1 Scope
2 References
3 Definitions
3.1 Terms defined elsewhere
3.2 Terms defined in this Supplement
4 Abbreviations and acronyms
5 Conventions
6 Methodology
6.1 Organization context
6.2 Risk management
6.3 Information and network security objectives and planning to achieve them
7 Roles and responsibilities
7.1 Leadership and commitment
7.2 Policy
8 Support
8.1 Resources
8.2 Competence
8.3 Awareness
8.4 Communication
8.5 Documented information
9 Operation
9.1 Operational planning and control
10 Performance evaluation
10.1 Monitoring, measurement, analysis and evaluation
10.2 Internal audit
10.3 Management review
11 Improvement
11.1 Nonconformity and corrective action
11.2 Continual improvement
Appendix I – Reference to applicable controls and how they can be applied
I.1 Organization
I.2 Infrastructure
I.3 People
I.4 Environment
Appendix II – Additional controls for consideration
II.1 CSIRT and SOC
II.2 Cybersecurity information exchange (CYBEX)
Bibliography