Interdependency indicator -
ISO IEC 27002 control name EXAMPLE OF IMPLEMENTATION
Management of technical vulnerabilities
Control ID:
12.6.1
Domain:
12Operations Security
Subdomain:
12.6Techincal vulnerability management

Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

Review information security incident reports focusing on the root cause of the incident. Count the number of vulnerabilities that caused an incident and were not identified during the management of technical vulnerabilities.
Administrator and operator logs
Control ID:
12.4.3
Domain:
12Operations Security
Subdomain:
12.4Logging and monitoring

System administrator and system operator activities should be logged and the logs protected and regularly reviewed.

Review the information security incidents and the collected evidence related administrator and operator logs. Count the number of times per system that an indicative log entry is missing.
Event logging
Control ID:
12.4.1
Domain:
12Operations Security
Subdomain:
12.4Logging and monitoring

Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.

Review the information security incidents and the relevant event logs. Count the number of times per system that an indicative log entry is missing.
Clock synchronisation
Control ID:
12.4.4
Domain:
12Operations Security
Subdomain:
12.4Logging and monitoring

The clocks of all relevant information processing systems within an organisation or security domain should be synchronised to a single reference time source.

Compare the time stamp of all critical components to a reliable and reputable time source. Count the number of diviations.
Technical review of applications after operating platform changes
Control ID:
14.2.3
Domain:
14System Acquisition, Development and Maintenance
Subdomain:
14.2Security in development and support processes

When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organisational operations or security.

Review the test reports of applications after operating plarform changes. Measure the mean amount of time needed to perfom the test and fix possible subsequent problems per system.
Restrictions on changes to software packages
Control ID:
14.2.4
Domain:
14System Acquisition, Development and Maintenance
Subdomain:
14.2Security in development and support processes

Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled.

Review existing software components and compare their version to the latests available. Count the number of system currently not up-to-date.
System change control procedures
Control ID:
14.2.2
Domain:
14System Acquisition, Development and Maintenance
Subdomain:
14.2Security in development and support processes

Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures.

Review the change requests and relevant documentation and measure the mean amount of time needed for a change to be performed in a system, per system.
Monitoring and review of supplier services
Control ID:
15.2.1
Domain:
15Supplier Relationships
Subdomain:
15.2Supplier service delivery management

Organisations should regularly monitor, review and audit supplier service delivery.

Review the monitoring and evaluation reports of suppliers focusing on the incident reports. Measure the mean amount of time for the conclusion of the incident.
Managing changes to supplier services
Control ID:
15.2.2
Domain:
15Supplier Relationships
Subdomain:
15.2Supplier service delivery management

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

Measure the mean amount of time needed by the supplier to implement an emergency change.
Learning from information security incidents
Control ID:
16.1.6
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.

Review the types, volumes and costs of information security incidents. Identify the number of controls implemented that changes some aspect of similar future incidents.
Collection of evidence
Control ID:
16.1.7
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

The organisation should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

Measure the mean amount of time for the collection of evidence.
Assessment of and decision on information secuirty events
Control ID:
16.1.4
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Information security events should be assessed and it should be decided if they are to be classified as information security incidents.

Review information security incident reports and measure the mean amount of time needed to reach a decision per system / service.
Response to information security incidents
Control ID:
16.1.5
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Information security incidents should be responded to in accordance with the documented procedures.

Review information security incident reports and measure the mean amount of time needed for the responce to security incidents per system and service.
Reporting information security events
Control ID:
16.1.2
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Information security events should be reported through appropriate management channels as quickly as possible.

Review the information security events and measure the mean time needed for the resolution of an incident per system / service.
Reporting information security weaknesses
Control ID:
16.1.3
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Employees and contractors using the organisation’s information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services.

Measure the mean amount of time between the reporting of a critical weakness and its resolution.
Implementing information security continuity
Control ID:
17.1.2
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.1Information security continuity

The organisation should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

Count the number of time dependent services/sysetms/components, per service.

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information