Interdependencies between essential and important entities

Interdependency indicator: ISO/IEC 27002 control name and example of implementation
Information backup
Control ID:
12.3.1
Domain:
12 Operations Security
Subdomain:
12.3 Backup

Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy.

Review the backup policy and procedures. Calculate the percentage of services that do not have backup solutions implemented.
Change management
Control ID:
12.1.2
Domain:
12 Operations Security
Subdomain:
12.1 Operational procedures and responsibilities

Changes to the organisation, business processes, information processing facilities and systems that affect information security should be controlled.

Measure the number of changes that involve the implementation and management of redundancies that have not been implemented or have failed.
Capacity management
Control ID:
12.1.3
Domain:
12 Operations Security
Subdomain:
12.1 Operational procedures and responsibilities

The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

Measure the number of systems that have capacity or near capacity issues (e.g. have reached 80%).
Documented operating procedures
Control ID:
12.1.1
Domain:
12 Operations Security
Subdomain:
12.1 Operational procedures and responsibilities

Operating procedures should be documented and made available to all users who need them.

Measure the percentage of documented operating procedures relative to the total number of operating procedures implemented by the organisation.
Separation of development, testing and operational environments
Control ID:
12.1.4
Domain:
12 Operations Security
Subdomain:
12.1 Operational procedures and responsibilities

Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment.

Calculate the number of systems that do not have fully separated development, testing and operational environments, relative to the total number of systems.
Managing changes to supplier services
Control ID:
15.2.2
Domain:
15 Supplier Relationships
Subdomain:
15.2 Supplier service delivery management

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

Count the number of changes connected to suppliers that are related to the implementation of redundancies.
Monitoring and review of supplier services
Control ID:
15.2.1
Domain:
15 Supplier Relationships
Subdomain:
15.2 Supplier service delivery management

Organisations should regularly monitor, review and audit supplier service delivery.

Review the results of the monitoring of the suppliers and count the number of incidents that affected the organisation, and were due to the lack of redundancies.
Information and communication technology supply chain
Control ID:
15.1.3
Domain:
15 Supplier Relationships
Subdomain:
15.1 Information security in supplier relationships

Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain.

Review the agreements with suppliers that provide critical components and that involve sub-suppliers, and measure the percentage that do not have redundancies implemented.
Information security policy for supplier relationships
Control ID:
15.1.1
Domain:
15 Supplier Relationships
Subdomain:
15.1 Information security in supplier relationships

Information security requirements for mitigating the risks associated with supplier’s access to the organisation’s assets should be agreed with the supplier and documented.

Review the relevant policy and measure the number of controls enforced on suppliers, with a focus on redundancy.
Addressing security within supplier agreements
Control ID:
15.1.2
Domain:
15 Supplier Relationships
Subdomain:
15.1 Information security in supplier relationships

All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organisation’s information.

Review the supplier agreements and related information and measure the percentage having redundancies implemented.
Availability of information processing facilities
Control ID:
17.2.1
Domain:
17 Information Security Aspects of Business Continuity Management
Subdomain:
17.2 Redundancies

Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

Review the information continuity plans and count the percentage of systems that have identified alternative paths of implementation.
Implementing information security continuity
Control ID:
17.1.2
Domain:
17 Information Security Aspects of Business Continuity Management
Subdomain:
17.1 Information security continuity

The organisation should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

Review the information continuity plans and count the percentage of systems that have identified alternative paths of implementation.
Planning information security continuity
Control ID:
17.1.1
Domain:
17 Information Security Aspects of Business Continuity Management
Subdomain:
17.1 Information security continuity

The organisation should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

Review the information continuity plans and count the percentage of systems that have identified alternative paths of implementation.
Verify, review and evaluate information security continuity
Control ID:
17.1.3
Domain:
17 Information Security Aspects of Business Continuity Management
Subdomain:
17.1 Information security continuity

The organisation should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

Review the information continuity test reports and extract the percentage of alternative implementation paths successfully tested.