Owner: Security Architecture · Frameworks: NIST CSF 2.0, CIS Controls v8, ISO 27001:2022
The organisation's security programme is structured around the NIST Cybersecurity Framework 2.0 (CSF 2.0). This provides a common language for communicating security maturity, identifying gaps, and prioritising investment. CIS Controls v8 is used as the implementation guide, and ISO 27001:2022 provides the certification structure.
The Govern function is new in CSF 2.0 and addresses organisational context, risk management strategy, roles and accountability, policy, oversight, and cybersecurity supply chain risk.
| Category | Control | Status | Notes |
|---|---|---|---|
| GV.OC | Organisational context established | ✅ | Annual review by board |
| GV.RM | Risk management strategy defined | ✅ | Risk appetite statement approved |
| GV.SC | Supply chain risk managed | 🟡 | Vendor assessment programme in progress |
| GV.PO | Policy framework current | ✅ | All policies reviewed annually |
| GV.OV | Oversight: metrics reported to leadership | ✅ | Monthly CISO dashboard |
Identify function:

| Category | Description | Maturity | Key Controls |
|---|---|---|---|
| ID.AM | Asset Management | 4 | CMDB enforced, cloud assets tagged |
| ID.RA | Risk Assessment | 3 | Annual formal assessment plus continuous assessment |
| ID.IM | Improvement | 3 | Lessons-learned process exists |
Protect function:

| Category | Description | Maturity | Key Controls |
|---|---|---|---|
| PR.AA | Identity Management, Authentication & Access Control | 4 | Entra ID, MFA, PIM |
| PR.AT | Awareness & Training | 3 | Annual security training, phishing simulations |
| PR.DS | Data Security | 3 | DLP, encryption at rest and in transit, DSPM |
| PR.PS | Platform Security | 4 | CIS hardening, Intune, VM baselines |
| PR.IR | Technology Infrastructure Resilience | 3 | HA/DR, backup, BCP |
Detect function:

| Category | Description | Maturity | Key Controls |
|---|---|---|---|
| DE.AE | Adverse Event Analysis | 3 | SIEM (Sentinel), UEBA |
| DE.CM | Continuous Monitoring | 3 | Sentinel, Defender, Falco, Umbrella |
Respond function:

| Category | Description | Maturity | Key Controls |
|---|---|---|---|
| RS.MA | Incident Management | 3 | IR plan, playbooks, SOC |
| RS.AN | Incident Analysis | 3 | DFIR capability, MDR partner |
| RS.CO | Incident Response Reporting & Communication | 3 | Regulatory notification playbook |
| RS.MI | Incident Mitigation | 3 | Containment playbooks, EDR isolation |
Recover function:

| Category | Description | Maturity | Key Controls |
|---|---|---|---|
| RC.RP | Incident Recovery Plan Execution | 3 | BCP/DRP, tested annually |
| RC.CO | Incident Recovery Communication | 2 | Crisis communications plan exists |
The organisation targets Implementation Group 2 (IG2) safeguards as the minimum standard. IG3 safeguards are targeted for high-risk environments (PCI, finance systems). The IG Target column below records the group applied to each control.
| CIS Control | Title | IG Target | Status |
|---|---|---|---|
| 1 | Inventory of Enterprise Assets | IG1 | ✅ CMDB + Intune |
| 2 | Inventory of Software Assets | IG1 | ✅ SAM Pro |
| 3 | Data Protection | IG2 | 🟡 DSPM in progress |
| 4 | Secure Configuration | IG1 | ✅ CIS baselines enforced |
| 5 | Account Management | IG1 | ✅ Entra ID, PAM |
| 6 | Access Control Management | IG2 | ✅ RBAC + PIM |
| 7 | Continuous Vulnerability Management | IG2 | 🟡 Maturing scan coverage |
| 8 | Audit Log Management | IG2 | 🟡 Sentinel SIEM upgrade |
| 9 | Email & Web Browser Protection | IG2 | ✅ Defender for O365, Edge hardening |
| 10 | Malware Defences | IG2 | ✅ MDE on all endpoints |
| 11 | Data Recovery | IG2 | ✅ Veeam, Azure Backup |
| 12 | Network Infrastructure Management | IG2 | ✅ Cisco standard, Palo Alto |
| 13 | Network Monitoring & Defence | IG2 | 🟡 NDR evaluation underway |
| 14 | Security Awareness & Skill Training | IG2 | ✅ KnowBe4, quarterly campaigns |
| 16 | Application Software Security | IG2 | 🟡 SAST/DAST expanding to all teams |
| 17 | Incident Response Management | IG2 | ✅ IR plan, tested annually |
| 18 | Penetration Testing | IG2 | ✅ Annual external pentest + red team |
The organisation has a low appetite for risks that could:
- Result in a notifiable data breach under GDPR/DPA 2018
- Cause operational disruption >4 hours for Tier 1 systems
- Lead to regulatory sanctions or loss of certification
The organisation has a moderate appetite for:
- Adoption of emerging technologies in non-production environments
- Third-party integration risks where compensating controls are in place
The Security Risk Register is maintained in ServiceNow GRC. Risks are rated using a 5×5 likelihood/impact matrix; the table below shows the top-level rating derived from each pair.
| Risk ID | Risk | Likelihood | Impact | Rating | Owner |
|---|---|---|---|---|---|
| SR-001 | Ransomware via phishing | Medium | Critical | High | CISO |
| SR-002 | Supply chain software compromise | Low | Critical | Medium | Sec Arch |
| SR-003 | Cloud misconfiguration | Medium | High | High | Cloud Arch |
| SR-004 | Insider threat (privileged) | Low | High | Medium | IAM Lead |
| SR-005 | MFA bypass / SIM swap | Low | Critical | Medium | IAM Lead |
All security policies are approved by the CISO and reviewed annually.
| Policy | Last Review | Next Review |
|---|---|---|
| Information Security Policy | Jan 2026 | Jan 2027 |
| Acceptable Use Policy | Jan 2026 | Jan 2027 |
| Access Control Policy | Mar 2026 | Mar 2027 |
| Incident Response Policy | Feb 2026 | Feb 2027 |
| Data Classification Policy | Jan 2026 | Jan 2027 |
| Cryptography Policy | Jan 2026 | Jan 2027 |
| Third-Party Security Policy | Feb 2026 | Feb 2027 |
| Vulnerability Management Policy | Mar 2026 | Mar 2027 |
- NIST CSF 2.0
- CIS Controls v8
- ISO 27001:2022 Statement of Applicability (SharePoint, restricted)
- ServiceNow GRC Risk Register: https://itsm.internal/grc