A structured set of security controls organized into categories that provides a systematic approach to managing cybersecurity risk.