IVI Framework Viewer

Governance

Capability Building Blocks

A1 Information Security Principles, Policies, and Controls
Define the principles that underpin the organization's approach to information security management. Define the information security policies and controls to be put in place, taking into account relevant information security standards, legislative and regulatory compliance requirements, contractual obligations, information security objectives, and incident reports.
A2 Information Security Strategy
Develop an information security strategic plan to define how the organization's information security objectives can be achieved, and put the plan into operation.
A3 Governance Structures
Establish governance structures for information security management. Define the scope of information security management governance bodies, and outline decision rights and authorizations. Establish reporting arrangements, audit log designs, issue escalation protocols, and rules to govern and control the application of information security management authority within the organization.
A4 Roles, Responsibilities, and Accountabilities
Identify the roles required for information security management tasks, and assign employees with the requisite knowledge and experience to those roles. Define the associated responsibilities and assign these to employees who will be accountable for ensuring that information security management objectives are met.
A5 Skills and Competence Development
Put in place an information security management training curriculum and other employee developmental mechanisms to enhance the skills and competences of employees in this area.
A6 Culture and Stakeholder Management
Establish an information security management aware culture. Motivate stakeholders, secure their support for key information security management initiatives, and create a shared understanding of how they can help ensure that information security management objectives are met.
A7 Security Performance Measurement
Monitor and report on the effectiveness/efficiency of the information security principles, policies, controls, strategy, and activities.
A8 Supplier Security Requirements
Define security requirements for the procurement and supply of hardware, software, data, and cloud and other IT services to satisfy the information security strategy and objectives of the organization.