“Security” as a topic or category can be confusing without additional context. This document attempts to categorize information security topics using industry-standard groupings.
My internal cloud security group has created a plan that lists the required cloud security controls, along with their ISO 27001 mappings. ISO 27001 groups security controls into various sections that we use in our policy framework as categories. This list appears more enterprise IT focused and includes:
- 5: Information security policies
- 6: Organization of information security
- 7: Human resource security
- 8: Asset management
- 9: Access control
- 11: Physical and environmental security
- 12: Operations management
- 13: Communications security
- 14: System acquisition, development and maintenance
- 15: Supplier relationships
- 16: Information security incident management
- 17: Information security aspects of business continuity management
Another way to classify information security topics is with the 8 CISSP Domains, which are standard knowledge groupings for Information Security professionals.
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communications and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
A web application developer might think more in terms of the Software Assurance Maturity Model (SAMM) from OWASP when considering security related to building products for customers.
SAMM is built upon a collection of Security Practices that are tied back into the core Business Functions involved in software development.
- Governance (Strategy & Metrics; Policy & Compliance; Education & Guidance)
- Construction (Threat Assessment; Security Requirements; Secure Architecture)
- Verification (Design Review; Implementation Review; Security Testing)
- Operations (Issue Management; Environment Hardening; Operational Enablement)
The SAMM groupings might be the best mental model for product teams. However, there is still work in understanding how ISO 27001 controls fit into the responsibility matrix.