7 organizational controls

There are 7 Organizational Controls you are expected to have in place. They are defined in the Baseline Cyber Security Controls for Canadian SMOs.

The framework is divided into two parts: the organizational controls and the baseline controls.

The baseline controls are the countermeasures you may want to put in place.

Once you've scoped your program, there are 41 countermeasures you can leverage to control different risks.

The organizational controls are ways to scope your risk treatment plan. The document says:

The goal [of the organizational controls] is to help an organization determine whether the baseline controls are appropriate for its circumstances.

The 7 organizational controls can be shortened to:

  1. List the assets in scope
  2. Identify the main threat
  3. Assess risk
  4. Assign responsibility
  5. Identify the budget required for IT security investment
  6. Identify the staffing level required for IT security
  7. Commit to progressive improvements

And it really comes down to these 4 steps:

  1. Determine what information technology is in scope
  2. Determine the value of information systems and assets
  3. Confirm the cyber security threat level
  4. Confirm the cyber security investment levels

Don't skip these controls. Scoping your security program early in the process will help you avoid spending time on the wrong things. These controls will save you time and energy.