In previous posts I outlined the required topics for cybersecurity policies and procedures. In this post I will cover the cybersecurity-related supporting documents.


The table below lists items or topics that should be addressed in supporting documentation. That means that these are not policies or procedures. This list is based on NIST standards, including the Risk Management Framework and Cybersecurity Framework, and on PCI DSS.

This table covers the required supporting documentation and its type, along with references to industry standards and guidelines. One notable item missing from the table is a system security plan (SSP). It is part of the NIST Risk Management Framework and required for Federal Government agencies. It is a good idea to document how you have implemented controls, but most organizations outside of the Federal Government may use some sort of GRC tool to document how controls are in place. I should also note these items do not need to be in a document per se; they can be in a database. For example, an inventory is better off in a database than a document.

Table 1

