Good morning John, v.4 has been very fundamental for many organizations and it's exciting that v.5 will build upon that. I think option #2 is very well aligned to how most companies align their security practices/programs. It will allow for both strategic alignment to overarching risk reduction efforts as well as tactical areas of focus on a team/program level. Cloud concepts and cloud-related technologies could be subsections for each of the 5 high level areas since each of those would be unique per area of focus.
Happy to provide any additional information/feedback if it is valuable.
From a GRC and Policy viewpoint, Option 2 headings/categories make a sound logical construct of the whole landscape.
Option 3 concerns me in that the 'Infrastructure and Platforms' components have been hidden away somewhere; but the Application component gets a top-level mention. Why? I also agree with the various comments around DevSecOps (which is a better topic than just DevOps) being well covered by other organisations that specialise in those disciplines; and the comments around including the SSRM viewpoint somewhere in the structure.