Citation Tagging Best Practices

Mandates are calls to action that are often buried within the sentences and paragraphs of Citations. These mandates fall into 3 categories: those that call for documentation about an action, those that call for performing the action, and those that call for testing that the action has taken place.


How to differentiate between the three?



Citations that refer to a process, procedure, policy, etc. are calling for documentation of an action.

For example, “Determine if the organization has a process for implementing access control” references “a process”; therefore, the mandate is about documentation. The primary nouns are process and access control, and the primary verb is implement.

This Citation would match to a Common Control about establishing and maintaining access control procedures.


Perform Action

When no explicit reference to documentation is made, the citation is calling for the performing of an action.

For example, if the Citation were written as “Implement access control”, then the mandate would be about performing an action. The primary noun is access control and the primary verb is implement. This Citation would match to a Common Control about implementing access controls.


Test for Action

These are usually pretty easy to determine; they start with “ensure”, “does the”, “evaluate”, “test”, “observe”, or “interview”.

For example, if the Citation were written as “Ensure the organization implements access controls”, this focuses on the testing of the implementation of the access control. Ensure is now the primary verb and access control is the primary noun, with implement being a secondary verb.


Real-world examples[1]


  1. App A Objective 6.20: Determine whether management has an effective process to administer logical security access rights for the network, operating systems, applications, databases, and network devices. The primary verb in this case is administer and the primary nouns are process and logical security access rights. The main idea of this citation is the documentation of the action for administering logical security access rights.
  2. App A Objective 6.18.g: Has policies restricting the use of unsanctioned or unapproved IT resources (e.g. online storage services, unapproved mobile device applications, and unapproved devices). The primary verb in this citation is restricting and the primary nouns are process and unapproved IT resources.
  3. App A Objective 7.4.c: Uses metrics to measure security policy implementation, the adequacy of security services delivery, and the impact of security events on business processes. The citation can be broken down into three mandates:
    1. The primary verb here is measure and the primary noun is security policy implementation. The secondary noun is metrics.
    2. The primary verb is measure and the primary noun is security services delivery. The secondary noun is metrics.
    3. The primary verb is measure and the primary nouns are impact and security events. The secondary noun is metrics.


[1] Excerpts from FFIEC Information Technology Examination Handbook – Information Security, September 2016