Adopt a framework to manage information security
Your organisation should establish a framework to direct and coordinate the management of your information security.
Your framework must:
- be appropriate to the level of security risk in your information environment
- be consistent with your business needs and legal obligations
- integrate with any other frameworks governing your organisation’s security.
Your framework should also cover how you’ll ensure that your organisation:
- understands and follows security policies and processes
- is alerted to changes to systems, risks, or standards
- marks, accesses, and declassifies protected information correctly
- manages and controls access to information.
Examples of best practice frameworks include:
- ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements
- US National Institute of Standards and Technology (NIST) Cyber Security Framework
Page last modified: 4/05/2022