Controls that an organization needs to implement for protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities.