[Figure: diagram relating risks, control objectives, countermeasures/controls and control measures; the modelling element type of each is given in parentheses.]

Panel titles:
- Control Measure is realised by separate Business Process
- Control Measure is integral part of Business Process
- Control Measure is realised by using separate Control Data
- Control Measure is realized by Infrastructure Architecture
- Control Measure is realized by Application Architecture

Elements shown:
- Risk X, Risk Y, Risk Z (Concern); Security (Concern)
- Control Objective 1, 2, 3 (Goal), e.g. Availability, Confidentiality, Integrity
- Countermeasure/Control 1, 2, 3 (Requirement), e.g. 99.99% uptime arch., access control, Intrusion Detection
- Control Measure 1, 1a, 2, 3 (Business Process), each labelled "Execute"
- Control Unit (Business Role)
- Primary Business Process: Process 1 (Business Process) with Sub 1.a, Sub 1.b, Sub 1.c (Business Process)
- Internal Control System (Business Processes)
- Internal Control Statement, Process Description, Subject Matter (Business Object)
- Control Data, e.g. Allowed Counterparties (Business Object)
- Process Requirements, e.g. separation of duties (Business Object)
- (Infrastructure Service), (Application Service)