Cybersecurity Supporting Documentation

Cybersecurity Supporting Documentation

In previous posts, I outlined the required topics for cybersecurity policies and procedures. In this post, I will cover cybersecurity-related supporting documents.

The table below lists items or topics, that should be addressed either in supporting documentation. That means that these are not policies or procedures. This list is based on NIST standards, including the Risk Management Framework, Cybersecurity Framework, and PCI DSS.

This table covers required supporting documentation, the type, along with references to industry standards and guidelines. One notable item missing from the table is a system security plan (SSP). It is part of the NIST Risk Management Framework and is required for Federal Government agencies. It is a good idea to document how you have implemented controls, but most organizations outside of the Federal Government may use some sort of GRC to document how controls are in place. I should also note these items do not need to be in a document per se; they can be in a database. For example, an Inventory is better off in a database than a document.

Table 1