Mandates

Owned by Vicki McEwen
Last updated: May 18, 2023 by Steven Murawski

A mandate is an official order or commission to perform a task. Mandates are often buried within sentences and within paragraphs in citations. A simple example of a mandate would be 'turn off the faucet' or 'feed the dog,' although you, as a member of the Mapping Team, are more likely to encounter a mandate like 'Ensure that your organization has an information security program in place' than 'feed the dog.'


As stated above, mandates are actions that an organization must perform. When determining if a citation contains a mandate or is informational, look for consistencies within the writing. A citation's wording will indicate whether an action is required for compliance, is highly recommended, or is considered good practice. For example, if a citation reads 'the organization must or will', or contains imperative sentences (i.e. ensure that packets transmitted over insecure networks are encrypted) then the action is required and failing to performing said action is considered an instance of noncompliance. If a citation reads 'the organization should', then experts highly recommend that said action is performed (sometimes as a failsafe), but failing to perform the action is not considered a compliance violation. If a citation reads 'the organization may, can, or could' then the action is considered to be good practice, but optional. You will find that the majority of Authority Documents follow the above conventions, at least to a degree. There are a few outliers however. For example, if you encounter a document where the requirements are loosely defined (i.e. words like must or will don't appear at all), look over the structure of the document for patterns such as the citation assuming that the action is completed (i.e. personal data is returned to the customer when it is no longer needed). 


There can be one or multiple mandates in a citation. In the case of multiple mandates, each mandate must be tagged separately. These mandates fall into three categories: those that call for documentation about an action, the performing of the action, or testing for the action to have taken place.


How do you differentiate between the three? Glad you asked:

Documentation

Citations that refer to a process, procedure, policy, etc., call for documentation of an action.

For example, "Determine if the organization has a process for implementing access control" references "a process"; therefore, the mandate is about documentation.

Perform Action

When no explicit reference to documentation is made, the citation calls for the performance of an action.

For example, if the citation were written as "Implement access control," then the mandate would be about performing an action.

Test for Action

These are usually pretty easy to determine; they start with "ensure," "does the," "evaluate," "test," "observe," and "interview."