graphgrc

SCF - RSK-02 - Risk-Based Security Categorization

Mechanisms exist to categorize systems and data in accordance with applicable local, state and Federal laws that:

• Document the security categorization results (including supporting rationale) in the security plan for systems; and
• Ensure the security categorization decision is reviewed and approved by the asset owner.

  Mapped framework controls

  ISO 27001

• 6.1.2.d.3

NIST 800-53

• RA-2

SOC 2

• CC3.2

Control questions

Does the organization categorize systems and data in accordance with applicable local, state and Federal laws that:

• Document the security categorization results (including supporting rationale) in the security plan for systems; and
• Ensure the security categorization decision is reviewed and approved by the asset owner?

This site is open source. Improve this page.