Information Security Controls Framework

Information Security Controls Framework Matrix
November 2020

In UVA’s distributed computing environment, schools, departments, units, and central information technology (ITS) must work together to help accomplish the University’s primary missions of teaching, learning, research, and patient care.

Per IRM-011: University Information Technology Security Program, the University uses the ISO 27000 framework as the basis for its information technology policies. All UVA organizations are required to abide by the University’s policies, standards, and procedures, including:

By adopting the Center for Internet Security (CIS)’s Critical Security Controls (CSC), the University has a prioritized and organized plan for implementing the ISO framework. 

With input from various groups at the University, including Internal Audit and the Security Advisory Committee, UVA Information Security has put together an information security controls matrix. This matrix uses the CIS Critical Security Controls as the base. The matrix also contains the following:

  • ISO 27000 references
  • References to related University policies, standards, or procedures
  • Responsible party for implementing the control

The information security controls framework can be downloaded as an Excel file or a PDF. We recommend the Excel spreadsheet version.
You can also download a PDF version of this webpage.

If you have questions or concerns about this matrix, please email: [email protected].


Report an Information Security Incident

Please report any level of incident, no matter how small. The Information Security office will evaluate the report and provide a full investigation if appropriate.
