Organizational Controls
These are governance-focused controls that set the stage for the more actionable controls defined within the other three themes. They cover information security policies, use of assets, and cloud service use. This category covers everything that doesn’t fit under the people, technological, or physical themes, such as identity management, the responsibilities of management and information security professionals, and evidence collection.
The Organizational Controls section aggregates:
Management direction for information security
Asset management
Information classification
Supplier relationships
Access control
Incident management
Business continuity management
Compliance with legal and contractual requirements
Information security reviews