| Objectives | Principles | Description |
| Objective A Managing security risk | A.1 Governance | Acceptable policies and processes to approach the security of network and information systems. |
| A.2 Risk management | Recognition, evaluation and awareness of security risks to approach risk management. | |
| A.3 Asset management | Regulating and awareness of all critical systems and/or services required for support | |
| A.4 Supply chain | Awareness and control of the security risks for the systems that have external dependencies | |
| Objective B Protecting against cyber attack | B.1 Service protection policies and processes | Measuring and communicating acceptable policies and processes to secure critical systems operations. |
| B.2 Identity and access control | Awareness, verifying and regulating access to networks and information systems supporting essential functions. | |
| B.3 Data security | Safeguarding data used in essential functions from adverse actions. | |
| B.4 System security | Safeguarding critical network and information systems and technology from cyberattack. | |
| B.5 Resilient networks and systems | Developing resilience against adverse actions. | |
| B.6 Staff awareness and training | Involving staff to make a positive contribution to the cybersecurity of essential functions. | |
| Objective C Detecting cyber security events | C.1 Security monitoring | Observing and monitoring the potential security problems and the effectiveness of existing security measures. |
| C.2 Proactive security event discovery | Identifying anomalous incidents in relevant network and information systems. | |
| Objective D Minimizing the impact of cyber security incidents | D.1 Response and recovery planning | Placing suitable incident management and mitigation processes. |