PL-02 System Security Plan

Planning

Baselines: Low, Moderate, High, Privacy

Description

The organization develops and implements a security plan for the information system that provides an overview of the security requirements for the system and a description of the security controls in place or planned for meeting those requirements. Designated officials within the organization review and approve the plan.

Supplemental Guidance

The security plan is aligned with the organization’s information system architecture and information security architecture. NIST Special Publication 800-18 provides guidance on security planning.

Changes from Rev 4

Title changed from 'System Security Plan'.
Adds requirements to identify individuals and information types.
Adds requirement to describe specific threats.
Adds requirement to provide results of the privacy risk assessment for systems processing PII.
Numerous changes to control text wording.
New parameter for specifying individuals or groups for coordination.
Discussion significantly expanded; reference to CNSSI No. 1253 removed.
Incorporates withdrawn control PL-02(3).

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

7.5, 8.1, A.5.37

ISO 27002:2022

5.37

COBIT 2019

APO13, BAI02

CIS Controls v8

CIS 12.4

NIST CSF 2.0

GV.PO-01

SOC 2 TSC

C1.1-POF1, CC2.1, CC4.1

PCI DSS v4.0.1

12.5

CSA CCM v4

BCR-05, CCC-08, CEK-02, DSP-05, GRC-04, GRC-06, GRC-07, HRS-09, IVS-08

CSA AICM v1

BCR-05, CCC-08, CEK-02, DSP-05, GRC-04, GRC-06, GRC-07, HRS-09, I&S-08

ISO 42001:2023

A.2.2, A.6.2.7

ANSSI

Hygiene.2, Hygiene.36, Hygiene.5, SecNumCloud.6.2

FINMA Circular 2023/1

IV.A(23), IV.A(24), IV.A(25), IV.B.a(48)

OSFI B-13

B-13.1.2, B-13.1.3

EU GDPR

Art.25(1), Art.35(1), Art.35(7)

EU DORA

Art.6(1), Art.6(2)

BIO2

5.37

RBI CSF

ITGRCA.4, ITGRCA.24

FISC Security Guidelines

FISC.T1

LGPD + BCB 4893

LGPD.Art.37-38, LGPD.Art.50, LGPD.BCB.Integration

HKMA TM-E-1

TME1.7.1

MLPS 2.0

8.1.6, 8.1.9.2

DNB Good Practice

DNB.1.1, DNB.19.3, DNB.6.1

EU CRA

CRA.Info.4, CRA.Info.8a

UAE IA

T3

CBB TM

TM-2, TM-3

Qatar NIA

GVRM

CBUAE

CR-14

CBE CSF

GOV-1, GOV-3

SA JS2

JS2-5, JS2-9

CBN CSF

Part1.3, Part3.1, Part6.2

BoG CISD

CISD-COMP, CISD-I, CISD-ISMS

POPIA

s17, s19

BoM CTRM

1.33.1

IOSCO Cyber Resilience

GOV-1, PFMI-3

BCBS 239

Principle 1, Principle 8, Principle 9

CPMI-IOSCO PFMI

PFMI.P15, PFMI.P17, PFMI.P3

FFIEC IS

I.B, II.C.1, II.C.3, II.C.4, IV.A.4

NYDFS 500

500.19, 500.2, 500.3

HIPAA Security Rule

§164.308(a)(1)(i), §164.308(a)(1)(ii)(B), §164.310(a)(2)(ii), §164.316(a), §164.316(b)(1), §164.316(b)(2)(ii), §164.316(b)(2)(iii)

ECB CROE

CROE.2.1.1

EBA ICT Guidelines

3.2.2, 3.6.1

SEBI CSCRF

CLASSIFY, GV.PO

CMMC 2.0

CA

NERC CIP

CIP-003-9

10 CFR 73.54

73.54(b), RG5.71-C-PL

TSA Pipeline SD

SD-2 Sec E

FERC CIP Orders

Order 706

DOE C2M2 v2.1

PROGRAM

AWIA

AWWA Sec 1

IAEA NSS 17-T

Sec 3

CBEST

CBEST.1

TIBER-EU

TIBER.PREP

PCI HSM

1

Common Criteria

CC Part 1 — PP, CC Part 1 — ST

ISAE 3402

Clause 1, Clause 2, Clause 3, Clause 8, Clause 9

Solvency II

EIOPA-ICT-4.1

Lloyd's Minimum Standards

MS8.1

NAIC Insurance Data Security

4, 4B, 4E, 9

PRA SS1/23

P1.1, P1.3, P2.3, P3.5, P5.1

FCA SYSC 13

SYSC 13.1-2, SYSC 13.6.5

HITRUST CSF v11

00.a, 00.c, 03.b, 04.a, 04.b, 06.a

FDA 21 CFR Part 11

§11.1, §11.10(j), §11.10(k)

FDA Cybersecurity Guidance

524B-4, CRA-3, SPDF-1, SPDF-3, TM-3, TR-1, TR-3

ISO 27799

12.1, H.1

NHS DSPT

NDG-5.1, NDG-9.1

MiCA

Art.34(5)

Basel SCO60

SCO60.1, SCO60.3, SCO60.60

BSSC Standards

NOS-01, TIS-08, GSP-01

ISO 17799 (legacy)

6.1

COBIT 4.1 (legacy)

PO1.4, DS5.2