In this step, security plans are developed that determine security requirements for the information systems and contain the information pertaining to a selection of security controls, how these controls have to be implemented, and so on. Security controls are commonly of three types—administrative, logical, or technical and physical controls:

• Administrative controls are the policies, standards, or guidelines specifying and governing the security requirements of a program
• Technical controls are virtual controls, such as firewalls, anti-virus software, identification, and authentication mechanisms and passwords
• Physical controls may refer to a key that can give access to buildings or rooms, monitoring systems such as surveillance systems, gates, and even security personnel who monitor access to offices