Interdependency indicator -
ISO IEC 27002 control name EXAMPLE OF IMPLEMENTATION
Classification of information
Control ID:
8.2.1
Domain:
8Asset Management
Subdomain:
8.2Information Classification

Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

Create a list of information assets with their respective identified classification level. Measure the criticality of the services based on the assets they are dependent of.
Managing changes to supplier services
Control ID:
15.2.2
Domain:
15Supplier Relationships
Subdomain:
15.2Supplier service delivery management

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

Review changes related to suppliers. Count the number of changes reuqested per supplier but not implemented yet.
Monitoring and review of supplier services
Control ID:
15.2.1
Domain:
15Supplier Relationships
Subdomain:
15.2Supplier service delivery management

Organisations should regularly monitor, review and audit supplier service delivery.

Review the results of monitoring of supplier services. Measure the number of deviations from requirements identified per supplier.
Information security policy for supplier relationships
Control ID:
15.1.1
Domain:
15Supplier Relationships
Subdomain:
15.1Information security in supplier relatinships

Information security requirements for mitigating the risks associated with supplier’s access to the organisation’s assets should be agreed with the supplier and documented.

Review the services provided by suppliers that are single points of failure.
Information and communication technology supply chain
Control ID:
15.1.3
Domain:
15Supplier Relationships
Subdomain:
15.1Information security in supplier relatinships

Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain.

Review the services and components provided by suppliers. Assign a criticality index to each supplier based on the propability of failure.
Addressing security within supplier agreements
Control ID:
15.1.2
Domain:
15Supplier Relationships
Subdomain:
15.1Information security in supplier relatinships

All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organisation’s information.

Review existing agreements with suppliers. Count the number of agreements per service that contain specific legal and regulatory requirements, right to audit clauses and penalties.
Availability of information processing facilities
Control ID:
17.2.1
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.2Redundancies

Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

Calculate the systems / services that have a fully functional alternative solution.
Planning information security continuity
Control ID:
17.1.1
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.1Information security continuity

The organisation should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

Review the information continuity plans. Use the value of MTPD per service.
Verify, review and evaluate information security continuity
Control ID:
17.1.3
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.1Information security continuity

The organisation should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

Review the tests of the information security continuity plans. Use the achieved RTO.
Implementing information security continuity
Control ID:
17.1.2
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.1Information security continuity

The organisation should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

Review the information continuity plans. Use the accepted RTO per service.
Technical compliance review
Control ID:
18.2.3
Domain:
18Compliance
Subdomain:
18.2Information security reviews

Information systems should be regularly reviewed for compliance with the organisation’s information security policies and standards.

Review the results / reports of vulnerability assessments and penetration tests. Count the number of open issues identified per service.
Compliance with security policies and standards
Control ID:
18.2.2
Domain:
18Compliance
Subdomain:
18.2Information security reviews

Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

Review the results / reports of internal monitoring functions regarding information security. Count the number of deviations identified per service.
Independent review of information security
Control ID:
18.2.1
Domain:
18Compliance
Subdomain:
18.2Information security reviews

The organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur.

Review the results / reports of independent reviews of information security. Count the number of deviations identified per service.
Identification of applicable legislation and contractual requirements
Control ID:
18.1.1
Domain:
18Compliance
Subdomain:
18.1Compliance with legal and contractual requirements

All relevant legislative statutory, regulatory, contractual requirements and the organisation’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organisation.

Review the list of applicable legislation. Correlate the applicable legislation and contractual requirements to each service. Count the number of requirements per service.
Intellectual property rights
Control ID:
18.1.2
Domain:
18Compliance
Subdomain:
18.1Compliance with legal and contractual requirements

Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

Count the number of services related to IPR compliance.
Protection of records
Control ID:
18.1.3
Domain:
18Compliance
Subdomain:
18.1Compliance with legal and contractual requirements

Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

Indentify in a list the records that have legislatory, regulatory, contractual and business requirements for their protection. Estimate the loss of revenue from the violation of these requirements.
Privacy and protection of personnally identifiable information
Control ID:
18.1.4
Domain:
18Compliance
Subdomain:
18.1Compliance with legal and contractual requirements

Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable.

Review the record of processing activities and connect the records to the respective services. Estimate the amount of money lost from a violation of the requirements regarding protection of PII per service.
Regulation of cryptographic controls
Control ID:
18.1.5
Domain:
18Compliance
Subdomain:
18.1Compliance with legal and contractual requirements

Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations.

Calculate the number of services implementing cryptographic controls.

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information