PL-09 Central Management

Planning

Privacy; New in Rev 5

Description

Centrally manage [Assignment: organization-defined parameters].

Supplemental Guidance

Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and the judicious use of organizational resources. Centrally managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring. Automated tools (e.g., security information and event management tools or enterprise security monitoring and management tools) can improve the accuracy, consistency, and availability of information associated with centrally managed controls and processes. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision-making within the organization. As part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. 
The controls and control enhancements that are candidates for full or partial central management include but are not limited to: AC-02(1), AC-02(2), AC-02(3), AC-02(4), [AC-04(all)](#ac-4), AC-17(1), AC-17(2), AC-17(3), AC-17(9), AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-02(1), AT-02(2), AT-03(1), AT-03(2), AT-03(3), AT-04, AU-03, AU-06(1), AU-06(3), AU-06(5), AU-06(6), AU-06(9), AU-07(1), AU-07(2), AU-11, AU-13, AU-16, CA-02(1), CA-02(2), CA-02(3), CA-03(1), CA-03(2), CA-03(3), CA-07(1), CA-09, CM-02(2), CM-03(1), CM-03(4), CM-04, CM-06, CM-06(1), CM-07(2), CM-07(4), CM-07(5), [CM-08(all)](#cm-8), CM-09(1), CM-10, CM-11, [CP-07(all)](#cp-7), [CP-08(all)](#cp-8), SC-43, SI-02, SI-03, [SI-04(all)](#si-4), SI-07, SI-08.

Changes from Rev 4

New control in Rev 5.

Compliance Mappings

ISO 27001:2022

4.48.1

COBIT 2019

APO01, APO13, EDM01

NIST CSF 2.0

DE.AE-03, PR.PS-01

SOC 2 TSC

CC1.1, CC5.3

PCI DSS v4.0.1

12.1

ISO 42001:2023

A.2.2

IEC 62443

2-1 4.2

NIS2 Directive

Art. 21(2)(a)

MAS TRM

4

APRA CPS 234

Para 15

BSI IT-Grundschutz

ISMS.1, ORP.1

ANSSI

Hygiene.36, RGS.1.3

FINMA Circular 2023/1

IV.A(23), IV.A(24), IV.A(31)

OSFI B-13

B-13.1.2, B-13.1.3

EU GDPR

Art.24(1), Art.24(2)

EU DORA

Art.5(1), Art.5(2), Art.6(1)

RBI CSF

ITGRCA.4

FISC Security Guidelines

FISC.O1, FISC.T1

LGPD + BCB 4893

BCB.Art.17, BCB.Art.2, LGPD.Art.50, LGPD.BCB.Integration

HKMA TM-E-1

TME1.2.1, TME1.2.3, TME1.2.4, TME1.7.1

SAMA CSF

1.11.31.8

NCA ECC

1-11-2

UAE IA

T1

CBB TM

TM-1, TM-2, TM-3, TM-4

Qatar NIA

GV

CBUAE

CR-1

CBE CSF

GOV-1

SA JS2

JS2-4, JS2-5

CBN CSF

Part1.1, Part1.3

BoG CISD

CISD-II

BoM CTRM

1.11.4

IOSCO Cyber Resilience

GOV-1, GOV-2, PFMI-2, PFMI-3

BCBS 239

Principle 1

CPMI-IOSCO PFMI

CG.GOV, PFMI.P2, PFMI.P3

FFIEC IS

II.C.2

ECB CROE

CROE.2.1.1

EBA ICT Guidelines

3.2.13.2.23.3.1

SEBI CSCRF

GV.RM

BOT Cyber Resilience

Ch1.2

Common Criteria

CC Part 2 — FMT

Solvency II

Art.41(1), Art.44(1), DR.258, EIOPA-ICT-4.1, EIOPA-ICT-4.2

Lloyd's Minimum Standards

CRM.1, GOV.1, MS8.1

NAIC Insurance Data Security

4B

FCA SYSC 13

SYSC 13.1-2, SYSC 13.G.1

HITRUST CSF v11

05.a

NHS DSPT

NDG-9.1