Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements and manage and operate adequate controls to ensure that information and information processing satisfy these requirements.
Maintain information integrity and the security of information assets handled within business processes in the enterprise or outsourced.
  • Operation and use plan
  • Migration plan
  • Assigned responsibilities for resource management
  • QMS roles, responsibilities and decision rights
  • ISMS scope statement
  • Access logs
  • Results of processing effectiveness reviews
  • Root cause analyses and recommendations
  • Processing control reports
  • Allocated roles and responsibilities
  • Allocated levels of authority
  • Allocated access rights
  • Evidence of error correction and remediation
  • Error reports and root cause analysis
  • Retention requirements
  • Record of transactions
  • Reports of violations
  • Data integrity procedures
  • Data classification guidelines

Task Instructions:

Align Control Activities Embedded in Business Processes with Enterprise Objectives

    1. Identify and document control activities of key business processes to satisfy control requirements for strategic, operational, reporting, and compliance objectives.
    2. Prioritize control activities based on the inherent risk to the business and identify key controls.
    3. Ensure ownership of key control activities.
    4. Continually monitor control activities on an end-to-end basis to identify opportunities for improvement.
    5. Continually improve the design and operation of business process controls.

Control the Processing of Information

    1. Create transactions by authorized individuals following established procedures, including, where appropriate, adequate segregation of duties regarding the origination and approval of these transactions.

    2. Authenticate the originator of transactions and verify that he/she has the authority to originate the transaction.

    3. Input transactions in a timely manner. Verify that transactions are accurate, complete, and valid. Validate input data and edit or, where applicable, send back for correction as close to the point of origination as possible.

    4. Correct and resubmit data that were entered erroneously without compromising the original transaction authorization levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.

    5. Maintain the integrity and validity of data throughout the processing cycle. Ensure that the detection of erroneous transactions does not disrupt the processing of valid transactions.

    6. Maintain the integrity of data during unexpected interruptions in business processing and confirm data integrity after processing failures.

    7. Handle output in an authorized manner, deliver to the appropriate recipient, and protect the information during transmission. Verify the accuracy and completeness of the output.

    8. Before passing transaction data between internal applications and business/operational functions (inside or outside the enterprise), check for proper addressing, authenticity of origin, and integrity of content. Maintain authenticity and integrity during transmission or transport.

Manage Roles, Responsibilities, Access Privileges and Levels of Authority

    1. Allocate roles and responsibilities based on approved job descriptions and allocated business process activities.

    2. Allocate levels of authority for approval of transactions, limits, and any other decisions relating to the business process, based on approved job roles.

    3. Allocate access rights and privileges limited to what is required to perform the job activities of predefined job roles. Remove or revise access rights immediately if the job role changes or a staff member leaves the business process area. Periodically review access to ensure that it remains appropriate for the current threats, risk, technology, and business need.

    4. Allocate roles for sensitive activities so that there is a clear segregation of duties.

    5. Provide awareness and training regarding roles and responsibilities on a regular basis so that everyone understands their responsibilities; the importance of controls; and the integrity, confidentiality, and privacy of company information in all its forms.

    6. Periodically review access control definitions, logs, and exception reports to ensure that all access privileges are valid and aligned with current staff members and their allocated roles.

Manage Errors and Exceptions

    1. Define and maintain procedures to assign ownership, correct errors, override errors, and handle out-of-balance conditions.
    2. Review errors, exceptions, and deviations.
    3. Follow up, correct, approve, and resubmit source documents and transactions.
    4. Maintain evidence of remedial actions.
    5. Report relevant business process information errors in a timely manner so that root cause and trend analysis can be performed.

Ensure Traceability of Information Events and Accountability

    1. Define retention requirements based on business requirements to meet operational, financial reporting, and compliance needs.

    2. Capture source information, supporting evidence, and the record of transactions.

    3. Dispose of source information, supporting evidence, and the record of transactions in accordance with the retention policy.

Secure Information Assets

    1. Apply data classification and acceptable use and security policies and procedures to protect information assets under the control of the business.

    2. Provide adequate awareness and training on acceptable use.

    3. Restrict use, distribution, and physical access to information according to its classification.

    4. Identify and implement processes, tools, and techniques to reasonably verify compliance.

    5. Report to business and other stakeholders on violations and deviations.