Description
The organization reviews the security plan for the information system [Assignment: organization-defined frequency, at least annually] and revises the plan to address system/organizational changes or problems identified during plan implementation or security control assessments.
Supplemental Guidance
Significant changes are defined in advance by the organization and identified in the configuration management process. NIST Special Publication 800-18 provides guidance on security plan updates.
Enhancements
(0) None.
Compliance Mappings
ISO 42001:2023
A.2.4
ANSSI
Hygiene.36, SecNumCloud.6.2
FINMA Circular 2023/1
IV.A(23), IV.A(25)
OSFI B-13
B-13.1.2, B-13.1.3
EU GDPR
Art.25(1)
EU DORA
Art.6(4)
IOSCO Cyber Resilience
LE-2
FFIEC IS
II.C.1
NYDFS 500
500.3
NAIC Insurance Data Security
4E
ISO 17799 (legacy)
6.1
COBIT 4.1 (legacy)
PO1.4