Companion Document Version 1.0 — 2026-03-12

Exclusion Taxonomy v1.0

The complete, versioned list of explicitly excluded concepts used by Svelto's Dual-Vector Disqualification engine (§2.1 of the Methodology Framework). For each control across all supported frameworks, this taxonomy defines what the control is not — the concepts that, when found in a policy text, programmatically disqualify the control from being mapped.

Purpose and Validation

This taxonomy is systematically validated through a multi-layer review process combining automated semantic verification and human expert spot-checking. Each entry is versioned and auditable. Every exclusion term represents a concept that a given control explicitly does not govern — preventing the Dual-Vector Disqualification engine from making false-positive control mappings when analyzing customer policy documents.

The mathematical mechanism is described in §2.1 of the Methodology Framework: during policy ingestion, each candidate control is scored against two embeddings — the inclusion vector (what the control is) and the exclusion vector (what the control is not). If the policy text scores higher against the exclusion vector than the inclusion vector, the control is programmatically disqualified:

not_for_similarity > similarity → control disqualified

Canonical Example: The SOC 2 control CC1.1 covers organizational ethics, conduct standards, and ethical governance. It evaluates whether leadership sets the tone for ethical behavior, whether standards of conduct are formally established and communicated to employees, contractors, and vendors, and whether deviations are identified and addressed in a timely manner. Its scope is strictly behavioral and organizational — it applies to how people act within and on behalf of the entity.

Its exclusion vector prevents it from being mapped to policy text about IT system data integrity, automated data processing, input validation, ETL pipelines, technical data accuracy, system processing integrity, database consistency, or software integrity. These concepts share the word "integrity" but belong to an entirely different compliance domain — Processing Integrity (PI1.x criteria) — and must not be confused with ethical or organizational integrity as defined by this control.
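The rule above, worked through on the CC1.1 example, as an added illustration that is not Svelto's own code: the inclusion and exclusion vocabularies are taken from the two paragraphs above, a bag-of-words cosine similarity stands in for the real embedding model (an assumption, since the page does not describe the model), and the three policy sentences are constructed for the demonstration. The third sentence shows that the shared word "integrity" alone does not tip a passage about ethical conduct into the Processing Integrity domain.

```python
import math
import re
from collections import Counter

# Scope vocabulary for SOC 2 CC1.1, taken from the canonical example on this page.
CC1_1_INCLUSION = (
    "organizational ethics conduct standards ethical governance leadership sets "
    "the tone ethical behavior standards of conduct established communicated "
    "employees contractors vendors deviations identified addressed timely"
)
CC1_1_EXCLUSION = (
    "IT system data integrity automated data processing input validation "
    "ETL pipelines technical data accuracy system processing integrity "
    "database consistency software integrity"
)

# Constructed policy sentences used as input; they are not from any real policy.
POLICY_CONDUCT = ("Leadership sets the tone at the top. Standards of conduct are "
                  "established and communicated to all employees, contractors and "
                  "vendors, and deviations are addressed in a timely manner.")
POLICY_ETL = ("The ETL pipeline enforces input validation on every batch so that "
              "database consistency and data integrity are maintained during "
              "automated data processing.")
POLICY_MIXED = "All staff are held to the highest standards of integrity and ethical conduct."

STOPWORDS = {"a", "an", "and", "are", "at", "all", "by", "for", "in", "is", "of",
             "on", "so", "that", "the", "to", "with"}


def tokenize(text):
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


def embed(text):
    """Toy embedding: a term-frequency vector (assumption: stands in for the real model)."""
    return Counter(tokenize(text))


def cosine(a, b):
    """Cosine similarity between two sparse term-frequency vectors."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def dual_vector_score(policy_text, inclusion_text, exclusion_text):
    """Score one policy passage against a control's inclusion and exclusion vectors.
    The control is disqualified when not_for_similarity > similarity."""
    policy_vec = embed(policy_text)
    similarity = cosine(policy_vec, embed(inclusion_text))
    not_for_similarity = cosine(policy_vec, embed(exclusion_text))
    return {
        "similarity": similarity,
        "not_for_similarity": not_for_similarity,
        "disqualified": not_for_similarity > similarity,
    }


def evaluate_cc1_1(policy_text):
    """Apply the dual-vector check for CC1.1 to a policy passage."""
    return dual_vector_score(policy_text, CC1_1_INCLUSION, CC1_1_EXCLUSION)


if __name__ == "__main__":
    for name, text in [("conduct", POLICY_CONDUCT), ("etl", POLICY_ETL), ("mixed", POLICY_MIXED)]:
        r = evaluate_cc1_1(text)
        print(f"{name:8s} similarity={r['similarity']:.3f} "
              f"not_for_similarity={r['not_for_similarity']:.3f} "
              f"disqualified={r['disqualified']}")
```

Note that when a passage overlaps neither vocabulary both scores are 0.0 and the strict comparison leaves the control qualified; in a real deployment the inclusion score would additionally have to clear a mapping threshold, which this page does not specify.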

Versioning Rule: Any addition, removal, or modification to any entry in this taxonomy increments both the taxonomy version and the Methodology Framework version. This ensures the audit artifact always references the exact exclusion rules in effect during a given compliance period.

Totals: 443 controls, 5082 exclusion entries, 3 frameworks; taxonomy version 1.0.
How to read this page: each entry below is one compliance control, followed by the list of concepts explicitly excluded from that control's scope (shown as amber tags on the original page).

ISO 27001:2022 (93 controls, 1064 exclusion entries)

Organizational Controls (37 controls)

A.5.1 Policies for information security
Excluded: IT system configuration, technical security controls, data processing procedures, network security implementation, application security testing, physical security measures, incident response procedures, business continuity planning, risk assessment methodology, policy review schedules, policy communication methods, topic-specific security policies, conducting security awareness training, executing disciplinary processes

A.5.2 Information security roles and responsibilities
Excluded: technical system access, IT system configuration, automated security processes, system user permissions, technical security implementation, security awareness training programs, incident response procedures, technical access provisioning, security policy content

A.5.3 Segregation of duties
Excluded: IT system access control, technical access provisioning, automated access management, system performance monitoring, network security configuration, physical security controls, user authentication mechanisms, password policy management, encryption key management procedures, incident response team structure, backup and recovery operations

A.5.4 Management responsibilities
Excluded: IT system access control, technical security configurations, data processing integrity, network security implementation, security incident response procedures, technical vulnerability management, automated security monitoring, information security policy development, segregation of duties implementation, contact with authorities procedures, security awareness training programs, physical security controls

A.5.5 Contact with authorities
Excluded: internal communication, IT system reporting, business continuity planning, auditor communication, vendor communication, customer communication channels, internal escalation procedures, automated compliance monitoring, third-party certification bodies, internal audit processes

A.5.6 Contact with special interest groups
Excluded: internal employee communication, customer support, technical system monitoring, data processing integrity, access control management, security incident response procedures, internal audit processes, vendor management, contact with authorities, media relations, customer relationship management, supplier communications

A.5.7 Threat intelligence
Excluded: internal audit procedures, financial risk assessment, employee background checks, physical security surveillance, business continuity planning, disaster recovery testing, penetration testing reports, security event log analysis, incident response procedures, technical vulnerability assessments, security configuration management, access control monitoring

A.5.8 Information security in project management
Excluded: IT system security patching, network security configuration, application vulnerability scanning, data backup and recovery processes, incident response procedures, physical security of data centers, cloud security configurations, operational security monitoring activities, technical security architecture design, security policy documentation, access control implementation, cryptographic key management operations

A.5.9 Inventory of information and other associated assets
Excluded: IT system data integrity, automated data processing, input validation, ETL data integrity, business process mapping, financial reporting, software development lifecycle, asset disposal procedures, acceptable use policies, media handling procedures, physical asset maintenance, configuration management databases, change management processes

A.5.10 Acceptable use of information and other associated assets
Excluded: technical system configuration, network architecture design, software development lifecycle, database administration, cloud infrastructure management, penetration testing, vulnerability scanning, incident response procedures, asset inventory management, technical access control implementation, cryptographic key management, backup and recovery procedures, security awareness training programs

A.5.11 Return of assets
Excluded: asset inventory management, asset depreciation, asset acquisition, software license management, physical security of assets, ongoing asset monitoring during employment, asset maintenance and repair, asset allocation procedures, permanent asset disposal methods, asset valuation and financial reporting

A.5.12 Classification of information
Excluded: technical data validation, system processing integrity, input validation, automated data transformation, database integrity checks, application performance metrics, technical access control implementation, cryptographic key management, physical security controls, incident response procedures, vulnerability scanning

A.5.13 Labelling of information
Excluded: IT system data integrity, automated data processing, input validation, ETL data integrity, technical data validation, system processing accuracy, database consistency, software version labelling, information classification levels definition, asset inventory management, cryptographic key labelling, network segmentation tagging, code repository tagging

A.5.14 Information transfer
Excluded: storage of information, data processing integrity, system access controls, data classification, information disposal, technical data validation, information backup procedures, data retention policies, user authentication mechanisms, application security controls, incident response procedures

A.5.15 Access control
Excluded: physical security access, building access, biometric access control, network intrusion detection, data loss prevention, system logging, audit trails, security incident response, user registration process, password management, privileged access management tools, access review procedures, authentication mechanisms

A.5.16 Identity management
Excluded: physical access controls, network access control, data encryption, data integrity, system processing integrity, business ethics, organizational integrity, technical system configuration, security awareness training, access rights assignment, authentication mechanisms, password policies, privileged access management, access review processes

A.5.17 Authentication information
Excluded: data processing integrity, system availability, network security, physical access controls, business continuity, disaster recovery, organizational ethics, financial reporting, technical authentication mechanisms, biometric authentication systems, access rights provisioning, user account lifecycle management, privileged access management tools

A.5.18 Access rights
Excluded: physical access controls, firewall rules, data encryption, authentication mechanisms, biometric access, access logs analysis, technical authentication controls, password management systems, multi-factor authentication implementation, physical security badges, automated intrusion detection

A.5.19 Information security in supplier relationships
Excluded: internal IT system security, employee security awareness training, physical security of company premises, software development lifecycle security, network infrastructure security, data encryption at rest, access control policies for employees, internal procurement processes without security requirements, employee background verification, incident response procedures for internal systems, business continuity planning for internal operations, asset management for company-owned equipment

A.5.20 Addressing information security within supplier agreements
Excluded: internal employee agreements, IT system configuration, technical vulnerability management, network security architecture, physical security of facilities, data backup and recovery procedures, supplier selection processes, supplier performance monitoring, internal policy development, employee security training, technical security testing of supplier systems

A.5.21 Managing information security in the ICT supply chain
Excluded: internal IT system security, software development lifecycle security, employee security awareness training, physical security of data centers, network infrastructure security, internal software development processes, employee onboarding security, technical vulnerability management, incident response procedures, access control implementation

A.5.22 Monitoring, review and change management of supplier services
Excluded: internal IT system monitoring, employee performance reviews, software development lifecycle, internal change control processes, technical vulnerability scanning, network traffic analysis, data integrity of internal systems, physical security of internal facilities, initial supplier selection process, supplier onboarding procedures, supplier contract negotiation, internal vendor risk assessment, supplier security audits (A.5.23)

A.5.23 Information security for use of cloud services
Excluded: on-premises infrastructure security, internal IT system security, endpoint device security, software development lifecycle security, business continuity planning for internal systems, internal application security testing, employee access management for internal systems, on-premises backup and recovery, internal network architecture design, proprietary software licensing

A.5.24 Information security incident management planning and preparation
Excluded: technical system vulnerability scanning, automated security monitoring, penetration testing, software development lifecycle security, network security configuration, physical security access controls, user access provisioning, actual incident response execution, real-time incident detection and alerting, forensic evidence collection procedures, business continuity plan activation, post-incident lessons learned reviews

A.5.25 Assessment and decision on information security events
Excluded: technical data integrity, system processing accuracy, automated data validation, input validation, ETL integrity, business ethics, organizational integrity, financial reporting, code of conduct, continuous monitoring tools, SIEM configuration, log aggregation platforms, automated incident response, threat intelligence feeds, vulnerability management processes

A.5.26 Response to information security incidents
Excluded: proactive risk assessment, vulnerability management, security awareness training, data backup and restore procedures, network intrusion detection systems, firewall configuration, access control management, post-incident lessons learned, forensic evidence collection procedures, preventive security controls, security monitoring tool configuration, threat intelligence gathering

A.5.27 Learning from information security incidents
Excluded: technical data integrity, system processing accuracy, input validation, automated data processing, network intrusion detection, vulnerability scanning, real-time incident detection systems, immediate incident containment procedures, technical incident response tools, automated security monitoring, operational incident handling procedures

A.5.28 Collection of evidence
Excluded: IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, books and records, operational logging (A.8.15), security event monitoring (A.8.16), backup procedures, general compliance documentation, routine audit records

A.5.29 Information security during disruption
Excluded: IT system data integrity, automated data processing, input validation, ETL data integrity, database backup and restore, security incident detection and monitoring, vulnerability management processes, access control during normal operations, routine security patch management, day-to-day security operations

A.5.30 ICT readiness for business continuity
Excluded: IT system data integrity, automated data processing, input validation, ETL data integrity, physical security controls, access control management, organizational policy development, human resource security, supplier relationship management, information classification schemes, cryptographic key management

A.5.31 Legal, statutory, regulatory and contractual requirements
Excluded: IT system data integrity, automated data processing, software validation, network security configuration, database access controls, business process automation, technical vulnerability management, physical security implementation, cryptographic algorithm selection, incident response procedures, backup scheduling

A.5.32 Intellectual property rights
Excluded: IT system data integrity, automated data processing, input validation, system processing accuracy, financial reporting integrity, physical asset management, hardware inventory control, network security controls, access control mechanisms, cryptographic key management

A.5.33 Protection of records
Excluded: IT system data integrity, automated data processing, input validation, ETL data integrity, technical data archiving, database record management, system logs, software version control, application data backup, real-time data replication, transactional database records

A.5.34 Privacy and protection of PII
Excluded: IT system data integrity, input validation, ETL data integrity, technical data accuracy, system processing completeness, database consistency, business ethics, organizational integrity, financial reporting integrity, network security controls, physical access control, cryptographic key management, incident response procedures, business continuity planning

A.5.35 Independent review of information security
Excluded: technical security implementation, IT system configuration, automated security testing, penetration testing, vulnerability scanning, security incident response procedures, access control provisioning, operational security monitoring, real-time threat detection, security tool deployment, day-to-day security operations, technical vulnerability assessment

A.5.36 Compliance with policies, rules and standards for information security
Excluded: technical system configuration, IT infrastructure security, software development standards, network security protocols, automated security controls, penetration testing, vulnerability management, legal compliance requirements, contractual compliance obligations, third-party security assessments, technical security testing procedures

A.5.37 Documented operating procedures
Excluded: IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, technical system configuration, security policy development
People Controls (5 controls)

A.6.1 Screening
Excluded: IT system access control, data integrity checks, system access provisioning, software vulnerability screening, user access reviews, privileged access management, security awareness training, code review processes, network security monitoring, application security testing, termination procedures

A.6.2 Terms and conditions of employment
Excluded: IT system access controls, technical data processing, system security configurations, network access policies, software development lifecycle, technical performance metrics, security awareness program delivery, background verification processes, disciplinary procedures implementation, technical user provisioning, organizational security policy development, physical access badge issuance

A.6.3 Information security awareness, education and training
Excluded: technical system configuration, IT infrastructure security, network security hardening, software development security, penetration testing, vulnerability management, access control implementation, data encryption algorithms, personnel screening procedures, background verification processes, disciplinary procedures for security breaches, technical security testing, security policy authoring

A.6.5 Responsibilities after termination or change of employment
Excluded: IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, initial employee onboarding, pre-employment screening, ongoing access reviews, periodic access recertification, identity lifecycle management automation

A.6.8 Information security event reporting
Excluded: technical vulnerability scanning, automated security monitoring, system intrusion detection, network security alerts, data loss prevention systems, security log analysis, penetration testing, incident response planning, forensic investigation procedures, automated threat intelligence, security operations center (SOC) operations, incident containment procedures
Organizational controls (3 controls)

A.6.4 Disciplinary process
Excluded: IT system data integrity, automated data processing, technical system errors, software bugs, network intrusion detection, data corruption, system performance issues, automated access control violations, technical security incident response, system-generated security alerts, organizational policy development, technical vulnerability management

A.6.6 Confidentiality or non-disclosure agreements
Excluded: IT system data integrity, automated data processing, technical data security, network access controls, database encryption, system logging, physical security measures, software development lifecycle, background screening procedures, security awareness training programs, access control policies, incident response procedures, data classification schemes

A.6.7 Remote working
Excluded: physical office security, on-premises network security, data center operations, software development lifecycle, disaster recovery testing, visitor access management, physical access control systems, server room security, network infrastructure hardening, incident response procedures
Physical Controls (14 controls)

A.7.1 Physical security perimeters
Excluded: logical access control, network security, data encryption, information security policy, cybersecurity, software access, digital perimeter, visitor management procedures, personnel screening, working in secure areas procedures, delivery and loading area controls, equipment security

A.7.2 Physical entry
Excluded: logical access control, network security, data access, user authentication, software access, system permissions, digital security, perimeter fencing, building exterior security, working in secure areas procedures, clear desk policies, equipment security controls, remote access authentication

A.7.3 Securing offices, rooms and facilities
Excluded: logical access controls, network security, information security policies, cybersecurity, IT system access, software security, cloud security, digital security, perimeter access control systems, visitor management systems, electronic access badges, biometric authentication

A.7.4 Physical security monitoring
Excluded: logical access controls, network security monitoring, software security, cybersecurity threats, physical access control systems, visitor management procedures, secure area design, application security monitoring, endpoint security monitoring

A.7.5 Protecting against physical and environmental threats
Excluded: logical access controls, network security, data encryption, software vulnerabilities, IT system integrity, cybersecurity threats, information security policies, perimeter security controls, physical entry access controls, visitor management, working in secure areas, equipment siting decisions, clear desk policy

A.7.6 Working in secure areas
Excluded: logical access controls, network security, data encryption, software access, system permissions, remote access, user authentication, firewall configuration, cloud security, physical entry systems, perimeter fencing, building access badges, biometric door locks, security guard operations

A.7.7 Clear desk and clear screen
Excluded: IT system data integrity, automated data processing, input validation, ETL data integrity, network security, database access control, software development lifecycle, cloud security configuration, logical access management, encryption controls, backup and recovery procedures, system hardening, mobile device management

A.7.8 Equipment siting and protection
Excluded: logical access controls, software security, network security, cloud infrastructure security, system configuration, data encryption, vulnerability management, personnel access control systems, visitor management procedures, equipment maintenance schedules, secure disposal of equipment

A.7.9 Security of assets off-premises
Excluded: on-premises physical security, data center security, server room access controls, network infrastructure security, cloud service provider security, software security vulnerabilities, application access controls, permanent facility physical security, organizational premises perimeter controls, fixed location security monitoring, bring your own device (BYOD) policies

A.7.10 Storage media
Excluded: cloud storage security, network attached storage, virtual machine storage, data encryption at rest, logical access controls, database storage management, SAN infrastructure controls, file server access controls, electronic document management systems, automated backup software configuration

A.7.11 Supporting utilities
Excluded: IT system data integrity, software processing, network security, application availability, data backup and recovery, logical access controls, organizational business continuity procedures, IT disaster recovery procedures, perimeter access control systems, visitor management systems, equipment disposal procedures

A.7.12 Cabling security
Excluded: logical access controls, software security, system configuration, network protocols, wireless security, data encryption, network segmentation controls, firewall configurations, server room access controls (A.7.2), equipment maintenance procedures, backup power systems, environmental monitoring systems

A.7.13 Equipment maintenance
Excluded: system patching, security vulnerability management, cloud infrastructure maintenance, application updates, logical access control maintenance, software license management, configuration management activities, capacity management planning, IT service management processes

A.7.14 Secure disposal or re-use of equipment
Excluded: cloud data deletion, data backup policies, data retention policies, software licensing, network equipment configuration, active data archiving, operational data wiping for system refresh, digital asset lifecycle management, procurement of new equipment
Technological Controls (34 controls)

A.8.1 User endpoint devices
Excluded: server endpoint security, network device security, software development lifecycle, server hardening procedures, network infrastructure management, application access control policies, identity and authentication management, data center physical security, IoT device security

A.8.2 Privileged access rights
Excluded: standard user access, general employee access, physical access controls, network access control, user authentication methods, password policies, data encryption, regular user provisioning workflows, guest access management, application user roles (non-privileged), end-user device access, customer-facing access controls

A.8.3 Information access restriction
Excluded: physical access controls, user identity lifecycle management (A.5.18), privileged access rights management (A.8.2), secure authentication procedures (A.5.17), physical security perimeter controls (A.7.2), network segregation architecture (A.8.22), cryptographic key management (A.8.24), access logging and monitoring (A.8.15)

A.8.4 Access to source code
Excluded: production system access, database access control, network access control, physical access to facilities, application runtime security, system processing integrity, end-user application access, compiled code execution, business user account provisioning, operational data access, infrastructure configuration management

A.8.5 Secure authentication
Excluded: authorization policies, role-based access control, physical access controls, data encryption, user provisioning, access rights assignment, privilege escalation controls, network segmentation, secure software development, organizational access policies

A.8.6 Capacity management
Excluded: business process capacity, human resource capacity, organizational capacity planning, financial capacity, project capacity management, technical debt management, incident response capacity, change management processes, configuration management, patch management scheduling, backup scheduling

A.8.7 Protection against malware
Excluded: business continuity planning, disaster recovery, physical security, insider threat detection, patch management processes, network firewall configuration, cryptographic key management, identity and access management, secure software development lifecycle, penetration testing activities

A.8.8 Management of technical vulnerabilities
Excluded: organizational policy management, business process integrity, financial reporting controls, employee training on ethics, physical security vulnerabilities, human error prevention, data privacy regulations, secure software development lifecycle, application security testing in development, network architecture design, access control configuration, cryptographic key management, backup and recovery procedures

A.8.9 Configuration management
Excluded: organizational policy management, business process definition, risk assessment methodology, personnel security procedures, physical security controls, data backup strategy, incident response planning, software development lifecycle, vendor risk management, patch management processes, vulnerability assessment activities, access control policy, cryptographic key management, capacity planning

A.8.10 Information deletion
Excluded: data backup and recovery, data archiving for historical purposes, data integrity checks, data processing accuracy, data classification, data masking, data anonymization techniques, logical deletion or soft delete, data retention schedule creation, backup tape rotation, access control policies for data

A.8.11 Data masking
Excluded: real-time data validation, input validation, financial reporting, audit trails, data encryption in transit, data encryption at rest, access control policies, data classification schemes, backup and recovery procedures, network security controls

A.8.12 Data leakage prevention
Excluded: data validation, access control policy, data classification, risk assessment, business continuity, disaster recovery, encryption at rest, user access provisioning, backup and restore procedures, vulnerability management, security awareness training programs

A.8.13 Information backup
Excluded: system processing, security awareness training, application development, business continuity planning, disaster recovery planning, incident response procedures, capacity management, change management processes, vulnerability management, cryptographic key management

A.8.14 Redundancy of information processing facilities
Excluded: access control policies, network security configuration, software development lifecycle, backup and restore procedures, component-level redundancy, single system high availability, network redundancy only, data replication without facility redundancy, business continuity planning documentation, incident response procedures

A.8.15 Logging
Excluded: business process logging, manual record keeping, organizational policy documentation, application performance metrics, business intelligence reporting, customer transaction records, network traffic content inspection, real-time monitoring dashboards, log aggregation tools (as distinct from logs themselves), compliance attestation documents

A.8.16 Monitoring activities
Excluded: business process monitoring, financial transaction monitoring, organizational performance monitoring, manual data entry verification, user behavior analytics (UBA) for non-security purposes, quality assurance testing, event logging configuration (A.8.15), incident response procedures (A.5.24-A.5.27), vulnerability scanning activities (A.8.8), access control monitoring for authorization decisions (A.5.15-A.5.18), backup monitoring for data recovery purposes

A.8.17 Clock synchronization
Excluded: business process timing, project scheduling, organizational workflow, manual time recording, calendar management, scheduling meetings, human perception of time, application performance timing, database transaction timestamps (A.8.24), backup scheduling (A.8.13), certificate validity periods (A.8.3), user session timeouts (A.8.5)

A.8.18 Use of privileged utility programs
Excluded: general software installation, end-user applications, standard user permissions, business process automation, data entry validation, organizational ethics, financial reporting controls, regular user account management, application-level access controls, network security tools, backup and recovery software, standard operating system functions

A.8.19 Installation of software on operational systems
Excluded: software development, source code management, testing environments, data processing integrity, organizational ethics, software development lifecycle, application security testing, secure coding practices, configuration management processes, change management procedures, vulnerability scanning activities, network security controls

A.8.20 Networks security
Excluded: physical security of network devices, employee network usage policy, application security testing, business continuity planning for networks, organizational network access rights, endpoint security controls, identity and access management systems, security logging and monitoring systems, vulnerability management programs, incident response procedures

A.8.21 Security of network services
Excluded: application layer security, endpoint security, data encryption at rest, physical network security, business continuity planning, disaster recovery, software development lifecycle security, database security controls, cloud infrastructure security (non-network), identity and access management policies, security awareness training, incident response procedures, vulnerability management programs

A.8.22 Segregation of networks
Excluded: application segregation, data segregation, user segregation, physical segregation of equipment, data classification, system hardening, endpoint security controls, identity and access management systems, wireless network security policies, cloud tenant isolation, organizational segregation of duties

A.8.23 Web filtering
Excluded: email filtering, data loss prevention, endpoint protection, network intrusion detection, email spam filtering, malware detection systems, network firewall configuration, application whitelisting, secure web gateway threat prevention

A.8.24 Use of cryptography
Excluded: business process integrity, organizational policy enforcement, financial record keeping, human resource management, physical security measures, non-cryptographic access controls, organizational security awareness training, incident response procedures, vulnerability management programs, backup and recovery operations, physical media disposal, supplier security assessments

A.8.25 Secure development life cycle
Excluded: organizational integrity, business ethics, financial reporting integrity, code of conduct, books and records integrity, ETL data integrity, general IT security policies, production environment security, operational vulnerability scanning, network security controls, infrastructure security hardening, security incident response, third-party security assessments, security awareness training

A.8.26 Application security requirements
Excluded: organizational security policies, physical security controls, network security infrastructure, business continuity planning, personnel security procedures, third-party risk management, incident response management, infrastructure security controls, operational vulnerability scanning, security monitoring and logging operations, patch management processes, endpoint security controls

A.8.27 Secure system architecture and engineering principles
Excluded: organizational ethics, business process integrity, financial reporting integrity, code of conduct, manual process security, physical security controls, data privacy policies, application source code review, secure coding implementation, software testing procedures, patch management processes, incident response procedures

A.8.28 Secure coding
Excluded: organizational integrity, business ethics, financial reporting, code of conduct, IT system data integrity, automated data processing, ETL data integrity, system processing accuracy, manual process security

A.8.29 Security testing in development and acceptance
Excluded: business continuity testing, disaster recovery testing, organizational policy testing, financial audit procedures, user acceptance testing (functional), performance testing, operational security monitoring, production security testing, security awareness training, third-party security assessments (vendor audits), security architecture review (design phase only)

A.8.30 Outsourced development
Excluded: in-house development, internal development processes, internal software development lifecycle, organizational secure coding policies, general supplier relationship management, supplier selection and onboarding processes, non-development outsourcing services, infrastructure outsourcing, managed service providers (non-development)

A.8.31 Separation of development, test and production environments
Excluded: business continuity, disaster recovery, security awareness training, incident response procedures, vendor management processes, physical security controls, cryptographic key management, backup and recovery operations, security monitoring and logging, patch management processes
A.8.32 Change management
organizational change managementbusiness process reengineeringstrategic planningpersonnel changesrisk assessment methodologysecurity incident responseasset inventory managementcapacity planningbusiness continuity planninguser access provisioningvulnerability managementbackup and recovery procedures
A.8.33 Test information
business process testingorganizational policy testingfinancial audit testingcompliance audit procedureshuman resource testingsecurity testing activities (A.8.29)change testing procedures (A.8.32)operational test executiontest planning documentation
A.8.34 Protection of information systems during audit testing
general data integritybusiness process integrityfinancial reporting integrityorganizational ethicscode of conductsystem processing accuracyautomated data validationinput validationETL data integritypenetration testing methodologycontinuous monitoring systemsoperational system maintenanceroutine backup testingperformance testing proceduressecurity assessment frameworks

SOC 2 (2017) 51 controls — 593 exclusion entries
Control Environment 6 controls
CC1.1 Demonstrates commitment to integrity and ethical values
IT system data integrity, automated data processing, input validation, ETL data integrity, technical data accuracy, system processing integrity, database consistency, software integrity, technical competence requirements, role-based access controls, segregation of duties implementation
CC1.2 Exercises oversight responsibility
IT system oversight, technical system monitoring, automated process oversight, data processing oversight, system configuration management, application security oversight, network infrastructure oversight, day-to-day operational management, employee performance management, technical control implementation, operational policy enforcement, management-level decision making
CC1.3 Establishes structure, authority, and responsibility
IT system architecture, automated process ownership, system access permissions, technical system configuration, code-level ownership, automated workflow design, infrastructure topology, competency assessment criteria, performance evaluation metrics
CC1.4 Demonstrates commitment to competence
IT system processing, data validation, technical system configuration, automated controls, software development lifecycle, network security, system access controls, physical security measures, organizational structure design, board oversight activities, ethical values communication, accountability mechanisms, technical security monitoring
CC1.5 Enforces accountability
IT system access control, technical system accountability, automated process responsibility, individual user access, system configuration responsibility, technical audit logging, organizational structure design, competency assessment, board governance oversight
CC3.3 Considers potential for fraud
IT system data integrity, automated data processing, input validation, ETL data integrity, system processing accuracy, technical vulnerability assessment, security incident response, business continuity planning, disaster recovery, organizational structure design, competency and capability assessment, performance measurement systems, general risk identification processes
Communication and Information 3 controls
CC2.1 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control
IT system data integrity, automated data processing, input validation, ETL data integrity, technical data accuracy, system processing completeness, database consistency, network traffic analysis, vulnerability scanning results, internal communication channels, external communication methods, risk assessment processes, organizational structure design, system change management
CC2.2 Internal communication of objectives and responsibilities for control environment
IT system communication protocols, network traffic, data transmission, technical documentation, software updates, system alerts, automated notifications, external stakeholder communications, customer-facing communications, third-party vendor communications, public disclosure requirements, marketing communications
CC2.3 Internal Control Information Communicated to External Parties
internal communication, employee training, technical system logs, data processing logs, IT system alerts, technical documentation, software development communication, internal control documentation, employee policy manuals, operational procedure guides, internal audit reports, management review meetings
Entity-Level Controls 1 control
CC3.1 Specifies suitable objectives
IT system risk assessment, technical vulnerability assessment, security incident risk, operational risk metrics, automated risk scoring, penetration testing objectives, software development risk, risk identification procedures, risk analysis methodologies, control implementation objectives, threat modeling activities
Risk Assessment 1 control
CC3.2 Identifies and analyzes risk
IT system vulnerability scanning, technical penetration testing, security incident response, automated risk scoring, network security assessment, application security testing, compliance audits, risk response planning, risk monitoring activities, control effectiveness testing, third-party audit procedures, operational incident management
Change Management 3 controls
CC3.4 Identifies and assesses changes that could affect the system
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, books and records, technical system vulnerabilities
CC8.1 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives
business process changes, organizational restructuring, strategic planning, financial reporting changes, ethical conduct changes, user access provisioning, security incident response, business continuity planning activities, vendor contract management, data classification schemes
CC9.1 Identifies and Manages the Risk of Change
risk acceptance, risk avoidance, risk transfer, technical vulnerability scanning, security awareness training, business continuity planning, disaster recovery planning, compliance audits, incident response procedures, access control management, vendor risk assessment, data classification processes, security monitoring activities
Monitoring Activities 2 controls
CC4.1 Selects, develops, and performs ongoing and/or separate evaluations to ascertain whether components of internal control are present and functioning
IT system monitoring, security event logging, technical vulnerability scanning, automated system checks, real-time security alerts, network traffic analysis, application performance monitoring, data integrity checks, continuous control monitoring tools, automated compliance scanning, policy documentation reviews, incident response activities, change management approvals
CC4.2 Evaluates and communicates internal control deficiencies
technical system monitoring, automated log analysis, network intrusion detection, application performance monitoring, database integrity checks, code review, vulnerability scanning, penetration testing, initial deficiency identification processes, operational incident response, technical control implementation, day-to-day monitoring execution, automated alerting systems
Control Activities 3 controls
CC5.1 Selects and develops control activities
control monitoring and evaluation activities (CC4 focus), risk assessment methodology (CC3 focus), organizational governance structure (CC2 focus), control environment culture and values (CC1 focus), information and communication systems design (CC6 focus), third-party vendor selection criteria, strategic planning processes
CC5.2 Selects and develops general IT controls over technology
specific application logic, business process controls, organizational ethics, financial reporting integrity, personnel security, data privacy regulations, application-level validation controls, business continuity planning strategy, vendor management processes, end-user computing applications
CC5.3 Deploys control activities through policies and procedures
technical system configuration, automated security controls, individual user access, data encryption methods, network security protocols, vulnerability scanning, incident response execution, software development lifecycle
Logical and Physical Access Controls 8 controls
CC6.1 Implements logical access security software, infrastructure, and architectures
physical access controls, security awareness training, intrusion detection systems, organizational access policies, manual access reviews, data encryption at rest, security incident response procedures, vulnerability management processes, change management procedures, backup and recovery systems
CC6.2 Manages credentials and secrets for authentication
physical access controls, user provisioning, role-based access control policies, network access control, organizational access policies, logical access review, user authentication methods selection, access request workflows, authorization rule configuration, session management controls, user deprovisioning processes
CC6.3 Authorizes access based on role and least privilege
physical access controls, system configuration, data encryption, password complexity, security awareness training, incident response, vulnerability management, authentication mechanisms, multi-factor authentication, password management, access logging and monitoring
CC6.4 Restricts physical access to facilities and assets
logical access control, network security, data access, user authentication, system permissions, remote access, software access, cloud access
CC6.5 Removes and destroys system components containing sensitive information
logical access control, user account management, data encryption at rest, data backup and recovery, physical security of active assets, active system monitoring, data retention policy management, asset procurement processes, preventive maintenance of equipment, logical data archiving
CC6.6 Implements logical access security for external threats
physical access controls, internal threats, employee access management, user provisioning, role-based access control (RBAC) implementation details, data encryption at rest, data backup and recovery, business continuity planning, disaster recovery, internal user authentication mechanisms, privileged access management for administrators, application-level access controls, data encryption in transit (internal), security awareness training programs
CC6.7 Restricts the transmission, movement, and removal of information to authorized internal and external users and processes
user authentication, password management, data encryption at rest, data integrity validation, system processing accuracy, organizational ethics, business continuity, disaster recovery, user provisioning processes, role-based access control (RBAC), encryption key management, data classification schemes, system change management
CC6.8 Restriction of Access to System Components and Data
system configuration management, data backup and recovery, incident response procedures, software development lifecycle, user authentication mechanisms, password policy management, network security controls, encryption key management, vulnerability management processes, security awareness training programs, vendor contract negotiations
System Monitoring 1 control
CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify anomalies; indicators of unauthorized access, modification, or destruction of information; non-compliance with policies; and other system and information integrity issues
business process vulnerabilities, organizational risk assessment, strategic threat analysis, code of conduct violations, physical security monitoring, personnel background screening, vendor risk assessment programs, business continuity planning, data classification procedures, application development security testing, patch management processes
System Operations 4 controls
CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives
risk assessment, vulnerability scanning, penetration testing, business process monitoring, financial anomaly detection, compliance auditing, user access reviews, static code analysis, configuration compliance scanning, scheduled backup verification, user behavior analytics for access patterns, application-level data validation
CC7.3 Evaluates security events
vulnerability management, penetration testing, security awareness training, policy development, business continuity planning, disaster recovery, access control reviews, organizational risk assessment, security incident remediation, change management processes, security architecture design, compliance auditing
CC7.4 Responds to security incidents
risk assessment methodology, vulnerability management, penetration testing, security awareness training, access control policy, system configuration management, security architecture design, proactive threat hunting, security monitoring infrastructure, preventive security controls, routine system maintenance, compliance audit procedures
CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents
risk assessment, security awareness training, access control policies, vulnerability management, organizational ethics, financial reporting, initial incident detection, incident classification procedures, preventive security controls, threat intelligence gathering, business continuity planning activities, pre-incident preparedness training
Risk Mitigation 1 control
CC9.2 Assesses and manages risks from vendors and business partners
IT system data integrity, automated data processing, input validation, ETL data integrity, internal process risk, employee risk, technical vulnerability assessment, internal change management, system development lifecycle, logical access controls, network security monitoring, incident response procedures
Availability 3 controls
A1.1 Maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity demand
security vulnerability assessment, business continuity planning, disaster recovery, application performance tuning, database performance optimization, incident response procedures, access control management, change management processes, backup and recovery operations
A1.2 Environmental Protections, Software, Data Backup, and Recovery Infrastructure
organizational integrity, financial reporting, code of conduct, input validation, data processing accuracy, system completeness, access control policies, security awareness training, risk assessment methodology, logical access controls, user authentication mechanisms, data encryption at rest, network security monitoring, vulnerability management programs, change management approval workflows
A1.3 Tests recovery plan procedures supporting system recovery to meet availability commitments and requirements
security incident response, data backup strategy, network infrastructure design, application development lifecycle, organizational ethics, financial reporting, access control policies, risk assessment methodology, backup execution procedures, capacity planning activities, performance monitoring tools, change management processes, vulnerability scanning
Processing Integrity 5 controls
PI1.1 Obtains, generates, uses, and communicates quality information regarding processing objectives, data definitions, and product specifications
organizational integrity, business ethics, code of conduct, financial reporting, books and records integrity, IT system security, access controls, physical security, network security controls, change management procedures, incident response, system availability monitoring, confidentiality controls
PI1.2 Implements policies and procedures over system inputs, including controls over completeness and accuracy
organizational integrity, business ethics, financial reporting integrity, code of conduct, books and records integrity, human decision-making processes, strategic risk assessment, physical access controls, output validation controls, data processing transformation, data storage integrity, system output completeness, report generation accuracy
PI1.3 Implements policies and procedures over system processing to ensure processing is complete, valid, accurate, timely, and authorized
organizational integrity, business ethics, code of conduct, financial reporting integrity, books and records integrity, database referential integrity, storage data integrity controls, network data transmission integrity, physical access integrity, source code integrity, backup data integrity, cryptographic data integrity
PI1.4 Implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, code of conduct, system availability, data processing logic, internal data transformation, system performance monitoring, access control mechanisms, data retention policies
PI1.5 Implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications
business ethics, organizational integrity, financial reporting integrity, code of conduct, manual data entry accuracy, human decision-making, strategic data governance, data transmission integrity, network data transfer, data validation logic, input validation controls, data transformation accuracy, access control policies
Confidentiality 2 controls
C1.1 Identifies and maintains confidential information to meet the objectives related to confidentiality
IT system data integrity, automated data processing, input validation, ETL data integrity, system processing accuracy, technical data validation, business process integrity, organizational ethics, availability monitoring, system uptime requirements, privacy consent management, personal data subject rights
C1.2 Disposes of confidential information to meet the objectives related to confidentiality
data retention policies, data access controls, data encryption at rest, data backup and recovery, data classification, data transmission security, organizational ethics, IT system integrity, processing integrity, data archiving procedures, data masking techniques, data loss prevention controls, secure data transfer protocols, data anonymization methods
Privacy 8 controls
P1.1 Provides notice to data subjects about its privacy practices to meet the objectives related to privacy
IT system data integrity, automated data processing, input validation, ETL data integrity, system processing accuracy, technical data handling, security incident notification, data breach reporting, access control mechanisms, encryption implementation, data retention execution, consent opt-in mechanisms, data subject access request processing
P1.2 Communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects
IT system data integrity, automated data processing, technical data validation, system access controls, security incident response, organizational ethics, financial reporting integrity, business process automation, technical privacy engineering, data breach notification procedures, internal privacy training programs
P1.3 Collects personal information only for the purposes identified in the notice to meet the objectives related to privacy
data storage security, data processing accuracy, IT system integrity, data retention policies, data deletion processes, technical data validation, automated data processing, access control to data, data breach notification
P1.4 Limits the use of personal information to the purposes identified in the notice and for which the data subject has provided implicit or explicit consent
IT system data integrity, input validation, ETL data integrity, technical data accuracy, system processing completeness, database consistency, technical access controls, security incident response, data retention policies, privacy notice content requirements, data subject access requests, organizational security policies, network security controls
P1.5 Retains personal information consistent with the objectives related to privacy
IT system data integrity, automated data processing, input validation, ETL data integrity, technical data accuracy, system processing completeness, business ethics, organizational integrity, financial reporting, code of conduct, data collection procedures, consent management, access control mechanisms, encryption at rest, privacy notice requirements
P1.6 Disposes of personal information to meet the objectives related to privacy
IT system data integrity, automated data processing, input validation, ETL data integrity, data processing accuracy, system completeness, business ethics, organizational integrity, financial reporting, code of conduct
P1.7 Discloses personal information to third parties with appropriate consent and only for identified purposes to meet the objectives related to privacy
IT system data integrity, automated data processing, technical data validation, system access controls, network security, software development lifecycle, business continuity, physical security, internal data transfers, data retention policies, encryption in transit, data collection practices, anonymization techniques
P1.8 Provides data subjects with access to their personal information for review and correction and informs data subjects of denied requests
IT system access control, technical data integrity, system processing accuracy, database access management, network security, application security, data encryption, security incident response, data retention policies, automated data processing, third-party data sharing

NIST 800-53 Rev5 299 controls — 3425 exclusion entries
Access Control 23 controls
AC-1 Policy and Procedures
technical access control implementationfirewall rule configurationnetwork access controlsystem authentication mechanismspassword complexity settingsbiometric authenticationphysical access controlsdata encryptionintrusion detection systemsaccount provisioning workflowsaccess request approval processesprivileged access management toolssession management configurationaudit log generation
AC-2 Account Management
physical access controlbiometric authenticationpassword complexity policiesnetwork access controlsecurity awareness trainingaccess enforcement mechanismsauthentication methodssession managementauthorization policiescryptographic key management
AC-3 Access Enforcement
identity proofingauthentication mechanismspassword managementuser provisioningaccess review frequencyphysical access controlsaccount creation procedurescredential lifecycle managementaccess certification processessession management controlsaudit log review procedures
AC-4 Information Flow Enforcement
processing accuracybusiness continuitydisaster recoveryorganizational ethicsfinancial reportinguser authenticationpassword managementlogical access permissionsidentity verification processesaudit log generationencryption key managementphysical access controls
AC-5 Separation of Duties
IT system data integrityautomated data processinginput validationETL data integritytechnical system configurationsystem performance monitoringnetwork security protocolspassword complexity requirementsencryption key management technical controlsfirewall rule configurationpatch management schedulinglog file format specificationsbackup retention periods
AC-6 Least Privilege
identity managementauthentication mechanismspassword policiesmulti-factor authenticationaccess loggingaudit trailsphysical access controlsnetwork access control listsdata encryptionuser account creation processescredential managementsession management controlsaccess control policy documentationsecurity awareness training
AC-7 Unsuccessful Logon Attempts
successful logon eventsuser authentication methodspassword complexity requirementsmulti-factor authentication implementationaccess control policy definitionnetwork intrusion preventionpassword reset proceduressession timeout configurationprivilege escalation controlsbiometric authentication systems
AC-8 System Use Notification
technical system integritydata processing accuracyinput validationautomated data processinguser authentication mechanismssystem configuration managementvulnerability scanningsecurity incident responsetechnical access enforcement mechanismsidentity verification processespassword managementsession management controlsauthorization rule implementationaccount provisioning workflows
AC-9 Previous Logon Notification
system access provisioninguser account creationpassword policy enforcementmulti-factor authentication implementationaccess control list managementphysical access controlssecurity incident response proceduresdata breach notificationsession timeout configurationaudit log generationuser authentication mechanismsaccess authorization decisionsaccount lockout policies
AC-10 Concurrent Session Control
unauthenticated sessionsnetwork session managementapplication performance tuningload balancinguser account provisioningpassword managementsession timeout configurationidle session terminationsession token managementsingle sign-on implementation
AC-11 Device Lock
server access controlnetwork device configurationdata encryption at restremote access securitypassword policy enforcementuser provisioningsystem auditingapplication-level timeout configurationnetwork session terminationautomatic logoff proceduresscreensaver aesthetics
AC-12 Session Termination
session persistencesession hijacking preventionphysical access terminationconcurrent session control (AC-10)session authenticity verification (SC-23)remote session encryption (SC-8)session auditing and logging (AU-2)password-based authentication (IA-5)device session managementsession token generation
AC-14 Permitted Actions Without Identification or Authentication
authenticated accessprivileged accesssensitive data accessuser authentication mechanismsrole-based access controlmulti-factor authenticationsecure login procedurespassword managementcredential lifecycle managementsession management controlsaccount provisioning processesbiometric authentication systems
AC-16 Security and Privacy Attributes
technical system data integrityautomated data processing accuracyinput validationETL data integritybusiness ethicsorganizational integrityfinancial reporting integritycode of conductbooks and records integritysystem processing completeness
AC-17 Remote Access
physical access controlson-premises access managementinternal network accessuser account provisioningdata encryption at restlocal wireless LAN security (AC-18)mobile device management policiesprivileged local accesssession lock mechanismspassword complexity requirements aloneorganizational access agreements without remote component
AC-18 Wireless Access
wired network securityphysical access controldata encryption at restapplication-level securityfirewall configurationcloud network securityremote access policy (non-wireless)Bluetooth device managementcellular network securitywired 802.1X authentication
AC-19 Access Control for Mobile Devices
server access controldesktop computer securitynetwork infrastructure accessphysical access to data centersapplication-level permissionsdatabase access managementuser account provisioningwireless network authentication (AC-18)remote access VPN configuration (AC-17)workstation security policies for fixed devicesIoT device managementstationary endpoint protection
AC-20 Use of External Systems
internal system accessuser authenticationpassword managementrole-based accessphysical access to facilitiesnetwork segmentationfirewall configurationdata encryption for internal storageVPN technical configurationinternal network access controlsprivileged user account management
AC-21 Information Sharing
IT system data integrityautomated data processinginput validationETL data integritytechnical data transfer protocolsuser authenticationdata encryption for transitrole-based access control (RBAC)mandatory access control (MAC)least privilege enforcementaccount provisioning workflowsnetwork segmentation controls
AC-22 Publicly Accessible Content
internal system accessconfidential data protectionsensitive information handlingemployee access controlssystem authenticationnetwork segmentationprivate data securityuser authentication mechanismsinternal document managementprivileged access managementencrypted data transmission
AC-23 Data Mining Protection
IT system data integrityautomated data processinginput validationETL data integritybusiness ethicsorganizational integrityfinancial reportingcode of conductbooks and recordstechnical data validation
AC-24 Access Control Decisions (Transmitted Between Systems)
access control hardwarephysical access controlsbiometric authenticationpassword policiessystem loggingaudit trailsinitial access authorization processesuser account provisioningaccess control list configurationsingle-system access enforcementauthentication credential management
AC-25 Reference Monitor
user access provisioningrole-based access control implementationphysical access controlsidentity and access managementsecurity awareness trainingdiscretionary access control policiesmandatory access control policiesuser authentication mechanismsaccess control list managementprivilege escalation procedures
Awareness and Training 5 controls
AT-1 Policy and Procedures
IT system configurationtechnical vulnerability managementnetwork security protocolssoftware development lifecycledata processing integrityphysical security measuresaccess control implementationtraining content developmenttraining delivery methodssecurity awareness campaign executionrole-based training implementationtraining effectiveness measurement
AT-2 Security Awareness Training
technical system configurationnetwork security protocolssoftware development lifecyclepenetration testingvulnerability managementdata encryption algorithmsaccess control list managementphysical security measuresrole-based security trainingspecialized security trainingtechnical security implementationsecurity control implementationincident response procedures
AT-3 Role-Based Training
technical system configurationnetwork security architecturesoftware development lifecyclepenetration testingvulnerability managementdata encryption algorithmscloud infrastructure securityphysical security access controlsgeneral security awareness campaignsliteracy training programsautomated security testingtechnical security assessments
AT-4 Training Records
training content, training delivery methods, training curriculum development, IT system access logs, security incident reports, personnel performance reviews, technical skills assessment, training needs assessment, training program design, training budget allocation, learning management system configuration, training instructor qualifications, training material development, post-training knowledge testing
AT-6 Training Feedback
technical system performance, IT infrastructure monitoring, software bug reporting, network security incident response, data processing integrity, system availability metrics, application vulnerability assessment
Audit and Accountability (15 controls)
AU-1 Policy and Procedures
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, technical system configuration, network traffic analysis, operational audit log generation, real-time security monitoring, incident response procedures, access control policy implementation, technical audit tool configuration
AU-2 Audit Events
business process logging, user experience logging, application performance monitoring, marketing analytics logging, manual log entry, network traffic logging (SI-4), continuous monitoring dashboards (CA-7), vulnerability scanning logs (RA-5), backup and recovery logs (CP-9), configuration change logs (CM-3)
AU-3 Content of Audit Records
log storage duration, log analysis techniques, log retention policies, log integrity verification, log aggregation, log management system configuration, data processing integrity, audit event selection criteria, automated log response actions, log correlation tools, audit capacity planning, real-time alerting mechanisms
AU-4 Audit Log Storage Capacity
audit log content, log analysis techniques, log generation frequency, log format standardization, real-time log monitoring, audit record protection mechanisms, automated log analysis tools, log correlation techniques, audit event selection criteria, log transmission protocols, cryptographic log integrity verification
AU-5 Response to Audit Processing Failures
audit logging content, log analysis techniques, log data retention policies, log aggregation, log forwarding, data processing accuracy, business process continuity, audit record generation requirements, audit log protection mechanisms, time-stamp synchronization, audit reduction and report generation
AU-6 Audit Record Review, Analysis, and Reporting
IT system data integrity, automated data processing, input validation, ETL data integrity, business process automation, financial reporting accuracy, organizational ethics, code of conduct, technical system configuration, user access provisioning
AU-7 Audit Record Reduction and Report Generation
audit record creation, audit record storage, real-time audit monitoring, system performance monitoring, log forwarding, automated audit response (AU-5), continuous audit monitoring (AU-6), audit record protection mechanisms (AU-9), audit record retention periods (AU-11), centralized audit log collection (AU-4)
AU-8 Time Stamps
business process timing, project deadlines, manual time tracking, application performance timing, real-time data processing latency, human response times, task scheduling systems, application-level timestamps for business transactions, user interface display time formatting
AU-9 Protection of Audit Information
business process integrity, organizational ethics, financial reporting integrity, code of conduct, automated data processing, input validation, ETL data integrity, user access provisioning, application data integrity, database transaction integrity, audit log generation, audit event content definition, audit review and analysis, system monitoring
AU-10 Non-Repudiation
system availability, confidentiality, access control, business continuity, disaster recovery, organizational ethics, financial reporting, technical system processing, input validation, general audit logging, audit record retention, audit review and analysis, real-time alerting, automated monitoring
AU-11 Audit Record Retention
real-time log analysis, log monitoring tools, log aggregation platforms, system performance logs, application error logs, audit record generation processes, log rotation mechanisms, active audit review procedures, audit capacity planning, log transmission protocols
AU-12 Audit Record Generation
audit record content, log retention policies, log analysis, log storage, audit event selection criteria (AU-2), audit record review processes (AU-6), audit log protection mechanisms (AU-9), audit capacity planning (AU-4), audit reduction and reporting (AU-7), time stamp correlation (AU-8)
AU-13 Monitoring for Information Disclosure
data entry validation, input data integrity, automated data processing accuracy, system configuration integrity, business process integrity, organizational ethics, financial reporting controls, technical system access control, internal audit log review, network traffic analysis, endpoint monitoring, real-time intrusion detection, system performance monitoring
AU-14 Session Audit
system configuration auditing, data processing integrity, financial transaction auditing, application code auditing, network traffic analysis, physical access logs, business process auditing, general audit record generation (AU-2), audit record content requirements (AU-3), audit log storage capacity (AU-4), session lock mechanisms (AC-11), continuous monitoring programs (CA-7)
AU-16 Cross-Organizational Audit Logging
internal audit logging, single system audit trails, input validation, single-organization security monitoring, standalone SIEM deployment, internal-only log management, application-level audit events, network traffic logging, host-based audit generation
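The Audit and Accountability entries show the two jobs an exclusion list does: it keeps a control away from unrelated domains (marketing analytics logging is not AU-2), and it hands sibling concepts to the control that owns them (the parenthesised "(SI-4)" after "network traffic logging" in AU-2, the "(AU-2)" after "audit event selection criteria" in AU-12). The following Python is an added example, not the taxonomy's or Svelto's own code: it parses AU-2 and AU-12 in the comma-separated shape used on this page, separates each cross-reference annotation from its term, and applies the rule not_for_similarity > similarity → disqualified to three constructed policy sentences. Bag-of-words cosine stands in for the embedding similarity the engine uses, the inclusion texts are assumed paraphrases of what each control covers (the page lists only exclusions), and the policy sentences are made up for the demonstration.

```python
"""Dual-vector disqualification over exclusion-taxonomy entries.

Added example, not part of the taxonomy or of Svelto's engine. Embedding
similarity is replaced by bag-of-words cosine (an assumption so the example
runs offline); INCLUSION_TEXT holds assumed paraphrases of AU-2 and AU-12.
"""
import math
import re
from collections import Counter

# Constructed excerpt of the AU-2 and AU-12 entries above, one control line
# followed by one comma-separated term line. "(SI-4)" etc. are cross-references.
TAXONOMY_EXCERPT = """\
AU-2 Audit Events
business process logging, user experience logging, application performance monitoring, marketing analytics logging, manual log entry, network traffic logging (SI-4), continuous monitoring dashboards (CA-7), vulnerability scanning logs (RA-5), backup and recovery logs (CP-9), configuration change logs (CM-3)
AU-12 Audit Record Generation
audit record content, log retention policies, log analysis, log storage, audit event selection criteria (AU-2), audit record review processes (AU-6), audit log protection mechanisms (AU-9), audit capacity planning (AU-4), audit reduction and reporting (AU-7), time stamp correlation (AU-8)
"""

# ASSUMED inclusion texts (what each control is); the page does not list them.
INCLUSION_TEXT = {
    "AU-2": "identify the event types the system is capable of logging and select which events to log",
    "AU-12": "generate audit records for the selected event types on system components",
}

# Constructed policy sentences: the first and third should be disqualified.
SAMPLE_POLICY = [
    ("AU-2", "Network traffic logging on the perimeter firewall is forwarded to the SIEM for analysis."),
    ("AU-2", "The organization shall identify the event types that each system is capable of logging and select the events to log."),
    ("AU-12", "Audit records are retained for one year in the central log storage."),
]

CONTROL_LINE = re.compile(r"^([A-Z]{2}-\d+)\s+(.+)$")
XREF = re.compile(r"\s*\(([A-Z]{2}-\d+)\)\s*$")  # trailing "(SI-4)" annotation only
STOPWORDS = {"the", "a", "an", "and", "or", "of", "to", "for", "on", "in",
             "is", "are", "be", "that", "which", "each", "shall", "must"}


def parse_taxonomy(text):
    """Return {control_id: {"title": str, "exclusions": [(term, xref_or_None), ...]}}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("every control line needs exactly one term line")
    entries = {}
    for control_line, term_line in zip(lines[::2], lines[1::2]):
        m = CONTROL_LINE.match(control_line)
        if not m:
            raise ValueError(f"not a control line: {control_line!r}")
        cid, title = m.groups()
        exclusions = []
        for raw in term_line.split(","):
            raw = raw.strip()
            if not raw:
                continue
            x = XREF.search(raw)
            # Keep the concept and the sibling control separately; the sibling
            # is where a disqualified passage should be routed instead.
            exclusions.append((XREF.sub("", raw).strip(), x.group(1) if x else None))
        entries[cid] = {"title": title, "exclusions": exclusions}
    return entries


def tokens(text):
    return Counter(t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS)


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def evaluate(policy_text, cid, entries, inclusion_text=INCLUSION_TEXT):
    """Apply not_for_similarity > similarity -> disqualified for one control."""
    entry = entries[cid]
    p = tokens(policy_text)
    similarity = cosine(p, tokens(inclusion_text[cid]))
    # The exclusion vector is built from all of the control's "not" terms at once.
    not_for_similarity = cosine(p, tokens(" ".join(t for t, _ in entry["exclusions"])))
    # Report the single term that pulled hardest and its annotated sibling, if any.
    best_term, best_xref = max(entry["exclusions"], key=lambda tx: cosine(p, tokens(tx[0])))
    return {
        "control": cid,
        "similarity": round(similarity, 3),
        "not_for_similarity": round(not_for_similarity, 3),
        "disqualified": not_for_similarity > similarity,
        "nearest_exclusion": best_term,
        "redirect_to": best_xref,
    }


def run_samples():
    entries = parse_taxonomy(TAXONOMY_EXCERPT)
    return [evaluate(text, cid, entries) for cid, text in SAMPLE_POLICY]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The first sentence shares only "logging" with the AU-2 inclusion text but three tokens with "network traffic logging", so the exclusion side wins and the annotation says where the passage belongs (SI-4). The second sentence restates what AU-2 is and survives. The third is pulled toward AU-12's "log storage" term, which carries no annotation, so the result records the disqualification with no redirect rather than guessing a sibling.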
Assessment, Authorization, and Monitoring (6 controls)
CA-1 Policy and Procedures
IT system configuration, technical security controls, network security procedures, data encryption policies, vulnerability management procedures, incident response technical steps, software development lifecycle policies, continuous monitoring implementation, security assessment execution, authorization decision-making, plan of action and milestones tracking, security control testing procedures
CA-2 Control Assessments
IT system configuration, vulnerability scanning, security awareness training, incident response procedures, data backup and recovery, network security monitoring, software development lifecycle, continuous monitoring automation, real-time security monitoring, authorization decision documentation, risk assessment methodology, security control selection
CA-3 Information Exchange
internal data processing integrity, IT system data validation, automated data handling, data at rest security, organizational ethics, business process integrity, technical system configuration, user access controls, transmission encryption mechanisms, cryptographic protocol selection, internal network communications, user authentication methods, application-level data validation
CA-5 Plan of Action and Milestones
technical system configuration, automated vulnerability scanning, penetration testing results, security incident response, business process mapping, organizational risk appetite, software development lifecycle, network security architecture
CA-8 Penetration Testing
vulnerability scanning, static code analysis, dynamic code analysis, security awareness training, compliance audits, risk assessments, business continuity testing, disaster recovery testing, automated security scanning tools, configuration compliance checking, security control assessments (CA-2), continuous monitoring activities (CA-7), flaw remediation processes (SI-2)
CA-9 Internal System Connections
external system connections, internet connectivity, public network access, third-party integrations, cloud service provider connections, remote access solutions, user access controls, external system interconnections (CA-3), user authentication mechanisms, wireless network connections, vendor-managed service connections, information flow enforcement policies (AC-4)
Security Assessment and Authorization (2 controls)
CA-6 Security Authorization
technical system configuration, data input validation, automated data processing, IT system vulnerability scanning, network security monitoring, business process re-engineering, software development lifecycle, security control assessment procedures, security plan documentation, penetration testing activities
CA-7 Continuous Monitoring
initial security assessment, periodic security audits, penetration testing, security awareness training, incident response planning, business continuity planning, disaster recovery testing, organizational policy development, one-time security control assessments, manual-only security reviews, vulnerability scanning tools selection
Configuration Management (14 controls)
CM-1 Policy and Procedures
software development lifecycle, incident response procedures, disaster recovery planning, business continuity management, data integrity validation, access control policies, security awareness training, technical configuration implementation, baseline configuration establishment, configuration change control process, vulnerability management procedures, patch management operations
CM-2 Baseline Configuration
change management process, vulnerability management, security incident response, access control policy, system patching, software development lifecycle, configuration settings enforcement, automated configuration monitoring, configuration change approval, security configuration benchmarks
CM-3 Configuration Change Control
software development lifecycle, business process re-engineering, organizational structure, risk assessment methodology, incident response procedures, user access provisioning, network topology design, baseline configuration establishment, configuration settings management, system component inventory, least functionality restrictions
CM-4 Impact Analyses
application code review, vulnerability scanning, penetration testing, system performance tuning, baseline configuration documentation (CM-2), configuration change control process (CM-3), security testing execution (CA-8), initial risk assessment activities (RA-3), routine system monitoring (SI-4)
CM-5 Access Restrictions for Change
network access control, data access policies, user authentication, password management, system hardening, vulnerability management, software development lifecycle, general user account provisioning, routine access certification processes, application-level authorization, identity management systems, automated configuration management without access controls
CM-6 Configuration Settings
organizational ethics, business process integrity, financial reporting integrity, code of conduct, human resource policies, risk assessment methodology, security awareness training, data processing accuracy, automated data validation, change control procedures, configuration change management, incident response procedures, vulnerability scanning activities, patch management processes
CM-7 Least Functionality
least privilege access, user account permissions, data processing integrity, application functionality testing, business process optimization, software development lifecycle, system performance tuning, configuration change control processes, patch management activities, security settings documentation, user role definitions, network segmentation design
CM-8 System Component Inventory
software development lifecycle, source code management, user access provisioning, data classification, security awareness training, physical security access, configuration change control processes, security configuration settings, patch management procedures, license compliance management
CM-9 Configuration Management Plan
business process documentation, organizational policy development, risk assessment methodology, incident response procedures, security awareness training, data privacy policies, financial record keeping, ethical conduct guidelines, baseline configuration implementation, configuration settings documentation, change management execution, system inventory management, security configuration benchmarks
CM-10 Software Usage Restrictions
software development lifecycle, source code integrity, user account provisioning, network access control, vulnerability management, technical application whitelisting, unauthorized software installation prevention, least functionality enforcement, software inventory management, patch management processes
CM-11 User-Installed Software
system software installation, operating system patching, server application deployment, cloud service provisioning, IT-managed software deployment, automated software updates, centralized software distribution, enterprise application catalog management, mobile device management (MDM) policies
CM-12 Information Location
IT system data integrity, automated data processing, input validation, ETL data integrity, technical data accuracy, system processing completeness, business process mapping, organizational structure, financial record keeping
CM-13 Data Action Mapping
IT system data integrity, automated data processing, input validation, ETL data integrity, technical data validation, system processing accuracy, database consistency, network traffic analysis, access control policy enforcement, cryptographic data protection, audit log data collection, backup and recovery procedures, incident response data handling
CM-14 Signed Components
data processing integrity, business process integrity, organizational integrity, financial reporting integrity, system availability, data-at-rest integrity controls, database integrity constraints, network traffic integrity (without component verification), user access management, physical security controls, backup integrity verification, log integrity monitoring
Contingency Planning (11 controls)
CP-1 Policy and Procedures
technical disaster recovery implementation, IT system recovery procedures, network infrastructure restoration, data backup and restore technical details, specific system configurations, application recovery processes, cloud service provider contingency, physical security measures for data centers, actual contingency plan content, contingency plan testing execution, alternate processing site operations, information system backup operations, contingency training delivery
CP-2 Contingency Plan
technical system data integrity, input validation, automated data processing, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, network security monitoring, real-time incident detection, vulnerability scanning, penetration testing, access control policies, cryptographic key management
CP-3 Contingency Training
technical system configuration, network infrastructure hardening, software development lifecycle, security awareness training, physical security measures, penetration testing, vulnerability management, general security awareness programs, incident response plan development, contingency plan documentation, automated failover mechanisms, technical disaster recovery tools, backup system implementation
CP-4 Contingency Plan Testing
IT system data integrity, automated data processing, input validation, ETL data integrity, risk assessment methodology, technical system configuration, security awareness training, contingency plan creation, backup policy development, information system recovery procedures documentation, organizational continuity strategy, alternate storage site selection
CP-6 Alternate Storage Site
primary site operations, data entry validation, software development lifecycle, physical security of primary site, organizational ethics, alternate processing site operations, incident response procedures, system backup procedures (CP-9), configuration management activities, real-time system monitoring
CP-7 Alternate Processing Site
primary processing site, data backup procedures, physical security of primary site, disaster recovery plan testing, backup media storage only, incident response procedures, primary site physical security controls, contingency plan documentation, personnel evacuation procedures, system component backup
CP-8 Telecommunications Services
IT system data integrity, automated data processing, input validation, ETL data integrity, financial reporting, code of conduct, system processing accuracy, physical access control systems, application security testing, user authentication mechanisms, database backup procedures, endpoint protection software
CP-9 System Backup
processing integrity, input validation, automated data processing, ETL data integrity, business continuity planning, risk assessment, security awareness training, system restoration procedures, failover mechanisms, high availability configuration, redundant system components, incident response planning
CP-10 System Recovery and Reconstitution
initial system design, proactive risk assessment, security awareness training, personnel security, physical security, software development lifecycle, network architecture, data entry validation, initial contingency plan development, alternate processing site selection, preventive system hardening, real-time system monitoring
CP-12 Safe Mode
organizational ethics, financial reporting, risk assessment methodology, security awareness training, physical security measures, software development lifecycle, backup and restoration procedures, incident response planning, system and information integrity monitoring
CP-13 Alternative Security Mechanisms
primary security controls, standard operating procedures, data backup and restore, incident response plan execution, security policy development, normal security operations, primary control implementation, system recovery procedures (CP-10), information system backup (CP-9)
Identification and Authentication (12 controls)
IA-1 Policy and Procedures
technical implementation of authentication protocols, specific cryptographic algorithms, network access control lists, physical access controls, data encryption standards, system logging and auditing, vulnerability management procedures, authenticator lifecycle management implementation, specific authentication mechanisms, device identification technical controls
IA-2 Identification and Authentication (Organizational Users)
physical access control, system configuration management, business process automation, user behavior analytics, system logging, vulnerability management, device authentication, non-organizational user authentication, authorization policy enforcement, account provisioning processes, session management
IA-3 Device Identification and Authentication
user identification, user authentication, personnel security, software authentication, application identity, network intrusion detection, user account management, password policies, biometric authentication, multi-factor authentication for users, service account authentication
IA-4 Identifier Management
password management, multi-factor authentication, biometric authentication, physical access control, network access control, data encryption, security awareness training, authenticator lifecycle management, credential management, session management, authorization policies, attribute-based access control policies
IA-5 Authenticator Management
organizational integrity, business ethics, financial reporting, code of conduct, system processing accuracy, input validation, physical access controls, network security policies, account creation procedures, authorization policies, session management, audit log authentication events, identity proofing processes
IA-6 Authentication Feedback
system performance feedback, data processing status, network connectivity status, general system notifications, user account creation confirmation, password reset confirmation, non-authentication application errors, session timeout notifications, multi-factor authentication device enrollment, biometric enrollment feedback, account lockout notifications (AC-7)
IA-7 Cryptographic Module Authentication
data encryption at rest, data encryption in transit, password policies, network security protocols, general user authentication policies, network authentication protocols, database authentication, operating system authentication, biometric authentication systems for user login
IA-8 Identification and Authentication (Non-Organizational Users)
organizational user identification, employee authentication, internal access controls, organizational employee access management, internal user credential management, device authentication (IA-3), identifier management for organizational users (IA-4), authenticator management for employees (IA-5), service account authentication, system-to-system authentication
IA-9 Service Identification and Authentication
user identification, user authentication, human identity verification, physical access controls, employee onboarding, role-based access control for users, device authentication (IA-3), user session management, password policies for users, biometric authentication
IA-10 Adaptive Authentication
static authentication, password policies, user provisioning, role-based access control, physical access controls, data encryption, vulnerability scanning, static MFA policies, initial identity proofing, credential lifecycle management, authorization policy enforcement
IA-11 Re-Authentication
initial authentication, password reset, account lockout, multi-factor authentication setup, single sign-on, user provisioning, automatic session lock, device unlock procedures, network timeout disconnection, credential rotation policies, biometric enrollment
IA-12 Identity Proofing
password policies, multi-factor authentication, biometric authentication, system access logs, authorization levels, role-based access control, technical authentication mechanisms, network access control, physical access controls
Incident Response (10 controls)
IR-1 Policy and Procedures
technical incident response tools, specific incident detection mechanisms, automated incident response playbooks, forensic analysis techniques, vulnerability management, penetration testing, data backup and restore procedures, network security monitoring, operational incident response plan content, incident response training materials, incident response testing procedures, specific incident categorization schemes
IR-2 Incident Response Training
technical system configuration, network security hardening, software development lifecycle, data backup procedures, vulnerability scanning, penetration testing, system architecture design, IT asset inventory, general security awareness training, incident response plan development, incident response policy documentation, automated incident detection tools, security operations center staffing
IR-3 Incident Response Testing
incident response plan development, incident response policy creation, technical incident detection, security monitoring tools, log analysis, vulnerability management, security awareness training content, business continuity planning, disaster recovery strategy, actual incident handling, incident response training delivery, forensic analysis procedures, automated incident detection systems, incident reporting mechanisms
IR-4 Incident Handling
preventive security controls, vulnerability management, penetration testing, security awareness training, data backup procedures, physical security, access control management, software development lifecycle, risk assessment methodology
IR-5 Incident Monitoring
incident response plan development, incident containment procedures, incident recovery processes, vulnerability assessment, penetration testing, security awareness training, policy development, risk management framework, initial incident detection systems, automated security alerting, intrusion detection systems (IDS), security information and event management (SIEM) configuration, incident analysis procedures
IR-6 Incident Reporting
incident investigation details, technical root cause analysis, forensic analysis, incident remediation steps, vulnerability scanning, penetration testing, system configuration management, data backup and recovery, incident response plan development, incident handling procedures, automated incident detection tools, security monitoring operations, threat intelligence analysis
IR-7 Incident Response Assistance
incident detection, vulnerability management, security awareness training, penetration testing, security policy development, technical system configuration, data backup and restore procedures, physical security controls, incident response plan development, incident response testing and exercises, automated incident response tools, incident monitoring systems, security information and event management
IR-8 Incident Response Plan
technical system configuration, software development lifecycle, physical security controls, user access management, penetration testing, continuous monitoring tools, contingency plan activation, system recovery time objectives, automated incident detection systems, security control assessments, general security training programs
IR-9 Information Spillage Response
intentional data exfiltration, data loss prevention system configuration, network intrusion detection, vulnerability scanning, access control policy, data encryption standards, system backup and recovery, general incident response planning, malware incident handling, denial of service response, phishing incident procedures, routine security monitoring
IR-10 Integrated Information Security Analysis Team
technical incident detection, automated alert generation, network intrusion detection, vulnerability scanning, endpoint security monitoring, firewall management, security awareness training, physical security access
Maintenance (7 controls)
MA-1 Policy and Procedures
software development lifecycle, system design documentation, user training procedures, incident response plans, data backup and recovery, access control policies, disaster recovery planning, operational maintenance execution, maintenance tool management, remote maintenance sessions, maintenance records and logs, technical maintenance procedures
MA-2 Controlled Maintenance
unauthorized maintenance, ad hoc system changes, maintenance without documentation, unapproved tools, end-user system updates, software development lifecycle, system design, initial system installation, system procurement activities, routine system monitoring, user-initiated repairs, configuration baseline establishment
MA-3 Maintenance Tools
software development tools, testing tools, development environments, data analysis tools, security scanning tools, general maintenance activities, maintenance scheduling processes, preventive maintenance programs, corrective maintenance procedures, system configuration management tools, patch management processes
MA-4 Nonlocal Maintenance
physical maintenance, hardware repair, user account management, application development, on-site maintenance activities, automated patch management, local system administration, general remote access for business operations, routine help desk password resets
MA-5 Maintenance Personnel
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, software development lifecycle, personnel screening processes, employee training programs, general access control policies, physical security personnel, contractor management programs
MA-6 Timely Maintenance
maintenance execution procedures, controlled maintenance sessions, maintenance personnel authorization, nonlocal maintenance connections, remote maintenance authentication, maintenance tools management, maintenance activity logging
MA-7 Maintenance in Controlled Environments
software maintenance, code updates, patch management, system configuration, business process maintenance, organizational policy updates, IT system security patching, remote maintenance sessions, automated system maintenance, routine system administration, network configuration changes
Media Protection (8 controls)
MP-1 Policy and Procedures
IT system data integrity, automated data processing, input validation, ETL data integrity, software development lifecycle, network security configurations, application security testing, database access controls, physical media handling operations, media sanitization techniques, media transport procedures, backup media rotation schedules, incident response procedures
MP-2 Media Access
IT system access control, logical access controls, user authentication, network access, application access, software access, media sanitization procedures, media disposal methods, backup media management, media tracking systems, automated access logging
MP-3 Media Marking
IT system data integrity, automated data processing, input validation, ETL data integrity, technical system logging, software version control, database schema marking, electronic transmission labeling, metadata tagging for search, organizational policy documentation, access control lists, encryption key management
MP-4 Media Storage
software media installation, media streaming services, digital media content creation, software licensing, media player functionality, network data transmission, media transport procedures, media sanitization methods, cryptographic key storage, application data storage, database storage management, virtual media provisioning
MP-5 Media Transport
digital data transmission, network security, cloud data transfer, virtual media, data processing integrity, system access controls, electronic file transfers, media storage procedures, media sanitization methods, backup tape rotation schedules, logical access to stored data
MP-6 Media Sanitization
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, system access controls, network security
MP-7 Media Use
software media installation, media player functionality, broadcast media, social media policy, IT system configuration, network traffic analysis, application data integrity, media physical access control (MP-2), media marking requirements (MP-3), media storage facilities (MP-4), media transport procedures (MP-5), streaming media services
MP-8 Media Downgrading
software downgrading, system version control, application rollback, firmware updates, network security configurations, media sanitization procedures, permanent data deletion, cryptographic key destruction, backup media rotation
Physical and Environmental Protection (22 controls)
PE-1 Policy and Procedures
logical access controls, data encryption, network security, software development lifecycle, personnel security procedures, system configuration management, incident response plan, organizational security policy (general PM family), technical access control implementation, cybersecurity incident handling procedures
PE-2 Physical Access Authorizations
logical access control, network access, system authentication, data access permissions, software access controls, remote access policies, user account management, digital identity verification
PE-3 Physical Access Control
logical access control, network access, system authentication, data access permissions, user accounts, software access, remote access, application security, cybersecurity controls, digital identity verification, environmental monitoring systems, fire suppression systems, power and telecommunications protection
PE-4 Access Control for Transmission
logical access to endpoints, user authentication, data at rest encryption, organizational access policies, personnel security, system configuration integrity, data processing integrity, cryptographic data protection in transit, network firewall controls, perimeter access control for facilities, logical network segmentation, wireless network security
PE-5 Access Control for Output Devices
logical access controls, network security, data encryption, software access permissions, remote access security, cloud storage security, electronic document management systems, digital output formats, screen display controls, media sanitization procedures, backup and recovery operations
PE-6 Monitoring Physical Access
logical access controls, network access, user authentication, password policies, data encryption, software access, remote access, system permissions, physical access authorization processes, badge issuance procedures, visitor escort requirements, environmental monitoring systems, fire suppression controls
PE-8 Visitor Access Records
logical access controls, IT system access, network access logs, data access records, remote access management, user authentication logs, system user records, application access logs, employee badge access logs, automated physical access control systems, biometric access records
PE-9 Power Equipment and Cabling
IT system data integrity, software processing integrity, network traffic security, logical access controls, data backup and recovery, organizational ethics, firewall configuration, HVAC system controls, fire suppression systems, emergency lighting systems, telecommunications cabling, redundant power supply configuration, power capacity planning
PE-10 Emergency Shutoff
IT system data integrity, automated data processing, input validation, ETL data integrity, software emergency exit, application crash handling, logical system shutdown procedures, graceful system shutdown, planned maintenance shutdown, UPS battery backup systems, generator failover systems, orderly system halt procedures
PE-11 Emergency Power
IT system data integrity, automated data processing, input validation, ETL data integrity, software resilience, application availability, physical security access, fire suppression systems, logical access control, network redundancy protocols, HVAC environmental controls, water damage protection, system failover clustering
PE-12 Emergency Lighting
IT system power backup, data center UPS, server room emergency power, software emergency modes, fire alarm systems, generator power systems, HVAC emergency systems, emergency communication systems, automated door release systems
PE-13 Fire Protection
IT system firewalls, software security, network intrusion detection, data backup and recovery, cybersecurity incident response, logical access controls, electronic access control systems, HVAC temperature controls, flood detection systems, power distribution monitoring
PE-14 Environmental Controls
logical access controls, software configuration management, personnel security policies, data encryption standards, network security protocols, organizational ethics, financial reporting integrity, physical access control systems, visitor management procedures, perimeter security controls, cybersecurity incident response, application security testing
PE-15 Water Damage Protection
data backup and recovery, cloud service water damage, fire suppression systems, logical data corruption, cybersecurity incident response, fire detection and suppression procedures, temperature and humidity control, electromagnetic interference protection, power supply and electrical systems, organizational policy documentation
PE-16 Delivery and Removal
IT system data transfer, logical access controls, software deployment, cloud data migration, network traffic monitoring, digital information security, automated inventory management, virtual asset management, personnel background screening, visitor access management systems, electronic access badge systems
PE-17 Alternate Work Site
IT system data integrity, network infrastructure security, application processing accuracy, database backup and recovery, access control to primary site, data center operations, cloud service availability, alternate processing site disaster recovery, primary facility environmental controls, automated system failover, virtual desktop infrastructure, mobile device management policies
PE-18 Location of System Components
logical access controls, software configuration management, data encryption, application security, personnel security, physical access authentication mechanisms, visitor management systems, environmental monitoring systems operation, fire suppression system configuration, HVAC system management, power distribution technical controls, cable management and labeling
PE-19 Information Leakage
logical access controls, network security, software vulnerabilities, data encryption, application security, system integrity, processing integrity, digital data loss prevention, endpoint security software, intrusion detection systems, malware protection, authentication mechanisms
PE-20 Asset Monitoring and Tracking
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, system processing accuracy, technical validation, configuration management inventory, software license management, IT asset cataloging, system component inventory, network device discovery
PE-21 Electromagnetic Pulse Protection
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, physical security access, network security protocols
PE-22 Component Marking
software component marking, data element labeling, logical asset identification, digital asset tagging, code versioning, software configuration management, facility infrastructure marking, building component identification, information labeling and handling, media marking and handling, personnel identification badges, visitor badges and access cards
PE-23 Facility Location
IT system data integrity, logical access controls, network security, software vulnerabilities, data encryption, personnel security clearances, organizational ethics, facility access control systems, visitor management procedures, perimeter intrusion detection, environmental monitoring systems, fire suppression systems
Planning (8 controls)
PL-1 Policy and Procedures
IT system configuration, technical implementation details, software development lifecycle, network security protocols, data encryption standards, specific security tools, automated security controls, incident response procedures, access control implementation, risk assessment execution, audit log configuration, contingency plan activation
PL-2 System Security and Privacy Plans
technical system configuration, network security implementation, data encryption methods, vulnerability scanning, penetration testing, incident response procedures, business continuity planning, disaster recovery planning, security awareness training, security control assessment procedures, continuous monitoring strategy implementation, technical security architecture design, operational security procedures execution, security policy development
PL-4 Rules of Behavior
IT system configuration, technical vulnerability management, network security protocols, software development lifecycle, automated data processing, system access control implementation, physical security measures
PL-7 Concept of Operations
technical system processing, data validation rules, input data integrity, automated system functions, network configuration, software coding standards, database schema design, detailed system architecture diagrams, technical security control specifications, incident response procedures, system development methodology
PL-8 Security and Privacy Architectures
implementation details, specific code review, penetration testing, vulnerability scanning, incident response procedures, user access management, data backup and recovery, physical security measures, network configuration, software development practices
PL-9 Central Management
decentralized security management, individual system security configuration, specific security tool management, end-user security responsibilities, security incident response at the system level, distributed control implementation, system-specific control tailoring, individual security tool configuration
PL-10 Baseline Selection
business process definition, personnel security, physical security controls, software development lifecycle, network architecture design, technical configuration baselines, system hardening procedures, configuration management processes, security assessment procedures, continuous monitoring implementation
PL-11 Baseline Tailoring
technical control implementation, automated control execution, system configuration management, security policy development, privacy impact assessment, risk assessment methodology, control testing procedures, initial baseline selection, control effectiveness monitoring, continuous monitoring strategy
Program Management (32 controls)
PM-1 Information Security Program Plan
technical security controls, system configuration management, incident response procedures, vulnerability management, data encryption standards, network security architecture, physical security measures, software development lifecycle security, access control implementation, audit log configuration, backup and recovery procedures, security awareness training delivery, penetration testing execution
PM-2 Senior Information Security Officer
technical security controls, security tool implementation, vulnerability management, incident response procedures, security awareness training content, data loss prevention configuration, network security architecture, application security testing, security policy development procedures, risk assessment methodologies, security control implementation details, budget allocation processes
PM-3 Information Security and Privacy Resources
technical system configuration, data processing integrity, network security implementation, software development lifecycle, physical security controls, incident response procedures, vulnerability management, access control mechanisms, security awareness training content, risk assessment methodologies, audit logging technical specifications, cryptographic algorithm selection, contingency plan activation procedures
PM-4 Plan of Action and Milestones Process
IT system data integrity, automated data processing, input validation, technical system configuration, business process automation, financial reporting integrity, organizational ethics, code of conduct, continuous monitoring implementation, security assessment execution, audit performance activities, incident response procedures, technical vulnerability scanning
PM-5 System Inventory
data inventory, data classification, data lifecycle management, data processing integrity, business process inventory, organizational structure, personnel inventory, software development lifecycle, system component inventory (CM-8), hardware component tracking, software component catalog, configuration item inventory, network topology mapping
PM-6 Measures of Performance
IT system data integrity, automated data processing, input validation, ETL data integrity, technical system performance, network performance, application performance, database performance, incident response metrics, vulnerability scanning results, patch management statistics, access control logs, audit log analysis
PM-7 Enterprise Architecture
IT system data integrity, automated data processing, input validation, ETL data integrity, technical system configuration, software development lifecycle, database schema design, tactical solution design, project-level architecture, code-level design patterns, infrastructure provisioning, application deployment configuration
PM-8 Critical Infrastructure Plan
IT system data integrity, automated data processing, input validation, ETL data integrity, financial reporting integrity, code of conduct, organizational integrity, business ethics, technical system configuration, software development lifecycle
PM-9 Risk Management Strategy
IT system risk assessment, technical vulnerability assessment, security incident response plan, system-level risk assessment procedures, operational risk treatment plans, tactical vulnerability remediation, individual system authorization decisions, security control implementation details, technical risk analysis methodologies, incident-specific risk calculations
PM-10 Security and Privacy Authorization Process
technical system configuration, IT system data integrity, automated data processing, input validation, ETL data integrity, organizational ethics, code of conduct, financial reporting integrity, security control assessment procedures, vulnerability scanning operations, incident response procedures, access control policy enforcement
PM-11 Mission and Business Process Definition
IT system architecture, technical process automation, software development lifecycle, network configuration, database design, technical implementation details, incident response procedures, technical risk assessment methodologies, access control implementation, security awareness training content, vulnerability scanning processes
PM-12 Insider Threat Program
external threat actors, third-party risk management, network intrusion detection, malware analysis, vulnerability scanning, penetration testing, physical security breaches, external vulnerability management, automated patch management, network perimeter defense, cryptographic key management, supplier security assessments
PM-13 Security and Privacy Workforce
technical system access controls, IT system configuration management, automated security monitoring, network security devices, data encryption algorithms, physical security measures, software development lifecycle, vulnerability scanning, penetration testing, individual personnel screening processes, employee background investigations, security awareness training delivery, role-based training programs, incident response procedures
PM-14 Testing, Training, and Monitoring
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, books and records, technical system configuration
PM-15 Security and Privacy Groups and Associations
IT system access control, technical permissions, user provisioning, role-based access control (RBAC) implementation, data access policies, network segmentation, firewall rules, security group configuration in cloud platforms, application-level roles, internal organizational structure, workforce planning, position descriptions, internal team formation, organizational chart management, personnel security controls
PM-16 Threat Awareness Program
technical vulnerability scanning, penetration testing, security control implementation, network intrusion detection, malware analysis, security architecture design, security policy enforcement, risk assessment methodologies, personnel security awareness training, security literacy programs, role-based security training, insider threat program management
PM-17 Protecting Controlled Unclassified Information on External Systems
internal system data integrity, technical vulnerability management, business continuity planning, physical security of internal facilities, software development lifecycle security, internal-only information classification, organizational risk assessment processes, employee security awareness training, system and communications protection technical controls
PM-18 Privacy Program Plan
IT system data privacy, technical privacy controls, data encryption, network security, application privacy settings, automated data anonymization, privacy by design implementation, data breach response procedures, privacy impact assessment technical details, system-level privacy requirements, privacy training curriculum content, individual privacy rights requests, privacy monitoring tools configuration, privacy audit procedures
PM-19 Privacy Program Leadership Role
IT system data privacy, technical data protection, data encryption standards, network security controls, application privacy settings, automated data anonymization, operational privacy controls, privacy impact assessment execution, technical privacy engineering, privacy training delivery, system-level privacy requirements
PM-20 Dissemination of Privacy Program Information
technical data processing integrity, system access controls, security incident response procedures, financial reporting integrity, IT system configuration management, network security monitoring, software development lifecycle, physical security measures, privacy training program delivery, privacy impact assessment execution, technical privacy controls implementation
PM-21 Accounting of Disclosures
internal data access logs, system processing logs, technical data integrity, automated data validation, IT system audit trails, security event logging, financial transaction records
PM-22 Personally Identifiable Information Quality Management
IT system data integrity, automated data processing, input validation, ETL data integrity, technical data accuracy, system processing completeness, database consistency, business ethics, organizational integrity, financial reporting
PM-23 Data Governance Body
IT system data integrity, automated data processing, database administration, technical data validation, system data quality, data pipeline integrity, data warehousing operations, data security implementation, operational data management tasks, technical data architecture design, data backup and recovery operations
PM-24 Data Integrity Board
IT system data integrity, input validation, ETL data integrity, technical data accuracy, database consistency, system processing integrity, application data validation, general data governance programs, enterprise data quality initiatives, non-Privacy Act data sharing, organizational data stewardship, routine data exchange agreements
PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research
production data processing, live system operations, IT system integrity, data validation in production, technical data processing accuracy, business process integrity, financial data reporting, production PII processing, operational privacy controls, general data classification, incident response for PII breaches, PII inventory management
PM-26 Complaint Management
IT system error reporting, technical bug tracking, software defect management, automated customer service, system performance complaints, internal audit findings, vulnerability assessment results, access request processing, routine security monitoring alerts
PM-27 Privacy Reporting
IT system data integrity, technical data processing, automated data validation, system security reporting, network performance metrics, software development lifecycle reporting, financial reporting, organizational ethics reporting, privacy impact assessment documentation, individual privacy notice communications, technical privacy control testing, privacy training materials
PM-28 Risk Framing
IT system risk assessment, technical risk evaluation, vulnerability assessment, penetration testing, security control effectiveness, automated risk scoring, system configuration risk, network security risk
PM-29 Risk Management Program Leadership Roles
IT system risk management, technical risk assessment, security control implementation, operational risk procedures, individual risk assessment, technical vulnerability management, automated risk scoring
PM-30 Supply Chain Risk Management Strategy
network security, data privacy, physical security, financial risk management, incident response procedures, technical vulnerability scanning, user access management, configuration management baselines, audit log analysis, personnel security screening, business continuity planning
PM-31 Continuous Monitoring Strategy
IT system data integrity, automated data processing, input validation, ETL data integrity, technical system security, network security, software development lifecycle, access control policies, physical security controls, incident response procedures, configuration management processes, supply chain vendor assessment, technical vulnerability scanning, penetration testing activities
PM-32 Purposing
IT system data integrity, automated data processing, input validation, ETL data integrity, technical system operations, business process automation, software development lifecycle, network configuration management, general security program planning, technical privacy controls implementation, access control policy definition, incident response procedures, system security categorization
Personnel Security (9 controls)
PS-1 Policy and Procedures
IT system access controls, technical security configurations, network security policies, data encryption procedures, automated security monitoring, vulnerability management, software development security, personnel screening implementation, position risk designation processes, personnel termination execution, access agreement signing, role-based security training delivery, incident response procedures
PS-2 Position Risk Designation
IT system access control, technical access provisioning, automated user provisioning, data access permissions, system configuration management, network security controls, application security testing, physical security of IT infrastructure, personnel termination procedures, personnel transfer processes, background check execution, security clearance adjudication, employee onboarding workflows
PS-3 Personnel Screening
IT system access controls, data processing integrity, system user authentication, network access permissions, organizational role assignment (not screening), position categorization processes, technical skills assessment (non-security), performance evaluation, compensation verification, logical access provisioning, security awareness training content
PS-4 Personnel Termination
hiring procedures, performance reviews, employee training, IT system configuration, software development lifecycle, data backup and recovery, physical security system design, network access provisioning, initial personnel screening, ongoing personnel assessment, personnel sanctions (PS-8), position categorization, user account creation, role-based access assignment
PS-5 Personnel Transfer
IT system access controls, technical access provisioning, automated user provisioning, network access management, database permissions, software license management, system configuration changes, employee termination processes, initial hiring procedures, contractor onboarding, separation procedures, new employee screening
PS-6 Access Agreements
technical access controls, logical access controls, authentication mechanisms, system configuration, network security, data encryption, physical security measures, security incident response, automated access enforcement, technical authorization mechanisms, personnel screening processes, security training delivery, position risk designation
PS-7 External Personnel Security
internal employee security, technical security controls, physical security of facilities, employee onboarding procedures, software development lifecycle security, network security configurations, organizational personnel screening (PS-3), general access agreements without external personnel context, supply chain risk assessment processes (SR family), automated identity management systems
PS-8 Personnel Sanctions
technical system sanctions, automated enforcement, software license violations, security incident response, technical access revocation, system-level enforcement mechanisms, organizational risk management, incident investigation procedures, background screening processes
PS-9 Position Descriptions
IT system access controls, automated job processing, personnel screening procedures, background investigation processes, technical access control implementation, automated HR systems, performance evaluation criteria, organizational policy development, security awareness training content
PII Processing and Transparency (8 controls)
PT-1 Policy and Procedures
IT system data integrity, input validation, ETL data integrity, technical data security controls, network access controls, system configuration management, database performance tuning, application security testing, privacy impact assessment execution, specific consent mechanisms, data minimization implementation, individual redress processes, PII inventory management
PT-2 Authority to Process Personally Identifiable Information
technical data validation, IT system data integrity, data processing accuracy, system completeness, ETL data integrity, input validation, technical access controls, encryption implementation, network security measures, PII minimization techniques, data anonymization methods, system audit logging
PT-3 Personally Identifiable Information Processing Purposes
technical data validation, system processing accuracy, IT system integrity, automated data transformation, database consistency, network security, access control mechanisms, security incident response, business continuity planning
PT-4 Consent
IT system data integrity, input validation, ETL data integrity, system access control, security authentication, data encryption, technical data processing accuracy, privacy notice requirements, data minimization practices, automated decision-making logic, data retention schedules
PT-5 Privacy Notice
technical data validation, system processing accuracy, IT system security controls, network access controls, automated data anonymization, database integrity, security incident response, physical security measures, consent management mechanisms, technical privacy controls implementation, data minimization procedures, privacy impact assessment execution
PT-6 System of Records Notice
IT system data integrity, automated data processing, input validation, ETL data integrity, technical data security, system access controls, network security, software development lifecycle, general privacy policies, consent management, breach notification procedures, data minimization techniques, privacy impact assessments
PT-7 Specific Categories of Personally Identifiable Information
technical data validation, system processing accuracy, input validation, IT system data integrity, database consistency, network security controls, access control mechanisms, security logging and monitoring, general privacy notice requirements, authority to collect PII, organizational privacy policy development, data breach notification procedures
PT-8 Computer Matching Requirements
IT system data integrity, input validation, ETL data integrity, database consistency, technical system performance, network security, software development lifecycle, general record matching for deduplication, technical data quality checks, non-PII data correlation, internal system synchronization
Risk Assessment (9 controls)
RA-1 Policy and Procedures
technical risk assessment, system vulnerability assessment, penetration testing, network security procedures, application security, risk assessment execution activities, vulnerability scanning tools, threat modeling activities, security control assessment procedures, incident response procedures, business impact analysis
RA-2 Security Categorization
technical data integrity, system processing accuracy, input validation, automated data processing, ETL data integrity, business process integrity, organizational ethics, financial reporting integrity
RA-3 Risk Assessment
technical vulnerability scanning, penetration testing, security incident response, business continuity planning, disaster recovery planning, compliance audits, system configuration management, automated vulnerability remediation, real-time threat monitoring, security control implementation, risk register maintenance tools, continuous diagnostics and mitigation (CDM) programs
RA-5 Vulnerability Monitoring and Scanning
business process risk assessment, organizational risk management, strategic risk analysis, financial risk assessment, compliance risk management, human error prevention, policy development, security control assessment (CA-2), penetration testing activities (CA-8), continuous monitoring strategy (CA-7), incident detection and response (IR family), configuration baseline management (CM-2)
RA-6 Technical Surveillance Countermeasures Survey
organizational ethics, business process integrity, financial reporting, personnel security, software development lifecycle, data privacy policies, network access controls, cloud security configuration, logical access controls, vulnerability scanning tools, penetration testing methodologies, incident response procedures, security awareness training, cryptographic key management
RA-7 Risk Response
risk assessment methodology, vulnerability scanning, penetration testing, security awareness training, incident response plan, business continuity planning, disaster recovery, technical vulnerability management, system configuration hardening, threat modeling activities, risk identification process, security control assessment procedures, supply chain risk assessment
RA-8 Privacy Impact Assessments
security risk assessment, vulnerability assessment, penetration testing, technical system security, network security, application security testing, business continuity planning, disaster recovery planning, general risk management, cybersecurity assessment, compliance audit activities
RA-9 Criticality Analysis
technical system configuration, network vulnerability scanning, software development lifecycle, penetration testing, incident response procedures, physical security controls, personnel security screening, threat modeling activities, vulnerability assessment execution, security control implementation, risk treatment plan development, technical security testing
RA-10 Threat Hunting
automated security alerts, signature-based detection, vulnerability scanning, compliance audits, regular system patching, routine log review, business process integrity, organizational ethics, passive security monitoring, automated intrusion detection, risk assessment documentation
System and Services Acquisition (17 controls)
SA-1 Policy and Procedures
IT system data integrity, automated data processing, input validation, ETL data integrity, software development practices, system configuration management, network security implementation, database administration, application security testing, operational procurement execution, technical security requirements specification, vendor selection criteria, contract negotiation activities, supply chain risk assessment execution
SA-2 Allocation of Resources
technical system configuration, data processing integrity, network security implementation, access control mechanisms, incident response procedures, vulnerability management, security awareness training content, technical security controls implementation, system hardening procedures, cryptographic implementation, audit log configuration, patch management processes
SA-3 System Development Life Cycle
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, network security configuration, operational security monitoring, incident response procedures, access control implementation, vulnerability scanning operations, patch management operations
SA-4 Acquisition Process
software coding, data processing integrity, network configuration, database management, cloud service configuration, IT system security testing, vulnerability management, internal system development processes, post-deployment system operations, ongoing vendor performance monitoring, supply chain threat intelligence, technical security architecture design
SA-5 System Documentation
business process documentation, organizational policies, financial reporting documentation, marketing materials, sales documentation, legal agreements, organizational training programs, internal operational procedures (not vendor-provided), audit documentation, incident response plans, risk assessment documentation, compliance assessment reports, penetration testing reports
SA-8 Security and Privacy Engineering Principles
organizational ethics, code of conduct, financial reporting integrity, ETL data integrity, business process security, manual security procedures, security awareness training, incident response procedures, physical security controls, personnel security screening, security policy documentation
SA-9 External System Services
internal system development, software development lifecycle, system configuration management, employee onboarding, internal IT service delivery, component and system acquisition (non-service), developer security testing, organizational training programs, physical access control systems
SA-10 Developer Configuration Management
organizational integrity, business ethics, financial reporting, code of conduct, IT system data integrity, automated data processing, input validation, ETL data integrity, risk assessment, incident response, operational system configuration management, production baseline configuration, security hardening procedures, runtime configuration settings, network configuration management
SA-11 Developer Testing and Evaluation
production system monitoring, live incident response, end-user acceptance, third-party vendor audits, business process validation, organizational policy review, security incident management, penetration testing of live systems, operational security assessments, continuous monitoring activities, independent verification and validation
SA-12 Supply Chain Protection
internal system security, employee access controls, data privacy policies, network security configurations, physical security of facilities, business continuity planning, disaster recovery procedures, internal software development practices, endpoint security management, user authentication mechanisms, incident response procedures, security awareness training programs
SA-15 Development Process, Standards, and Tools
system operations, network security, data backup and recovery, physical security, incident response, business continuity, personnel security, security awareness training, production system configuration, operational change management, security testing execution, vendor contract management, system deployment operations, runtime security monitoring
SA-16 Developer-Provided Training
security awareness training, compliance training, penetration testing, data privacy training, ethical hacking training, role-based security training programs, organizational security training curriculum, third-party security certification training, general IT skills training
SA-17 Developer Security and Privacy Architecture and Design
operational security monitoring, incident response procedures, user access management, physical security controls, data backup and recovery, vulnerability scanning, penetration testing, security awareness training, developer security testing, code review activities, implementation phase coding, configuration management procedures, supply chain risk operational monitoring
SA-20 Customized Development of Critical Components
system configuration, system maintenance, internal system updates, general procurement processes, vendor selection criteria (SA-9), supply chain risk management (SR family), developer security testing (SA-11), acquisition contracts (SA-4), system integration activities, routine software patches
SA-21 Developer Screening
IT system data integrityautomated data processinginput validationETL data integritysoftware code qualitytechnical vulnerability scanningsystem performance testingdeveloper coding standards
SA-22 Unsupported System Components
business process integrityorganizational ethicsfinancial reportingcode of conductmanual data entryuser access managementphysical security controlsinitial system procurement decisionssoftware license managementnetwork architecture designincident response proceduressecurity awareness training programs
SA-23 Specialization
IT system data integrityautomated data processinginput validationETL data integritybusiness ethicsorganizational integrityfinancial reportingcode of conductbooks and recordssystem configurationgeneral personnel screeningbackground investigationspersonnel termination proceduresgeneral training programsvendor personnel requirements
System and Communications Protection (47 controls)
SC-1 Policy and Procedures
technical system configuration, network security implementation, data encryption algorithms, vulnerability scanning procedures, incident response technical steps, access control list management, software development lifecycle security, physical security measures, boundary protection implementation, cryptographic key management operations, transmission confidentiality technical controls
SC-2 Separation of System and User Functionality
input validation, business ethics, organizational integrity, financial reporting, code of conduct, network segmentation controls, access control mechanisms, account provisioning processes, authentication methods, authorization policies
SC-3 Security Function Isolation
application data integrity, business process segregation, organizational role separation, user access provisioning, technical data validation, system configuration management, software development lifecycle, physical facility access control
SC-4 Information in Shared System Resources
physical resource sharing, network bandwidth management, application-level data sharing agreements, user account provisioning, data backup and recovery, business process segregation, organizational role separation, network traffic isolation (SC-7), information flow enforcement policies (AC-4), virtualization platform management, encryption of data at rest (SC-28), system partitioning architecture (SC-32)
SC-5 Denial-of-Service Protection
access control policies, business continuity planning, disaster recovery, malware protection, vulnerability management, encryption mechanisms, user authentication systems, system monitoring and alerting, patch management processes, physical security controls
SC-6 Resource Availability
access control, user authentication, audit logging, vulnerability management, denial of service attack prevention, incident response procedures, backup and recovery operations, system hardening configurations, cryptographic protection mechanisms
SC-7 Boundary Protection
application-level access control, user authentication, password policies, data encryption at rest, physical security of data centers, insider threat mitigation, software vulnerability management, system configuration hardening, endpoint security controls, host-based firewalls, application security testing, identity federation, security awareness training, incident response procedures
SC-8 Transmission Confidentiality and Integrity
data at rest confidentiality, data at rest integrity, system processing integrity, database integrity, organizational integrity, business ethics, physical security of data centers, application-level data validation, boundary protection mechanisms, stored data encryption, user authentication protocols, session management controls
SC-10 Network Disconnect
physical network cable removal, software firewall rules, access control lists, user authentication, data encryption, network monitoring tools, system patching, vulnerability scanning, manual user logout procedures, re-authentication mechanisms, continuous session monitoring, session encryption protocols, incident-triggered isolation
SC-11 Trusted Path
business process integrity, organizational ethics, financial reporting integrity, code of conduct, manual data entry validation, application logic integrity, physical access controls, general network encryption, VPN tunnels, SSL/TLS certificate management, data at rest protection, general transmission confidentiality
SC-12 Cryptographic Key Establishment and Management
physical access controls, personnel security, organizational ethics, business continuity planning, disaster recovery, software development lifecycle, network intrusion detection, vulnerability scanning, cryptographic algorithm selection, cryptographic module validation, data encryption implementation, certificate authority operations without key management focus, general access control policies
SC-13 Cryptographic Protection
physical security, personnel security, business continuity, disaster recovery, access control policies, security awareness training, risk assessment methodologies, cryptographic key establishment (SC-12), transmission confidentiality controls (SC-8), protection of information at rest (SC-28), session authenticity (SC-23), network security controls
SC-15 Collaborative Computing Devices and Applications
server infrastructure security, database access controls, network perimeter security, software development lifecycle, physical security of data centers, cloud service provider security, malware analysis, penetration testing, general endpoint protection, network access control mechanisms, authentication and authorization systems, data encryption at rest, mobile device management policies
SC-16 Transmission of Security and Privacy Attributes
organizational integrity, business ethics, financial reporting, code of conduct, input validation, ETL data integrity, system processing accuracy, information flow enforcement policies, network boundary protection, cryptographic key management, session authentication
SC-17 Public Key Infrastructure Certificates
organizational integrity, business ethics, financial reporting, code of conduct, IT system data integrity, automated data processing, input validation, ETL data integrity, access control policies, physical security controls, symmetric key cryptography, password-based authentication, network encryption protocols (non-PKI), biometric authentication, hardware security modules (general cryptographic operations)
SC-18 Mobile Code
software development lifecycle, source code review, compiled code security, firmware updates, operating system patching, application vulnerability scanning, static application security testing, binary executable deployment, server-side code execution, compiled application installation, native mobile application security, container image security
SC-20 Secure Name / Address Resolution Service (Authoritative Source)
business process integrity, organizational ethics, financial reporting, code of conduct, manual data entry validation, application-level data validation, access control policies, user identity authentication, application firewall rules, endpoint security controls, physical network security, wireless network authentication
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
application data integrity, database integrity, business process integrity, financial reporting integrity, organizational ethics, code of conduct, manual data entry validation, user authentication, authoritative DNS server configuration, DNS zone file management, web application security, email security protocols, TLS certificate validation, network firewall rules
SC-22 Architecture and Provisioning for Name/Address Resolution Service
organizational ethics, code of conduct, financial reporting integrity, business process automation, manual data entry validation, user access provisioning, application software development, physical security controls, DNS cryptographic authentication (SC-20), DNS cache poisoning protection (SC-21), session authenticity (SC-23), general network segmentation, endpoint security controls
SC-23 Session Authenticity
organizational integrity, business ethics, financial reporting integrity, code of conduct, human resource policies, physical access controls, data processing accuracy, input validation, initial user authentication, password policies, cryptographic key management, transmission encryption, network segmentation
SC-24 Fail in Known State
disaster recovery planning, high availability architecture, backup and recovery procedures, incident response planning, system performance monitoring, capacity planning, organizational continuity planning, failover clustering mechanisms
SC-25 Thin Nodes
thick client security, local data storage, full desktop operating system, personal device security, mobile device management, application installation on endpoints, fat client architecture, standalone workstation security, local endpoint processing, full-featured desktop environments
SC-26 Decoys
production system data integrity, legitimate user access controls, vulnerability scanning, penetration testing execution, security awareness training, incident response planning, system configuration management, data loss prevention
SC-27 Platform-Independent Applications
user interface design, legacy system integration, physical security controls, access control mechanisms (AC family), cryptographic protection (SC-28), incident response procedures, personnel security requirements, network segmentation architecture, data backup and recovery operations
SC-28 Protection of Information at Rest
information in transit, data processing integrity, system access control, network security, application security, data deletion, user authentication, business continuity, disaster recovery, data in motion encryption, transmission layer security, real-time data processing, key management procedures, physical media destruction
SC-29 Heterogeneity
homogeneity, single vendor solutions, vendor lock-in, platform standardization, system redundancy for availability, backup and recovery procedures, configuration standardization for management, network segmentation alone, single operating system deployment
SC-30 Concealment and Misdirection
data encryption, access control policies, authentication mechanisms, vulnerability management, penetration testing, network segmentation, physical security measures, incident response planning, firewall configuration, intrusion detection signatures, security awareness training, backup and recovery procedures, cryptographic key management
SC-31 Covert Channel Analysis
explicit data transfer, authorized communication protocols, vulnerability scanning, penetration testing, malware analysis, physical security breaches, cryptographic implementation testing, network traffic monitoring tools, overt information flow controls
SC-32 System Partitioning
application data integrity, organizational structure, user access provisioning, software development lifecycle, physical security of buildings, data backup and recovery, information flow enforcement policies, user authentication mechanisms, cryptographic key management, audit log analysis, vulnerability scanning procedures
SC-34 Non-Modifiable Executable Programs
data modification, configuration file changes, user data editing, source code modification, business process changes, document editing, database record updates, software integrity verification (SI-7), configuration change control (CM-3), access restrictions for change (CM-5), malware protection mechanisms
SC-35 External Malicious Code Identification
internal malicious code, user-generated content scanning, application vulnerability scanning, code review, software development security, insider threat detection, data loss prevention, perimeter-based malware scanning, email attachment scanning, network intrusion detection systems (NIDS), host-based malicious code protection, organizational boundary filtering
SC-36 Distributed Processing and Storage
single system data integrity, local storage security, centralized database controls, business process distribution, organizational decentralization, physical data segregation, data backup and recovery (as a primary focus), logical data partitioning without physical distribution, load balancing within a single data center, virtual machine distribution on shared infrastructure, data classification and labeling, network segmentation within a facility
SC-37 Out-of-Band Channels
in-band communication, primary network channels, data transmission over main network, general user communication, application-level communication, production data traffic, user application traffic, business process communication, encrypted tunnels over primary network, virtual private networks over operational channels
SC-38 Operations Security
organizational integrity, business ethics, financial reporting integrity, code of conduct, IT system data integrity, automated data processing, input validation, ETL data integrity, strategic risk assessment, access control policy, network security monitoring, intrusion detection systems, vulnerability scanning, patch management, incident response procedures
SC-39 Process Isolation
organizational integrity, financial reporting, business process isolation, human process separation, code of conduct, ethical behavior, logical separation of duties, network segmentation, data classification, physical security controls, user account separation
SC-40 Wireless Link Protection
wired network security, physical security of network devices, data at rest encryption, application-level security, user authentication for wired systems, wireless access authorization policies (AC-18), general transmission confidentiality (SC-8), endpoint device configuration management, user identity verification mechanisms, organizational wireless usage policies
SC-41 Port and I/O Device Access
software port scanning, application programming interface (API) security, user authentication methods, network traffic analysis, firewall rule management, network port filtering, TCP/UDP port management, wireless network access control, mobile device management (MDM) policies
SC-42 Sensor Capability and Data
business process integrity, organizational ethics, financial reporting accuracy, code of conduct, manual data entry validation, human decision-making processes, strategic risk assessment, security audit logging, network intrusion detection, application security monitoring, system performance monitoring, vulnerability scanning
SC-43 Usage Restrictions
software development lifecycle, vulnerability management, penetration testing, data backup and recovery, physical security controls, business continuity planning, disaster recovery, incident response procedures, asset management, user access provisioning, authentication mechanisms, authorization policies, acceptable use policy documentation, security awareness training
SC-44 Detonation Chambers
production system integrity, general system hardening, data backup and recovery, user access control, software development lifecycle, vulnerability scanning, penetration testing, endpoint protection platforms, antivirus signature development, intrusion detection systems, email filtering systems, web content filtering
SC-45 System Time Synchronization
business process timing, project scheduling, manual time tracking, organizational scheduling, calendar synchronization, application performance monitoring timing, database transaction ordering, employee time and attendance systems, SLA response time measurement, network latency measurement
SC-46 Cross Domain Policy Enforcement
internal system data integrity, application-level access control, user authentication, organizational policy development, general network security, data encryption within a domain, physical security of servers, single-domain access control, intra-network traffic filtering, endpoint security controls, general boundary firewalls without cross-domain enforcement
SC-47 Alternate Communications Paths
system processing, software development, organizational ethics, financial reporting, application layer security, endpoint protection, organizational policy development, personnel security screening, cryptographic key management, data backup procedures
SC-48 Sensor Relocation
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, software updates, physical facility relocation, hardware asset tracking, sensor calibration procedures, network topology documentation
SC-49 Hardware-Enforced Separation and Policy Enforcement
software-defined separation, logical access controls, application-level security, network segmentation policies, firewall rules, user authentication mechanisms, organizational security policies, software-based memory isolation, operating system access controls, hypervisor-only separation, network-based isolation, container isolation without hardware support
SC-50 Software-Based Protection
physical separation, manual access control, organizational policy development, business process separation, human resource policies, firewall rule management, network architecture design, hardware security modules, physical access controls, cryptographic key management, network perimeter defense, organizational security policies
SC-51 Hardware-Based Protection
software-based security, application-level controls, operating system security, data encryption at rest (software), access control lists (software), network protocol security, organizational security policies, user authentication mechanisms (software)
System and Information Integrity (22 controls)
SI-1 Policy and Procedures
IT system configuration, technical vulnerability management, network security implementation, software development lifecycle, data backup and recovery procedures, physical security measures, incident response technical steps, penetration testing, security control testing
SI-2 Flaw Remediation
business process integrity, organizational ethics, financial reporting accuracy, code of conduct, manual data entry validation, human error prevention, strategic risk identification, network architecture design, access control policies, incident response procedures, security awareness training, physical security controls
SI-3 Malicious Code Protection
business continuity, disaster recovery, data backup, physical security, access control, user authentication, organizational ethics, financial reporting, penetration testing, network intrusion detection systems, vulnerability scanning tools, patch management processes, software integrity verification, system monitoring dashboards
SI-4 System Monitoring
business process monitoring, organizational performance metrics, financial transaction monitoring, employee productivity tracking, application performance monitoring, compliance auditing (as a primary function), system performance optimization, capacity planning metrics, software development monitoring, quality assurance testing, backup and recovery monitoring (unless detecting security incidents)
SI-5 Security Alerts, Advisories, and Directives
organizational ethics, business process integrity, financial reporting integrity, code of conduct, physical security access, data backup procedures, automated vulnerability scanning, penetration testing activities, security incident investigation, access control policies, configuration management baselines, audit log analysis
SI-6 Security and Privacy Function Verification
organizational integrity, business ethics, financial reporting integrity, code of conduct, automated data processing, input validation, ETL data integrity, risk assessment, policy development, penetration testing, vulnerability scanning, security assessment and authorization, developmental security testing, flaw remediation
SI-7 Software, Firmware, and Information Integrity
business process integrity, organizational ethics, financial reporting integrity, code of conduct, human decision-making integrity, legal compliance integrity, policy adherence integrity, secure software development lifecycle, access control mechanisms, configuration management processes, vulnerability management, incident response procedures
SI-8 Spam Protection
organizational integrity, business ethics, financial reporting integrity, code of conduct, input validation, data processing accuracy, system completeness, automated data validation, ETL integrity, access control policies
SI-10 Information Input Validation
organizational integrity, business ethics, financial reporting integrity, code of conduct, books and records integrity, policy validation, strategic planning integrity, software integrity verification, file integrity monitoring, cryptographic integrity checks, output validation, data quality assurance programs
SI-11 Error Handling
business process errors, organizational policy errors, human error management, financial reporting errors, strategic decision errors, customer service errors, manual process errors, audit log generation, incident response procedures, vulnerability scanning results, system availability monitoring, data validation errors in applications
SI-12 Information Management and Retention
IT system data integrity, automated data processing, input validation, ETL data integrity, technical data accuracy, system processing completeness, business ethics, organizational integrity, financial reporting integrity
SI-13 Predictable Failure Prevention
business continuity planning, disaster recovery, organizational ethics, code of conduct, financial reporting integrity, input validation, automated data validation, security incident response, real-time fault detection, post-failure recovery procedures, system performance monitoring, network redundancy architecture, backup and restore operations
SI-14 Non-Persistence
persistent system state maintenance, traditional server deployment models, system configuration persistence, long-lived virtual machine instances, stateful application architectures, permanent system installations, data retention requirements (AU family), session management controls (SC-23)
SI-15 Information Output Filtering
input validation, business ethics, organizational integrity, financial reporting, code of conduct, data storage security, network egress controls, data-at-rest encryption, database query validation, application input sanitization
SI-16 Memory Protection
disk encryption, network traffic encryption, data at rest protection, data in transit protection, file system integrity, database integrity, user authentication, business process integrity, source code vulnerability scanning, application input validation, secure software development lifecycle, cryptographic key storage, physical memory devices
SI-17 Fail-Safe Procedures
input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, books and records, performance monitoring, routine system monitoring, capacity planning, general availability requirements, normal operations security, proactive threat detection
SI-18 Personally Identifiable Information Quality Operations
IT system data integrity, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, books and records, technical data validation, system log integrity, cryptographic data integrity checks, non-PII data quality, database referential integrity, general privacy policy
SI-19 De-Identification
IT system data integrity, automated data validation, input validation, ETL data integrity, organizational integrity, business ethics, financial reporting integrity, access control policies, system configuration management, audit logging
SI-20 Tainting
business ethics, organizational integrity, financial reporting integrity, code of conduct, books and records integrity, accounting integrity, human decision-making processes, strategic risk assessment, policy development, malware detection tools, antivirus software, intrusion detection systems, file integrity monitoring, cryptographic integrity verification
SI-21 Information Refresh
business ethics, organizational integrity, financial reporting integrity, code of conduct, input validation, automated data processing, ETL data integrity, technical system data integrity, manual data entry accuracy, real-time data synchronization, database replication integrity, configuration management version control, patch management updates, continuous data integration
SI-22 Information Diversity
organizational integrity, business ethics, financial reporting integrity, code of conduct, books and records integrity, IT system data integrity, automated data processing, input validation, ETL data integrity, technical processing integrity
SI-23 Information Fragmentation
organizational integrity, business ethics, financial reporting integrity, code of conduct, books and records integrity, IT system data integrity, input validation, ETL data integrity, business process fragmentation, database normalization, file system defragmentation, network packet fragmentation, data deduplication, backup and recovery fragmentation
Supply Chain Risk Management (12 controls)
SR-1 Policy and Procedures
IT system configuration management, software development lifecycle security, network security protocols, data encryption standards, employee background checks, physical security access controls, business continuity planning, disaster recovery procedures, operational risk assessment activities, technical vulnerability scanning, incident response procedures, audit and accountability logging, identity and access management policies
SR-2 Supply Chain Risk Management Plan
IT system configuration, data processing integrity, network security controls, physical security measures, employee background checks, internal operational risk, financial transaction integrity, internal software development processes, incident response planning, access control policy, cryptographic key management, audit log configuration
SR-3 Supply Chain Controls and Processes
internal IT system security, data privacy regulations, employee background checks, disaster recovery procedures, organizational ethics, financial reporting integrity, internal software development processes, network security architecture, endpoint protection controls, identity and access management systems, organizational training programs
SR-4 Provenance
data integrity, processing integrity, system configuration, software development lifecycle, vulnerability management, data lineage, incident response procedures, access control mechanisms, network security monitoring, personnel security screening, physical security controls, backup and recovery operations, cryptographic key management
SR-5 Acquisition Strategies, Tools, and Methods
software development lifecycle, system testing, data validation, IT system configuration, network security, incident response, business continuity planning, physical security, employee training, post-delivery system integration, operational system maintenance, supplier performance monitoring, technical vulnerability assessment, organizational policy development
SR-6 Supplier Assessments and Reviews
IT system configuration, software development lifecycle, data encryption standards, network security architecture, internal employee background checks, physical security controls, automated vulnerability scanning, internal audit procedures, incident response planning, system authorization processes
SR-7 Supply Chain Operations Security
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, system access control, network security configuration, physical security controls, personnel security screening, incident response procedures, vulnerability management, cryptographic key management
SR-8 Notification Agreements
internal system notifications, automated alerts, user notifications, technical system monitoring, business process notifications, internal incident reporting procedures, organizational change management notifications, employee communication protocols, customer service notifications, routine vendor status updates
SR-9 Tamper Resistance and Detection
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, access control policies, vulnerability scanning, runtime integrity monitoring, application security testing, network intrusion detection, operational system hardening, software configuration management
SR-10 Inspection of Systems or Components
internal system development, penetration testing, vulnerability scanning of existing systems, asset inventory management, software licensing compliance, ongoing system monitoring, post-deployment vulnerability assessment, supplier capability assessments, internal software development lifecycle, configuration management of deployed systems
SR-11 Component Authenticity
IT system data integrity, automated data processing, input validation, ETL data integrity, business ethics, organizational integrity, financial reporting, code of conduct, system processing accuracy, network data integrity, cryptographic key integrity, configuration management version control, software code quality assurance, application security testing
SR-12 Component Disposal
software development lifecycle, data backup and recovery, system configuration management, network security monitoring, access control policies, business continuity planning, software licensing, data archiving, media sanitization techniques, incident response procedures, supply chain acquisition processes, component vulnerability assessment, system maintenance activities

Versioning Record

Field                   | Value
Taxonomy Version        | 1.0
Publication Date        | 2026-03-12
Canonical URL           | docs.svelto.io/methodology/exclusion-taxonomy/v1
Authorship              | Systematically validated — multi-layer automated + human expert review
Frameworks Covered      | ISO 27001:2022 — SOC 2 (2017) — NIST 800-53 Rev5
Total Controls          | 443
Total Exclusion Entries | 5082
Governing Methodology   | Methodology Framework v1.0
Versioning Rule         | Any change to any entry increments both the taxonomy version and the Methodology version
Status                  | Public — Approved for External Audit Review