Control criterion
Definition
The standard against which a control is evaluated. Criteria may come from an external standard (ISO 27001 Annex A, NIST CSF, PCI-DSS), a regulation (GDPR Article 32, HIPAA Security Rule), or the organisation's own documented policy. A finding requires a stated criterion: a control cannot be deficient unless there is a defined expectation it fails to meet.
Related terms
- Audit chain of custody: The documented record of when audit evidence was collected, by whom, from what source, and how it has been stored and accessed...
- Design effectiveness: The assessment of whether a control is designed in a way that would prevent or detect the risk it targets, if it...
- Evidence sufficiency: The standard that evidence must meet to support an audit conclusion. Evidence must be relevant to the control being tested, reliable in...
- Fieldwork: The active evidence-gathering phase of an audit, during which the auditor applies testing procedures to specific controls and collects the evidence that...
- Operating effectiveness: The assessment of whether a control has consistently functioned as designed over the audit period. Requires evidence of actual operation, such as...
Explained in
- Fieldwork, Evidence Collection, and Control Testing