Organizational Controls FAQs

What roles should I have job descriptions for?

To meet this requirement, an organization should define the roles and responsibilities for all existing, upcoming, and C-Suite roles.

What should the job descriptions include?

A job description needs to include the basic role requirements and expected responsibilities. Job descriptions should also be freely available to everyone at the organization. If this is not facilitated through an HR platform, we suggest creating a shared document (e.g., Google Docs) for existing roles and updating the document as new roles are added.

When there are multiple individuals in the same role, a single job description is adequate. For example, if there are three senior software engineers within your organization, you only need one job description outlining the basic requirements and expected responsibilities of that position.

How do I evidence the following control: "COMPANY maintains awareness of relevant applicable statutory, regulatory and contractual obligations"?

Auditors will be looking for a document (which can be an MS Word document or a spreadsheet) that your organization maintains outlining any statutory, regulatory, or contractual requirements it must adhere to.

Statutory: Any obligation related to a statute, specifically an obligation to perform or refrain from performing an action as set out by state or federal law. Examples of statutory obligations come from rules of law, such as the Sarbanes-Oxley Act or trademark protections.

Regulatory: Any obligation that comes from a government agency rule. Examples of regulatory obligations come from rules set by government agencies, such as OSHA or the EPA.

Contractual: Any obligation related to a commitment made by the company via contract. An example would be if your organization has a contractual agreement to provide a SOC 2 report to certain customers.

Secureframe can provide a template, but customers must fill it out with their own obligations. Often these obligations depend on the state, country, continent, or industry your company operates in. For example, European data companies can be subject to GDPR, while American financial companies are often subject to FDIC or SEC regulations. This is especially important where those additional obligations affect your cybersecurity posture.
