GOV-004 Information Security Program
Description
A formal information security program exists with documented scope, objectives, and resource allocation. The program covers all relevant security domains, is aligned with business risk, and is reviewed at planned intervals by management.
Rationale
An undocumented or resource-starved security program cannot systematically implement or maintain controls across the organization. The program plan is the master reference for scope and coverage.
Framework Mappings (4)
| Framework | Control | Title | Coverage |
|---|---|---|---|
| CSA CCM v4 | GRC-05 | Information Security Program | full |
| ISO/IEC 27001:2022 Annex A | 5.1 | Policies for information security | partial |
| NIST SP 800-53 | PM-1 | Information Security Program Plan | full |
| AICPA TSC (SOC 2) | CC1.3 | COSO Principle 3: Establishes Structure, Authority, and Responsibility | partial |
Evidence (2)
Formal information security program plan documenting scope, objectives, covered domains, resource allocation, and review schedule.
Example: Information Security Program Plan (Confluence / Google Drive), including: scope boundary, list of covered security domains (access, incident response, third-party, etc.), approved budget or headcount, and a defined annual review date.
Test: Request the information security program plan. Verify: (1) a defined scope statement is present, (2) all security domains covered are listed, (3) resource allocation (budget or FTE) is referenced, (4) a review interval is stated and the last review date is within that interval, (5) the document carries a management approval signature or equivalent.
Security program status report showing management review of program health and coverage against plan.
Example: Quarterly or annual security program status report (PDF or Confluence page) submitted to the executive sponsor, showing domain coverage, metrics, and open issues.
Test: Request the most recent security program status report. Verify: (1) the report was produced within the defined reporting cadence, (2) it is addressed to or has been reviewed by a named executive, (3) it covers all domains listed in the program plan, (4) open issues and remediation status are included.
Questions (2)
Does a formal, documented information security program plan exist that defines scope, objectives, covered domains, and resource allocation?
The program plan should be a living document approved by management, listing all security domains in scope and referencing budget or headcount allocation.
How is progress against the information security program plan reported to management?
A documented status report (quarterly or annually) addressed to or acknowledged by a named executive is the expected evidence.