3.3 Simplified Accountability Control Framework

Our investigation into best practices for accountability has led us to define a simplified control framework, associated with the more detailed measures presented in Section 3.4. In this section, we examine the key control objectives associated with operating an accountable organisation.

We have grouped the control objectives according to the main concerns they address. These groups map to the accountability lifecycle according to the phase in which they are primarily addressed. Most are addressed both in the Governance (and associated Program Office) phase of the lifecycle (typically to define the processes that will be used to address the concern in another phase of the lifecycle) and in one of the four phases of the “accountable solution” lifecycle, as shown in Figure 12[11]. In several cases, a process group maps to several areas.

Figure 12: Key Processes in the accountability lifecycle.

Table 3 provides more details on the concerns corresponding to each of these groups:

Process Group | Description of Concern
(1) Identify and Accept Responsibility | Understand and accept responsibility for fulfilling obligations in an accountable and responsible manner; commitment to accountability.
(2) Staff Commitment | Adopt an accountability-driven culture for the whole organisation; ensure individual commitment to responsibilities.
(3) Assess Risks and Impact | Identify and assess risks and impact for the organisation and its service offerings.
(4) Identify and Implement Controls | Mitigate risks and implement controls to ensure continuous compliance with obligations in an accountable and responsible manner.
(5) Select and Manage Sub-providers | Ensure that all third-party services are compliant with relevant obligations and can be properly accounted for.
(6) Offering and Contracts | Define the object of accountability, both in terms of documentation and of commitment to stakeholders. Establish contracts.
(7) Operate and Monitor System | Operate the system as intended and execute the processes to meet obligations.
(8) Responsiveness to Stakeholders | Take into account input from external stakeholders and respond to queries from these stakeholders; enable individual participation.
(9) Handle Exceptions | Handle incidents related to obligations for which the organisation is accountable.
(10) Remedy and Redress | Take corrective action and/or provide a remedy for any party harmed in case of failure to comply with its governing norms.
(11) Perform External Verification | Regularly review the status with regard to accountability and compliance with obligations; this also includes certification of the organisation.
(12) Provide Account | Provide an account to report what happened, what has happened, or what might happen, and to demonstrate accountability.

Table 3: Process groups.

We recognise that there is significant overlap between the controls we have identified and those listed in widely accepted control frameworks, such as ISO 27002 [17], COBIT [14], or CSA’s CCM [18]. To be accountable, an organisation must start by operating in compliance with a baseline set of practices expected from leading organisations, which is the object of these control frameworks. Accountability cannot be achieved independently, as a separate property; it presupposes a baseline set of controls that are required as part of state-of-practice behaviours. We have found, however, that the commonly adopted control frameworks do not necessarily fully address a number of key behaviours that are at the core of accountability, most notably:

  • Behave ethically: while the above control frameworks require operation in compliance with laws and regulations, organisations adopting a culture of accountability will also be guided by a strong set of ethical values. This is not consistently addressed by control frameworks.
  • Comply with social norms: accountable organisations must accept the obligation to act as a responsible steward with respect to the assets of others. This obligation is not only legally prescribed, but also implied by requirements or promises derived from social norms. Most control frameworks make no provisions on this topic.
  • Perform due diligence: accountable organisations cannot simply transfer responsibilities and liabilities down the chain; the organisation remains accountable no matter where the information is processed. The acceptable level of risk and the due diligence performed are key criteria for the associated liability. Most control frameworks do not model the transfer of responsibilities in this manner.
  • Involve stakeholders: accountable organisations are bound to take into account input from external stakeholders and to respond to queries from these stakeholders. Furthermore, the audience for an organisation’s account should be involved in the process by which the account is produced, not only with the product. Most control frameworks cater to handling customer problems, not to the active involvement of stakeholders.
  • Inform stakeholders transparently: accountable organisations are required to provide visibility of their governing norms, their behaviour, and the compliance of that behaviour with the norms, both in the context of incidents and in normal operations. While all control frameworks address incident management and resolution, most do not require informing stakeholders in a transparent manner unless required by law.
  • Accept liability and cover with insurance: accountable service providers must provide an appropriate remedy to customers in case of failure to achieve agreed service levels. While subject to contractual clauses limiting liability, behaving in an accountable manner requires that the liability be commensurate with expected usage. The associated liability is often beyond the organisation’s financial capabilities and must therefore be covered by insurance.
  • Explain and demonstrate compliance to stakeholders: the provision of an account that explains and demonstrates compliance to stakeholders is central to the concept of accountability. While most control frameworks mention accountability, they typically address only individual responsibility or keeping track of assets.

The control frameworks are intended to be used as a guide for implementing a coherent set of controls for providers and users of IT services. They are often coupled with a certification or attestation scheme, in which certificates are issued by accredited third parties (e.g. certified auditors) after a detailed audit procedure. The certified organisation can then demonstrate compliance with the provisions of the control framework to third parties (e.g. its customers or authorities). To achieve this, the provisions of the control framework have to be interpreted, both for the implementation (by the provider) and for the certification (by the auditor). Wording that some read as calling for accountable behaviour may be understood (and hence operationalised) quite differently by practitioners. In fact, one could argue that most of the accountability controls are already addressed in the control frameworks, including on the points above, while observation of the behaviour of certified parties suggests the opposite conclusion.

A further discussion on this topic can be found in Section 4.8, related to the Accountability Maturity Model.


[11] Although in many cases evidence may include machine-generated logs, the two can have different uses as well as different requirements for creation and handling. We therefore consider them two distinct classes of artifacts.