Interdependencies between essential and important entities
ENISA Interdependencies Indicators Tool
ISO IEC 27002 control name | Control text | EXAMPLE OF IMPLEMENTATION |
---|---|---|
Review of the policies for information security | The policies for information security should be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. | Measure the time elapsed between a major change or incident and the review of the relevant information security policies. |
Management of technical vulnerabilities | Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. | Review the procedure for identification of technical vulnerabilities. Count the systems whose vulnerability identification process is not automated. |
Administrator and operator logs | System administrator and system operator activities should be logged and the logs protected and regularly reviewed. | Review the log settings per system. Count the instances where administrator and operator log information is relayed less often than once a minute. |
Capacity management | The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. | Review the system for monitoring capacity status. Count the instances where capacity information is relayed less often than once a minute. |
Event logging | Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. | Review the log settings per system. Count the instances where event log information is relayed less often than once a minute. |
Clock synchronisation | The clocks of all relevant information processing systems within an organisation or security domain should be synchronised to a single reference time source. | Review the clock synchronisation settings per system. Count the systems whose synchronisation period exceeds 12 hours. |
Change management | Changes to the organisation, business processes, information processing facilities and systems that affect information security should be controlled. | Count the systems that have an emergency change management procedure. |
Technical review of applications after operating platform changes | When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organisational operations or security. | Measure the time needed to perform the technical review of an application. |
System change control procedures | Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures. | Count the systems that have an emergency change management procedure. |
Restrictions on changes to software packages | Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. | Count the systems that have an emergency change management procedure. |
Managing changes to supplier services | Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. | Count the number of supplier services that have an emergency change procedure. |
Monitoring and review of supplier services | Organisations should regularly monitor, review and audit supplier service delivery. | Count the number of systems / services dependent on suppliers that are monitored less frequently than every 12 hours. |
Learning from information security incidents | Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents. | Review the documented information security incidents. Count the number of incidents where the reported impact differs from the actual impact. |
Collection of evidence | The organisation should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. | Review the documented information security incidents. Count the number of incidents where evidence was missing because of the volatility of electronic traces. |
Assessment of and decision on information security events | Information security events should be assessed and it should be decided if they are to be classified as information security incidents. | Review the documented information security incidents. Measure the time elapsed between an event being reported and its classification as an incident. |
Response to information security incidents | Information security incidents should be responded to in accordance with the documented procedures. | Review the documented information security incidents. Measure the time elapsed between an event being reported and the completion of the response. |
Reporting information security events | Information security events should be reported through appropriate management channels as quickly as possible. | Review the documented information security incident reports. Measure the time elapsed between the event occurring and its being reported. |
Reporting information security weaknesses | Employees and contractors using the organisation’s information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services. | Review the documented information security weakness reports. Measure the time elapsed between a weakness being spotted and its being reported. |
Verify, review and evaluate information security continuity | The organisation should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. | Review the test reports. Measure the time needed to activate the plans. |
Implementing information security continuity | The organisation should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. | Measure the time between the incident and the activation of the plan. |
Planning information security continuity | The organisation should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | Measure the estimated time of response per scenario. |
Availability of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. | Count the number of systems that are not ready to be used in case of an incident. |
Independent review of information security | The organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur. | Measure the time elapsed between the reporting of a possible information security weakness / event / incident and the response of the organisation. |
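The clock synchronisation indicator above ("count systems with a synchronisation period greater than 12 hours") can be computed from the time daemons' own settings rather than by interviewing administrators. The script below is an added example, not part of the ENISA tool: it derives the worst-case interval between sync attempts from ntpd/chrony source lines (`maxpoll N` means at most 2^N seconds; both daemons default to maxpoll 10, i.e. 1024 s) and from systemd-timesyncd's `PollIntervalMaxSec=` (default 2048 s), and treats a system with no time source at all as failing the indicator. The host names and configuration snippets are constructed for illustration.

```python
"""Clock-synchronisation indicator: systems whose maximum sync period
exceeds 12 hours, derived from ntpd/chrony and systemd-timesyncd settings.

Added example, not part of the ENISA Interdependencies Indicators Tool.
Host names and configuration snippets below are constructed.
"""
import re
from typing import Dict, List, Optional

TWELVE_HOURS = 12 * 3600          # indicator threshold in seconds (43200)

# ntpd and chrony: "server|pool|peer <host> [options]"; "maxpoll N" caps the
# polling interval at 2**N seconds, default maxpoll 10 (1024 s) for both.
DEFAULT_MAXPOLL = 10
_SOURCE_RE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)(.*)$")
_MAXPOLL_RE = re.compile(r"\bmaxpoll\s+(\d+)")

# systemd-timesyncd: "NTP=" / "FallbackNTP=" name the sources and
# "PollIntervalMaxSec=" caps the interval (default 2048 s).
_TIMESYNCD_SOURCES_RE = re.compile(r"^\s*(NTP|FallbackNTP)\s*=\s*\S", re.M)
_TIMESYNCD_MAX_RE = re.compile(r"^\s*PollIntervalMaxSec\s*=\s*(\d+)", re.M)
DEFAULT_TIMESYNCD_MAX = 2048

# Constructed per-system configuration, as collected from each host.
SYSTEMS: Dict[str, str] = {
    "web-01": "pool 2.pool.ntp.org iburst\ndriftfile /var/lib/chrony/drift\n",
    "db-02": "server 10.0.0.5 minpoll 10 maxpoll 17\n",            # 2**17 s = 36.4 h
    "bastion": "[Time]\nNTP=10.0.0.5 10.0.0.6\nPollIntervalMaxSec=86400\n",
    "app-03": "[Time]\nNTP=ntp.example.internal\n",
    "legacy-hmi": "# server 10.0.0.5 iburst  (disabled: host never joined the NTP VLAN)\n",
}


def max_sync_period(config_text: str) -> Optional[int]:
    """Worst-case seconds between sync attempts, or None if no time source
    is configured at all."""
    periods: List[int] = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]            # drop comments
        m = _SOURCE_RE.match(line)
        if not m:
            continue
        mp = _MAXPOLL_RE.search(m.group(3))
        maxpoll = int(mp.group(1)) if mp else DEFAULT_MAXPOLL
        periods.append(2 ** maxpoll)
    if periods:
        # with several sources the clock is disciplined at least as often
        # as the most frequently polled one
        return min(periods)
    if _TIMESYNCD_SOURCES_RE.search(config_text):
        m = _TIMESYNCD_MAX_RE.search(config_text)
        return int(m.group(1)) if m else DEFAULT_TIMESYNCD_MAX
    return None


def stale_sync_systems(systems: Dict[str, str],
                       threshold: int = TWELVE_HOURS) -> List[str]:
    """Names of systems that sync less often than `threshold` seconds or
    have no time source; their count is the indicator value."""
    stale = [name for name, cfg in systems.items()
             if max_sync_period(cfg) is None or max_sync_period(cfg) > threshold]
    return sorted(stale)


if __name__ == "__main__":
    for name, cfg in SYSTEMS.items():
        print(f"{name:12s} max sync period: {max_sync_period(cfg)}")
    print("failing the 12 h indicator:", stale_sync_systems(SYSTEMS))
```

Note that a configured source only proves intent: a host whose NTP traffic is blocked still shows `maxpoll 10` here. Pair this with a runtime check (`chronyc tracking`, `ntpq -p`, `timedatectl timesync-status`) for the systems the script clears.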
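Several of the incident management indicators above (time from event to report, from report to classification as an incident, from report to completed response, incidents whose reported impact differs from the actual impact, and incidents where volatile evidence was lost) come from the same incident register. The script below is an added example, not part of the ENISA tool, showing how to compute all of them from one register in one pass. The register rows and their column names are constructed; a real register will need its own column mapping. It rejects rows whose timestamps are out of order instead of silently producing negative durations.

```python
"""Incident-register indicators: time-to-report, time-to-classify,
time-to-respond (minutes), impact mis-estimates and volatile-evidence losses.

Added example, not part of the ENISA Interdependencies Indicators Tool.
The register below and its column names are constructed.
"""
import csv
import io
from datetime import datetime
from statistics import median
from typing import Dict, List

# Constructed register, ISO 8601 timestamps in UTC.
REGISTER_CSV = """\
id,occurred,reported,classified,response_completed,reported_impact,actual_impact,evidence_lost_volatile
INC-1,2024-03-01T08:00:00,2024-03-01T08:20:00,2024-03-01T09:00:00,2024-03-01T15:00:00,low,low,no
INC-2,2024-03-04T22:15:00,2024-03-05T07:30:00,2024-03-05T10:00:00,2024-03-07T18:00:00,medium,high,yes
INC-3,2024-03-10T13:00:00,2024-03-10T13:05:00,2024-03-10T13:35:00,2024-03-10T17:05:00,high,high,no
INC-4,2024-03-12T01:00:00,2024-03-12T03:00:00,2024-03-12T03:30:00,2024-03-12T11:30:00,low,medium,yes
"""

# Lifecycle order the timestamps must respect.
_STAGES = ("occurred", "reported", "classified", "response_completed")


def _minutes(start: str, end: str) -> int:
    """Whole minutes between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return int(delta.total_seconds() // 60)


def validate_row(row: Dict[str, str]) -> None:
    """Raise ValueError if the lifecycle timestamps are not monotone."""
    stamps = [datetime.fromisoformat(row[s]) for s in _STAGES]
    for earlier, later, a, b in zip(_STAGES, _STAGES[1:], stamps, stamps[1:]):
        if b < a:
            raise ValueError(f"{row['id']}: {later} precedes {earlier}")


def load_register(text: str) -> List[Dict[str, str]]:
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        validate_row(row)
    return rows


def incident_indicators(rows: List[Dict[str, str]]) -> Dict[str, float]:
    """Indicator values for the register; durations are in minutes."""
    to_report = [_minutes(r["occurred"], r["reported"]) for r in rows]
    to_classify = [_minutes(r["reported"], r["classified"]) for r in rows]
    to_respond = [_minutes(r["reported"], r["response_completed"]) for r in rows]
    return {
        "incidents": len(rows),
        "min_to_report_median": median(to_report),
        "min_to_report_max": max(to_report),
        "min_to_classify_median": median(to_classify),
        "min_to_classify_max": max(to_classify),
        "min_to_respond_median": median(to_respond),
        "min_to_respond_max": max(to_respond),
        # "Learning from incidents": reported impact differs from actual.
        "impact_misestimated": sum(r["reported_impact"] != r["actual_impact"] for r in rows),
        # "Collection of evidence": traces lost because they were volatile.
        "evidence_lost_to_volatility": sum(r["evidence_lost_volatile"] == "yes" for r in rows),
    }


if __name__ == "__main__":
    for key, value in incident_indicators(load_register(REGISTER_CSV)).items():
        print(f"{key:30s} {value}")
```

Reporting both the median and the maximum matters: a single slow case (INC-2 here, reported the next morning and closed two days later) dominates the maximum, while the median shows whether the procedure normally works.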