Guidelines
Recommended security practices
Policies
Rules for protecting systems and data
Acceptable use policy (AUP)
Rules for proper system use
Information security policies
Rules for protecting information
Business continuity
Plan to keep business running
Disaster recovery
Plan to restore systems after disaster
Incident response
Plan for handling security incidents
Software development lifecycle (SDLC)
Process for building secure software
Change management
Process for controlling system changes
Standards
Mandatory security requirements
Password standards
Rules for strong passwords
Access control standards
Rules for managing access
Physical security standards
Rules protecting physical assets
Encryption standards
Rules for using encryption
Procedures
Step-by-step task instructions
Change management procedures
Steps for approving changes
Onboarding/offboarding
Adding or removing user access
Playbooks
Step-by-step incident guides
External considerations
Outside rules affecting security
Regulatory
Government regulations
Legal
Laws that must be followed
Industry
Security practices in an industry
Local/regional
Local area regulations
National
Country-level regulations
Global
International regulations
Monitoring and revision
Reviewing and updating policies
Governance structures
System for managing authority and accountability
Boards
Top leadership making decisions
Committees
Groups handling specific tasks
Government entities
Public authorities setting and enforcing rules
Centralized governance
One authority makes decisions
Decentralized governance
Multiple groups make decisions
Roles and responsibilities
Who manages systems and data
Owners
Responsible for systems or data
Controllers
Decide how data is used
Processors
Handles data on behalf of controller
Custodians/stewards
Manages and protects the data