Skip to main content

Controls Content Release Notes

Emily Makroy
Updated
VersionDateRelease Details
V 2026-1

Upcoming - 

March 25 2026

V 2026-1 includes a new Artificial Intelligence risk domain with 8 controls, 8 new controls throughout existing risk domains, and 6 existing control names updated.

 

Risk Domain: Artificial Intelligence

Addition of an "Artificial Intelligence" Risk Domain with the following controls, as well as Control Strength, Coverage and Timeliness Metrics and Control Mitigations

  • Control Name: AI Model Validation and Change Management
    • Control Prompt: Is there a process in place to log all AI model versions, with changes documented and auditable through a version control system?
  • Control Name: AI Data Privacy and Retention
    • Control Prompt: Do you have controls in place to ensure that AI systems enforce retention and security policies aligned with data privacy regulations?
  • Control Name: Access Control for AI Systems
    • Control Prompt: Is role-based access control (RBAC) enforced for all AI development, training, and deployment environments to restrict access to authorized personnel only?
  • Control Name: Ethical Use and Accountability of AI
    • Control Prompt: Has your organization implemented documented policies, procedures, and accountability mechanisms to ensure AI systems are used ethically and in alignment with fairness, transparency, and non-discrimination principles?
  • Control Name: Audit Trail for Human Review in AI Decisions
    • Control Prompt: Does your organization maintain secure, tamper-resistant audit trails that document AI decision-making processes and include evidence of human review or oversight where required?
  • Control Name: Incident Response Procedures for AI Failures
    • Control Prompt: Does your organization have documented and tested incident response procedures in place to detect, respond to, and recover from AI system failures or adverse events?
  • Control Name: Security Patch Management for AI Infrastructure
    • Control Prompt: Does your organization have a documented and enforced process to monitor, test, and apply security patches in a timely manner across all AI infrastructure components?
  • Control Name: Input Validation and Filtering
    • Control Prompt: Has your organization implemented documented and enforced input validation and filtering mechanisms to prevent adversarial or invalid data from compromising AI systems?

Risk Domain: Endpoint & Device Security

  • H7AHR Control Name Updated
    • Previous: Asset Acquisition
    • Current: Asset Procurement
  • I7cXM Control Name Updated
    • Previous: Virtualized Endpoint Security
    • Current: Virtualized Component Hardening
  • My2nq Control Name Updated
    • Previous: Desktop and Laptop Secure Browsing
    • Current: Web Browser Security

Risk Domain: Threat Management

  • tGAKl Control Name Updated
    • Previous: Customer Notifications
    • Current: Breach Notification

Risk Domain: Data Protection & Privacy

  • Addition of 3 controls as well as Control Strength, Coverage and Timeliness Metrics and Control Mitigations
  • Control Name: Records Retention
    • Control Prompt: Do you adhere to record retention requirements set by compliance /regulatory requirements
  • Control Name: Record Disposal
    • Control Prompt: Do you have a capability to securely disposal of data records (whether electronic or paper) and provide proof of disposal?
  • Control Name: Data Soverignity
    • Control Prompt: Do you have the capability to host organizational data based on your customer or compliance /regulatory directive?
  • vA2FX Control Name Updated
    • Previous: Cloud Document Protection
    • Current: Cloud Storage Protection
  • wbMbg Control Name Updated
    • Previous: Information Sharing Planning
    • Current: Internal Communication on Threats

Risk Domain: Identity & Access Management

  • Addition of 1 control as well as Control Strength, Coverage and Timeliness Metrics and Control Mitigations
  • Control Name: Multi-Factor Authentication
    • Control Prompt: Is Multi-Factor Authentication actively used within your Enterprise?

Risk Domain: Incident Response & Business Continuity

  • Addition of 4 controls as well as Control Strength, Coverage and Timeliness Metrics and Control Mitigations
  • Control Name: Disaster Recovery Plan
    • Control Prompt: Have you built a Disaster Recovery plan to support the technical recovery of applications, networks and other technical infrastructue as Identified in your Business /Technology Impact Analysis?
  • Control Name: Disaster Recovery Testing
    • Control Prompt: Do you regularly test your Disaster Recovery plan to ensure it meets the redundancy requirements and availability requirements?
  • Control Name: Disaster Recovery Plan Updates
    • Control Prompt: Do you regularly update your Disaster Recovery Plans based on testing results?
  • Control Name: Capacity and Performance Management
    • Control Prompt: Do you have a process to manage capacity and performance to ensure that services achieve agreed and expected performance, satisfying current and future demand?

V 2025

Live Assessment

2025-Feb

Flatten the question hierarchy and shorten the assessment

  • Reduce overhead for Third Parties answering questions
  • Focus on the most valuable information in the Sub-Controls and supporting Metric Questions
  • Maturity questions removed 
  • Family level questions removed 
  • Control level (Tier 3) questions removed 

Reorganize the questions categories to align with NIST Risk Domains

  • Scoring at the risk domain level aligns with industry standards and will make assessment results more understandable and valuable for security professionals

11 Sub-Control level questions not as valuable or duplicative and do not align with NIST domains removed 

  • 3.2.2.2 - Customer Activity Monitoring
  • 3.2.3.1 - Secure Traveler Preventative Controls
  • 3.2.3.2 - Secure Traveler Detective Controls
  • 3.2.3.3 - Secure Traveler Response Controls
  • 3.4.3.1 - Application and Services Security Preventative Controls
  • 3.4.3.3 - Application and Services Security Response Controls
  • 3.6.2.2 - Server Application Control
  • 3.6.2.4 - Server Secure Browsing
  • 3.6.3.2 - Hypervisor Security
  • 3.6.3.3 - Virtualized Endpoint Application Control
  • 4.5.1.1 - Security Performance Management

Going forward, the term "Control" will be what was previously called "Sub-Control"

CR 412023-Feb

Attack Surface questions (Section A) moved outside the assessment into a standalone Attack Surface Questionnaire

  • Attack Surface information now part of a Company Profile, not behind authentication
  • Moves value earlier since ASQ answers feed into Inherent Risk calculation
CR 412022-OctUpdated wording in "evidence and technology examples" provided during evidence collection phase of the Validation Workflow.
No changes to controls content.
CR 402022-AugBusiness Background section (Section B) questions removed from Assessment
CR 402022-Aug

2.5.2.1.Strength answer option word misspelling correction:
Previous: Could snapshots, distributed copies 
Updated: Cloud snapshots, distributed copies


4.7.4.1.Timeliness answer option word change:
Previous: How long have most security staff...
Updated: How long have most junior security staff...

 

3.3.2.7.Timeliness answer options word change:
Previous: No defined period is now

Updated: No defined period or less than 5 minutes
Previous: < 15 minutes is now

Updated: 5-15 minutes


Added new control 2.5.5 around security incident response.

Was this article helpful?

0 out of 0 found this helpful
Return to top

Related articles