Business Cases and Controls
Updated
by Tanya Tandon
Business Case Selection and Controls in Scope
Purpose of Business Case Selection
Business Case selection determines which exposures are introduced by a third party and therefore which controls must be evaluated. The objective is to identify meaningful exposure efficiently while avoiding unnecessary analysis.
Business Cases are evaluated in a defined sequence. At specific points in that sequence, stopping rules determine whether further Business Case consideration is necessary.
Each Business Case follows the same evaluation pattern:
Business Case → Resulting Exposure → Controls in Scope → What to Do Next
Core Business Cases (Always Evaluated)
Data Transfer
Resulting Exposure
When company data passes through, is stored on, or is processed on systems controlled by a third party, that data falls under the third party’s access and operational control. Exposure extends across the vendor’s technology infrastructure, operations, and personnel.
Controls in Scope
Most controls are in scope, including controls related to data protection, access management, security operations, resilience, personnel security, and governance.
What to Do Next
Proceed to Software/Hardware Supplier.
Software/Hardware Supplier
Resulting Exposure
When a third party develops or supplies software or hardware used by the organization or its customers, exposure includes the possibility of vulnerabilities, malicious code, or backdoors being introduced into the environment. Exposure extends across the vendor’s technology infrastructure, operations, personnel, development practices, and product security posture.
Controls in Scope
A broad set of controls is in scope, including controls related to technology infrastructure, operations, personnel, secure development practices, and product security.
What to Do Next
Proceed to Privacy.
Privacy
Resulting Exposure
When a third party processes, accesses, stores, or otherwise handles personal, sensitive, or regulated information on behalf of the organization or its customers, exposure includes privacy, regulatory, and data protection obligations. This most commonly occurs when the vendor operates as a subprocessor.
Controls in Scope
Controls related to privacy governance, privacy compliance, and the handling of regulated personal information are brought into scope.
What to Do Next
Apply the Privacy Stopping Rule.
Stopping Rule (Privacy)
- If Data Transfer or Software/Hardware Supplier is selected, Business Case evaluation is complete. Proceed to Data Impact selections.
- NOTE: If Data Transfer, Software/Hardware Supplier, and Privacy are all selected, all controls are in scope.
If the stopping rule is not triggered, proceed to Network Connection.
Conditional Business Cases
Network Connection
Resulting Exposure
A network connection between the organization and a third party expands exposure to include access control weaknesses, network security risks, and geographic considerations associated with interconnected environments.
Controls in Scope
All controls are in scope except controls related to data protection, privacy, resilience, and artificial intelligence.
What to Do Next
Proceed to Artificial Intelligence (AI).
Artificial Intelligence (AI)
Resulting Exposure
When a third party develops, deploys, integrates, or uses artificial intelligence or machine-learning systems that may affect the organization’s products, operations, customers, or data, exposure includes risks related to model behavior, data usage, accuracy, transparency, and downstream effects.
Controls in Scope
Controls related specifically to the governance, oversight, and responsible use of artificial intelligence systems are brought into scope.
What to Do Next
Apply the Network Connection Stopping Rule.
Stopping Rule (Network Connection)
- If Network Connection is selected, Business Case evaluation is complete. Proceed to Data Impact selections.
If the stopping rule is not triggered, proceed to Data Storage.
Edge Case Business Cases
Data Storage
Resulting Exposure
When data or equipment containing data is stored at a third-party facility without logical access, exposure is primarily physical and related to the protection and administration of that environment.
Controls in Scope
Controls related to physical security, personnel security, and endpoint security are brought into scope.
What to Do Next
Proceed to Personnel Data Access.
Personnel Data Access
Resulting Exposure
Logical access by third-party personnel introduces exposure related to misuse or inappropriate handling of systems and information.
Controls in Scope
Controls related to personnel security and security awareness are brought into scope.
What to Do Next
Apply the Data Storage Stopping Rule.
Stopping Rule (Data Storage)
- If Data Storage is selected, Business Case evaluation is complete. Proceed to Data Impact selections.
If the stopping rule is not triggered, proceed to Physical Access.
Physical Access
Resulting Exposure
Physical access by third-party personnel to facilities containing systems or infrastructure introduces exposure related to abuse of trusted physical access.
Controls in Scope
Controls related to personnel security are brought into scope.
What to Do Next
Proceed to Data Impact selections.
Business Case FAQ
Do API integrations count as Network Connection?
No. Standard API integrations are covered under Data Transfer. Network Connection applies only to network-layer connectivity such as VPNs or dedicated circuits.
Does Personnel Data Access include SaaS support staff?
No. For SaaS providers, vendor personnel access is covered under Data Transfer.
Does Data Storage apply to cloud-hosted SaaS providers?
No. Cloud-hosted SaaS solutions are covered under Data Transfer. Data Storage applies only to physical-only edge cases.
Final Business Case Logic Summary
- Business Cases define exposure
- Privacy is evaluated before the first stopping rule
- Network Connection becomes terminal only after AI
- Data Storage becomes terminal only after Personnel Data Access
- All controls are in scope only when Data Transfer + Software/Hardware Supplier + Privacy are selected
- Impact is evaluated separately via Data Types
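The sequence and stopping rules above, as an added worked example (not part of this article or the program's own tooling): a small Python model that walks the Business Cases in the documented order, applies each stopping rule, and returns the controls brought into scope. The control-domain labels are the page's own wording, but ALL_CONTROLS and the case-to-domain mapping in CONTROLS_BY_CASE are assumptions constructed here for illustration, not the program's control catalogue.

```python
"""Worked model of the Business Case sequence and its stopping rules.

Added example, not part of the original article. Control-domain labels are
taken from the page's wording; ALL_CONTROLS and CONTROLS_BY_CASE are an
assumed simplification constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed control domains (constructed list using the page's own labels).
ALL_CONTROLS = frozenset({
    "data_protection", "access_management", "security_operations", "resilience",
    "personnel_security", "governance", "technology_infrastructure", "operations",
    "secure_development", "product_security", "privacy", "artificial_intelligence",
    "physical_security", "endpoint_security", "security_awareness", "network_security",
})

# Assumed mapping of each Business Case to the domains it brings into scope.
CONTROLS_BY_CASE = {
    "Data Transfer": {"data_protection", "access_management", "security_operations",
                      "resilience", "personnel_security", "governance"},
    "Software/Hardware Supplier": {"technology_infrastructure", "operations",
                                   "personnel_security", "secure_development",
                                   "product_security"},
    "Privacy": {"privacy"},
    # Page: "all controls except data protection, privacy, resilience, and AI".
    "Network Connection": ALL_CONTROLS - {"data_protection", "privacy",
                                          "resilience", "artificial_intelligence"},
    "Artificial Intelligence": {"artificial_intelligence"},
    "Data Storage": {"physical_security", "personnel_security", "endpoint_security"},
    "Personnel Data Access": {"personnel_security", "security_awareness"},
    "Physical Access": {"personnel_security"},
}

CORE_CASES = frozenset({"Data Transfer", "Software/Hardware Supplier", "Privacy"})

# Evaluation sequence as groups; each group ends where a stopping rule is applied.
# The predicate returns True when that rule says Business Case evaluation is complete.
SEQUENCE = [
    ("Privacy", ["Data Transfer", "Software/Hardware Supplier", "Privacy"],
     lambda sel: "Data Transfer" in sel or "Software/Hardware Supplier" in sel),
    ("Network Connection", ["Network Connection", "Artificial Intelligence"],
     lambda sel: "Network Connection" in sel),
    ("Data Storage", ["Data Storage", "Personnel Data Access"],
     lambda sel: "Data Storage" in sel),
    # End of the sequence: no further cases, proceed to Data Impact selections.
    (None, ["Physical Access"], lambda sel: True),
]


@dataclass(frozen=True)
class Outcome:
    evaluated: tuple                # Business Cases actually considered, in order
    stopping_rule: Optional[str]    # rule that ended evaluation; None if the sequence ran out
    controls: frozenset             # control domains in scope


def select_controls(selected):
    """Walk the sequence, apply each stopping rule, and return the controls in scope."""
    selected = set(selected)
    unknown = selected - set(CONTROLS_BY_CASE)
    if unknown:
        raise ValueError(f"unknown Business Case(s): {sorted(unknown)}")
    evaluated = []
    controls = set()
    rule_name = None
    for rule_name, group, stop in SEQUENCE:
        for case in group:
            evaluated.append(case)          # considered even if not selected
            if case in selected:
                controls |= CONTROLS_BY_CASE[case]
        if stop(selected):
            break                           # later cases are never considered
    # Page NOTE: all three core cases selected means all controls are in scope.
    if CORE_CASES <= selected:
        controls = set(ALL_CONTROLS)
    return Outcome(tuple(evaluated), rule_name, frozenset(controls))


if __name__ == "__main__":
    for selection in (["Data Transfer", "Network Connection"],
                      ["Network Connection", "Data Storage"],
                      ["Physical Access"]):
        out = select_controls(selection)
        print(selection, "->", out.stopping_rule, sorted(out.controls))
```

Running the first scenario shows the point of the stopping rules: with Data Transfer selected, evaluation ends at the Privacy stopping rule, so Network Connection is never considered, and its network-security controls are not separately added, which is the "avoid unnecessary analysis" effect the page describes. The core-case NOTE is applied as a final override so that Data Transfer + Software/Hardware Supplier + Privacy yields every domain regardless of the per-case mapping.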