What control ensures that an organization recognizes the importance of trustworthiness?

Enhance your preparation for the Federal IT Security Professional Test. Use quizzes, flashcards, and detailed explanations to ensure success. Stay ahead in the field of IT Security!

Multiple Choice

What control ensures that an organization recognizes the importance of trustworthiness?

Explanation:
Recognizing the importance of trustworthiness is addressed by the control in the System and Services Acquisition area. This control requires that the organization consider trustworthiness as part of acquiring systems and services, and that supplier selection, procurement decisions, and ongoing integration are guided by defined trust and security criteria. It means you vet vendors and components for their security posture, require evidence of assurance, and ensure that trustworthiness is built into contracts, development, and maintenance processes. This keeps security considerations front and center from the moment a system or service is selected through its entire lifecycle.

Why this fits better than the others: the other controls focus on how users access resources (who can log in and how), how authenticators are managed, or how audits are reviewed and reported. They are important for security operations and identity management, but they don’t specifically mandate that trustworthiness be recognized and embedded in the acquisition and integration of systems and services.
