SOC 2 (Systems and Organization Controls)
CC3.1: Sufficient specifying of objectives

Requirement description

COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Points of focus:

Operations Objectives:
- Reflects Management's Choices
- Considers Tolerances for Risk
- Includes Operations and Financial Performance Goals
- Forms a Basis for Committing of Resources
External Financial Reporting Objectives:
- Complies With Applicable Accounting Standards
- Considers Materiality
- Reflects Entity Activities
External Nonfinancial Reporting Objectives:
- Complies With Externally Established Frameworks
- Considers the Required Level of Precision
- Reflects Entity Activities
Internal Reporting Objectives:
- Reflects Management's Choices
- Considers the Required Level of Precision
- Reflects Entity Activities
Compliance Objectives:
- Reflects External Laws and Regulations
- Considers Tolerances for Risk
- Establishes Sub-objectives to Support Objectives

How to fill the requirement


Defining and documenting security objectives
Theme: Risk management and leadership
Policy: Cyber security management
Linked requirements: 23

Examples of other requirements this task affects

- 5.1.1: Policies for information security (ISO 27001)
- ID.BE-3: Organizational mission, objectives, and activities (NIST)
- ID.GV-1: Cybersecurity policy (NIST)
- HAL-01: Principles (Julkri)
- 5.1: Leadership and commitment (ISO 27001)
Defining and documenting security objectives
1. Task description

Organization's top management sets security objectives. Security objectives meet the following requirements:

  • they shall take into account applicable data security and data protection requirements and the results of risk assessment and treatment
  • they are clearly communicated to key security and data protection personnel, staff and other relevant stakeholders
  • they are updated as necessary (e.g. when the risk landscape changes or periodically when the objectives are met)
  • they are documented and (if possible) measurable

In connection with the documentation of security objectives, the necessary top-level improvements and tasks, needed resources, responsible persons, due dates and methods for evaluating the results in order to achieve the objectives are also defined.

Identification, documentation and management of other information security requirements
Theme: Risk management and leadership
Policy: Cyber security management
Linked requirements: 16

Examples of other requirements this task affects

- 18.1.1: Identification of applicable legislation and contractual requirements (ISO 27001)
- ID.GV-3: Legal and regulatory requirements (NIST)
- HAL-05: Requirements (Julkri)
- 5.31: Legal, statutory, regulatory and contractual requirements (ISO 27001)
- 2: Legislation and obligations (Digiturvan kokonaiskuvapalvelu)
Identification, documentation and management of other information security requirements
1. Task description

Complying with applicable laws, regulations, standards and contractual obligations can be as challenging as keeping up with an ever-changing threat environment and new forms of cyber attack.

The organization shall document the information security requirements that apply to it and the organization's operating model for meeting them.

Note that many of these requirements (e.g. laws and standards) change over time. It is recommended to define a review interval for the documentation, stating how often changes in the requirements are checked at a minimum.

Defining the frameworks that serve as the basis of the management system
Theme: Risk management and leadership
Policy: Cyber security management
Linked requirements: 1

Examples of other requirements this task affects

- CC3.1: Sufficient specifying of objectives (SOC 2)
Defining the frameworks that serve as the basis of the management system
1. Task description

The organization must define the frameworks that are used as the basis of the management system. Requirements frameworks should address:

Internal reporting goals:

  • Reports that support decision-making for management
  • Reporting accuracy and details not related to financial reports

Requirement fulfillment goals:

  • Fulfillment of laws and regulations
  • Setting sub-goals so that the security, availability, processing integrity, confidentiality and privacy criteria support adequate reporting, the organization's operation and compliance with the requirements

Implementation and documentation of management reviews
Theme: Risk management and leadership
Policy: Cyber security management
Linked requirements: 24

Examples of other requirements this task affects

- 18.1.1: Identification of applicable legislation and contractual requirements (ISO 27001)
- ID.GV-3: Legal and regulatory requirements (NIST)
- 9.3: Management review (ISO 27001)
- 12: Monitoring the state of digital security (Digiturvan kokonaiskuvapalvelu)
- 13: Reporting the overall state of digital security (Digiturvan kokonaiskuvapalvelu)
Implementation and documentation of management reviews
1. Task description

Top management shall review the organization's information security management system at planned intervals to ensure that it remains appropriate, relevant and effective.

The management review shall address and comment on at least the following:

  • Status of improvements (or other actions) initiated as a result of previous management reviews
  • Future changes relevant to the security management system
  • Performance of the ISMS (problem areas, measurement results, audit results and fulfillment of management's security objectives)
  • Stakeholder feedback on data security
  • Operation of the risk assessment and treatment process

Documented information on the execution and results of reviews must be maintained.

Consideration of external goals when setting information security objectives
Theme: Risk management and leadership
Policy: Cyber security management
Linked requirements: 1

Examples of other requirements this task affects

- CC3.1: Sufficient specifying of objectives (SOC 2)
Consideration of external goals when setting information security objectives
1. Task description

When setting the organization's information security objectives, external objectives must be taken into account. This means, for example:

  • Externally set requirement frameworks, such as laws and regulations or requirements set by other external stakeholders
  • Reports that contain a sufficient level of detail to demonstrate that the external requirements are met
