Interdependencies between essential and important entities
ENISA Interdependencies Indicators Tool
| ISO IEC 27002 control name | Control description | Example of implementation |
|---|---|---|
| Terms and conditions of employment | The contractual agreements with employees and contractors should state their and the organisation’s responsibilities for information security. | Measure the number of signed contracts held by the organisation. This number indicates the social impact of a NIS incident. |
| Screening | Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics, and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | Measure the number of applicants that successfully passed the screening phase within a predetermined period of time. This number indicates the social impact of a NIS incident. |
| Management responsibilities | Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organisation. | Measure the number of people that participated in security awareness sessions and briefings. Review the participants’ expectations regarding security. |
| Information security awareness, education and training | All employees of the organisation and, where relevant, contractors should receive appropriate awareness education and training, and regular updates on organisational policies and procedures, as relevant for their job function. | Measure the number of employees, contractors and other parties that participated in the training and awareness programmes. |
| Disciplinary process | There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. | Review the incidents that led to the activation of the disciplinary process. Measure the social impact of those incidents and of the activations of the disciplinary process. |
| Termination or change of employment responsibilities | Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor, and enforced. | Count the parties (internal and external) that need to be involved when the termination or change of employment procedure is invoked. |