myctrl.tools
Compare

PM-1Information Security Program Plan

>Control Description

a

Develop and disseminate an organization-wide information security program plan that:

1.

Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;

2.

Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;

3.

Reflects the coordination among organizational entities responsible for information security; and

4.

Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;

b

Review and update the organization-wide information security program plan organization-defined frequency and following organization-defined events; and

c

Protect the information security program plan from unauthorized disclosure and modification.

>Cross-Framework Mappings

SOC 2 TSC

CC1.2
Compare
CC1.3
Compare
CC5.3
Compare

SCF

GOV-01
Compare
GOV-02
Compare
GOV-03
Compare

>Supplemental Guidance

An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. An information security program plan can be represented in a single document or compilations of documents. Privacy program plans and supply chain risk management plans are addressed separately in PM-18 and SR-2, respectively.An information security program plan documents implementation details about program management and common controls.

The plan provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended. Updates to information security program plans include organizational changes and problems identified during plan implementation or control assessments.Program management controls may be implemented at the organization level or the mission or business process level, and are essential for managing the organization's information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular system.

Together, the individual system security plans and the organization-wide information security program plan provide complete coverage for the security controls employed within the organization.Common controls available for inheritance by organizational systems are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls.Events that may precipitate an update to the information security program plan include, but are not limited to, organization-wide assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines.

>Related Controls

PL-2
PM-18
PM-30
RA-9
SI-2
SI-12
SR-2

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the structure and authority of the information security program within the organization?
  • How does the information security program coordinate with privacy, risk management, and other organizational programs?
  • What resources (budget, personnel, tools) are allocated to the information security program?
  • How does senior leadership demonstrate commitment and support for the information security program?
  • What governance exists for measuring and reporting on information security program effectiveness?

Technical Implementation:

  • What systems or tools support information security program management?
  • How are program metrics and performance data collected and analyzed?
  • What collaboration platforms support program coordination activities?

Evidence & Documentation:

  • Provide the information security program charter or establishing documentation.
  • Provide organizational charts showing information security program structure and authority.
  • Provide evidence of information security program budget and resource allocation.
  • Provide security program performance metrics and reports to senior leadership.
  • Provide documentation of coordination between security and other organizational programs.

Ask AI

Configure your API key to use AI features.