Interdependencies between essential and important entities
ENISA Interdependencies Indicators Tool
ISO IEC 27002 control name | Control text | EXAMPLE OF IMPLEMENTATION
---|---|---
Protecting against external and environmental attacks | Physical protection against natural disasters, malicious attack or accidents should be designed and applied. | Keep a list of the different physical locations reachable through a cyber attack to determine geographical distribution.
Managing changes to supplier services | Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. | Review change requests related to supplier services. Focus on changes in geographical distribution and on sub-suppliers and their location.
Monitoring and review of supplier services | Organisations should regularly monitor, review and audit supplier service delivery. | Review supply chain contracts to determine suppliers' exposure to cyber security risks; emphasise suppliers' dependencies, force majeure terms and governing law.
Information security policy for supplier relationships | Information security requirements for mitigating the risks associated with suppliers' access to the organisation's assets should be agreed with the supplier and documented. | Review supply chain contracts to determine the suppliers and their geographical location.
Information and communication technology supply chain | Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain. | Review supply chain contracts to determine suppliers' exposure to cyber security risks; emphasise suppliers' dependencies.
Addressing security within supplier agreements | All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organisation's information. | Review supply chain contracts to determine suppliers' exposure to cyber security risks; emphasise the supplier's security controls in place.
Availability of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. | Keep a list of the different physical locations reachable through a cyber attack to determine geographical distribution. This list should also include the location of redundant components, architectures and systems.
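The location list the examples above ask for only becomes an indicator once it is evaluated; the script below is an added illustration (not part of the ENISA tool) that takes a constructed inventory of components, their suppliers, primary and redundant locations, and reports country concentration, redundant copies co-located with their primary, and countries served by a single supplier. The inventory format and field names are assumptions.

```python
"""Geographical-distribution indicators over a constructed dependency inventory."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Location:
    site: str     # physical site that is reachable through a network path
    country: str  # drives geographical distribution and governing-law review


@dataclass(frozen=True)
class Component:
    name: str
    supplier: str
    primary: Location
    redundant: Optional[Location]  # None = no redundant instance recorded


def location_share(components):
    """Share of primary instances per country (concentration indicator)."""
    counts = Counter(c.primary.country for c in components)
    total = sum(counts.values())
    return {country: n / total for country, n in counts.items()}


def colocated_redundancy(components):
    """Names of components whose redundant copy shares the primary's site.

    One physical event would remove both copies, so such redundancy adds
    nothing to geographical distribution and should be flagged for review.
    """
    return [c.name for c in components
            if c.redundant is not None and c.redundant.site == c.primary.site]


def single_supplier_countries(components):
    """Countries where every recorded component depends on the same supplier."""
    suppliers = {}
    for c in components:
        suppliers.setdefault(c.primary.country, set()).add(c.supplier)
    return sorted(k for k, v in suppliers.items() if len(v) == 1)


# Constructed inventory used only to illustrate the indicators.
INVENTORY = [
    Component("billing-db", "SupplierC", Location("DC-1", "NL"), Location("DC-2", "DE")),
    Component("auth-gw", "SupplierA", Location("DC-1", "NL"), Location("DC-1", "NL")),
    Component("scada-hist", "SupplierB", Location("Plant-7", "IE"), None),
]

if __name__ == "__main__":
    print(location_share(INVENTORY))
    print(colocated_redundancy(INVENTORY))
    print(single_supplier_countries(INVENTORY))
```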