Interdependencies between essential and important entities
ENISA Interdependencies Indicators Tool
ISO/IEC 27002 control name | Control statement | EXAMPLE OF IMPLEMENTATION (indicator) |
---|---|---|
Labelling of information | An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organisation. | In a system implementing metadata labelling of information (for the implementation of the classification scheme), count the number of information assets per category. |
Classification of information | Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. | Create a list of information assets with their respective identified classification level. Count the number of information assets per classification level. |
Access control policy | An access control policy should be established, documented and reviewed based on business and information security requirements. | Count the number of systems that are governed by the access control policy. |
Information access restriction | Access to information and application system functions should be restricted in accordance with the access control policy. | Create a list of the access rights granted to users. Review the list and count the number of resources being accessed. |
Access to networks and network services | Users should only be provided with access to the network and network services that they have been specifically authorised to use. | Count the number of networks and network services under the control of access management. |
Secure system engineering principles | Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts. | Count the number of secure system engineering principles recorded by the organisation. (Note: each programming language in use should have at least one documented principle.) |
Information security requirements analysis and specification | The information security related requirements should be included in the requirements for new information systems or enhancements to existing information systems. | Review development efforts for new systems. Count the number of information security requirements identified. |
Managing changes to supplier services | Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. | Review the change management documentation. Measure the mean time needed for a supplier to successfully implement changes. |
Monitoring and review of supplier services | Organisations should regularly monitor, review and audit supplier service delivery. | Count the number of characteristics / items being monitored per supplier. |
Information security policy for supplier relationships | Information security requirements for mitigating the risks associated with the supplier's access to the organisation's assets should be agreed with the supplier and documented. | Review the information security policy for supplier relationships. |
Information and communication technology supply chain | Agreements with suppliers should include requirements to address the information security risks associated with the information and communications technology services and product supply chain. | Review the relevant agreements and count the number of suppliers and sub-suppliers connected with the provision of critical services. |
Addressing security within supplier agreements | All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organisation's information. | Review the relevant agreements and count the number of suppliers connected with the provision of critical services. |
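The two indicators for labelling and classification of information (assets per category, assets per classification level) are only meaningful if every asset carries a label and every label belongs to the adopted scheme. The script below is an added example, not part of the ENISA tool: it computes both counts from a constructed inventory export and also reports the two exceptions a reviewer would want to see, unlabelled assets and labels outside the scheme. The four-level scheme, the `Asset` record and the sample inventory are assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Classification scheme assumed for this example (not taken from the ENISA page),
# ordered from least to most sensitive.
SCHEME = ("public", "internal", "confidential", "restricted")


@dataclass(frozen=True)
class Asset:
    asset_id: str
    owner: str
    label: Optional[str]  # metadata label set by the labelling system; None = unlabelled


# Constructed sample inventory export, including the two failure modes worth flagging.
INVENTORY = [
    Asset("hr-payroll-db", "HR", "restricted"),
    Asset("intranet-wiki", "IT", "internal"),
    Asset("press-kit", "Comms", "public"),
    Asset("customer-crm", "Sales", "confidential"),
    Asset("build-server-logs", "IT", None),          # never labelled
    Asset("legacy-fileshare", "Finance", "Secret"),  # label not in the scheme
]


def _normalise(label: Optional[str]) -> Optional[str]:
    """Labels are compared case-insensitively; 'Restricted' and 'restricted' are the same level."""
    return label.lower() if label else None


def count_per_level(assets):
    """Indicator: number of information assets per classification level.
    Only labels that belong to the scheme are counted; every level is reported,
    even when it has zero assets, so gaps in the scheme's use are visible."""
    counts = Counter(_normalise(a.label) for a in assets if _normalise(a.label) in SCHEME)
    return {level: counts.get(level, 0) for level in SCHEME}


def find_exceptions(assets):
    """Assets the indicator cannot place: unlabelled ones, and ones whose label is
    not in the scheme (the labelling procedure and the scheme have drifted apart).
    Returns (list of unlabelled asset ids, dict of asset id -> unknown label)."""
    unlabelled = [a.asset_id for a in assets if not a.label]
    unknown = {a.asset_id: a.label for a in assets if a.label and _normalise(a.label) not in SCHEME}
    return unlabelled, unknown


def coverage(assets):
    """Share of assets carrying a label from the scheme; 1.0 means labelling is complete."""
    if not assets:
        return 0.0
    return sum(count_per_level(assets).values()) / len(assets)


if __name__ == "__main__":
    for level, n in count_per_level(INVENTORY).items():
        print(f"{level:>13}: {n}")
    unlabelled, unknown = find_exceptions(INVENTORY)
    print("unlabelled:", unlabelled)
    print("label outside scheme:", unknown)
    print(f"labelling coverage: {coverage(INVENTORY):.0%}")
```

Reporting the per-level counts alone would hide the two exceptions, so the coverage figure is the number to track over time; the counts per level are the indicator the table asks for, and the exception lists are the work items that move it towards 100 %.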