1 Information Security Governance
    A Enterprise Governance
        1A1 Organizational Culture
        1A2 Legal, Regulatory, and Contractual Requirements
        1A3 Organizational Structures, Roles, and Responsibilities
    B Information Security Strategy
        1B1 Information Security Strategy Development
        1B2 Information Governance Frameworks and Standards
        1B3 Strategic Planning (e.g., budgets, resources, business case)

2 Information Security Risk Management
    A Information Security Risk Assessment
        2A1 Emerging Risk and Threat Landscape
        2A2 Vulnerability and Control Deficiency Analysis
        2A3 Risk Assessment and Analysis
    B Information Security Risk Response
        2B1 Risk Treatment / Risk Response Options
        2B2 Risk and Control Ownership
        2B3 Risk Monitoring and Reporting

3 Information Security Program
    A Information Security Program Development
        3A1 Information Security Program Resources (e.g., people, tools, technologies)
        3A2 Information Asset Identification and Classification
        3A3 Industry Standards and Frameworks for Information Security
        3A4 Information Security Policies, Procedures, and Guidelines
        3A5 Information Security Program Metrics
    B Information Security Program Management
        3B1 Information Security Control Design and Selection
        3B2 Information Security Control Implementation and Integrations
        3B3 Information Security Control Testing and Evaluation
        3B4 Information Security Awareness and Training
        3B5 Management of External Services (e.g., providers, suppliers, third parties, fourth parties)
        3B6 Information Security Program Communications and Reporting

4 Incident Management
    A Incident Management Readiness
        4A1 Incident Response Plan
        4A2 Business Impact Analysis (BIA)
        4A3 Business Continuity Plan (BCP)
        4A4 Disaster Recovery Plan (DRP)
        4A5 Incident Classification/Categorization
        4A6 Incident Management Training, Testing, and Evaluation
    B Incident Management Operations
        4B1 Incident Management Tools and Techniques
        4B2 Incident Investigation and Evaluation
        4B3 Incident Containment Methods
        4B4 Incident Response Communications (e.g., reporting, notification, escalation)
        4B5 Incident Eradication and Recovery
        4B6 Post-incident Review Practices