Governance

Establishes the oversight structures to support the execution of information security management.

A1Information Security Strategy: Develop, communicate, and support the organization’s information security objectives.
A2Security Policies and Controls: Establish and maintain security policies and controls, taking into account relevant security standards, regulatory and legislative security requirements, and the organization’s security objectives.
A3Security Roles, Responsibilities, and Accountabilities: Establish responsibilities and accountabilities for information security roles, and check enforcement.
A4Communication and Training: Disseminate security approaches, policies, and other relevant information to develop security awareness and skills.
A5Security Performance Reporting: Report on the effectiveness and efficiency of information security policies and activities, and the level of compliance with them.
A6Supplier Security: Define security requirements pertaining to the procurement and supply of hardware, software, services, and data.