eGRACS Organization Structure Controls Triangle
This Tactical Tier control triangle seeks to design, maintain, and optimise the organisation’s structure, roles, and resources, ensuring alignment with the strategic goals and enabling effective execution of business and technology functions.
This control rolls down from the Manage Demand Domain and cascades into: 1.1.2.1-Business Structure, 1.1.2.2-Technology Structure, and 1.1.2.3-Governance Structure controls.
Control Mappings:
COBIT:2019 ➡️ APO01; APO01.04
PCI:DSSv4.01 ➡️ 1.1.2; 12.4.1
GDPR:2024 ➡️ Art.25; Art.47; Art.48
ISO27001:2022 ➡️ 4; 4.1; 5; 5.3
ISO27005:2022 ➡️ 6; 6.1
ISO31000:2018 ➡️ 5; 5.3; 5.4; 5.4.1; 6; 6.3; 6.3.1
ISO38500:2024 ➡️ 4; 4.2; 5; 5.2; 5.4.2; 6; 6.4; 7; 7.1; 7.2.1
ITIL:v4 ➡️ GM1; GM6; GM12; SM16
NIST:CSFv2 ➡️ GV; GV.OC; GV.OC-05
MaRisk:2024 ➡️ AT 4.3(a); AT 4.3.1(2); AT 5(1); AT 5(3a); AT 9(3); BT 2.2(2)