A guide to identifying which controls you are directly responsible for, and which are outsourced, inherited, or not applicable (N/A).
Objective
- Purpose: This guide helps you identify the controls within your compliance framework that you are directly responsible for, and which are outsourced, inherited, or not applicable (N/A). By clearly understanding and documenting these classifications, you can better manage your responsibilities and efforts during the audit.
- Target Audience: Compliance officers, GRC managers, and others involved in compliance and risk management, specifically within companies undergoing or preparing for information security regulatory audits (e.g., SOC 2, ISO 27001, PCI DSS).
Sections below:
Control Classification and Definitions
Key differences between “Outsourced” and “Inherited” controls
How to Integrate Classifications into Your Policies and Controls
Introduction
To manage your compliance requirements, it is crucial to clearly distinguish between types of control responsibilities. This guide will help you navigate these classifications, enabling a smoother audit process with defined expectations.
High-Level Questions for You to Consider
Before you can sort your many controls into the proper classification, you must answer these questions:
- Do you outsource to third parties any services that might impact your compliance standing?
- Does your operational model result in inheriting controls from any service providers?
- Are there any controls that are clearly not applicable to your business model?
Control Classifications and Definitions
- Outsourced controls
- Definition: The company hires a third party to perform specific functions or processes on its behalf.
- Responsibility: The company remains responsible for ensuring that the third party effectively implements and manages these controls. The company typically retains accountability for the security and compliance outcomes.
- Examples: Engaging a Managed Security Service Provider (MSSP) for security monitoring, a managed IT provider for mobile device management, or a colocation data center to house equipment you own and operate.
- Monitoring and Verification: The company needs to continuously monitor and verify the third party's performance and adherence to agreed-upon controls. This requires regular assessments, audits, and reports.
- Inherited controls
- Definition: Inherited controls are those that a company relies on, which are implemented and managed by another entity (often a service provider or parent company) as part of a shared responsibility model.
- Responsibility: The third party (e.g., a cloud service provider) implements and manages these controls, and the company relies on them without direct management or oversight. The company is still responsible for choosing a provider whose controls meet its requirements and for operating its own side of the shared responsibility model.
- Example: If a company hosts on a cloud provider (e.g., AWS or Azure), the physical security controls of the provider's data centers are inherited. Controls the company configures on top of the platform, such as identity and access management, encryption settings, and network rules, are not inherited and remain the company's own responsibility.
- Monitoring and Verification: The company relies on attestations, certifications, and audit reports (e.g., SOC 2 or ISO 27001) provided by the third party to confirm that the inherited controls are effective and compliant. Review these at least annually, confirm that the report's scope and period cover the services you actually use, and implement any complementary user entity controls (CUECs) the report lists, since the inherited controls are only effective if those customer-side controls are in place.
- Not applicable (N/A) Controls
- Definition: Controls that do not apply to your company, based on your specific industry or business activities.
- Note: To ease the audit process, clearly justify and document in writing why these controls are non-applicable.
- Example: Suppose your company specializes in digital marketing services with a focus on front-end website development. Controls related to backend development security, such as secure server configuration and database encryption, are not applicable because your business activities do not involve server-side processing or data storage. Documenting these controls as N/A means describing the absence of backend development work and explaining why each specific control does not apply. Expect the auditor to test the statement, for example by confirming that no servers or databases appear in your asset inventory, so the justification must match what your systems actually show.
Key differences between “Outsourced” and “Inherited” controls
Understanding these differences is crucial for managing third-party risks and ensuring compliance with information security standards.
- Control and Oversight:
- Outsourced to a vendor: The company has more control and oversight, because the contract defines the service and the company can set requirements, request evidence, and audit the vendor's performance.
- Inherited (e.g., from AWS or Azure): The company relies on the third party's existing controls and has less direct oversight; it cannot change how the provider operates them, only whether to use the provider.
- Accountability:
- Outsourced: The company is accountable for ensuring the controls meet compliance requirements and must actively manage and monitor the third party’s performance.
- Inherited: The third party is primarily accountable for the effectiveness of the controls. The company relies on the provider's assurances and certifications, but remains accountable to its own auditors for reviewing them and for the customer-side controls they depend on.
- Implementation:
- Outsourced: The company contracts a third party to perform specific security functions.
- Inherited: The company leverages existing controls provided by a third-party service provider as part of a broader service offering.
How to Integrate Classifications into Your Policies and Controls
Actions Required in Your Trustero Account
- Accurately document the classification of each control (outsourced, inherited, N/A) to maintain a clear audit trail. A control can have only one responsibility classification.
- Example “Reasons” for each classification:
- Example for Outsourced Controls
"Outsourced to TechSupport Ltd.: Our company has an agreement in place with TechSupport Ltd. to manage IT support services including day-to-day IT operations and maintenance. We remain responsible for verifying their compliance with our information security standards."
- Example for Inherited Controls
"Inherited from CloudCorp: Our company relies on CloudCorp for cloud-hosting services, including the physical security measures provided at their data centers. These measures cover access controls, surveillance, and environmental protections that are essential for the security of our hosted data. It is our responsibility to ensure these measures meet our specific security requirements, which we do by reviewing CloudCorp's current audit reports and certifications annually."
- Example for N/A Controls
"This control is Not Applicable (N/A) for our company because our operations focus on digital marketing and front-end website development. Backend development security controls, such as server configuration and database encryption, are not applicable as our services do not involve server-side processing or data storage. We document these as N/A to clarify the scope of our compliance responsibilities and prevent audit scope creep."
Policy Documentation Adjustments
Clearly identify and document within your policies which control topic sections are outsourced, inherited, or not applicable. For each such control, state why it is N/A, or identify who is responsible for it and how you verify that they are meeting the requirement.
When using the set of templated policies provided by Trustero, the control topic sections are under the “Responsibilities and Scope” section within each policy. Here is an example using the Asset Management Policy:
Responsibilities and Scope
This policy applies to all employees who manage, oversee or carry out any of the defined policy requirements within this Asset Management Policy.
To meet asset management requirements, the following control topics must be followed:
- Inventory of Information and other associated Assets
- Return of Assets
- Laptop Protection and Management
- Outsourced to: [Vendor Name], who provides comprehensive protection and management services for all company laptops.
NOTE: It remains our responsibility under Supplier Relationship/Vendor Management to ensure [Vendor Name] is meeting contractual obligations, to cover all outsourced control requirements.
- Secure Disposal or Reuse
Conclusion
Proper classification of your security controls is key to managing your compliance effectively. Document the classification of each control. This clarity will help ensure that you are well-prepared for audits, with a well-defined scope of your responsibilities.
ℹ️ For more on adding a statement as evidence, see: What are the best practices for manual evidence?