Interdependencies between essential and important entities
ENISA Interdependencies Indicators Tool
| ISO IEC 27002 control name | EXAMPLE OF IMPLEMENTATION |
|---|---|
Classification of information
Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. |
Create a list of information assets with their respective identified classification level. Measure the criticality of the services based on the assets they are dependent of. |
Managing changes to supplier services
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. |
Review changes related to suppliers. Count the number of changes reuqested per supplier but not implemented yet. |
Monitoring and review of supplier services
Organisations should regularly monitor, review and audit supplier service delivery. |
Review the results of monitoring of supplier services. Measure the number of deviations from requirements identified per supplier. |
Information and communication technology supply chain
Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain. |
Review the services and components provided by suppliers. Assign a criticality index to each supplier based on the propability of failure. |
Addressing security within supplier agreements
All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organisation’s information. |
Review existing agreements with suppliers. Count the number of agreements per service that contain specific legal and regulatory requirements, right to audit clauses and penalties. |
Information security policy for supplier relationships
Information security requirements for mitigating the risks associated with supplier’s access to the organisation’s assets should be agreed with the supplier and documented. |
Review the services provided by suppliers that are single points of failure. |
Availability of information processing facilities
Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. |
Calculate the systems / services that have a fully functional alternative solution. |
Verify, review and evaluate information security continuity
The organisation should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. |
Review the tests of the information security continuity plans. Use the achieved RTO. |
Implementing information security continuity
The organisation should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. |
Review the information continuity plans. Use the accepted RTO per service. |
Planning information security continuity
The organisation should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. |
Review the information continuity plans. Use the value of MTPD per service. |
Identification of applicable legislation and contractual requirements
All relevant legislative statutory, regulatory, contractual requirements and the organisation’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organisation. |
Review the list of applicable legislation. Correlate the applicable legislation and contractual requirements to each service. Count the number of requirements per service. |
Technical compliance review
Information systems should be regularly reviewed for compliance with the organisation’s information security policies and standards. |
Review the results / reports of vulnerability assessments and penetration tests. Count the number of open issues identified per service. |
Compliance with security policies and standards
Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |
Review the results / reports of internal monitoring functions regarding information security. Count the number of deviations identified per service. |
Independent review of information security
The organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur. |
Review the results / reports of independent reviews of information security. Count the number of deviations identified per service. |
Intellectual property rights
Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. |
Count the number of services related to IPR compliance. |
Protection of records
Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. |
Indentify in a list the records that have legislatory, regulatory, contractual and business requirements for their protection. Estimate the loss of revenue from the violation of these requirements. |
Privacy and protection of personnally identifiable information
Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable. |
Review the record of processing activities and connect the records to the respective services. Estimate the amount of money lost from a violation of the requirements regarding protection of PII per service. |
Regulation of cryptographic controls
Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations. |
Calculate the number of services implementing cryptographic controls. |