5. Requirements and Controls

Before executing the Risk Management Framework, it is important to understand the concept of security and privacy requirements and the relationship between requirements and controls.

📄️ Requirements

The term requirements can be used in various contexts. In the context of information security and privacy policies compliance, it typically refers to the obligations imposed on organizations regarding information security and privacy.

📄️ Controls

Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders.