls 2) is a framework designed by the American Institute of Certified Public Accountants (AICPA) to manage and protect customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 compliance is crucial for service organizations to ensure that their systems are secure, reliable, and effective in protecting data from unauthorized access and vulnerabilities.

Controls:

The entity demonstrates a commitment to integrity and ethical values.

  • Demonstrates Commitment to Integrity and Ethical Values - CC1.1

    The entity demonstrates a commitment to integrity and ethical values (CC1.1).

  • Demonstrate Importance of Values - CC1.1.1

    Management's actions reinforce the established standards of conduct and ethical values (CC1.1.1).

  • Define Standards of Conduct - CC1.1.2

    A formal written Code of Conduct clearly defines expected behavior (CC1.1.2).

  • Evaluate Performance Against Standards - CC1.1.3

    The entity evaluates performance against the standards of conduct (CC1.1.3).

  • Remedy Deviations Timely and Consistently - CC1.1.4

    Deviations from standards are identified and remedied (CC1.1.4).

  • Individuals Adhere to Standards - CC1.1.5

    Individuals adhere to the standards of conduct (CC1.1.5).

  • Board Exercises Oversight - CC1.2

    The board demonstrates independence and exercises oversight (CC1.2).

  • Demonstrate Board Independence and Expertise - CC1.2.1

    The board is independent and includes members with requisite expertise (CC1.2.1).

  • Define and Carry Out Oversight Responsibilities - CC1.2.2

    Oversight responsibilities are defined and carried out (CC1.2.2).

  • Monitor the System of Internal Control - CC1.2.3

    The board monitors the operation of the system of internal control (CC1.2.3).

  • Engages in Oversight of External Auditor - CC1.2.4

    The board engages in oversight of the external auditor (CC1.2.4).

  • Establishes Structures and Authority - CC1.3

    Management establishes structures, reporting lines, authorities, and responsibilities (CC1.3).

  • Consider All Aspects of the Entity - CC1.3.1

    Management considers all aspects of the entity in establishing structures (CC1.3.1).

  • Define and Communicate Roles - CC1.3.2

    Defines and communicates roles, responsibilities, and authorities (CC1.3.2).

  • Limits Authority - CC1.3.3

    Limits the authority to manage system objectives to competent individuals (CC1.3.3).

  • Define Reporting Lines - CC1.3.4

    Defines and communicates reporting lines for control and security (CC1.3.4).

  • Authorize Transactions and Access - CC1.3.5

    Management and the board authorize transactions, procedures, and access (CC1.3.5).

  • Demonstrates Commitment to Competence - CC1.4

    The entity commits to attracting, developing, and retaining competent individuals (CC1.4).

  • Specifies Competence Levels - CC1.4.1

    Management specifies the competence levels for roles (CC1.4.1).

  • Translates Competence into Required Skills - CC1.4.2

    Translates required competence levels into knowledge and skills (CC1.4.2).

  • Acquires and Develops Personnel - CC1.4.3

    Acquires and develops individuals with the necessary knowledge and skills (CC1.4.3).

  • Provides Training - CC1.4.4

    Provides training and other resources to address competency needs (CC1.4.4).

  • Assesses Competence - CC1.4.5

    Assesses competence through formal evaluations (CC1.4.5).

  • Plans for Succession - CC1.4.6

    Plans for succession in the control environment (CC1.4.6).

  • Contracts for Outsourced Expertise - CC1.4.7

    Contracts for outsourced expertise to meet objectives (CC1.4.7).

  • Enforces Accountability - CC1.5

    The entity holds individuals accountable for internal control responsibilities (CC1.5).

  • Enforces Accountability Through Performance Measures - CC1.5.1

    Accountability is enforced through performance measures (CC1.5.1).

  • Evaluates Performance Against Controls - CC1.5.2

    Evaluates performance against controls (CC1.5.2).

  • Provides Incentives and Rewards - CC1.5.3

    Provides incentives and rewards for internal control performance (CC1.5.3).

  • Considers Pressure on Individuals - CC1.5.4

    Considers pressures on individuals to violate controls (CC1.5.4).

  • Considers Excessive Compensation - CC1.5.5

    Considers excessive compensation and inadequate consequences (CC1.5.5).

The entity obtains or generates and uses relevant, quality information to support the functioning of internal control; internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control; and communicates with external parties regarding matters affecting the functioning of internal control.

  • Communication and Information Principle - CC2

    The entity uses quality information and communicates internally and externally (CC2).

  • Uses Quality Information - CC2.1

    The entity obtains or generates and uses relevant, quality information (CC2.1).

  • Identifies Information Requirements - CC2.1.1

    Identifies information requirements for control (CC2.1.1).

  • Identifies Information Sources - CC2.1.2

    Identifies information sources (CC2.1.2).

  • Processes Relevant Data - CC2.1.3

    Processes relevant data into information (CC2.1.3).

  • Stores and Protects Information - CC2.1.4

    Stores and protects information (CC2.1.4).

  • Internally Communicates Information - CC2.2

    The entity internally communicates information and responsibilities (CC2.2).

  • Communicates Control Responsibilities - CC2.2.1

    Communicates control responsibilities to appropriate individuals (CC2.2.1).

  • Communicates Objectives - CC2.2.2

    Communicates objectives related to security and controls (CC2.2.2).

  • Communicates the System of Internal Control - CC2.2.3

    Communicates the entire system of internal control (CC2.2.3).

  • Selects Appropriate Communication Methods - CC2.2.4

    Selects appropriate internal communication methods (CC2.2.4).

  • Communicates Information Needs - CC2.2.5

    Communicates relevant information needs of the entity (CC2.2.5).

  • Establishes Communication Lines to the Board - CC2.2.6

    Establishes communication lines to the board (CC2.2.6).

  • Considers Information Needs of External Service Providers - CC2.2.7

    Considers information needs of external service providers (CC2.2.7).

  • Communicates Information Needs to External Service Providers - CC2.2.8

    Communicates information needs to external service providers (CC2.2.8).

  • Provides Information to External Service Providers - CC2.2.9

    Provides information to external service providers (CC2.2.9).

  • Communicates Accountability for System Use - CC2.2.10

    Communicates accountability for system use (CC2.2.10).

  • Communicates External Service Provider Activities - CC2.2.11

    Communicates external service provider activities (CC2.2.11).

  • Communicates with External Parties - CC2.3

    The entity communicates with external parties (CC2.3).

  • Communicates Relevant Control Information - CC2.3.1

    Communicates relevant control information to external parties (CC2.3.1).

  • Uses Appropriate External Communication Methods - CC2.3.2

    Uses external communication methods that are appropriate (CC2.3.2).

  • Communicates Relevant Information Needs - CC2.3.3

    Communicates relevant information needs to external parties (CC2.3.3).

  • Communicates Accountability to External Parties - CC2.3.4

    Communicates accountability for system use to external parties (CC2.3.4).

  • Communicates Relevant Security Responsibilities - CC2.3.5

    Communicates relevant security responsibilities to external parties (CC2.3.5).

  • Communicates Responsibilities of External Providers - CC2.3.6

    Communicates responsibilities of external providers (CC2.3.6).

  • Communicates Expectations for Confidentiality or Privacy - CC2.3.7

    Communicates expectations for confidentiality or privacy to external parties (CC2.3.7).

  • Communicates Expectations for Availability and Processing Integrity - CC2.3.8

    Communicates expectations for availability and processing integrity to external parties (CC2.3.8).

  • Communicates Control Deficiencies to External Parties - CC2.3.9

    Communicates information regarding control deficiencies to external parties (CC2.3.9).

  • Communicates Information Needed by External Parties - CC2.3.10

    Communicates information needed by external parties (CC2.3.10).

  • Communicates Information Needs to External Service Providers - CC2.3.11

    Communicates information needs to external service providers (CC2.3.11).

The entity identifies and analyzes risks to the achievement of its objectives to determine how the risks should be managed; the entity considers the potential for fraud; and the entity identifies and assesses changes that could significantly impact the system of internal control.

  • Risk Assessment Principle - CC3

    The entity identifies and analyzes risks, considers fraud, and assesses changes (CC3).

  • Identifies and Analyzes Risks - CC3.1

    The entity identifies and analyzes risks to objectives (CC3.1).

  • Considers the Impact of Risks - CC3.1.1

    Considers the impact of identified risks on objectives (CC3.1.1).

  • Considers the Risk of Data Compromise - CC3.1.2

    Considers the risk of data compromise (CC3.1.2).

  • Considers the Risk of Failure in Availability - CC3.1.3

    Considers the risk of failure in availability (CC3.1.3).

  • Considers the Risk of Erroneous Processing - CC3.1.4

    Considers the risk of erroneous processing (CC3.1.4).

  • Considers Risks from Technology Implementation - CC3.1.5

    Considers risks arising from technology implementation (CC3.1.5).

  • Considers Risks from the Use of Technology - CC3.1.6

    Considers risks arising from the use of technology (CC3.1.6).

  • Considers the Risk of Fraud - CC3.1.7

    Considers the risk of fraud (CC3.1.7).

  • Considers the Inherent Risk of Errors - CC3.1.8

    Considers the inherent risk of errors (CC3.1.8).

  • Considers Risk from Noncompliance - CC3.1.9

    Considers the risk from noncompliance with laws and external commitments (CC3.1.9).

  • Considers External and Internal Factors - CC3.1.10

    Considers external factors and internal factors (CC3.1.10).

  • Involves Relevant Personnel - CC3.1.11

    Involves relevant personnel (CC3.1.11).

  • Specifies How Risks Should Be Managed - CC3.1.12

    Specifies how risks should be managed (CC3.1.12).

  • Documents the Risk Assessment - CC3.1.13

    Documents the risk assessment (CC3.1.13).

  • Considers the Risk of Material Omission or Misstatement - CC3.1.14

    Considers the risk of material omission or misstatement (CC3.1.14).

  • Considers the Risk of Management Override - CC3.1.15

    Considers the risk of management override of controls (CC3.1.15).

  • Considers Risks Related to Processing Personal Data - CC3.1.16

    Considers risks that relate to the processing of personal data (CC3.1.16).

  • Considers Potential for Fraud - CC3.2

    The entity considers the potential for fraud (CC3.2).

  • Considers Incentives and Pressures - CC3.2.1

    Considers the incentives and pressures to commit fraud (CC3.2.1).

  • Considers Opportunities to Commit Fraud - CC3.2.2

    Considers opportunities to commit fraud (CC3.2.2).

  • Considers Attitudes and Rationalizations - CC3.2.3

    Considers attitudes and rationalizations that could justify fraud (CC3.2.3).

  • Considers Fraud in All Levels - CC3.2.4

    Considers fraud in all levels of the entity (CC3.2.4).

  • Considers the Risk of Management Override of Controls - CC3.2.5

    Considers the risk of management override of controls (CC3.2.5).

  • Considers the Impact of Fraud on Objectives - CC3.2.6

    Considers the impact of fraud on objectives (CC3.2.6).

  • Documents the Fraud Risk Assessment - CC3.2.7

    Documents the fraud risk assessment (CC3.2.7).

  • Considers Fraud Risk Related to External Service Providers - CC3.2.8

    Considers fraud risk related to external service providers (CC3.2.8).

  • Identifies and Assesses Changes - CC3.3

    The entity identifies and assesses changes that could significantly impact internal control (CC3.3).

  • Assesses Changes in the External Environment - CC3.3.1

    Assesses changes in the external environment (CC3.3.1).

  • Assesses Changes in the Business Model - CC3.3.2

    Assesses changes in the business model (CC3.3.2).

  • Assesses Changes in Leadership - CC3.3.3

    Assesses changes in leadership (CC3.3.3).

  • Assesses Changes in Technology - CC3.3.4

    Assesses changes in technology (CC3.3.4).

  • Considers the Significance of Changes - CC3.3.5

    Considers the significance of changes (CC3.3.5).

  • Identifies and Assesses Changes in Control Components - CC3.4

    The entity identifies and assesses changes in the control components (CC3.4).

  • Assesses Changes in the Control Environment - CC3.4.1

    Assesses changes in the control environment (CC3.4.1).

  • Assesses Changes in Risk Assessment - CC3.4.2

    Assesses changes in risk assessment (CC3.4.2).

  • Assesses Changes in Control Activities - CC3.4.3

    Assesses changes in control activities (CC3.4.3).

  • Assesses Changes in Information and Communication - CC3.4.4

    Assesses changes in information and communication (CC3.4.4).

  • Assesses Changes in Monitoring Activities - CC3.4.5

    Assesses changes in monitoring activities (CC3.4.5).

The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to an acceptable level; and the entity selects and develops general control activities over technology to support the achievement of objectives.

  • Control Activities Principle - CC4

    The entity selects and develops control activities and general technology controls (CC4).

  • Selects and Develops Control Activities - CC4.1

    The entity selects and develops control activities to mitigate risks (CC4.1).

  • Integrates Control Activities with Risk Assessment - CC4.1.1

    Integrates control activities with risk assessment (CC4.1.1).

  • Considers the Entity's Organizational Structure - CC4.1.2

    Considers the entity's organizational structure (CC4.1.2).

  • Considers the Segregation of Duties - CC4.1.3

    Considers the segregation of duties (CC4.1.3).

  • Determines the Appropriate Mix of Control Activity Types - CC4.1.4

    Determines the appropriate mix of control activity types (CC4.1.4).

  • Designs and Implements Controls over Outsourced Functions - CC4.1.5

    Designs and implements control activities over outsourced functions (CC4.1.5).

  • Designs and Implements Controls over Completeness and Accuracy - CC4.1.6

    Designs and implements control activities over completeness and accuracy (CC4.1.6).

  • Designs and Implements Controls to Restrict Access - CC4.1.7

    Designs and implements control activities to restrict access (CC4.1.7).

  • Designs and Implements Controls to Prevent and Detect Unauthorized Changes - CC4.1.8

    Designs and implements controls to prevent and detect unauthorized changes (CC4.1.8).

  • Selects and Develops General Control Activities over Technology - CC4.2

    The entity selects and develops general control activities over technology (CC4.2).

  • Establishes Technology Controls for General IT Processes - CC4.2.1

    Establishes technology controls for general IT processes (CC4.2.1).

  • Establishes Controls over the Infrastructure - CC4.2.2

    Establishes controls over the infrastructure (CC4.2.2).

  • Establishes Controls over Trust Services Categories - CC4.2.3

    Establishes controls over security, availability, processing integrity, confidentiality, and privacy objectives (CC4.2.3).

The entity selects and develops ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning; and the entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

  • Monitoring Activities Principle - CC5

    The entity selects and develops evaluations and communicates deficiencies (CC5).

  • Selects and Develops Evaluations - CC5.1

    The entity selects and develops ongoing and/or separate evaluations (CC5.1).

  • Considers the Results of Risk Assessments - CC5.1.1

    Considers the results of risk assessments (CC5.1.1).

  • Considers the Control Activities - CC5.1.2

    Considers the control activities (CC5.1.2).

  • Considers the Entity's Organizational Structure - CC5.1.3

    Considers the entity's organizational structure (CC5.1.3).

  • Considers the Use of Technology - CC5.1.4

    Considers the use of technology (CC5.1.4).

  • Considers the Effectiveness of the Control Environment - CC5.1.5

    Considers the effectiveness of the control environment (CC5.1.5).

  • Considers the Overall Effectiveness of Internal Control - CC5.1.6

    Considers the overall effectiveness of the system of internal control (CC5.1.6).

  • Develops Ongoing and/or Separate Evaluations - CC5.2

    The entity develops ongoing and/or separate evaluations (CC5.2).

  • Considers the Degree of Integration - CC5.2.1

    Considers the degree of integration of ongoing and separate evaluations (CC5.2.1).

  • Considers the Frequency and Extent of Separate Evaluations - CC5.2.2

    Considers the frequency and extent of separate evaluations (CC5.2.2).

  • Considers the Qualifications and Objectivity of Evaluators - CC5.2.3

    Considers the qualifications and objectivity of the evaluators (CC5.2.3).

  • Considers the Scope of Evaluations - CC5.2.4

    Considers the scope of ongoing and separate evaluations (CC5.2.4).

  • Evaluates and Communicates Deficiencies - CC5.3

    The entity evaluates and communicates internal control deficiencies (CC5.3).

  • Assesses Control Deficiencies - CC5.3.1

    Assesses control deficiencies (CC5.3.1).

  • Communicates Deficiencies for Corrective Action - CC5.3.2

    Communicates deficiencies to parties responsible for corrective action (CC5.3.2).

  • Communicates Deficiencies to Senior Management and Board - CC5.3.3

    Communicates deficiencies to senior management and the board of directors (CC5.3.3).

  • Communicates Deficiencies to External Parties - CC5.3.4

    Communicates deficiencies to external parties, as appropriate (CC5.3.4).

  • Monitors Corrective Action - CC5.3.5

    Monitors corrective action (CC5.3.5).

  • Considers the Impact of Deficiencies on Objectives - CC5.3.6

    Considers the impact of deficiencies on the system objectives (CC5.3.6).

The entity implements control activities related to security to meet the entity's objectives.

  • Security Control Activities - CC6

    The entity implements control activities related to security (CC6).

  • Logical Access Security - CC6.1

    Logical access security is implemented over protected information assets (CC6.1).

  • Restricts Logical Access to Authorized Users - CC6.1.1

    Restricts logical access to authorized users (CC6.1.1).

  • Establishes, Modifies, and Removes User Access - CC6.1.2

    Establishes, modifies, and removes user access (CC6.1.2).

  • Uses Authentication Methods - CC6.1.3

    Uses authentication methods (CC6.1.3).

  • Manages and Controls Privileged Access - CC6.1.4

    Manages and controls privileged access (CC6.1.4).

  • Implements Controls over Access to Data and Software - CC6.1.5

    Implements controls over access to data and software (CC6.1.5).

  • Reviews User Access Rights - CC6.1.6

    Reviews user access rights (CC6.1.6).

  • Segregates Duties and Controls Access - CC6.1.7

    Segregates duties and controls access to programs and data (CC6.1.7).

  • Restricts Physical Access to Assets - CC6.1.8

    Restricts physical access to assets (CC6.1.8).

  • Controls Physical Access to Facilities and Data Centers - CC6.1.9

    Controls physical access to facilities and data centers (CC6.1.9).

  • Monitors and Controls Physical Access - CC6.1.10

    Monitors and controls physical access (CC6.1.10).

  • Change Management - CC6.2

    Changes to infrastructure, data, software, and configuration are authorized, developed, tested, approved, and implemented (CC6.2).

  • Authorizes Changes - CC6.2.1

    Authorizes changes (CC6.2.1).

  • Develops and Tests Changes - CC6.2.2

    Develops and tests changes (CC6.2.2).

  • Approves and Implements Changes - CC6.2.3

    Approves and implements changes (CC6.2.3).

  • Risk Management Controls - CC6.3

    Controls are in place over the risk management process (CC6.3).

  • Identifies Risks - CC6.3.1

    Identifies risks (CC6.3.1).

  • Analyzes Risks - CC6.3.2

    Analyzes risks (CC6.3.2).

  • Responds to Risks - CC6.3.3

    Responds to risks (CC6.3.3).

  • Data Protection - CC6.4

    Data is protected during transmission and at rest (CC6.4).

  • Protects Data During Transmission - CC6.4.1

    Protects data during transmission (CC6.4.1).

  • Protects Data at Rest - CC6.4.2

    Protects data at rest (CC6.4.2).

  • Controls Data Backup and Recovery - CC6.4.3

    Controls data backup and recovery (CC6.4.3).

  • System Configuration and Maintenance - CC6.5

    System components are configured and maintained (CC6.5).

  • Configures System Components - CC6.5.1

    Configures system components (CC6.5.1).

  • Maintains System Components - CC6.5.2

    Maintains system components (CC6.5.2).

  • Threat Prevention, Detection, and Response - CC6.6

    Processes are in place to prevent, detect, and respond to threats (CC6.6).

  • Prevents Threats - CC6.6.1

    Prevents threats (CC6.6.1).

  • Detects Threats - CC6.6.2

    Detects threats (CC6.6.2).

  • Responds to Threats - CC6.6.3

    Responds to threats (CC6.6.3).

  • Manages Vulnerabilities - CC6.6.4

    Manages vulnerabilities (CC6.6.4).

  • Security Event Management - CC6.7

    Controls are in place to identify and respond to security events (CC6.7).

  • Identifies Security Events - CC6.7.1

    Identifies security events (CC6.7.1).

  • Analyzes Security Events - CC6.7.2

    Analyzes security events (CC6.7.2).

  • Responds to Security Events - CC6.7.3

    Responds to security events (CC6.7.3).

  • Communicates Security Events - CC6.7.4

    Communicates security events (CC6.7.4).

  • Network and Device Controls - CC6.8

    Controls are in place over the entity's network and computing devices (CC6.8).

  • Controls Network Security - CC6.8.1

    Controls network security (CC6.8.1).

  • Controls Endpoint Security - CC6.8.2

    Controls endpoint security (CC6.8.2).

  • Controls Mobile Device Security - CC6.8.3

    Controls mobile device security (CC6.8.3).

  • Controls Configuration Management - CC6.8.4

    Controls configuration management (CC6.8.4).

  • Controls Patch Management - CC6.8.5

    Controls patch management (CC6.8.5).

The entity implements control activities related to availability to meet the entity's objectives.

  • Availability Control Activities - CC7

    The entity implements control activities related to availability (CC7).

  • Infrastructure and Software Maintenance - CC7.1

    The entity maintains, monitors, and evaluates infrastructure and software (CC7.1).

  • Maintains Infrastructure - CC7.1.1

    Maintains infrastructure (CC7.1.1).

  • Monitors Infrastructure - CC7.1.2

    Monitors infrastructure (CC7.1.2).

  • Evaluates Infrastructure - CC7.1.3

    Evaluates infrastructure (CC7.1.3).

  • Maintains Software - CC7.1.4

    Maintains software (CC7.1.4).

  • Monitors and Evaluates Software - CC7.1.5

    Monitors and evaluates software (CC7.1.5).

  • Disaster Recovery Planning - CC7.2

    The entity develops and maintains a disaster recovery plan (CC7.2).

  • Develops the Disaster Recovery Plan - CC7.2.1

    Develops the disaster recovery plan (CC7.2.1).

  • Maintains the Disaster Recovery Plan - CC7.2.2

    Maintains the disaster recovery plan (CC7.2.2).

  • Tests the Disaster Recovery Plan - CC7.2.3

    Tests the disaster recovery plan (CC7.2.3).

  • Updates the Disaster Recovery Plan - CC7.2.4

    Updates the disaster recovery plan (CC7.2.4).

  • Physical Access Controls - CC7.3

    The entity provides controls to restrict access to physical assets (CC7.3).

  • Restricts Physical Access to Assets - CC7.3.1

    Restricts physical access to assets (CC7.3.1).

  • Controls Physical Access to Facilities and Data Centers - CC7.3.2

    Controls physical access to facilities and data centers (CC7.3.2).

  • Monitors and Controls Physical Access - CC7.3.3

    Monitors and controls physical access (CC7.3.3).

  • Controls Environmental Factors - CC7.3.4

    Controls environmental factors (CC7.3.4).

  • Controls Power Protection - CC7.3.5

    Controls power protection (CC7.3.5).

  • Availability Risk Assessment - CC7.4

    The entity identifies and assesses risks to availability (CC7.4).

  • Identifies Risks to Availability - CC7.4.1

    Identifies risks to availability (CC7.4.1).

  • Assesses Risks to Availability - CC7.4.2

    Assesses risks to availability (CC7.4.2).

  • Considers Risks Related to System Components - CC7.4.3

    Considers risks related to system components (CC7.4.3).

  • Considers Risks Related to the Use of Technology - CC7.4.4

    Considers risks related to the use of technology (CC7.4.4).

  • Considers Risks Related to the Physical Environment - CC7.4.5

    Considers risks related to the physical environment (CC7.4.5).

  • Considers Risks Related to Personnel - CC7.4.6

    Considers risks related to personnel (CC7.4.6).

  • Considers Risks Related to External Service Providers - CC7.4.7

    Considers risks related to external service providers (CC7.4.7).

  • Considers the Risk of Data Compromise - CC7.4.8

    Considers the risk of data compromise (CC7.4.8).

  • Considers the Risk of Failure in Availability - CC7.4.9

    Considers the risk of failure in availability (CC7.4.9).

  • Considers the Risk of Erroneous Processing - CC7.4.10

    Considers the risk of erroneous processing (CC7.4.10).

  • Considers the Risk of Noncompliance - CC7.4.11

    Considers the risk of noncompliance (CC7.4.11).

  • Considers the Impact of Risks on Objectives - CC7.4.12

    Considers the impact of risks on objectives (CC7.4.12).

  • Specifies How Risks Should Be Managed - CC7.4.13

    Specifies how risks should be managed (CC7.4.13).

  • Business Continuity Planning - CC7.5

    The entity develops and maintains a business continuity plan (CC7.5).

  • Develops the Business Continuity Plan - CC7.5.1

    Develops the business continuity plan (CC7.5.1).

  • Maintains the Business Continuity Plan - CC7.5.2

    Maintains the business continuity plan (CC7.5.2).

  • Tests the Business Continuity Plan - CC7.5.3

    Tests the business continuity plan (CC7.5.3).

  • Updates the Business Continuity Plan - CC7.5.4

    Updates the business continuity plan (CC7.5.4).

  • Communicates the Business Continuity Plan - CC7.5.5

    Communicates the business continuity plan (CC7.5.5).

  • Controls Business Continuity for External Service Providers - CC7.5.6

    Controls business continuity for external service providers (CC7.5.6).

The entity implements control activities related to processing integrity to meet the entity's objectives.

  • Processing Integrity Control Activities - CC8

    The entity implements control activities related to processing integrity (CC8).

  • Processing Controls - CC8.1

    The entity designs and implements controls over accuracy, completeness, and authorization of processing (CC8.1).

  • Controls over Accuracy - CC8.1.1

    Designs and implements controls over processing for accuracy (CC8.1.1).

  • Controls over Completeness - CC8.1.2

    Designs and implements controls over processing for completeness (CC8.1.2).

  • Controls over Authorization - CC8.1.3

    Designs and implements controls over processing for authorization (CC8.1.3).

  • Establishes Input Validation Controls - CC8.1.4

    Establishes input validation controls (CC8.1.4).

  • Establishes Controls over Output Processing - CC8.1.5

    Establishes controls over output processing (CC8.1.5).

  • Establishes Controls over Data Integrity - CC8.1.6

    Establishes controls over data integrity (CC8.1.6).

  • Establishes Controls over Data Retention and Destruction - CC8.1.7

    Establishes controls over data retention and destruction (CC8.1.7).

  • Establishes Controls over Interfaces and Data Conversion - CC8.1.8

    Establishes controls over interfaces and data conversion (CC8.1.8).

  • Establishes Controls over System Processing - CC8.1.9

    Establishes controls over system processing (CC8.1.9).

  • Establishes Controls over Manual Processing - CC8.1.10

    Establishes controls over manual processing (CC8.1.10).

  • Designs and Implements Controls to Restrict Access - CC8.1.11

    Designs and implements controls to restrict access (CC8.1.11).

  • Establishes Controls over Configuration Integrity - CC8.1.12

    Establishes controls over the integrity of configuration settings (CC8.1.12).

  • Establishes Controls over Data Entry - CC8.1.13

    Establishes controls over data entry (CC8.1.13).

  • Establishes Controls over Data Conversion and Migration - CC8.1.14

    Establishes controls over data conversion and migration (CC8.1.14).

  • Establishes Controls over Interfaces - CC8.1.15

    Establishes controls over interfaces (CC8.1.15).

The entity implements control activities related to confidentiality to meet the entity's objectives.

  • Confidentiality Control Activities - CC9

    The entity implements control activities related to confidentiality (CC9).

  • Identifies and Protects Confidential Information - CC9.1

    The entity identifies and protects confidential information (CC9.1).

  • Identifies Confidential Information - CC9.1.1

    Identifies confidential information (CC9.1.1).

  • Protects Confidential Information - CC9.1.2

    Protects confidential information (CC9.1.2).

  • Confidentiality Commitments and Requirements - CC9.2

    The entity implements controls to meet confidentiality commitments and requirements (CC9.2).

  • Restricts Access to Confidential Information - CC9.2.1

    Restricts access to confidential information (CC9.2.1).

  • Protects Confidential Information During Transmission - CC9.2.2

    Protects confidential information during transmission (CC9.2.2).

  • Protects Confidential Information At Rest - CC9.2.3

    Protects confidential information at rest (CC9.2.3).

  • Controls the Use of Confidential Information - CC9.2.4

    Controls the use of confidential information (CC9.2.4).

  • Controls Removal of Confidential Information - CC9.2.5

    Controls the removal of confidential information from the entity's custody (CC9.2.5).

  • Controls the Destruction of Confidential Information - CC9.2.6

    Controls the destruction of confidential information (CC9.2.6).

  • Controls the Disclosure of Confidential Information - CC9.2.7

    Controls the disclosure of confidential information (CC9.2.7).

  • Communicates Confidentiality Commitments and Requirements - CC9.2.8

    Communicates confidentiality commitments and requirements (CC9.2.8).

  • Monitors Compliance with Confidentiality Commitments - CC9.2.9

    Monitors compliance with confidentiality commitments (CC9.2.9).

  • Responds to Breaches of Confidentiality - CC9.2.10

    Responds to breaches of confidentiality (CC9.2.10).

  • Considers Risks to Confidentiality - CC9.2.11

    Considers risks to confidentiality (CC9.2.11).

  • Implements Controls for Disposal of Confidential Information - CC9.2.12

    Implements controls for the disposal of confidential information (CC9.2.12).

The entity manages the risks associated with assets.

  • Asset Management Principle - A0

    The entity manages the risks associated with assets (A0).

  • User Entity Logical Access - A1.1

    User entity implements logical access security to restrict access (A1.1).

  • User Entity Restricts Logical Access - A1.1.1

    User entity restricts logical access (A1.1.1).

  • User Entity Establishes, Modifies, and Removes User Access - A1.1.2

    User entity establishes, modifies, and removes user access (A1.1.2).

  • User Entity Uses Authentication Methods - A1.1.3

    User entity uses authentication methods (A1.1.3).

  • User Entity Physical Access - A1.2

    User entity implements physical access security to restrict access (A1.2).

  • User Entity Restricts Physical Access to Assets - A1.2.1

    User entity restricts physical access to assets (A1.2.1).

  • User Entity Controls Physical Access to Facilities and Data Centers - A1.2.2

    User entity controls physical access to facilities and data centers (A1.2.2).

  • User Entity Monitors and Controls Physical Access - A1.2.3

    User entity monitors and controls physical access (A1.2.3).

  • User Entity Controls Environmental Factors - A1.2.4

    User entity controls environmental factors (A1.2.4).

  • User Entity Controls Power Protection - A1.2.5

    User entity controls power protection (A1.2.5).

  • User Entity Controls Physical Access to Workstations and Mobile Devices - A1.2.6

    User entity controls physical access to workstations and mobile devices (A1.2.6).

  • User Entity Controls Access to Physical Assets Not in Data Centers - A1.2.7

    User entity controls access to physical assets not in data centers (A1.2.7).

  • User Entity Controls Physical Media Storage - A1.2.8

    User entity controls physical media storage (A1.2.8).

  • User Entity Controls Physical Media Transfer - A1.2.9

    User entity controls physical media transfer (A1.2.9).

  • User Entity Controls Physical Media Disposal - A1.2.10

    User entity controls physical media disposal (A1.2.10).

  • User Entity Controls Software and Data Updates - A1.3

    User entity controls software and data updates (A1.3).

  • User Entity Controls Software Updates - A1.3.1

    User entity controls software updates (A1.3.1).

  • User Entity Controls Data Updates - A1.3.2

    User entity controls data updates (A1.3.2).

  • Data Flows and Data Access Principle - C0

    The entity controls data flows and data access (C0).

  • User Entity Protects Confidential Information During Transmission - C1.1

    User entity protects confidential information during transmission (C1.1).

  • User Entity Uses Encryption for Data in Transit - C1.1.1

    User entity uses encryption for data in transit (C1.1.1).

  • User Entity Controls External Media - C1.1.2

    User entity controls external media (C1.1.2).

  • User Entity Protects Confidential Information At Rest - C1.2

    User entity protects confidential information at rest (C1.2).

  • User Entity Uses Encryption for Data At Rest - C1.2.1

    User entity uses encryption for data at rest (C1.2.1).

  • User Entity Controls Access to Cryptographic Keys - C1.2.2

    User entity controls access to cryptographic keys (C1.2.2).

  • Processing Integrity Control Activities - PI1

    The entity implements control activities related to processing integrity (PI1).

  • User Entity Data Processing Accuracy and Completeness - PI1.1

    User entity ensures data is accurately and completely processed (PI1.1).

  • User Entity Reviews and Reconciles Data - PI1.1.1

    User entity reviews and reconciles data (PI1.1.1).

  • User Entity Performs Periodic Testing of Process Controls - PI1.1.2

    User entity performs periodic testing of process controls (PI1.1.2).

  • User Entity Processing Authorization - PI1.2

    User entity ensures the authorization of processing (PI1.2).

  • User Entity Approves and Authorizes Transactions - PI1.2.1

    User entity approves and authorizes transactions (PI1.2.1).

  • User Entity Defines and Communicates Authorization Levels - PI1.2.2

    User entity defines and communicates authorization levels (PI1.2.2).

  • User Entity Implements Controls over Authorization - PI1.2.3

    User entity implements controls over authorization (PI1.2.3).

  • User Entity Data Completeness and Accuracy - PI1.3

    User entity ensures the completeness and accuracy of data (PI1.3).

  • User Entity Monitors Data Completeness - PI1.3.1

    User entity monitors data completeness (PI1.3.1).

  • User Entity Monitors Data Accuracy - PI1.3.2

    User entity monitors data accuracy (PI1.3.2).

  • User Entity Reconciles Data - PI1.3.3

    User entity reconciles data (PI1.3.3).

  • User Entity Validates Data Integrity - PI1.3.4

    User entity validates data integrity (PI1.3.4).

  • User Entity Manages Data Retention and Disposal - PI1.3.5

    User entity manages data retention and disposal (PI1.3.5).

  • User Entity Input Processing Controls - PI1.4

    User entity implements controls over input processing (PI1.4).

  • User Entity Establishes Input Validation Controls - PI1.4.1

    User entity establishes input validation controls (PI1.4.1).

  • User Entity Monitors Input Data - PI1.4.2

    User entity monitors input data (PI1.4.2).

  • User Entity Controls Data Entry - PI1.4.3

    User entity controls data entry (PI1.4.3).

  • User Entity Controls Data Conversion and Migration - PI1.4.4

    User entity controls data conversion and migration (PI1.4.4).

  • User Entity Output Processing Controls - PI1.5

    User entity implements controls over output processing (PI1.5).

  • User Entity Controls Output Processing - PI1.5.1

    User entity controls output processing (PI1.5.1).

  • User Entity Reviews and Validates Output - PI1.5.2

    User entity reviews and validates output (PI1.5.2).

  • User Entity Controls the Distribution of Output - PI1.5.3

    User entity controls the distribution of output (PI1.5.3).

  • User Entity Controls the Retention and Disposal of Output - PI1.5.4

    User entity controls the retention and disposal of output (PI1.5.4).

The entity implements control activities related to privacy to meet the entity's objectives.

  • Privacy Control Activities - P0

    The entity implements control activities related to privacy (P0).

  • Privacy Risk Management - P1.1

    The entity identifies and manages privacy risks (P1.1).

  • Identifies Risks Related to Privacy - P1.1.1

    Identifies risks related to privacy (P1.1.1).

  • Assesses Risks Related to Privacy - P1.1.2

    Assesses risks related to privacy (P1.1.2).

  • Considers the Impact of Risks on Privacy Objectives - P1.1.3

    Considers the impact of risks on privacy objectives (P1.1.3).

  • Specifies How Privacy Risks Should Be Managed - P1.1.4

    Specifies how privacy risks should be managed (P1.1.4).

  • Personal Data Collection - P2.1

    The entity collects personal data in accordance with its privacy commitments (P2.1).

  • Collects Personal Data in Accordance with Commitments - P2.1.1

    Collects personal data in accordance with commitments (P2.1.1).

  • Obtains Consent for Collection - P2.1.2

    Obtains consent for collection (P2.1.2).

  • Collects Minimum Necessary Data - P2.1.3

    Collects minimum necessary data (P2.1.3).

  • Provides Notice About Collection - P2.1.4

    Provides notice about collection (P2.1.4).

  • Controls Data Entry - P2.1.5

    Controls data entry (P2.1.5).

  • Controls Data Conversion and Migration - P2.1.6

    Controls data conversion and migration (P2.1.6).

  • Personal Data Use, Retention, and Disposal - P3.1

    The entity uses, retains, and disposes of personal data in accordance with its privacy commitments (P3.1).

  • Uses Personal Data in Accordance with Commitments - P3.1.1

    Uses personal data in accordance with commitments (P3.1.1).

  • Retains Personal Data in Accordance with Commitments - P3.1.2

    Retains personal data in accordance with commitments (P3.1.2).

  • Disposes of Personal Data in Accordance with Commitments - P3.1.3

    Disposes of personal data in accordance with commitments (P3.1.3).

  • Controls Data Destruction - P3.1.4

    Controls data destruction (P3.1.4).

  • Data Quality - P3.2

    The entity ensures data quality to meet privacy commitments (P3.2).

  • Ensures Data Quality for Intended Use - P3.2.1

    Ensures data quality for its intended use (P3.2.1).

  • Implements Controls over Data Accuracy and Completeness - P3.2.2

    Implements controls over data accuracy and completeness (P3.2.2).

  • Personal Data Disclosure - P4.1

    The entity discloses personal data in accordance with its privacy commitments (P4.1).

  • Discloses Personal Data in Accordance with Commitments - P4.1.1

    Discloses personal data in accordance with commitments (P4.1.1).

  • Notice of Privacy Practices - P4.2

    The entity provides notice of its privacy practices (P4.2).

  • Provides Notice of Privacy Practices - P4.2.1

    Provides notice of privacy practices (P4.2.1).

  • Updates and Revises Privacy Notice - P4.2.2

    Updates and revises privacy notice (P4.2.2).

  • Choice Regarding Personal Data - P4.3

    The entity provides choices regarding the collection, use, and disclosure of personal data (P4.3).

  • Provides Choices Regarding Collection - P4.3.1

    Provides choices regarding collection (P4.3.1).

  • Provides Choices Regarding Use - P4.3.2

    Provides choices regarding use (P4.3.2).

  • Provides Choices Regarding Disclosure - P4.3.3

    Provides choices regarding disclosure (P4.3.3).

  • Data Subject Access - P5.1

    The entity provides data subjects with access to their personal data (P5.1).

  • Provides Access to Personal Data - P5.1.1

    Provides access to personal data (P5.1.1).

  • Allows for Correction and Amendment - P5.1.2

    Allows for correction and amendment (P5.1.2).

  • Provides Notice of Access and Correction Policies - P5.1.3

    Provides notice of access and correction policies (P5.1.3).

  • Establishes Controls over Access and Correction Requests - P5.1.4

    Establishes controls over access and correction requests (P5.1.4).

  • Privacy Compliance Monitoring - P5.2

    The entity monitors privacy compliance (P5.2).

  • Monitors Privacy Compliance - P5.2.1

    Monitors privacy compliance (P5.2.1).

  • Assesses and Addresses Privacy Deficiencies - P5.2.2

    Assesses and addresses privacy deficiencies (P5.2.2).

  • Communicates Privacy Deficiencies - P5.2.3

    Communicates privacy deficiencies (P5.2.3).

  • Security Controls over Personal Data - P6.1

    The entity implements control activities related to security over personal data (P6.1).

  • Controls Logical Access to Personal Data - P6.1.1

    Controls logical access to personal data (P6.1.1).

  • Controls Physical Access to Personal Data - P6.1.2

    Controls physical access to personal data (P6.1.2).

  • Controls Data At Rest and In Transit - P6.1.3

    Controls data at rest and in transit (P6.1.3).

  • Controls System Configuration and Maintenance - P6.1.4

    Controls system configuration and maintenance (P6.1.4).

  • Availability Controls over Personal Data - P6.2

    The entity implements control activities related to availability over personal data (P6.2).

  • Maintains, Monitors, and Evaluates Infrastructure and Software - P6.2.1

    Maintains, monitors, and evaluates infrastructure and software (P6.2.1).

  • Processing Integrity Controls over Personal Data - P6.3

    The entity implements control activities related to processing integrity over personal data (P6.3).

  • Controls Accuracy, Completeness, and Authorization of Processing - P6.3.1

    Controls accuracy, completeness, and authorization of processing (P6.3.1).

  • Confidentiality Controls over Personal Data - P6.4

    The entity implements control activities related to confidentiality over personal data (P6.4).

  • Identifies and Protects Personal Data - P6.4.1

    Identifies and protects personal data (P6.4.1).

  • Controls Access, Use, and Removal of Personal Data - P6.4.2

    Controls access, use, and removal of personal data (P6.4.2).

  • Notice and Choice Controls - P6.5

    The entity implements control activities related to privacy notice and choice (P6.5).

  • Provides Notice of Privacy Practices - P6.5.1

    Provides notice of privacy practices (P6.5.1).

  • Provides Choices Regarding Personal Data - P6.5.2

    Provides choices regarding personal data (P6.5.2).

  • Access and Correction Controls - P6.6

    The entity implements control activities related to personal data access and correction (P6.6).

  • Provides Access to Personal Data - P6.6.1

    Provides access to personal data (P6.6.1).

  • Allows for Correction and Amendment - P6.6.2

    Allows for correction and amendment (P6.6.2).

  • Provides Notice of Access and Correction Policies - P6.6.3

    Provides notice of access and correction policies (P6.6.3).

  • Establishes Controls over Access and Correction Requests - P6.6.4

    Establishes controls over access and correction requests (P6.6.4).

  • Monitoring and Enforcement Controls - P6.7

    The entity implements control activities related to monitoring and enforcement (P6.7).

  • Monitors Privacy Compliance - P6.7.1

    Monitors privacy compliance (P6.7.1).

  • Assesses and Addresses Privacy Deficiencies - P6.7.2

    Assesses and addresses privacy deficiencies (P6.7.2).

  • External Service Provider Privacy Risk Management - P7.1

    The entity identifies and manages privacy risks related to external service providers (P7.1).

  • Identifies and Assesses Privacy Risks Related to External Service Providers - P7.1.1

    Identifies and assesses privacy risks related to external service providers (P7.1.1).

  • Specifies Privacy Requirements for External Service Providers - P7.1.2

    Specifies privacy requirements for external service providers (P7.1.2).

  • External Service Provider Privacy Monitoring - P8.1

    The entity monitors privacy compliance by external service providers (P8.1).

  • Monitors Privacy Compliance by External Service Providers - P8.1.1

    Monitors privacy compliance by external service providers (P8.1.1).

  • Assesses and Addresses Privacy Deficiencies by External Service Providers - P8.1.2

    Assesses and addresses privacy deficiencies by external service providers (P8.1.2).

  • Communicates Privacy Deficiencies to External Service Providers - P8.1.3

    Communicates privacy deficiencies to external service providers (P8.1.3).

  • Communicates Privacy Deficiencies to Senior Management and the Board - P8.1.4

    Communicates privacy deficiencies to senior management and the board (P8.1.4).

  • Monitors Corrective Action by External Service Providers - P8.1.5

    Monitors corrective action by external service providers (P8.1.5).

  • Considers the Impact of Deficiencies on Privacy Objectives - P8.1.6

    Considers the impact of deficiencies on privacy objectives (P8.1.6).