Control catalog

The entity demonstrates a commitment to integrity and ethical values.

The board of directors demonstrates independence from management and exercises oversight of internal control.

Management establishes structures, reporting lines, and appropriate authorities and responsibilities.

The entity demonstrates a commitment to attract, develop, and retain competent individuals.

The entity holds individuals accountable for their internal control responsibilities.

The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

The entity internally communicates information necessary to support internal control.

The entity communicates with external parties about matters affecting internal control.

The entity specifies objectives with sufficient clarity to enable risk identification and assessment.

The entity identifies risks to the achievement of objectives and analyzes those risks as a basis for response.

The entity considers the potential for fraud when assessing risks to objectives.

The entity identifies and assesses changes that could significantly affect internal control.

The entity selects, develops, and performs ongoing and separate evaluations to determine whether controls are present and functioning.

The entity evaluates and communicates internal control deficiencies in a timely manner.

The entity selects and develops control activities that help mitigate risks to objectives.

The entity selects and develops general control activities over technology to support the achievement of objectives.

The entity deploys control activities through policies that establish expectations and procedures that put policies into action.

The entity implements logical access security software, infrastructure, and architectures over protected information assets.

Before issuing credentials, the entity authorizes and registers new internal and external users.

The entity authorizes, modifies, or removes access based on changes in user roles or termination.

The entity restricts physical access to facilities and protected information assets.

The entity prevents or detects unauthorized access to system resources.

The entity implements controls to prevent, detect, and act on malicious software.

The entity restricts the transmission, movement, and disposal of information to authorized channels.

The entity implements controls to identify and manage vulnerabilities in infrastructure and software.

The entity uses detection and monitoring procedures to identify events that may indicate security incidents.

The entity monitors system components and the operation of controls to detect anomalies indicative of malicious acts, natural disasters, and errors.

The entity evaluates security events to determine whether they could or did result in system failure or unauthorized activity.

The entity responds to identified security incidents by executing response procedures.

The entity identifies, develops, and implements activities to recover from identified security incidents.

The entity authorizes, designs, develops, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures.

The entity identifies, selects, and develops risk mitigation activities for business disruptions and vendor or third-party risks.

The entity assesses and manages risks associated with vendors and business partners.

Personal data must be processed lawfully, fairly, transparently, for specified purposes, with data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.

Processing is only lawful if at least one of the six lawful bases applies.

Where processing is based on consent, the controller must be able to demonstrate valid consent and make withdrawal as easy as giving consent.

Controllers must provide transparent information at the point of collection, including identity, purposes, legal basis, retention, and rights.

Data subjects have the right to obtain confirmation of processing and a copy of their personal data.

Data subjects have the right to request erasure of personal data in defined circumstances, including withdrawn consent, objection, unlawful processing, or expired purpose.

Data subjects have the right to receive personal data they provided in a structured, commonly used, machine-readable format and transmit it to another controller.

Controllers must implement appropriate technical and organisational measures that embed data protection principles and default to only necessary processing.

Controllers may use only processors providing sufficient guarantees, and processing must be governed by a contract with required data protection terms.

Controllers and processors must maintain a written record of processing activities, including purposes, categories of data, and recipients.

Controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Personal data breaches must be reported to the supervisory authority within 72 hours of awareness, unless the breach is unlikely to result in a risk to rights and freedoms.

Where processing is likely to result in high risk to individuals, the controller must assess necessity, proportionality, risks, and risk mitigation before processing.

Controllers and processors must designate a data protection officer where required, including certain public authority, large-scale monitoring, or special-category processing contexts.

The data protection officer must be properly involved, supported, independent in duties, reachable by data subjects, and bound by confidentiality.

The data protection officer informs and advises, monitors compliance, advises on DPIAs, cooperates with supervisory authorities, and acts as a contact point.

Subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, untargeted facial image scraping, emotion recognition in workplaces/schools, biometric categorisation on sensitive traits, and real-time remote biometric identification in public spaces (with narrow exceptions).

High-risk AI providers must establish, implement, document, and maintain a risk management system throughout the system's lifecycle.

Training, validation, and testing data sets must meet quality criteria including relevance, representativeness, and absence of errors, and must be examined for bias.

High-risk AI providers must prepare technical documentation before placing a system on the market and keep it up to date to demonstrate compliance.

High-risk AI systems must enable automatic recording of events over their lifetime to support traceability, monitoring, and incident investigation.

High-risk AI systems must be accompanied by instructions for use containing concise, accurate, and clear information relevant to deployers.

High-risk AI systems must be designed to be effectively overseen by humans, with measures proportionate to risk.

High-risk AI systems must be designed and developed to achieve appropriate accuracy, robustness, and cybersecurity throughout their lifecycle.

Providers of high-risk AI systems must ensure compliance, maintain quality management, keep documentation and logs, conduct conformity assessment, and take corrective action where needed.

Deployers of high-risk AI systems must use systems according to instructions, ensure human oversight, monitor operation, retain logs where required, and report serious incidents.

Users must be informed when interacting with an AI system. Deepfakes and AI-generated text on matters of public interest must be labelled.

Providers of high-risk AI systems must establish a post-market monitoring system to collect, document, and analyze performance and compliance data after deployment.

Information security policy and topic-specific policies must be defined, approved by management, published, and reviewed.

Information relating to threats must be collected and analyzed to produce actionable threat intelligence.

Information security must be integrated into project management practices for all projects.

Processes for acquisition, use, management, and exit from cloud services must address information security risks.

Background verification checks must be carried out on candidates before joining and on an ongoing basis where appropriate.

Employment agreements must state personnel responsibilities for information security.

Personnel and relevant interested parties must receive appropriate information security awareness, education, and training.

Personnel must be provided with a mechanism to report observed or suspected information security events promptly.

Security perimeters must be defined and used to protect areas containing information and associated assets.

Secure areas must be protected by appropriate entry controls and access points.

Premises must be continuously monitored for unauthorized physical access.

Equipment must be sited and protected to reduce risks from environmental threats and unauthorized access.

The allocation and use of privileged access rights must be restricted and managed.

Secure authentication technologies and procedures must be implemented based on access restrictions and the information classification.

Networks, systems, and applications must be monitored for anomalous behaviour, with appropriate actions taken to evaluate potential security incidents.

Rules for effective use of cryptography, including cryptographic key management, must be defined and implemented.