Entity-level policies and procedures -- Access-control policies and procedures -- Change control and change management -- System information integrity and monitoring -- System services acquisition and protection -- Informational asset management -- Continuity of operations.