CPL-03.1: Independent Assessors
Mechanisms exist to utilize independent assessors to evaluate cybersecurity and data protection controls at planned intervals or when the Technology Asset, Application and/or Service (TAAS) undergoes significant changes.
Control Question: Does the organization utilize independent assessors to evaluate cybersecurity and data protection controls at planned intervals or when the Technology Asset, Application and/or Service (TAAS) undergoes significant changes?
General (20)
| Framework | Mapping Values |
|---|---|
| COBIT 2019 | MEA03.03 MEA03.04 MEA04.01 |
| CSA CCM 4 | A&A-05 CEK-09 |
| GovRAMP Low+ | CA-07(01) |
| GovRAMP Moderate | CA-07(01) |
| GovRAMP High | CA-07(01) |
| ISO/SAE 21434 2021 | RQ-05-17 |
| ISO 27002 2022 | 5.35 |
| ISO 27017 2015 | 18.2.1 |
| ISO 42001 2023 | 9.2.2(b) |
| NIST 800-53 R4 | CA-7(1) |
| NIST 800-53 R4 (moderate) | CA-7(1) |
| NIST 800-53 R4 (high) | CA-7(1) |
| NIST 800-53 R5 (source) | CA-7(1) |
| NIST 800-53B R5 (moderate) (source) | CA-7(1) |
| NIST 800-53B R5 (high) (source) | CA-7(1) |
| NIST 800-82 R3 MODERATE OT Overlay | CA-7(1) |
| NIST 800-82 R3 HIGH OT Overlay | CA-7(1) |
| NIST 800-160 | 3.4.9 |
| NIST 800-171 R2 (source) | NFO-CA-7(1) |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | CPL-03.1 |
US (7)
| Framework | Mapping Values |
|---|---|
| US CJIS Security Policy 5.9.3 (source) | 5.11 5.11.1.1 5.11.1.2 5.11.2 5.11.3 |
| US FCA CRM | 609.930(c)(6)(ii) |
| US SSA EIESR 8.0 | 5.11 |
| US - AK PIPA | 45.48.520 |
| US - CA CCPA 2025 | 7122(a)(2) |
| US - NV NOGE Reg 5 | 5.260.3 |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.2(c) |
EMEA (14)
| Framework | Mapping Values |
|---|---|
| EMEA EU Cyber Resiliency Act Annexes | Annex 6 Module H.3.1 Annex 6 Module H.3.5 |
| EMEA EU EBA GL/2019/04 | 3.3.6(25) 3.4.6(41) 3.4.6(42) 3.4.6(42) 3.4.6(43)(a) 3.4.6(43)(b) |
| EMEA EU NIS2 Annex | 2.3.1 |
| EMEA EU PSD2 | 3 |
| EMEA Germany C5 2020 | COM-03 |
| EMEA Saudi Arabia CSCC-1 2019 | 1-4-2 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-7-2 |
| EMEA Saudi Arabia ECC-1 2018 | 1-8-2 |
| EMEA Saudi Arabia OTCC-1 2022 | 1-6-1 1-6-2 |
| EMEA Saudi Arabia SACS-002 | TPC-20 TPC-21 |
| EMEA South Africa | 60 |
| EMEA Spain BOE-A-2022-7191 | 38.1 |
| EMEA Spain 311/2022 | 38.1 |
| EMEA Spain CCN-STIC 825 | 9 |
APAC (8)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0100 |
| APAC Australia Prudential Standard CPS234 | 30 |
| APAC China Cybersecurity Law | 38 |
| APAC China Privacy Law | 38(1) 38(2) 40 |
| APAC India DPDPA 2023 | 10(2)(b) |
| APAC India SEBI CSCRF | PR.IP.S14 |
| APAC Japan ISMAP | 4.6.1 4.6.2.5 18.2.1 |
| APAC New Zealand NZISM 3.6 | 6.1.8.C.01 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 6.13 6.25 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to utilize independent assessors to evaluate cybersecurity and data protection controls at planned intervals or when the Technology Asset, Application and/or Service (TAAS) undergoes significant changes.
Level 1 — Performed Informally
Compliance (CPL) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- IT personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.
- IT personnel self-identify a set of controls that are used to conduct cybersecurity and data privacy control assessments.
- IT personnel perform internal assessments of cybersecurity and data protection controls to determine compliance status.
- F or specific statutory, regulatory and/ or contractual obligations, stakeholders may contract with a third-party auditor/assessor to perform an independent assessment of cybersecurity and data protection controls.
Level 2 — Planned & Tracked
Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Compliance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for compliance activities.
- Cybersecurity personnel use a defined set of controls to conduct cybersecurity and data privacy control assessments, as defined by the applicable statutory, regulatory and contractual requirements.
- Cybersecurity personnel either use an impartial member of its team or a third-party assessor to perform an independent assessment of cybersecurity and data protection controls.
Level 3 — Well Defined
Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensures data/process owners understand their requirements to manage applicable cybersecurity and data protection controls through oversight and written guidance. o Provides applicable stakeholders with status reports on control execution to enable security controls oversight. o Works with data/process owners and asset custodians to document and validate the scope of cybersecurity and data protection controls to ensure statutory, regulatory and/ or contractual compliance obligations are met. o Conducts cybersecurity and data privacy control assessments, on a regular cadence that is defined by the applicable statutory, regulatory and contractual requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to ensure compliance requirements are identified and documented.
- The GRC function, or similar function:
- Cybersecurity and data privacy controls are centrally managed through a technology solution (e.g., GRC solution) to assign controls, track control activities and report on compliance efforts.
- Cybersecurity personnel either use an impartial member of its team or a third-party assessor to perform an independent assessment of cybersecurity and data protection controls.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to utilize independent assessors to evaluate cybersecurity and data protection controls at planned intervals or when the Technology Asset, Application and/or Service (TAAS) undergoes significant changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize independent assessors to evaluate cybersecurity and data protection controls at planned intervals or when the Technology Asset, Application and/or Service (TAAS) undergoes significant changes.
Assessment Objectives
- CPL-03.1_A01 independent assessors or assessment teams are employed to monitor in-scope controls on an ongoing basis.
Evidence Requirements
- E-CPL-07 Control Assessments
-
Documented evidence of internal or third-party control assessments to provide governance oversight of cybersecurity & data privacy controls.
Compliance
Technology Recommendations
Micro/Small
- Information Assurance Program (IAP)
- Control Validation Testing (CVT) / Security Test & Evaluation (STE)
Small
- Information Assurance Program (IAP)
- Control Validation Testing (CVT) / Security Test & Evaluation (STE)
Medium
- Information Assurance Program (IAP)
- Control Validation Testing (CVT) / Security Test & Evaluation (STE)
Large
- Information Assurance Program (IAP)
- Control Validation Testing (CVT) / Security Test & Evaluation (STE)
Enterprise
- Information Assurance Program (IAP)
- Control Validation Testing (CVT) / Security Test & Evaluation (STE)