CAPs are required for all requirement statements that meet the criteria outlined within Chapter 13.9 CAPs and Gaps. A well-written CAP will include all the required information described in criteria 13.9.4 within that Chapter.

Scenario #1
CAP as a result of the Implemented maturity score only.
BUID: 1239.09aa1System.4
Retention policies for audit logs are specified by the organization and the audit logs are retained accordingly.
Maturity Scores: Policy (100%), Procedure (100%), Implemented (50%)

CAP Example #1
A well-written CAP identifies the point of contact (POC) or owner, the scheduled completion date, and the corrective action, and states the current CAP status.

  • Point of Contact (POC) / Owner: Name or Position (James Smith or Information Security Officer)
  • Scheduled Completion Date: June 30, 2023
  • Corrective Action: Organization XYZ will update the audit log configuration settings to ensure the system retains audit logs according to the organization established retention policy and log management standards.
  • Status: Not Started
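Closing the Implemented gap in CAP Example #1 requires evidence that every in-scope system's configured retention actually meets the policy minimum, not just an updated setting on one host. The following is an added example, not part of the HITRUST text or any organization's own code: it parses journald-style MaxRetentionSec values from a constructed inventory and compares them with a policy value. The inventory format, the host names and the "coverage" figure are assumptions; coverage here is the plain share of systems meeting policy, which is evidence to attach to the CAP status, not the HITRUST Implemented score itself.

```python
"""Check configured audit-log retention against the organization's policy.

Added example (not from the HITRUST text). Assumes a hypothetical inventory
in which each in-scope system reports its journald MaxRetentionSec setting;
the inventory below is constructed sample data.
"""
import re
from typing import Dict, Optional

# Time-unit suffixes accepted by journald (systemd time-util), in seconds.
# journald treats a month as 30.44 days and a year as 365.25 days.
_UNITS = {
    "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
    "month": 2629800, "months": 2629800,
    "y": 31557600, "year": 31557600, "years": 31557600,
}
_TOKEN = re.compile(r"(\d+)\s*([a-zA-Z]*)")
_WHOLE = re.compile(r"(?:\s*\d+\s*[a-zA-Z]*)+\s*")


def parse_retention_seconds(value: str) -> Optional[int]:
    """Parse a MaxRetentionSec-style value such as '90day', '2w 3d' or '7776000'.

    Returns None for '0' or an empty value: journald then applies no time-based
    deletion at all and retention depends solely on size limits, so the policy
    minimum cannot be demonstrated from this setting.
    """
    value = value.strip()
    if value in ("", "0"):
        return None
    if not _WHOLE.fullmatch(value):
        raise ValueError(f"malformed retention value {value!r}")
    total = 0
    for num, unit in _TOKEN.findall(value):
        unit = unit.lower() or "s"          # bare number means seconds
        if unit not in _UNITS:
            raise ValueError(f"unknown time unit {unit!r} in {value!r}")
        total += int(num) * _UNITS[unit]
    return total


def evaluate_retention(policy_days: int, inventory: Dict[str, str]) -> dict:
    """Compare each system's configured retention with the policy minimum.

    Returns a per-system finding and the share of systems meeting policy.
    """
    required = policy_days * 86400
    findings = {}
    compliant = 0
    for host, setting in inventory.items():
        secs = parse_retention_seconds(setting)
        if secs is None:
            findings[host] = ("gap: no time-based retention configured "
                              "(size-based rotation only)")
        elif secs < required:
            findings[host] = (f"gap: {secs // 86400} days configured, "
                              f"policy requires {policy_days}")
        else:
            findings[host] = "ok"
            compliant += 1
    coverage = compliant / len(inventory) if inventory else 0.0
    return {"findings": findings, "coverage": coverage}


# Constructed sample inventory: policy requires 365 days of audit logs.
SAMPLE_INVENTORY = {
    "app-01": "1year",   # meets policy
    "app-02": "90day",   # configured retention too short
    "db-01": "0",        # retention not time-bound at all
}

if __name__ == "__main__":
    result = evaluate_retention(365, SAMPLE_INVENTORY)
    for host, finding in result["findings"].items():
        print(f"{host}: {finding}")
    print(f"systems meeting policy: {result['coverage']:.0%}")
```

A setting of 0 is the case most often missed when a CAP is marked complete: the host has a retention line in its configuration, yet nothing guarantees logs survive for the policy period, so the check reports it as a gap rather than as "ok".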

Scenario #2
CAP as a result of the Procedure and Implemented maturity scores.
BUID: 0943.09y1Organizational.1
Data involved in electronic commerce and online transactions is checked to determine if it contains covered information.
Maturity Scores: Policy (100%), Procedure (0%), Implemented (0%)

CAP Example #2

  • Point of Contact (POC) / Owner: Name or Position (James Smith or Information Security Officer)
  • Scheduled Completion Date: December 31, 2023
  • Corrective Action: Organization XYZ will review and update the procedures for checking whether data involved in online transactions contains covered information. Organization XYZ will document the monthly performance of the data checks in a log, and the Information Security Officer will review the log quarterly to validate that the checks are occurring as expected.
  • Status: Not Started

Scenario #3
CAP as a result of the Policy, Procedure, and Implemented maturity scores.
BUID: 11190.01t1organizational.3
Bring your own device (BYOD) and/or company-owned devices are configured to require an automatic lockout screen, and the requirement is enforced through technical controls.
Maturity Scores: Policy (0%), Procedure (0%), Implemented (25%)

CAP Example #3

  • Point of Contact (POC) / Owner: Name or Position (James Smith or Information Security Officer)
  • Scheduled Completion Date: June 30, 2023
  • Corrective Action: Organization XYZ will define a BYOD management policy and procedure that include the requirement to configure an automatic screen lockout enforced through technical controls. The technical support team will verify that the configuration is applied to all BYOD devices used within the in-scope environment.
  • Status: Started – On Track