SA-05 Information System Documentation

System and Services Acquisition

Low Moderate High

Description

The organization obtains, protects as required, and makes available to authorized personnel, adequate documentation for the information system.

Supplemental Guidance

Documentation includes administrator and user guides with information on: (i) configuring, installing, and operating the information system; and (ii) effectively using the system's security features. When adequate information system documentation is either unavailable or nonexistent (e.g., due to the age of the system or lack of support from the vendor/manufacturer), the organization documents its attempts to obtain such documentation and provides compensating security controls, if needed.

Changes from Rev 4

Adds "or develop" regarding documentation; adds privacy reference

Compliance Mappings

ISO 27001:2022

A.5.37

ISO 27002:2022

5.37

COBIT 2019

BAI08

SOC 2 TSC

CC6.1-POF1

ISO 42001:2023

A.6.2.3, A.6.2.7, A.8.2

ANSSI

Hygiene.5, SecNumCloud.15.2

FINMA Circular 2023/1

IV.A(28), IV.A(36)

OSFI B-13

B-13.2.2

EU GDPR

Art.30(1)

EU DORA

Art.8(1), Art.8(4)

BIO2

5.37

RBI CSF

Annex1.6

HKMA TM-E-1

TME1.3.4

MLPS 2.0

8.1.9.5

EU CRA

CRA.Info.4, CRA.Info.5, CRA.Info.8a, CRA.Info.8b, CRA.Info.8c, CRA.Info.8d, CRA.Info.8e, CRA.Info.8f

UAE IA

T10

Qatar NIA

SD

BoG CISD

CISD-SDLC

IOSCO Cyber Resilience

ID-1

BCBS 239

Principle 2

CPMI-IOSCO PFMI

PFMI.P17

HIPAA Security Rule

§164.316(b)(1), §164.316(b)(2)(ii)

EBA ICT Guidelines

3.3.2

ISAE 3402

Clause 9

Solvency II

EIOPA-ICT-4.3

PRA SS1/23

P3.1, P3.5

FCA SYSC 13

SYSC 13.6.5

FDA 21 CFR Part 11

§11.10(k)

FDA Cybersecurity Guidance

SPDF-3, TR-1, TR-2, TR-3

ISO 27799

12.1

MiCA

Art.84(1)

ISO 17799 (legacy)

10.7.4

COBIT 4.1 (legacy)

DS5.7