Control: The organization develops and implements a security plan for the information system that provides an overview of the security requirements for the system and a description of the security controls in place or planned for meeting those requirements. Designated officials within the organization review and approve the plan.

Supplemental Guidance: The security plan is aligned with the organization’s information system architecture and information security architecture. NIST Special Publication 800-18 provides guidance on security planning.

Control Enhancements: (0) None.

Baseline: LOW PL-2 MOD PL-2 HIGH PL-2

Family: Planning

Class: Management

ISO 17799 mapping: 6.1

COBIT 4.1 mapping: PO1.4, DS5.2