Control: The organisation:
A. Implements a process for ensuring that organisational plans for conducting security testing, training, and monitoring activities associated with organisational information systems:
- Are developed and maintained; and
- Continue to be executed in a timely manner;
Supplemental Guidance (Testing, Training, and Monitoring):
This control ensures that organisations provide oversight for the security testing, training, and monitoring activities conducted organisation-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organisations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organisational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organisational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.
Related controls: AT-3, CA-7, CP-4, IR-3, SI-4.