According to the CRISC Review Manual (Digital Version), establishing an organizational code of conduct is an example of a directive control, which is a type of control that guides or steers the behavior of individuals or processes to achieve desired outcomes. A directive control aims toinfluence or encourage compliance with the organization’s policies, standards, procedures, and guidelines. A directive control can also communicate the organization’s values, ethics, and expectations to its stakeholders. A directive control can take various forms, such as:
Codes of conduct or ethics
Policies or manuals
Training or awareness programs
Job descriptions or roles and responsibilities
Performance appraisals or incentives
Supervision or oversight
References = CRISC Review Manual (Digital Version), Chapter 2: IT Risk Assessment, Section 2.4: IT Risk Scenarios, pp. 105-1061
