In good cybersecurity documentation, the components are hierarchical and build on each other to form a governance structure that manages requirements in an integrated way. Well-designed documentation generally comprises six (6) main parts:
- Policies establish management’s intent;
- Control Objectives identify leading practices (mapped to requirements from laws, regulations and frameworks);
- Standards provide quantifiable requirements;
- Controls identify desired conditions that are expected to be met (requirements from laws, regulations and frameworks);
- Procedures / Control Activities establish how tasks are performed to satisfy the requirements set in standards and to implement controls; and
- Guidelines are recommended, but not mandatory.
The term “control standard” is often used loosely when what is actually meant is a “control framework”, such as:
- NIST Cybersecurity Framework (NIST CSF);
- ISO/IEC 27001/27002;
- NIST SP 800-53;
- NIST SP 800-171; or
- Secure Controls Framework (SCF) (or a similar metaframework).