Interdependencies between essential and important entities
ENISA Interdependencies Indicators Tool
ISO/IEC 27002 control name | Control | Example of implementation |
---|---|---|
Capacity management | The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. | Review the utilisation of key system resources through the capacity management system of the organisation. Identify trends and measure the minimum and maximum value for each critical resource versus time. |
Event logging | Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. | Review the information security incidents and the relevant event logs. Count the number of times per system that an indicative log entry is missing. |
Managing changes to supplier services | Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. | Review the change requests related to suppliers. Count the number of change requests per period of time. |
Monitoring and review of supplier services | Organisations should regularly monitor, review and audit supplier service delivery. | Review the results of the evaluation of suppliers. Count the number of deviations per period of time. |
Learning from information security incidents | Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents. | Review incident reports. Count the number of reported incidents per service per period of time. |
Collection of evidence | The organisation should define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence. | Review incident reports, focusing on those that required activation of the collection-of-evidence procedure. Count the number of activations of the procedure per period of time. |
Availability of information processing facilities | Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. | Review the existing architecture. Count the number of redundant (unused) resources per period of time. |
Verify, review and evaluate information security continuity | The organisation should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. | Review the tests of business continuity and disaster recovery plans. Measure the time needed for the successful conclusion of the tests in different periods of time. |
Implementing information security continuity | The organisation should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. | Estimate the number of personnel employed by the organisation per period of time who have been informed of their role in the business continuity and disaster recovery plans. |
Planning information security continuity | The organisation should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | Review the business continuity plans. Estimate the impact per period of time of a disruption to the service provision. |
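For the Event logging row above, the following is an added example (not part of the ENISA tool) of computing the indicator, the number of times per system that an indicative log entry is missing, over a constructed sample log; the log format "day system event" and the set of indicative events are assumptions.

```python
# Added example: compute the "Event logging" indicator from the table above.
# Assumptions (not from the ENISA tool): each log line is "<day> <system> <event>",
# and every system is expected to produce each indicative event every day.
from collections import defaultdict
from typing import Dict, Set

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2024-03-01 web01 logon
2024-03-01 web01 logoff
2024-03-01 db01 logon
2024-03-02 web01 logon
2024-03-02 web01 logoff
2024-03-02 db01 logon
2024-03-02 db01 logoff
2024-03-03 web01 logoff
2024-03-03 db01 logon
"""

# Indicative entries every system is expected to write each day (assumption).
INDICATIVE_EVENTS: Set[str] = {"logon", "logoff"}


def parse_log(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {system: {day: set(events)}} from the whitespace-separated log."""
    seen: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the review
        day, system, event = parts
        seen[system][day].add(event)
    return seen


def missing_entries(text: str, indicative: Set[str]) -> Dict[str, int]:
    """Per system, count indicative events absent on any day observed in the log.

    A day on which a system wrote nothing counts as missing every indicative event,
    which is exactly the gap the indicator is meant to surface.
    """
    seen = parse_log(text)
    days = sorted({day for per_day in seen.values() for day in per_day})
    result: Dict[str, int] = {}
    for system in sorted(seen):
        result[system] = sum(len(indicative - seen[system].get(day, set()))
                             for day in days)
    return result


if __name__ == "__main__":
    print(missing_entries(SAMPLE_LOG, INDICATIVE_EVENTS))  # {'db01': 2, 'web01': 1}
```

The per-system totals are the raw counts; dividing by the number of days gives the indicator per period of time as the table describes.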