Information Security Controls Framework

Information Security Controls Framework Matrix
November 2023

In UVA’s distributed computing environment, schools, departments units, and central information technology (ITS) must work together to help accomplish the University’s primary missions of teaching, learning, research, and patient care.

Per IRM-011: University Information Technology Security Program, the University uses the ISO 27000 framework as the basis for its information technology policies. All UVA organizations are required to abide by the University’s policies, standards, and procedures, including:

By adopting the Center for Internet Security (CIS)’s Critical Security Controls (CSC), the University has a prioritized and organized plan for implementing the ISO framework. 

With input of various groups at the University, including Internal Audit and the Security Advisory Committee, UVA Information Security has put together an information security controls matrix.  This matrix uses the CIS Critical Security Controls as the base.  The matrix also contains the following:

  • ISO 27000 references
  • References to related University policies, standards, or procedures
  • Responsible party for implementing the control

The information security controls framework can be downloaded as an Excel file or a PDF.

If you have questions or concerns about this matrix, please email: [email protected].