SA-02 Allocation Of Resources
System and Services Acquisition
Low Moderate High Privacy
Description
The organization determines, documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect the information system.
Supplemental Guidance
The organization includes the determination of security requirements for the information system in mission/business case planning and establishes a discrete line item for information system security in the organization’s programming and budgeting documentation. NIST Special Publication 800-65 provides guidance on integrating security into the capital planning and investment control process.
Changes from Rev 4
Control text adds reference to privacy. Discussion adds reference to supply chain-related risks.
Enhancements
(0) None.
Compliance Mappings
COBIT 2019
APO06.01, APO06.02, APO06.03, APO06.04, APO06.05, EDM02.01, EDM02.02, EDM02.03, EDM02.04, EDM04.01, EDM04.02, EDM04.03
NIST CSF 2.0
GV.RR-03
SOC 2 TSC
CC1.4, CC3.1-POF4, CC4.1
ISO 17799 (legacy)
10.3.1
COBIT 4.1 (legacy)
PO1.1, PO5.2