SA-02 Allocation Of Resources
System and Services Acquisition
Low Moderate High Privacy
Description
The organization determines, documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect the information system.
Supplemental Guidance
The organization includes the determination of security requirements for the information system in mission/business case planning and establishes a discrete line item for information system security in the organization’s programming and budgeting documentation. NIST Special Publication 800-65 provides guidance on integrating security into the capital planning and investment control process.
Changes from Rev 4
Control text adds reference to privacy.
Discussion adds reference to supply chain-related risks.
Enhancements
(0) None.
Compliance Mappings
ISO 27001:2022
7.1
NIST CSF 2.0
GV.RR-03
SOC 2 TSC
CC1.4, CC4.1
ISO 42001:2023
A.4.5
ANSSI
Hygiene.36, SecNumCloud.15.1
FINMA Circular 2023/1
IV.A(23), IV.A(24), IV.A(25)
OSFI B-13
B-13.1.2
EU GDPR
Art.25(1), Art.32(1)
EU DORA
Art.6(1)
RBI CSF
ITGRCA.11
FISC Security Guidelines
FISC.T1
HKMA TM-E-1
TME1.2.2, TME1.5.3
DNB Good Practice
DNB.1.1
EU CRA
CRA.I.1
NCA ECC
1-6
UAE IA
T10
CBB TM
TM-5
Qatar NIA
GVSD
BoG CISD
CISD-SDLC
BoM CTRM
1.33.7
CPMI-IOSCO PFMI
PFMI.P15
FFIEC IS
I.C
EBA ICT Guidelines
3.2.2, 3.6.1
Solvency II
EIOPA-ICT-4.1
Lloyd's Minimum Standards
MS8.1
HITRUST CSF v11
10.a
MiCA
Art.34(5), Art.35(1), Art.41(1), Art.54(1), Art.62(1)
ISO 17799 (legacy)
10.3.1
COBIT 4.1 (legacy)
PO1.1, PO5.2