Framework hub

NIST 800-53 — Low

NIST · Rev 5

Lowest control baseline when loss of sensitive data would have minor business impact.

In scope — controls active

HLD Group maintains policies and controls mapped to this framework as part of our security and compliance programme. This hub describes programme alignment — not a third-party certification or attestation unless separately agreed in your contract.

Programme focus areas

Low baseline
Tailored overlays

Policies meeting this framework

The following published policies and programme documents are mapped to NIST 800-53 — Low. Status: published and under periodic review.

Information security policy
Enterprise information security programme and control framework.
v3.0 · review every 365 days
Published
Acceptable use policy
Permitted and prohibited use of company systems, devices, and data.
v2.0 · review every 365 days
Published
Access control policy
Granting, reviewing, and revoking access to systems and data.
v2.0 · review every 180 days
Published
Privileged access management policy
Administrative and break-glass access controls.
v1.0 · review every 180 days
Published
Data classification policy
Classification levels and handling requirements for information assets.
v1.3 · review every 365 days
Published
Data retention & disposal policy
Retention schedules and secure destruction of information.
v1.0 · review every 365 days
Published
Incident response plan
Detecting, responding to, and recovering from security incidents.
v3.0 · review every 180 days
Published
Breach notification policy
Notifying regulators, customers, and individuals of data breaches.
v1.0 · review every 365 days
Published
Encryption policy
Requirements for encryption at rest and in transit.
v1.2 · review every 365 days
Published
Password & authentication policy
Password complexity, MFA, and credential management.
v2.0 · review every 180 days
Published
Network security policy
Segmentation, remote access, and perimeter controls.
v1.0 · review every 365 days
Published
Logging & monitoring policy
Security logging, SIEM, and alerting requirements.
v1.0 · review every 365 days
Published
Vulnerability management policy
Discovery, prioritisation, and remediation of vulnerabilities.
v1.0 · review every 365 days
Published
Patch management policy
Security patching cadence and emergency patch process.
v1.0 · review every 365 days
Published
Asset management policy
Inventory and lifecycle of information assets.
v1.0 · review every 365 days
Published
Risk management policy
Identifying, assessing, and treating organizational risks.
v1.5 · review every 365 days
Published
Vendor & third-party risk policy
Assessment and ongoing management of suppliers and subprocessors.
v1.4 · review every 365 days
Published
Change management policy
Managing changes to systems, infrastructure, and applications.
v2.2 · review every 365 days
Published
Physical security policy
Physical access to facilities, equipment, and media.
v1.1 · review every 365 days
Published
Secure development policy
Secure SDLC, code review, and dependency management.
v1.0 · review every 365 days
Published
Cloud security policy
Cloud governance, hardening, and identity in IaaS/PaaS.
v1.0 · review every 365 days
Published
Email & messaging security policy
Anti-phishing, SPF/DKIM/DMARC, and acceptable email use.
v1.0 · review every 365 days
Published
Compliance & GRC policy
Compliance programme, audits, and control ownership.
v1.0 · review every 365 days
Published
Security assessment policy
Penetration testing, scans, and customer audit coordination.
v1.0 · review every 365 days
Published
Personnel security policy
Screening, employment terms, and termination procedures.
v1.0 · review every 365 days
Published
Security awareness & training policy
Mandatory security training and phishing simulations.
v1.0 · review every 365 days
Published
CUI handling policy
Handling Controlled Unclassified Information per CMMC and NIST 800-171.
v1.1 · review every 180 days
Published

Assurance note

Programme alignment means HLD maintains controls, policies, and monitoring mapped to NIST 800-53 — Low requirements appropriate to our services and risk profile. It does not by itself constitute certification, authorization, or a SOC/ISO audit report. Customers requiring formal attestations should contact [email protected].