Interdependency indicator -
ISO IEC 27002 control name EXAMPLE OF IMPLEMENTATION
Information backup
Control ID:
12.3.1
Domain:
12Operations Security
Subdomain:
12.3Backup

Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy.

Measure the amount of time needed for the restoration of the backup sets per service.
Controls against malware
Control ID:
12.2.1
Domain:
12Operations Security
Subdomain:
12.2Protection from malware

Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness.

Measure the mean recovery time of a service after a malware incident, by reviewing relevant past incidents.
Event logging
Control ID:
12.4.1
Domain:
12Operations Security
Subdomain:
12.4Logging and monitoring

Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.

Review the logs of relevant systems and measure the mean downlime (time period between system down to system up).
Learning from information security incidents
Control ID:
16.1.6
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.

Review the changes that resulted from information security incidents and the impact of those changes on the recovery time objective.
Collection of evidence
Control ID:
16.1.7
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

The organisation should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

Review existing legislation regarding collection of evidence and measure the amount of time that will be needed for the relevant processes.
Assessment of and decision on information secuirty events
Control ID:
16.1.4
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Information security events should be assessed and it should be decided if they are to be classified as information security incidents.

Review past information security incident reports and measure time spent in reaching a decision regarding the classification of the event to incident.
Response to information security incidents
Control ID:
16.1.5
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Information security incidents should be responded to in accordance with the documented procedures.

Review past information security incident reports and measure time spent for the response actions (collection of evidence, conducting forensics, logging, communicating etc).
Reporting information security events
Control ID:
16.1.2
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Information security events should be reported through appropriate management channels as quickly as possible.

Review past information security incident reports and measure the impact in terms of time of different types of incidents.
Reporting information security weaknesses
Control ID:
16.1.3
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Employees and contractors using the organisation’s information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services.

Review reported information security weaknesses that are still unresolved. Determine the impact of these weaknesses in the achievement of Recovery time objective per service.
Responsibilites and procedures
Control ID:
16.1.1
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents.

Measure the amount of time needed in the various incident response procedures before reaching the point of resolution of the incident.
Availability of information processing facilities
Control ID:
17.2.1
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.2Redundancies

Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

Measure the degree of implementation of the redundancies planned for by the organisation.
Verify, review and evaluate information security continuity
Control ID:
17.1.3
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.1Information security continuity

The organisation should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

Review the tests reports of the information continuity plans and measure the achieved RTO per service.
Implementing information security continuity
Control ID:
17.1.2
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.1Information security continuity

The organisation should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

Review the plans for information security continuity and measure the RTO.
Planning information security continuity
Control ID:
17.1.1
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.1Information security continuity

The organisation should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

Review the plans for information security continuity and measure the RTO.

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information