Interdependencies between essential and important entities

Interdependency indicator: -
ISO/IEC 27002 control name and example of implementation

Access control policy
Control ID: 9.1.1
Domain: 9 Access Control
Subdomain: 9.1 Business requirements of access control

An access control policy should be established, documented and reviewed based on business and information security requirements.

Example of implementation: Access control elements (e.g. ACLs, whitelists) provide information on the number of potentially affected users; focus especially on users connected to an interdependent service.

Removal or adjustment of access rights
Control ID: 9.2.6
Domain: 9 Access Control
Subdomain: 9.2 User access management

The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Example of implementation: Check the number of users for whom an adjustment of access rights is requested, especially for an external service.

Management of secret authentication information of users
Control ID: 9.2.4
Domain: 9 Access Control
Subdomain: 9.2 User access management

The allocation of secret authentication information should be controlled through a formal management process.

Example of implementation: Check the number of signed user statements on keeping personal secret authentication information for the corporate IT system. Take into account external users as well as users of shared or common accounts.

Use of secret authentication information
Control ID: 9.3.1
Domain: 9 Access Control
Subdomain: 9.3 User responsibilities

Users should be required to follow the organisation’s practices in the use of secret authentication information.

Example of implementation: Check the number of signed user statements on keeping personal secret authentication information for the corporate IT system. Take into account external users as well as users of shared or common accounts.

Review of user access rights
Control ID: 9.2.5
Domain: 9 Access Control
Subdomain: 9.2 User access management

Asset owners should review users’ access rights at regular intervals.

Example of implementation: The review of access rights provides information on the number of potentially affected users per system / service / software.

User access provisioning
Control ID: 9.2.2
Domain: 9 Access Control
Subdomain: 9.2 User access management

A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services.

Example of implementation: User access management provides information on the number of potentially affected users; focus especially on users connected to an interdependent service.

Management of privileged access rights
Control ID: 9.2.3
Domain: 9 Access Control
Subdomain: 9.2 User access management

The allocation and use of privileged access rights should be restricted and controlled.

Example of implementation: Check the number of requests for privileged access to a service / system / software.

User registration and de-registration
Control ID: 9.2.1
Domain: 9 Access Control
Subdomain: 9.2 User access management

A formal user registration and de-registration process should be implemented to enable assignment of access rights.

Example of implementation: Check the number of requests for access to an interdependent service.

Restrictions on software installation
Control ID: 12.6.2
Domain: 12 Operations Security
Subdomain: 12.6 Technical vulnerability management

Rules governing the installation of software by users should be established and implemented.

Example of implementation: By reviewing the number of users that have access to specific software, the organisation may determine the number of affected users in a NIS incident.

Controls against malware
Control ID: 12.2.1
Domain: 12 Operations Security
Subdomain: 12.2 Protection from malware

Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness.

Example of implementation: Use network traffic (registered IPs) or the registered users of anti-malware systems (e.g. IDS, centrally managed antivirus, DLP) to determine the number of users of an interdependent service potentially affected by an incident.

Event logging
Control ID: 12.4.1
Domain: 12 Operations Security
Subdomain: 12.4 Logging and monitoring

Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.

Example of implementation: Check the logs of a service to determine the number of potentially affected users.

Documented operating procedures
Control ID: 12.1.1
Domain: 12 Operations Security
Subdomain: 12.1 Operational procedures and responsibilities

Operating procedures should be documented and made available to all users who need them.

Example of implementation: Use network traffic (registered IPs) or the registered users of anti-malware systems (e.g. IDS, centrally managed antivirus, DLP) to determine the number of users of an interdependent service potentially affected by an incident.