Control 1: Requirement Repository Confirmation and Usage Attestation (XXXX-x§§1024)
Summary
Ensures requirements are maintained in an approved repository and that its correct usage is periodically attested.
Map to related risks
• Risk 1: Ungoverned or inconsistent requirements repositories
• Risk 2: Requirements progressing without minimum readiness
Description
This control establishes a single, governed source of truth for requirements and requires periodic confirmation that the repository is actively used and that requirements meet agreed readiness criteria.
Requirements (Expectations)
• An approved requirements repository is designated for the application
• Usage of the repository is periodically attested
• Requirements meet an agreed Definition of Ready before development
Examples
The control supports a “shift left” approach by embedding quality and clarity at the point requirements enter development, rather than relying on downstream inspection.
Links to external standards for controls
• ISO/IEC 27001 – information integrity and governance
• IREB / IIBA requirements management standards
Control 2: Requirements for Release – Reviewed and Agreed (XXXX-01068)
Summary
Ensures all business, functional, and non-functional requirements for a release are formally reviewed and agreed.
Map to related risks
• Risk 2: Insufficiently defined requirements
• Risk 3: Lack of stakeholder agreement
• Risk 4: Missing non-functional or regulatory requirements
Description
This control establishes a formal approval baseline for requirements, confirming that what is being delivered has been explicitly reviewed and authorised prior to release.
Requirements (Expectations)
• Requirements for the release are documented
• Business, functional, and non-functional requirements are included
• Evidence of review and agreement is retained
Examples
RCTLDEF0001068 provides the authoritative confirmation that requirements are approved inputs into testing, release, and deployment decisions rather than informal guidance.
Links to external standards for controls
• ISO 9001 – requirements review and approval
• COBIT – governance and assurance over requirements