A- Developing an Information Security Program
• Information security program resources (e.g., people, tools,
technologies)
• Identification and classification of information assets
• Industry standards and frameworks for information security
• Information security policies, procedures and guidelines
• Information security program measures

B– Information Security Program Management
• Information security control design and selection
• Information security control implementation and integrations
• Information security control testing and evaluation
• Information security awareness and training
• Management of external services (e.g., vendors, suppliers, third parties, fourth parties)
• Information Security Program, Communications and Reporting