Interdependency indicator -
ISO IEC 27002 control name EXAMPLE OF IMPLEMENTATION
Review of the policies for information security
Control ID:
5.1.2
Domain:
5Information Security Policies
Subdomain:
5.1Management direction for information security

The policies for information security should be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

Count the time elapsed between a major change or incident and the review of the relavant information security policies.
Management of technical vulnerabilities
Control ID:
12.6.1
Domain:
12Operations Security
Subdomain:
12.6Techincal vulnerability management

Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

Review the procedure for identification of technical vulnerabilities. Count the systems with a non automatic identification process.
Administrator and operator logs
Control ID:
12.4.3
Domain:
12Operations Security
Subdomain:
12.4Logging and monitoring

System administrator and system operator activities should be logged and the logs protected and regularly reviewed.

Review the log settings per system. Count the instances where administrator and operator log information is relayed less often that once a minute.
Capacity management
Control ID:
12.1.3
Domain:
12Operations Security
Subdomain:
12.1Operational procedures and responsibliities

The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

Review the system for monitoring capacity status. Count the instances where capacity information is relayed less often that once a minute.
Event logging
Control ID:
12.4.1
Domain:
12Operations Security
Subdomain:
12.4Logging and monitoring

Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.

Review the log settings per system. Count the instances where event log information is relayed less often that once a minute.
Clock synchronisation
Control ID:
12.4.4
Domain:
12Operations Security
Subdomain:
12.4Logging and monitoring

The clocks of all relevant information processing systems within an organisation or security domain should be synchronised to a single reference time source.

Review clock synchronization settings per system. Count systems with a greater period of synchronization than 12 hours.
Change management
Control ID:
12.1.2
Domain:
12Operations Security
Subdomain:
12.1Operational procedures and responsibliities

Changes to the organisation, business processes, information processing facilities and systems that affect information security should be controlled.

Count the systems that have an emergency change management procedure.
Technical review of applications after operating platform changes
Control ID:
14.2.3
Domain:
14System Acquisition, Development and Maintenance
Subdomain:
14.2Security in development and support processes

When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organisational operations or security.

Count the time needed to perform technical review of an application.
System change control procedures
Control ID:
14.2.2
Domain:
14System Acquisition, Development and Maintenance
Subdomain:
14.2Security in development and support processes

Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures.

Count the systems that have an emergency change management procedure.
Restrictions on changes to software packages
Control ID:
14.2.4
Domain:
14System Acquisition, Development and Maintenance
Subdomain:
14.2Security in development and support processes

Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled.

Count the systems that have an emergency change management procedure.
Managing changes to supplier services
Control ID:
15.2.2
Domain:
15Supplier Relationships
Subdomain:
15.2Supplier service delivery management

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

Count the number of supplier services that have an emergency change procedure.
Monitoring and review of supplier services
Control ID:
15.2.1
Domain:
15Supplier Relationships
Subdomain:
15.2Supplier service delivery management

Organisations should regularly monitor, review and audit supplier service delivery.

Count the number of system / services dependend on suppliers that are monitored with less frequency than 12 hours.
Learning from information security incidents
Control ID:
16.1.6
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.

Review the documented information security incidents. Count the number of incidents that have a difference between the reported impact and the actual.
Collection of evidence
Control ID:
16.1.7
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

The organisation should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

Review the documented information security incidnets. Count the number of incidents where evidence was missing because of the volatility of electronic traces.
Assessment of and decision on information secuirty events
Control ID:
16.1.4
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Information security events should be assessed and it should be decided if they are to be classified as information security incidents.

Review the documented information security incidents. Measure the amount of time elapsed between reported an event and classifiying it as incident.
Response to information security incidents
Control ID:
16.1.5
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Information security incidents should be responded to in accordance with the documented procedures.

Review the documented information security incidents. Measure the amount of time elapsed between reported an event and the completion of the response.
Reporting information security events
Control ID:
16.1.2
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Information security events should be reported through appropriate management channels as quickly as possible.

Review the documented information security incident reports. Measure the amount of time elapsed between the event happening and being reported.
Reporting information security weaknesses
Control ID:
16.1.3
Domain:
16Information Security Incident Management
Subdomain:
16.1Management of information security incidents and improvements

Employees and contractors using the organisation’s information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services.

Review the documented information security weaknesses reports. Measure the amount of time elapsed between spoting a weakness and reporting.
Verify, review and evaluate information security continuity
Control ID:
17.1.3
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.1Information security continuity

The organisation should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

Review the test reports. Count the amount of time needed to activate the plans.
Implementing information security continuity
Control ID:
17.1.2
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.1Information security continuity

The organisation should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

Measure the amount of time between incident and activation of the plan.
Planning information security continuity
Control ID:
17.1.1
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.1Information security continuity

The organisation should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

Measure the estimated time of response per scenario.
Availability of information processing facilities
Control ID:
17.2.1
Domain:
17Information Security Aspects of Business Continuity Management
Subdomain:
17.2Redundancies

Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

Count the number of systems that are not ready to be used in case of incident.
Independent review of information security
Control ID:
18.2.1
Domain:
18Compliance
Subdomain:
18.2Information security reviews

The organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur.

Count the time elapsed between the reporting of a possible information security weakness / event / incident and the response of the organisation.

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information