SA-05 Information System Documentation
System and Services Acquisition
Low Moderate High
Description
The organization obtains, protects as required, and makes available to authorized personnel, adequate documentation for the information system.
Supplemental Guidance
Documentation includes administrator and user guides with information on: (i) configuring, installing, and operating the information system; and (ii) effectively using the system’s security features. When adequate information system documentation is either unavailable or nonexistent (e.g., due to the age of the system or lack of support from the vendor/manufacturer), the organization documents attempts to obtain such documentation and provides compensating security controls, if needed.
Changes from Rev 4
Adds "or develop" regarding documentation; adds privacy reference
Enhancements
Compliance Mappings
ISO 27001:2022
4.3
ISO 27002:2022
5.12
NIST CSF 2.0
ID.AM-05
SOC 2 TSC
CC2.1-POF7, CC2.2-POF11, CC6.1-POF1
ISO 17799 (legacy)
10.7.4
COBIT 4.1 (legacy)
DS5.7