
Page 1: EDM01 Ensure Governance Framework Setting and ... · Web view(For external auditors) Verify that the enterprise operates a comprehensive internal audit regime with regard to cybersecurity

European Cybersecurity Audit/Assurance Program

About ISACA®

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

Disclaimer

ISACA has designed and created the European Cybersecurity Audit/Assurance Program white paper (the “Work”) primarily as an educational resource for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2014 ISACA. All rights reserved.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org

Provide feedback: www.isaca.org/EU-cyber-implementation
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-469-8

© ISACA 2014 All rights reserved 2


European Cybersecurity Audit/Assurance Program


Acknowledgements

Development Team:
– Rolf M. von Roessing, CISA, CISM, CGEIT, CISSP, FBCI, Forfa AG, Switzerland, Lead Developer
– Vilius Benetis, Ph.D., CISA, CRISC, NRDCS, Lithuania
– Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece
– Ivo Ivanovs, CISA, CISM, MCSE, Ernst & Young Baltic SIA, Latvia
– Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP, Industrial Cybersecurity Center (CCI), Spain
– Charlie McMurdie, PricewaterhouseCoopers, UK
– Andreas Teuscher, CISA, CGEIT, CRISC, Sick AG, Germany

Expert Reviewers:
– Jesper Hansen, CISM, CRISC, CISSP, ESL, PFA Pension, Denmark
– Martins Kalkis, CISM, Latvian Mobile Telephone, Latvia
– Aare Reintam, CISA, Estonian Information System Authority, Estonia
– Andrea Rigoni, Global Cyber Security Center, Italy
– Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium

ISACA Board of Directors:
– Robert E Stroud, CGEIT, CRISC, CA, USA, International President
– Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
– Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
– Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
– Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
– Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
– Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
– Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
– Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President
– Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
– Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
– Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board:
– Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
– Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
– Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
– Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA
– Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
– Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
– Anthony P. Noble, CISA, Viacom, USA
– Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
– Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany

Cybersecurity Task Force:
– Eddie Schwartz, CISA, CISM, CISSP, MCSE, PMP, USA, Chairman
– Manuel Aceves, CISA, CISM, CGEIT, CRISC, CISSP, FCITSM, Cerberian Consulting, SA de CV, Mexico
– Sanjay Bahl, CISM, CIPP, India
– Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
– Brent Conran, CISA, CISM, CISSP, USA
– Derek Grocke, HAMBS, Australia
– Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP, Industrial Cybersecurity Center (CCI), Spain
– Marc Sachs, Verizon, USA


Introduction

Overview

ISACA developed the IT Assurance Framework (ITAF) as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory and that are the guiding principles under which the IS audit and assurance profession operates. The guidelines provide information and direction for the practice of IS audit and assurance.

Purpose

The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned assurance programs to be developed for use by IS audit and assurance practitioners. This assurance program is intended to be used by IS audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF standard 2006 Proficiency.

Control Framework

The audit/assurance programs have been developed in alignment with the ISACA COBIT 5 framework, using generally applicable and accepted good practices. The generic assurance program is presented in COBIT 5 for Assurance and ensures integration of all seven enablers in the assurance approach.

Governance, Risk and Control of IT

Governance, risk and control of IT are critical in the performance of any assurance management process. Governance of the process under review is evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues are evaluated in the assurance program. Enablers are the primary evaluation point in the process. The assurance program identifies the enablers and the steps to determine their design and operating effectiveness.

Responsibilities of IS Audit and Assurance Professionals

IS audit and assurance professionals are expected to customize the “IT Audit/Assurance Program for European Cybersecurity” for the environment in which they are performing the assurance engagement. This document is to be used as a review tool and starting point and may be modified by the IS audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IS audit and assurance professional has the necessary subject matter expertise that is required to conduct the work (see following paragraph) and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.

Minimum Audit Skills

Cybersecurity incorporates many IT processes. Because the focus is on information governance, IT management, network, data, contingency and encryption controls, the audit and assurance professional should have requisite knowledge of these issues. In addition, proficiency in risk assessment, information security components of IT architecture, risk management, and the threats and vulnerabilities of cloud computing and Internet-based data processing is required. Therefore, it is recommended that the audit and assurance professional who is conducting the assessment has the requisite experience and organisational relationships to effectively execute the assurance processes.

Assurance Program Approach

The assurance program table is a template for a detailed assurance work program, which is based on COBIT 5.


The assurance work program structures an assurance engagement into three major phases, as depicted in figure 1.

Figure 1—Generic COBIT 5-based Assurance Engagement Approach (see footnote 1)

[Figure 1: Assurance Engagement Approach Based on COBIT 5]

As shown in figure 1, the proposed audit/assurance engagement approach refers explicitly to all COBIT 5 enabler categories. The COBIT 5 framework explains that the enablers are interconnected, e.g., Processes use Organisational Structures as well as Information items (inputs [I] and outputs [O]). When developing the audit/assurance program, it will become clear that when all possible entities of all enablers are included in the scope and reviewed in detail, there is potential for duplication.

In the development of this audit/assurance program, care has been taken to avoid or minimize duplication, meaning that:

– Some aspects of a process also relate to another enabler and are classified there, e.g., inputs and outputs can also be classified under the Information enabler heading and treated in detail there.

– Some aspects relating to Skills and Competencies are to a large extent covered by process APO07 Manage human resources.

1 See www.isaca.org/COBIT/Pages/Assurance-product-page.aspx for more information on COBIT 5 for Assurance.

In practice, assurance professionals will have to use their own professional judgement when developing their own customized audit/assurance programs, to avoid duplication of work.

In addition, while audit/assurance programs will be available for each process, in practice, a group of processes is often selected for audit. Therefore, a relevant set of audit/assurance programs of the applicable processes will need to be selected for conducting assurance. The assurance approach depicted in figure 1 is described in more detail and developed into a generic audit/assurance program—including guidance on how to proceed during each step—in section 2B of COBIT 5 for Assurance.

The European Cybersecurity Audit/Assurance Program is:

Fully aligned with COBIT 5:

– It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers.

– It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives to enterprise and IT risk and benefits.

Comprehensive yet flexible:

– The generic program is comprehensive because it contains assurance steps covering all enablers in quite some detail, yet it is also flexible because this detailed structure allows clear and well-understood scoping decisions to be made. That is, the assurance professional can decide to not cover a set of enablers or some enabler instances and, while the decision will reduce the scope and related assurance engagement effort, the issue of what is or is not covered will be quite transparent to the assurance engagement user.

Easy to understand, follow and apply because of its clear structure:

– The table follows the flow described in figure 1, but splits each phase into different steps and substeps.

– For each step, a short description is included, as is guidance for the assurance professional on how to proceed with the step (text in italics).

Additional guidance on how to use other IT assurance-related standards for performing assurance can be found in section 3 of COBIT 5 for Assurance.

Customization of the Audit/Assurance Program

Customization and completion of the European Cybersecurity Audit/Assurance Program will still be required, and consists of refining the scope by selecting goals and enabler instances—the lists included in the example are comprehensive, yet still are examples (i.e., different strategic priorities of the enterprise may dictate a different scope). The lists can also be considered prohibitive by some, as they can lead to a very broad scope, and therefore a very expensive assurance engagement; selection and prioritization will be required. The assurance professional will need to consider the following steps:

– Determine the stakeholders of the assurance initiative and their stake.

– Determine the assurance objectives based on assessment of the internal and external environment/context, including the strategic objectives, goals (figures 40 and 41 of COBIT 5 for Assurance) and priorities of the enterprise.

– Determine the enablers in scope and the instance(s) of the enablers in scope.


In each phase, one or two enabler examples are fully elaborated, to illustrate and demonstrate the suggested approach. The audit/assurance program phases for the other processes and other enablers in scope need to be detailed to the required level of detail.

Using the Assurance Program

In the following section, the European Cybersecurity assurance topic is fully developed based on the generic audit/assurance program. This detailed program contains the following additional information:

– In the Guidance column, the shaded text is specific to the example and provides practical guidance, e.g., examples on which processes to include in scope, on which organisational structures to include in scope, on how to set assessment criteria for the different enablers, on how to actually assess the different enablers.

– Two additional columns, allowing the audit and assurance professional to identify and cross-reference issues and to record comments:

– Issue Cross-reference—This column can be used to flag a finding/issue that the IT assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).

– Comment—This column can be used to document any further notes.

For most of the enablers, there are several instances in scope. However, the assurance professional must complete the list to meet the environment in scope. The remaining instances can be deduced very similarly to those described in this program, using the COBIT 5 framework and the COBIT 5: Enabling Processes guides.

Assurance Engagement: European Cybersecurity

Assurance Topic

The topic covered by this assurance engagement is Cybersecurity.

Goal of the Review

The primary objective of the audit/assurance review is to provide management with an impartial and independent assessment relating to the effectiveness of cybersecurity and related governance, management and assurance.

Scoping

The review will focus on cybersecurity standards, guidelines and procedures as well as on the implementation and governance of these activities. Traditional information security at lower levels is outside the scope of this review.

The following ISACA publications apply to cybersecurity:

– COBIT 5 for Information Security
– Transforming Cybersecurity Using COBIT 5
– Responding to Targeted Cyberattacks
– ISACA European Cybersecurity Series
– Securing Mobile Devices Using COBIT 5

From a process reference model (PRM) perspective, the following domains and processes apply to this audit and assurance programme:

– EDM03 Ensure Risk Optimisation—Governance in the widest sense should address the intrinsic risk within cybersecurity and set policies and steps accordingly.

– APO12 Manage Risk—Management in IT should adequately address risk issues related to cybersecurity.

– APO13 Manage Security—The information security management system (ISMS) should incorporate adequate provisions for cybersecurity.

– DSS02 Manage Service Requests and Incidents—Incidents in cybersecurity should be identified and managed.

– DSS04 Manage Continuity—Organisational functions and IT should be resilient with regard to cybersecurity.

– DSS05 Manage Security Services—There should be comprehensive and adequate security services in place to ensure the desired level of cybersecurity.

Refer to the above-mentioned detailed publications for guidance on controls and good practice in cybersecurity.


IT Audit and Assurance Program for European Cybersecurity

Phase A—Determine Scope of the Assurance Initiative

Columns: Ref. | Assurance Step | Guidance | Issue Cross-reference | Comment

A-1 Determine the stakeholders of the assurance initiative and their stakes.

A-1.1 Identify the intended user(s) of the assurance report and their stake in the assurance engagement. This is the assurance objective.

Intended user(s) of the assurance report

Board/audit committee: Needs assurance over the effectiveness and efficiency of cybersecurity processes within the enterprise

Works Council/Union Representation: Needs assurance in terms of cybersecurity facts affecting industrial relations

Owners / shareholders: In Europe, part or all of the cybersecurity assurance report may be included in statutory reporting

Regulators: In Europe, part or all of cybersecurity reporting may need to be disclosed to respective authorities

A-1.2 Identify the interested parties, accountable and responsible for the subject matter over which assurance needs to be provided.

Accountable and responsible parties for the subject matter

Steering committee: Accountable for guidance of the cybersecurity processes and services, including management and monitoring, allocation of resources, delivery of benefits and value, and management of risk

Business executives: The individuals responsible for identifying requirements, approving design and managing performance. These people are, together with IT management, responsible for managing the correct and controlled use of cybersecurity services—in line with good practices.

IT management: Responsible for managing the correct and controlled use of cybersecurity services—together with the business executives

A-2 Determine the assurance objectives based on assessment of the internal and external environment/context and of the relevant risk and related opportunities (i.e., not achieving the enterprise goals).

Assurance objectives are essentially a more detailed and tangible expression of those enterprise objectives relevant to the subject of the assurance engagement.

Enterprise objectives can be formulated in terms of the generic enterprise goals (COBIT 5 framework) or they can be expressed more specifically.

Objectives of the assurance engagement can be expressed using the COBIT 5 enterprise goals, the IT-related goals (which relate more to technology), information goals or any other set of specific goals.

Objectives of the assurance engagement will consider all three value objective components, i.e., delivering benefits that support strategic objectives, optimizing the risk that strategic objectives are not achieved and optimizing resource levels required to achieve the strategic objectives.


A-2.1 Understand the enterprise strategy and priorities. Perform a high-level walk-through of cybersecurity arrangements, including goals, strategy, policy and processes.

A-2.2 Understand the internal context of the enterprise.

– Establish any prior cybersecurity incidents that serve as trigger events for the audit.
– Ascertain any prior audit findings relating to cybersecurity.
– Obtain and understand any specific risk scenarios relating to the cybersecurity audit (e.g., crime, cyberwarfare, end-user-based attacks).
– Determine the applications and operating environments affected by these cybersecurity arrangements.
– Obtain and review the organisation’s definition of cybersecurity and the organisational scope attributed to it.
– Delineate cybersecurity from traditional information security.
– Obtain and review all IT services, applications, platforms and infrastructure elements covered by cybersecurity arrangements.
– Identify and document the relevant business risk in respect to cybersecurity, attacks and breaches.
– Identify the technology risk associated with cybersecurity.
– Identify the social risk associated with cybersecurity.
– Discuss the risk with management of IT, business and operational audit, and adjust the risk assessment as appropriate (based on the risk assessment, revise the scope).
– Verify that the cybersecurity function has an established and clear interface with the assurance/compliance function.
– Verify that all relevant European laws, regulations and recommendations for cybersecurity are communicated between the assurance/compliance function, audit and the cybersecurity function.
– Obtain and analyze documentation of previous cybersecurity-related audits (if done by other auditors).
– (For internal auditors) Verify that the enterprise has incorporated and adopted all external rulings, directives or other binding provisions related to cybersecurity.
– (For external auditors) Verify that the enterprise operates a comprehensive internal audit regime with regard to cybersecurity.

A-2.3 Understand the external context of the enterprise.

– Identify any limitations and/or constraints affecting the audit of specific systems and subsystems.
– Identify any third-party services, applications, platforms and infrastructure elements that may not be accessible or are only partially accessible.
– Identify any legal, regulatory or contractual constraints on audit.
– Identify any industrial relations-based or end-user-based audit constraints.

A-2.4 Given the overall assurance objective, translate the identified strategic priorities into concrete objectives for the assurance engagement.

The following goals are retained as key goals to be supported, in reflection of enterprise strategy and priorities:

Key goals

Enterprise goals:
– EG03 Managed business risk (safeguarding of assets)
– EG04 Compliance with external laws and regulations

IT-related goals:
– ITG02 IT compliance and support for business compliance with external laws and regulations
– ITG04 Managed IT-related business risk
– ITG10 Security of information, processing infrastructure and applications

Additional goals

Enterprise goals:
– EG01 Stakeholder value of business investments
– EG08 Agile responses to a changing business environment
– EG10 Optimisation of service delivery costs

IT-related goals:
– ITG05 Realised benefits from IT-enabled investments and services portfolio
– ITG07 Delivery of IT services in line with business requirements

A-2.5 Define the organisational boundaries of the assurance initiative.

Describe the organisational boundaries of the assurance engagement, i.e., to which organisational entities the review is limited. All other aspects of scope limitation are identified during phase A-3.

The review must have a defined scope. The reviewer must understand the operating environment and prepare a proposed scope, subject to a later risk assessment.

Obtain information and form an understanding of the business reasons underlying the audit.

– Identify the senior business resources responsible for the review.
– Identify the senior IT audit/assurance resource responsible for the review.
– Establish the process for suggesting and implementing changes to the audit/assurance program, and list the authorizations required.
– Identify any limitations and/or constraints affecting the audit of specific systems and subsystems.
– Identify any third-party services, applications, platforms and infrastructure elements that may not be accessible or are only partially accessible.
– Identify any legal, regulatory or contractual constraints on audit.
– Identify any industrial relations-based or end-user-based audit constraints.

A-3 Determine the enablers in scope and the instance(s) of the enablers in scope.

COBIT 5 identifies seven enabler categories. In this section all seven are covered, and the assurance professional has the opportunity to select enablers from all categories to obtain the most comprehensive scope for the assurance engagement.

A-3.1 Define the Principles, Policies and Frameworks in scope.

Guiding principles and policies include:

– Cybersecurity policy and standards documentation
– Security management framework, such as ISO/IEC 27001 with ISO 27032, or the NIST 800 series, will be used as a good-practice reference.
– SANS 20 Critical Controls
– ISMS policy
– Information architecture model
– Legal and regulatory compliance requirements


A-3.2 Define which Processes are in scope of the review.

Processes will be assessed during phase B of the assurance engagement against the criteria defined in phase A, and assessments will typically focus on:

– Achievement of process goals
– Application of process good practices
– Existence and quality of work products (inputs and outputs) (insofar not covered by the information items assessments)

COBIT 5: Enabling Processes distinguishes a governance domain with a set of processes and a management domain, with four sets of processes. The processes in scope are identified using the goals cascade and subsequent customization. The resulting lists contain key processes and additional processes to be considered during this assurance engagement. Available resources will determine whether they can all be effectively assessed.

Key processes

– EDM03 Ensure Risk Optimisation—Governance in the widest sense should address the intrinsic risk within cybersecurity and set policies and steps accordingly.
– APO12 Manage Risk—Management in IT should adequately address risk issues related to cybersecurity.
– APO13 Manage Security—The information security management system (ISMS) should incorporate adequate provisions for cybersecurity.
– DSS02 Manage Incidents and Service Requests—Incidents in cybersecurity should be identified and managed.
– DSS04 Manage Continuity—Organisational functions and IT should be resilient with regard to cybersecurity.
– DSS05 Manage Security Services—There should be comprehensive and adequate security services in place to ensure the desired level of cybersecurity.

Additional processes

– EDM01 Ensure Governance Framework Setting and Maintenance
– APO01 Manage the IT Management Framework
– APO07 Manage Human Resources
– APO09 Manage Service Agreements
– APO10 Manage Quality
– BAI08 Manage Knowledge
– BAI09 Manage Assets
– BAI10 Manage Configuration

A-3.3 Define which Organisational Structures will be in scope.

Organisational Structures will be assessed during phase B of the assurance engagement against the criteria defined in phase A, and assessments will typically focus on:

– Achievement of Organisational Structure goals, i.e., decisions
– Application of Organisational Structures good practices

Based on the key processes identified in A-3.2, the following Organisational Structures and functions are considered to be in scope of this assurance engagement, and available resources will determine which ones will be reviewed in detail.

Key Organisational Structures

– Cybersecurity team
– Business executives
– Service manager
– Chief information officer (CIO)
– Business process owners
– Chief information security officer (CISO)

Additional Organisational Structures

– Chief executive officer (CEO)
– Head IT operations
– Risk function
– Privacy officer
– Compliance
– Audit

© ISACA 2014 All rights reserved 13


IT Audit and Assurance Program for European Cybersecurity


A-3.4 Define the Culture, Ethics and Behaviour aspects in scope.
In the context of this engagement, the following enterprisewide culture and behaviours are in scope:
- Integrity and Reliability
- Personal and Professional Reliability

A-3.5 Define the Information items in scope.
Information items will be assessed during phase B of the assurance engagement against the criteria defined in phase A, and assessments will typically focus on:
- Achievement of Information goals, i.e., quality criteria of the information items
- Application of Information good practices (Information attributes)
COBIT 5: Enabling Processes defines a number of inputs and outputs between processes. Based on the fact that BAI02, BAI03, DSS05 and DSS06 were defined as key processes in scope, the related inputs and outputs are considered in this section. Key priorities and availability of resources will determine how many and which ones will be reviewed in detail. The following items are considered for this example.
Key Information Items:
- Formal Cybersecurity Policy
- Code of Conduct
- Third-party access policies
- Virtual architecture documentation
- Virtualization policies
- Cybersecurity technical standards
- Technical guidelines and procedures at the IT service level, including services partially or fully provided by third parties
- Technical guidelines and procedures at the IT application level
- Technical guidelines and procedures at the IT platform level, including remotely controlled and administered platforms (rental virtual servers etc.)
- Technical guidelines and procedures at the autonomous IT hardware level (including stand-alone servers and clusters, end user PC devices etc.)
- Technical guidelines and procedures for critical or particularly exposed hardware items, notably mobile devices such as smartphones or tablets
- Technical and administrative guidelines and procedures around BYOD
- Technical and administrative guidelines and procedures for industrial control systems and IT interfaces
- Technical and administrative guidelines and procedures for building and facilities management systems
- Incident management, disaster recovery and service / business continuity procedures for critical IT assets
- Guidelines and procedures concerning the identification, documentation and safeguarding of informational evidence, e.g., logs
- Virtualization controls assessment results
- Third-party access controls assessment results
Additional Information Items:
- Cybersecurity attributes in data and information classification
- Evidence of cybersecurity inclusion in data and information classification

A-3.6 Define the Services, Infrastructure and Applications in scope.
In the context of this assignment, and taking into account the goals identified in A-2.4, the following services and related applications or infrastructure could be considered in scope of the review:
- Cybersecurity training
- Change management
- Human resources
- Help desk
- Incident tracking system

A-3.7 Define the People, Skills and Competencies in scope.
Skill sets and competencies will be assessed during phase B of the assurance engagement against the criteria defined in phase A, and assessments will typically focus on:
- Achievement of skills set goals
- Application of skills set and competencies good practices
In the context of this engagement, taking into account key processes and key roles, the following skill sets are included in scope:
- Cybersecurity Personnel Skills
- Enterprisewide Cybersecurity Awareness


Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform the Assessment
Metrics

Ref. Assurance Steps and Guidance Issue Cross-reference Comment

B-1 Agree on metrics and criteria for enterprise goals and IT-related goals. Assess enterprise goals and IT-related goals.

B-1.1 Obtain (and agree on) metrics for enterprise goals and expected values of the metrics. Assess whether enterprise goals in scope are achieved.
Leverage the list of suggested metrics for the enterprise goals to define, discuss and agree on a set of relevant, customized metrics for the enterprise goals, taking care that the suggested metrics are driven by the performance of the topic of this assurance initiative. Next, agree on the expected values for these metrics, i.e., the values against which the assessment will take place.
The following metrics and expected values are agreed on for the key enterprise goals defined in step A-2.4.

Enterprise Goal: EG03 Managed business risk (safeguarding of assets)
Metrics:
- Percent of critical business objectives and services covered by risk assessment
- Frequency of update of risk profile
Expected Outcome (Ex): Agree on the expected values for the enterprise goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Enterprise Goal: EG04 Compliance with external laws and regulations
Metric:
- Number of regulatory non-compliance issues relating to cyber incidents
Expected Outcome (Ex): Agree on the expected values for the enterprise goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

B-1.2 Obtain (and agree on) metrics for IT-related goals and expected values of the metrics and assess whether IT-related goals in scope are achieved.
The following metrics and expected values are agreed on for the key IT-related goals defined in step A-2.4.

IT-related Goal: ITG02 IT compliance and support for business compliance with external laws and regulations
Metric:
- Number of cybersecurity-related non-compliance issues reported to the board or causing public comment or embarrassment
Expected Outcome (Ex): Agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

IT-related Goal: ITG04 Managed IT-related business risk
Metrics:
- Percent of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
- Number of significant IT-related incidents that were not identified in risk assessment
- Percent of enterprise risk assessments including IT-related risk
- Frequency of update of risk profile
Expected Outcome (Ex): Agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

IT-related Goal: ITG10 Security of information, processing infrastructure and applications
Metrics:
- Number of security incidents related to cybersecurity weaknesses causing financial loss, business disruption or public embarrassment
- Frequency of cybersecurity assessment against latest standards and guidelines
Expected Outcome (Ex): Agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.


Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform the Assessment
Principles, Policies and Frameworks


B-2 Obtain an understanding of the Principles, Policies and Frameworks in scope and set suitable assessment criteria. Assess Principles, Policies and Frameworks.

Principles, policies and frameworks: Cybersecurity policy and standards documentation

B-2.1a Understand the Principles, Policies and Frameworks context.
Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.

B-2.2a Understand the stakeholders of the Principles, Policies and Frameworks: Cybersecurity policy and standards documentation.
Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to be in compliance with the policies.

B-2.3a Understand the goals for the Principles, Policies and Frameworks, and the related metrics and agree on expected values.
Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: Describe the goal of the Cybersecurity policy and standards documentation.
Perform the assurance steps using the example criteria described below.

Goal: Comprehensiveness
Criteria: The set of policies is comprehensive in its coverage.
Assessment Step: Verify that the set of policies is comprehensive in its coverage.

Goal: Currency
Criteria: The set of policies is up to date. This at least requires:
- A regular validation of all policies whether they are still up to date
- An indication of the policies’ expiration date or date of last update
Assessment Step: Verify that the set of policies is up to date. This at least requires:
- A regular validation of all policies whether they are still up to date
- An indication of the policies’ expiration date or date of last update
- Verification of compliance with cycle dates for policies

Goal: Flexibility
Criteria: The set of policies is flexible. It is structured in such a way that it is easy to add or update policies as circumstances require.
Assessment Step: Verify the flexibility of the set of policies, i.e., that it is structured in such a way that it is easy to add or update policies as circumstances require.

Goal: Availability
Criteria: Policies are available to all stakeholders. Policies are easy to navigate and have a logical and hierarchical structure.
Assessment Step: Verify that policies are available to all stakeholders. Verify that policies are easy to navigate and have a logical and hierarchical structure.

B-2.4a Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria.
Assess to what extent the Principles, Policies and Frameworks life cycle is managed.
The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a process review of process APO01 Manage the IT management framework.

B-2.5a Understand good practices related to the Principles, Policies and Frameworks and expected values.
Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied.


The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good Practice: Scope and validity
Criteria: The scope is described and the validity date is indicated.
Assessment Step: Verify that the scope of the framework is described and the validity date is indicated.

Good Practice: Exception and escalation
Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure. Exemptions from cybersecurity policy are applied for, reviewed and authorized in conformance with the organisation’s Exceptions to Policy procedures. (APO13)
Assessment Steps:
- Verify that the exception and escalation procedure is described, explained and commonly known.
- Through observation of a representative sample, verify that the exception and escalation procedure has not become de facto standard procedure.
- If the organisation grants exemptions from cybersecurity policy, obtain a copy of the list of currently authorized exemptions and a copy of the procedure for Exemptions to Policy.
- Determine that exemptions are granted only for a limited time period, maximum one year.
- Determine that each cybersecurity exemption is regularly reviewed for continuing applicability.
- Determine whether a risk assessment was performed before any exemption is granted and compensating controls are in place, if necessary.

Good Practice: Compliance
Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
Assessment Step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Good Practice: Communication
Criteria: The cybersecurity policies have been defined by management, documented, approved at an appropriate senior level, disseminated to all relevant employees and third parties, and deployed across the organisation. (APO13)
Assessment Steps:
- Verify that an appropriate cybersecurity policy was drafted and deployed before the cybersecurity program was deployed into production.
- Verify that senior business management formally approved the cybersecurity policy.
- Verify that all employees are appropriately informed of the cybersecurity policy, e.g., during initial orientation and in information security training.

Good Practice: HR Support
Criteria: Cybersecurity processes are integrated into HR services, policies and compliance. (APO13)
Assessment Steps:
- Obtain a copy of the organisation’s Code of Conduct and determine whether it specifically states that a violation of the cybersecurity policy is considered a violation of the Code of Conduct with applicable sanctions.
- Determine whether disciplinary policies and supporting processes are in effect for violations of cybersecurity policy. These should include:
  - Established penalties for infringements
  - Uniform application of penalty policy
- Establish whether awareness campaigns are conducted periodically.
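As an added illustration that is not part of the ISACA program, the script below runs the B-2.3a Currency criteria and the B-2.5a exemption determinations (maximum one year, regular review, prior risk assessment, compensating controls) over a constructed policy register and exemption list. The register fields, the sample entries and the 90-day review cadence are assumptions; the program itself only says "regularly reviewed".

```python
"""Audit helper (added example, not ISACA's): policy currency and exemption checks."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_EXEMPTION_DAYS = 365     # B-2.5a: "limited time period, maximum one year"
REVIEW_INTERVAL_DAYS = 90    # assumed cadence for "regularly reviewed" (not from the program)


@dataclass
class Policy:
    name: str
    last_update: Optional[date]   # None: no date of last update indicated
    expires: Optional[date]       # None: no expiration date indicated
    cycle_days: int               # review cycle prescribed for the policy set


@dataclass
class Exemption:
    policy: str
    granted: date
    expires: Optional[date]       # None: open-ended exemption
    last_review: Optional[date]   # None: never reviewed since being granted
    risk_assessed: bool           # risk assessment performed before granting
    controls_required: bool       # "compensating controls ... if necessary"
    controls_in_place: bool


def check_policy(p: Policy, as_of: date) -> List[str]:
    """B-2.3a Currency findings for one policy; an empty list means the criteria hold."""
    findings = []
    if p.last_update is None and p.expires is None:
        findings.append("no-date-indicated")          # neither date is indicated
    if p.expires is not None and p.expires < as_of:
        findings.append("expired")                    # past its own expiration date
    if p.last_update is not None and (as_of - p.last_update).days > p.cycle_days:
        findings.append("cycle-overdue")              # not validated within the cycle
    return findings


def check_exemption(e: Exemption, as_of: date,
                    review_interval: int = REVIEW_INTERVAL_DAYS) -> List[str]:
    """B-2.5a determinations for one exemption from cybersecurity policy."""
    findings = []
    if e.expires is None:
        findings.append("open-ended")                 # no limited time period at all
    else:
        if (e.expires - e.granted).days > MAX_EXEMPTION_DAYS:
            findings.append("exceeds-one-year")
        if e.expires < as_of:
            findings.append("expired-still-listed")   # lapsed but still on the list
    if e.last_review is None:
        findings.append("never-reviewed")
    elif (as_of - e.last_review).days > review_interval:
        findings.append("review-overdue")
    if not e.risk_assessed:
        findings.append("no-risk-assessment")
    if e.controls_required and not e.controls_in_place:
        findings.append("compensating-controls-missing")
    return findings


def audit(policies: List[Policy], exemptions: List[Exemption],
          as_of: date) -> Dict[str, List[str]]:
    """Map every policy or exemption with at least one finding to its findings."""
    report: Dict[str, List[str]] = {}
    for p in policies:
        if (f := check_policy(p, as_of)):
            report[p.name] = f
    for i, e in enumerate(exemptions, 1):
        if (f := check_exemption(e, as_of)):
            report[f"exemption#{i} ({e.policy})"] = f
    return report


# Constructed sample register; the item names echo the Key Information Items in A-3.5.
AS_OF = date(2014, 9, 1)
SAMPLE_POLICIES = [
    Policy("Cybersecurity Policy", date(2014, 1, 15), None, 365),        # current
    Policy("Third-party access policy", date(2012, 6, 1), None, 365),    # cycle overdue
    Policy("Virtualization policy", None, None, 365),                    # no date shown
    Policy("Code of Conduct", date(2014, 1, 1), date(2014, 6, 30), 365), # expired
]
SAMPLE_EXEMPTIONS = [
    Exemption("Cybersecurity Policy", date(2014, 3, 1), date(2014, 12, 1),
              date(2014, 7, 15), True, True, True),                      # clean
    Exemption("Third-party access policy", date(2013, 1, 10), None,
              None, False, False, False),                                # open, unreviewed
    Exemption("Virtualization policy", date(2014, 2, 1), date(2015, 6, 1),
              date(2014, 3, 1), True, True, False),                      # > 1 year, stale
]

if __name__ == "__main__":
    for item, findings in audit(SAMPLE_POLICIES, SAMPLE_EXEMPTIONS, AS_OF).items():
        print(f"{item}: {', '.join(findings)}")
```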


Good Practice: Third-party compliance
Criteria: Third parties, such as contractors, are contractually required to comply with the organisation’s cybersecurity policies. (APO09, APO10)
Assessment Steps:
- Determine the policies in effect to permit third parties to use the organisation’s IT resources, and to protect the organisation’s assets and intellectual property from unauthorized access.
- Evaluate the effectiveness of cybersecurity controls upon third parties and determine whether additional controls, policies or procedures are required to protect the organisation’s assets.

Good Practice: Cloud services and virtualized environments
Criteria: The enterprise’s architecture extends cybersecurity arrangements to cover all cloud-based and/or virtualised services, applications and information assets. (APO03, APO09, APO10, DSS05)
Assessment Steps:
- Obtain and review architecture elements and components involving cloud or virtualised elements.
- Determine the policies in effect to govern cloud and virtualisation use, and establish the level of protection with regard to cybersecurity.
- Evaluate the effectiveness of cybersecurity controls on cloud services and virtualised environments and identify any gaps.

Principles, policies and frameworks: Cybersecurity Frameworks and Standards

B-2.1b Understand the Principles, Policies and Frameworks context.
Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.

B-2.2b Understand the stakeholders of the Principles, Policies and Frameworks: Cybersecurity Frameworks and Standards.
Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to be in compliance with the policies.

B-2.3b Understand the goals for the Principles, Policies and Frameworks, and the related metrics and agree on expected values.
Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: Cybersecurity Frameworks and Standards. Security management frameworks, such as ISO/IEC 27001 with ISO 27032, or the NIST 800 series, will be used as a good-practice reference.
Perform the assurance steps using the example criteria described below.

Goal: Comprehensiveness
Criteria: The set of frameworks is comprehensive in its coverage.
Assessment Step: Verify that the set of frameworks is comprehensive in its coverage.

Goal: Currency
Criteria: The set of frameworks is up to date. This at least requires:
- A regular validation of all frameworks whether they are still up to date
- An indication of the frameworks’ expiration date or date of last update
Assessment Step: Verify that the set of frameworks is up to date. This at least requires:
- A regular validation of all frameworks whether they are still up to date
- An indication of the frameworks’ expiration date or date of last update
- Verification of compliance with cycle dates for frameworks

Goal: Flexibility
Criteria: The set of frameworks is flexible. It is structured in such a way that it is easy to add or update controls as circumstances require.
Assessment Step: Verify the flexibility of the set of frameworks, i.e., that it is structured in such a way that it is easy to add or update controls as circumstances require.

Goal: Availability
Criteria: Frameworks are available to all stakeholders. Frameworks are easy to navigate and have a logical and hierarchical structure.
Assessment Step: Verify that frameworks are available to all stakeholders. Verify that frameworks are easy to navigate and have a logical and hierarchical structure.

B-2.4b Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria.
Assess to what extent the Principles, Policies and Frameworks life cycle is managed.
The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a process review of process APO01 Manage the IT management framework.

B-2.5b Understand good practices related to the Principles, Policies and Frameworks and expected values.
Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied.
The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good Practice: Scope and validity
Criteria: The scope is described and the validity date is indicated.
Assessment Step: Verify that the scope of the framework is described and the validity date is indicated.

Good Practice: Exception and escalation
Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure.
Assessment Steps:
- Verify that the exception and escalation procedure is described, explained and commonly known.
- Through observation of a representative sample, verify that the exception and escalation procedure has not become de facto standard procedure.

Good Practice: Compliance
Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
Assessment Step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Good Practice: Alignment with internal policies
Criteria: Cybersecurity technical standards are aligned with the organisation’s standards. (APO13, DSS04, DSS05)
Assessment Steps:
- Obtain and review the current set of applicable technical or technology-related standards.
- Determine whether these standards include appropriate references to cybersecurity requirements and measures.
- Evaluate (drill down) for critical services, applications, platforms or infrastructure elements as well as information assets to ensure that technical standards are comprehensive enough to encompass the needs of cybersecurity.
- Obtain a copy of each of the following:
  - Technical guidelines and procedures at the IT service level, including services partially or fully provided by third parties
  - Technical guidelines and procedures at the IT application level
  - Technical guidelines and procedures at the IT platform level, including remotely controlled and administered platforms (rental virtual servers etc.)
  - Technical guidelines and procedures at the autonomous IT hardware level (including stand-alone servers and clusters, end user PC devices etc.)
  - Technical guidelines and procedures for critical or particularly exposed hardware items, notably mobile devices such as smartphones or tablets
  - Technical and administrative guidelines and procedures around BYOD
  - Technical and administrative guidelines and procedures for industrial control systems and IT interfaces
  - Technical and administrative guidelines and procedures for building and facilities management systems
  - Incident management, disaster recovery and service / business continuity procedures for critical IT assets
  - Guidelines and procedures concerning the identification, documentation and safeguarding of informational evidence, e.g., logs
- Identify and document any gaps, inconsistencies and potential weaknesses in the documentation.

Good Practice: Standards of good practice are applied to cybersecurity
Criteria: Recognised standards of good practice in cybersecurity are applied within the enterprise.
COBIT 5 and related documents: Cybersecurity is subject to COBIT 5 as a framework. Detailed guidance using COBIT 5 is applied throughout the enterprise.
Assessment Steps:
- Determine if COBIT 5 has been accepted and implemented as the guiding framework for cybersecurity.
- Determine if COBIT 5 for Information Security and related documents on cybersecurity are implemented.
ISO Standards: Relevant ISO standards are applied to cybersecurity.
Assessment Steps:
- Determine if the ISO 27000 series has been accepted and implemented as guidance for cybersecurity.
- Determine if the ISO 22300 series has been accepted and implemented as guidance for the resilience aspects of cybersecurity.

Good Practice: Critical infrastructure protection standards are applied to cybersecurity
Criteria: Where organisations are deemed part of critical information infrastructures, cybersecurity arrangements are aligned with existing regulations and good practice.
Incident reporting (Art. 13a): Incidents are identified, documented and reported in line with applicable regulations and/or good practice recommendations. (DSS02)
Assessment Steps:
- Determine whether the enterprise is subject to the regulations for electronic communications operators and therefore subject to Article 13a.
- Verify that all applicable incident reporting regulations and recommendations are being adhered to.
Systems-related recommendations and guidelines: Critical applications and systems are managed in line with good practice and recognised recommendations for cybersecurity.
Assessment Steps:
- Determine whether critical systems (such as industrial control systems) are adequately covered by existing cybersecurity arrangements.
- Verify that mobile devices are adequately covered by existing cybersecurity arrangements.

Principles, policies and frameworks: SANS 20 Critical Controls

B-2.1c Understand the Principles, Policies and Frameworks context.
Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.

B-2.2c Understand the stakeholders of the Principles, Policies and Frameworks: SANS 20 Critical Controls.
Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to be in compliance with the policies.

B-2.3c Understand the goals for the Principles, Policies and Frameworks, and the related metrics and agree on expected values.
Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: SANS 20 Critical Controls should be used to ensure that critical controls are included in the cybersecurity program.
Perform the assurance steps using the example criteria described below.

Goal: Comprehensiveness
Criteria: Documentation about SANS 20 Critical Controls is comprehensive in its coverage.
Assessment Step: Verify that documentation about SANS 20 Critical Controls is comprehensive in its coverage.

Goal: Currency
Criteria: Documentation about SANS 20 Critical Controls is up to date. This at least requires:
- A regular validation of all documents whether they are still up to date
- An indication of the documents’ expiration date or date of last update
Assessment Step: Verify that documentation about SANS 20 Critical Controls is up to date. This at least requires:
- A regular validation of all documentation whether it is still up to date
- An indication of the documentation’s expiration date or date of last update
- Verification of compliance with cycle dates

Goal: Flexibility
Criteria: Documentation about SANS 20 Critical Controls is flexible. It is structured in such a way that it is easy to add or update controls as circumstances require.
Assessment Step: Verify the flexibility of the documentation about SANS 20 Critical Controls, i.e., that it is structured in such a way that it is easy to add or update controls as circumstances require.

Goal: Availability
Criteria: Documentation about SANS 20 Critical Controls is available to all stakeholders. Documentation about SANS 20 Critical Controls is easy to navigate and has a logical and hierarchical structure.
Assessment Step: Verify that documents are available to all stakeholders. Verify that documents are easy to navigate and have a logical and hierarchical structure.

B-2.4c Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria.
Assess to what extent the Principles, Policies and Frameworks life cycle is managed.
The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a process review of process APO01 Manage the IT management framework.

B-2.5c Understand good practices related to the Principles, Policies and Frameworks and expected values.
Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied.
The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good Practice: Scope and validity
Criteria: The scope is described and the validity date is indicated.
Assessment Step: Verify that the scope of the framework is described and the validity date is indicated.

Good Practice: Exception and escalation
Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure.
Assessment Steps:
- Verify that the exception and escalation procedure is described, explained and commonly known.
- Through observation of a representative sample, verify that the exception and escalation procedure has not become de facto standard procedure.

Good Practice: Compliance
Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
Assessment Step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Good Practice: Completeness
Criteria: Critical control sets have been incorporated into cybersecurity arrangements. The SANS 20 critical controls have been incorporated and embedded into the enterprise’s cybersecurity arrangements.
Assessment Step: Determine if the enterprise has formally accepted and adopted the 20 critical controls as guidance for cybersecurity.

Principles, policies and frameworks: ISMS Policy

B-2.1d Understand the Principles, Policies and Frameworks context.Obtain and understanding of the overall system of internal control and the associated Principles, Policies and Frameworks

B-2.2d Understand the stakeholders of the Principles, Policies and Frameworks: ISMS PolicyUnderstand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to be in compliance with the policies.

B-2.3d Understand the goals for the Principles, Policies and Frameworks, and the related metrics and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks. Goal: ISMS Policy: The cybersecurity policies have been defined by management, documented, approved at an appropriate senior level, disseminated to all relevant employees and third parties, and deployed across the organisation.

Perform the assurance steps using the example criteria described below.

Comprehensiveness
Criteria: The set of frameworks is comprehensive in its coverage.
Assessment step: Verify that the set of frameworks is comprehensive in its coverage.

Currency
Criteria: The set of frameworks is up to date. This at least requires: a regular validation of all frameworks as to whether they are still up to date; an indication of each framework's expiration date or date of last update.
Assessment step: Verify that the set of frameworks is up to date. This at least requires: a regular validation of all frameworks as to whether they are still up to date; an indication of each framework's expiration date or date of last update; verification of compliance with cycle dates for frameworks.

Flexibility
Criteria: The set of frameworks is flexible. It is structured in such a way that it is easy to add or update controls as circumstances require.
Assessment step: Verify the flexibility of the set of frameworks, i.e., that it is structured in such a way that it is easy to add or update controls as circumstances require.

Availability
Criteria: Frameworks are available to all stakeholders. Frameworks are easy to navigate and have a logical and hierarchical structure.
Assessment step: Verify that frameworks are available to all stakeholders. Verify that frameworks are easy to navigate and have a logical and hierarchical structure.

B-2.4d Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the Process APO01. The review of this life cycle is therefore equivalent to a process review of process APO01 Manage the IT management framework.

B-2.5d Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, using appropriate auditing techniques, assess the following aspects.

Scope and validity
Criteria: The scope is described and the validity date is indicated.
Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure.
Assessment step: Verify that the exception and escalation procedure is described, explained and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance
Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Principles, policies and frameworks: Information architecture model

B-2.1e Understand the Principles, Policies and Frameworks context. Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.

B-2.2e Understand the stakeholders of the Principles, Policies and Frameworks: Information architecture model. Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to be in compliance with the policies.

B-2.3e Understand the goals for the Principles, Policies and Frameworks, and the related metrics and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks. Goal: Information architecture model. Perform the assurance steps using the example criteria described below.

Comprehensiveness
Criteria: The architecture model is comprehensive in its coverage.
Assessment step: Verify that documentation is comprehensive in its coverage.

Currency
Criteria: The architecture model is up to date. This at least requires: a regular validation of the architecture model as to whether it is still up to date; an indication of the architecture model's expiration date or date of last update.
Assessment step: Verify that documentation is up to date. This at least requires: a regular validation of the document as to whether it is still up to date; an indication of the document’s expiration date or date of last update; verification of compliance with cycle dates.

Flexibility
Criteria: The architecture model is flexible. It is structured in such a way that it is easy to update as circumstances require.
Assessment step: Verify the flexibility of the documentation, i.e., that it is structured in such a way that it is easy to update as circumstances require.

Availability
Criteria: The architecture model is available to all stakeholders. The architecture model is easy to navigate and has a logical and hierarchical structure.
Assessment step: Verify that documentation is available to all stakeholders. Verify that documentation is easy to navigate and has a logical and hierarchical structure.

B-2.4e Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the Process APO01. The review of this life cycle is therefore equivalent to a process review of process APO01 Manage the IT management framework.

B-2.5e Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, using appropriate auditing techniques, assess the following aspects.

Scope and validity
Criteria: The scope is described and the validity date is indicated.
Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure.
Assessment step: Verify that the exception and escalation procedure is described, explained and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance
Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Principles, policies and frameworks: Legal and regulatory compliance requirements

B-2.1f Understand the Principles, Policies and Frameworks context. Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.

B-2.2f Understand the stakeholders of the Principles, Policies and Frameworks: Legal and regulatory compliance requirements. Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to be in compliance with the policies.

B-2.3f Understand the goals for the Principles, Policies and Frameworks, and the related metrics and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks. Goal: Legal and regulatory compliance requirements. Perform the assurance steps using the example criteria described below.

Comprehensiveness
Criteria: The legal and regulatory compliance requirements documentation is comprehensive in its coverage.
Assessment step: Verify that documentation is comprehensive in its coverage.

Currency
Criteria: The legal and regulatory compliance requirements documentation is up to date. This at least requires: a regular validation of the documentation as to whether it is still up to date; an indication of the documentation's expiration date or date of last update.
Assessment step: Verify that documentation is up to date. This at least requires: a regular validation of the document as to whether it is still up to date; an indication of the document’s expiration date or date of last update; verification of compliance with cycle dates.

Flexibility
Criteria: The legal and regulatory compliance requirements documentation is flexible. It is structured in such a way that it is easy to update as circumstances require.
Assessment step: Verify the flexibility of the documentation, i.e., that it is structured in such a way that it is easy to update as circumstances require.

Availability
Criteria: The legal and regulatory compliance requirements documentation is available to all stakeholders. The legal and regulatory compliance requirements documentation is easy to navigate and has a logical and hierarchical structure.
Assessment step: Verify that documentation is available to all stakeholders. Verify that documentation is easy to navigate and has a logical and hierarchical structure.

B-2.4f Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the Process APO01. The review of this life cycle is therefore equivalent to a process review of process APO01 Manage the IT management framework.

B-2.5f Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, using appropriate auditing techniques, assess the following aspects.

Scope and validity
Criteria: The scope is described and the validity date is indicated.
Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure.
Assessment step: Verify that the exception and escalation procedure is described, explained and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance
Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform the Assessment: Processes

Ref. Assurance Steps and Guidance Issue Cross-reference Comment

B-3 Obtain understanding of the Processes in scope and set suitable assessment criteria: for each process in scope (as determined in step A-3.2), additional information is collected and assessment criteria are defined. Assess the Processes.

EDM03 Ensure risk optimisation

B-3.1a Understand the Process context. Risk optimisation refers to governance in the widest sense, which should address the intrinsic risk within cybersecurity and set policies and steps accordingly.

B-3.2a Understand the Process purpose. Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.

B-3.3a Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process in COBIT 5: Enabling Processes, page 39. Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step, the translation is made between the theoretical RACI chart entry and the real enterprise. The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following function(s), which therefore will need to be involved during the assurance engagement:

EDM03 Ensure risk optimization stakeholders:

B-3.4a Understand the Process goals and related metrics² and define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process. The Process EDM03 Ensure risk optimization has 3 defined process goals. The following activities can be performed to assess whether the goals are achieved.

Process goal: Risk thresholds are defined and communicated and key IT-related risk is known.
Related metrics: Level of alignment between IT risk and enterprise risk; Number of potential IT risk identified and managed; Refreshment rate of risk factor evaluation; Number of potential cybersecurity risk factors identified and managed.
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Process goal: The enterprise is managing critical IT-related enterprise risk effectively and efficiently.
Related metrics: Percent of enterprise projects that consider IT risk; Percent of IT risk action plans executed on time; Percent of critical risk that has been effectively mitigated; Percent of critical risk that has been mitigated effectively.
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Process goal: IT-related enterprise risk does not exceed risk appetite and the impact of IT risk to enterprise value is identified and managed.
Related metrics: Level of unexpected enterprise impact; Percent of IT risk that exceeds enterprise risk tolerance; Percent of cybersecurity risk that exceeds enterprise risk tolerance.
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

² For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.

B-3.5a Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)

Agree on the process practices that should be in place (process design). Assess the process design, i.e., assess to what extent:
- Expected process practices are applied.
- Accountability and responsibility are assigned and assumed.

COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:
- A sound process design
- The reference against which the process will be assessed in phase B with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.

Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference Process: EDM03 Ensure risk optimisation
Criteria: Governance practices to optimise risk are established.

Reference Process Practices (Good Practice and Assessment Step)


EDM03.01 Evaluate risk management.

Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.

Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practices are effectively implemented through the following, typical (control) activities:

1. Determine the level of IT-related risk that the enterprise is willing to take to meet its objectives (risk appetite).
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise’s acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise’s capacity for IT-related loss and leadership’s tolerance of it.

EDM03.02 Direct risk management.

Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.

Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practices are effectively implemented through the following, typical (control) activities:

1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.
4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how).
5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.
6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.

EDM03.03 Monitor risk management.

Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practices are effectively implemented through the following, typical (control) activities:

1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk governance and management processes against targets, analyse the cause of any deviations, and initiate remedial actions to address the underlying causes.
3. Enable key stakeholders’ review of the enterprise’s progress towards identified goals.
4. Report any risk management issues to the board or executive committee.

B-3.6a Agree on the process work products³ (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available. Process EDM03 Ensure risk optimization inputs and outputs: the most relevant of these work products (those not assessed as Information items in scope in section A-3.5) are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.

Criteria: All listed work products should demonstrably exist and be used.

Process Practice: <Process or Practice Name>
Work Products: List work products not included in the information items section.
Assessment Step: Apply appropriate audit techniques to determine the existence and appropriate use of each work product.

³ For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.

B-3.7a Agree on the process capability level to be achieved by the process. This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes, for which no reference practices, work products or outcomes are approved, cannot use this assessment method; therefore, the concept of capability level does not apply.

APO12 Manage risk

B-3.1b Understand the Process context. Management in IT should adequately address risk issues related to cybersecurity.

B-3.2b Understand the Process purpose. Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.

B-3.3b Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process in COBIT 5: Enabling Processes, page 108. Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step, the translation is made between the theoretical RACI chart entry and the real enterprise. The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following function(s), which therefore will need to be involved during the assurance engagement:

APO12 Manage risk stakeholders:

B-3.4b Understand the Process goals and related metrics⁴ and define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process. The Process APO12 Manage risk has 4 defined process goals. The following activities can be performed to assess whether the goals are achieved.

Process goal: IT-related risk is identified, analysed, managed and reported.
Related metrics: Degree of visibility and recognition in the current environment; Number of loss events with key characteristics captured in repositories; Percent of audits, events and trends captured in repositories.
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Process goal: A current and complete risk profile exists.
Related metrics: Percent of key business processes included in the risk profile; Completeness of attributes and values in the risk profile.
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Process goal: All significant risk management actions are managed and under control.
Related metrics: Percent of risk management proposals rejected due to lack of consideration of other related risk; Number of significant incidents not identified and included in the risk management portfolio.
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Process goal: Risk management actions are implemented effectively.
Related metrics: Percent of IT risk action plans executed as designed; Number of measures not reducing residual risk.
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

⁴ For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.

B-3.5b Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)

Agree on the process practices that should be in place (process design). Assess the process design, i.e., assess to what extent:
- Expected process practices are applied.
- Accountability and responsibility are assigned and assumed.

COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:
- A sound process design
- The reference against which the process will be assessed in phase B with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.

Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference Process: APO12 Manage risk
Criteria: Control activities to manage risk are properly implemented.

Reference Process Practices (Good Practice and Assessment Step)

Data Classification: Cybersecurity parameters and criteria have been included in the general data classification.

Business critical information assets are adequately classified with regard to cybersecurity.

Inspect and review the general data classification method and scheme used within the enterprise.

Review the cybersecurity-related classification parameters used in the data classification.

Information Asset Inventory: The enterprise maintains an information asset inventory with adequate cybersecurity criteria.

Inspect and review the information asset inventory for completeness and accuracy. Review the cybersecurity-related criteria and parameters for information assets recorded in the inventory.

Attack History and Lessons Learned: The enterprise has duly recorded and analysed all previous attacks. Lessons learned have been documented and are applied to critical information assets.

Obtain and review samples of previous attacks and incidents. Determine, on a high-level basis, whether all attacks and incidents have been identified, recorded and documented.

Attack and Incident Analysis: Attacks and incidents are analysed in a formal and comprehensive manner.

Examine the methods of analysis applied to the attack and incident history. Obtain and review samples of attack and incident analysis.

Key Learnings: Lessons learned and potential improvements are identified and adequately documented.

Based on the samples for documentation and analysis, review the method of identifying lessons learned and potential improvements to cybersecurity.

Determine whether potential improvements are formulated in a reasonable, comprehensive and understandable manner.

Improvements in Information Asset Protection: Key learnings and improvements are implemented in a continuous and consistent manner.

Based on the samples for documentation and analysis, determine whether improvements have been implemented.

Determine whether improvements are implemented continuously and consistently throughout the enterprise.

APO12.01 Collect data

Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.

Cybersecurity is subject to routine risk assessment processes. Management performed a risk assessment prior to implementing cybersecurity arrangements.

Determine whether a risk assessment of cyberthreats, vulnerabilities and business-related risk (TVRA) was performed before acceptance of the program.

Obtain and review risk assessment documentation, if available, to determine whether the control level is adequate to support the cybersecurity program.

Obtain board minutes or other documentation to support the approval of the risk assessment and any formal risk acceptances.

Obtain and review the relevant risk assessment documentation to determine whether the risk assessment scope is: (a) adequate to support the changes in the cybersecurity program, and (b) sufficient to protect the organisation appropriately and in line with business risk appetite.

APO12.02 Analyse risk

Develop useful information to support risk decisions that take into account the business relevance of risk factors.

APO12.03 Maintain a risk profile

Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities.

A risk assessment is performed and approved by management to initiate changes and improvements to the cybersecurity program or to reaffirm the previous risk assessment.

Determine whether subsequent risk assessments have been performed at the planned, regularly scheduled frequency (e.g., annually or biannually).

APO12.04 Articulate risk

Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.

Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented.

1. Report the results of risk analysis to all affected stakeholders in terms and formats useful to support enterprise decisions. Wherever possible, include probabilities and ranges of loss or gain along with confidence levels that enable management to balance risk-return.
2. Provide decision makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and significant reputation, legal or regulatory considerations.
3. Report the current risk profile to all stakeholders, including effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status, and their impacts on the risk profile.
4. Review the results of objective third-party assessments, internal audit and quality assurance reviews, and map them to the risk profile. Review identified gaps and exposures to determine the need for additional risk analysis.
5. On a periodic basis, for areas with relative risk and risk capacity parity, identify IT-related opportunities that would allow the acceptance of greater risk and enhanced growth and return.

APO12.05 Define a risk management action portfolio

Manage opportunities to reduce risk to an acceptable level as a portfolio.

Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented.

APO12.06 Respond to risk

Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.

Risk assessments are conducted after incidents.

Determine whether any subsequent risk assessment has been performed as a result of actual cyberattacks or breaches, including near misses.

B-3.6b Agree on the process work products[5] (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.

APO12 Manage risk inputs and outputs. The most relevant (and not assessed as Information items in scope in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.

Criteria: All listed work products should demonstrably exist and be used.

Process Practice | Work Products | Assessment Step

<Process or Practice Name>: List work products not included in the information items section. Apply appropriate audit techniques to determine the existence and appropriate use of each work product.

B-3.7b Agree on the process capability level to be achieved by the process. This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes, for which no reference practices, work products or outcomes are approved, cannot use this assessment method; therefore, the concept of capability level does not apply.

APO13 Manage security

B-3.1c Understand the Process context. The information security management system (ISMS) should incorporate adequate provisions for cybersecurity.

B-3.2c Understand the Process purpose. Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels.

B-3.3c Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process in COBIT 5: Enabling Processes page 114. Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step, the translation is made between the theoretical RACI chart entry and the real enterprise.

The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following function(s), which therefore will need to be involved during the assurance engagement:

APO13 Manage security stakeholders:

[5] For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.

B-3.4c Understand the Process goals and related metrics[6] and define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process.

The Process APO13 Manage security has 3 defined process goals. The following activities can be performed to assess whether the goals are achieved.

Process Goal | Related Metrics | Criteria/Expected Value | Assessment Step

A system is in place that considers and effectively addresses enterprise information security requirements.

Number of key security roles clearly defined

Number of security related incidents

Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.

In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

A security plan has been established, accepted and communicated throughout the enterprise.

Level of stakeholder satisfaction with the security plan throughout the enterprise

Number of security solutions deviating from the plan

Number of security solutions deviating from the enterprise architecture

Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.

In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Information security solutions are implemented and operated consistently throughout the enterprise.

Number of services with confirmed alignment to the security plan

Number of security incidents caused by non-adherence to the security plan

Number of solutions developed with confirmed alignment to the security plan

Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.

In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

B-3.5c Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)

Agree on the process practices that should be in place (process design). Assess the process design, i.e., assess to what extent: expected process practices are applied; accountability and responsibility are assigned and assumed.

[6] For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.


COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are: a sound process design, and the reference against which the process will be assessed in phase B with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.

Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference Process: APO13 Manage security. Criteria: Control activities to manage security are properly implemented.

Reference Process Practices | Good Practice | Assessment Step

Target Accessibility: Critical targets are properly protected.

For all critical information assets, review the identity and access management arrangements.

Determine whether access privileges for potential targets are aligned with business needs and asset criticality.

Target Value: The business value (or other value) attributed to information assets is known and measured.

Obtain and review the inventory of business critical information assets. Determine whether the enterprise has identified potential target information assets that may be exposed to cybercrime and cyberwarfare.

Target Attractiveness: The enterprise has implemented mechanisms for recognising, measuring and controlling target attractiveness.

Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented.

APO13.01 Establish and maintain an information security management system (ISMS)

Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.

Cybersecurity is subject to a comprehensive cycle of Plan-Do-Check-Act (PDCA).

Determine whether cybersecurity processes are integrated with the overarching ISMS process. Establish the presence of PDCA in all cybersecurity processes.

APO13.02 Define and manage an information security risk treatment plan

Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation.

Cybersecurity Risk Treatment Plan: All cybersecurity risk is subject to formal treatment.

Obtain and review the enterprise’s plans for cybersecurity risk treatment. Determine whether all cybersecurity risk scenarios have been included in the risk treatment plan.

Determine whether cybersecurity risk treatment options are adequate and in line with overall organisational (business) risk appetite.

APO13.03 Monitor and review the ISMS

Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyse data about the ISMS, and improve the effectiveness of the ISMS. Correct non-conformities to prevent recurrence. Promote a culture of security and continual improvement.

Compare the RACI chart as included in the reference process in COBIT 5 with the actual accountability and responsibility for this practice and assess whether:

Cybersecurity Monitoring Process: All cybersecurity-related events are monitored in an appropriate manner.

Determine whether the enterprise operates an adequate and comprehensive monitoring process for cybersecurity-related events and incidents.

Obtain and review samples of operational monitoring.

B-3.6c Agree on the process work products[7] (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.

Process APO13 Manage security inputs and outputs. The most relevant (and not assessed as Information items in scope in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.

Criteria: All listed work products should demonstrably exist and be used.

Process Practice | Work Products | Assessment Step

<Process or Practice Name>: List work products not included in the information items section. Apply appropriate audit techniques to determine the existence and appropriate use of each work product.

[7] For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.


B-3.7c Agree on the process capability level to be achieved by the process. This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes, for which no reference practices, work products or outcomes are approved, cannot use this assessment method; therefore, the concept of capability level does not apply.

DSS02 Manage Incidents and Service Requests

B-3.1d Understand the Process context. Incidents in cybersecurity should be identified and managed.

B-3.2d Understand the Process purpose. Achieve increased productivity and minimise disruptions through quick resolution of user queries and incidents.

B-3.3d Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process in COBIT 5: Enabling Processes page 178. Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step, the translation is made between the theoretical RACI chart entry and the real enterprise.

The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following function(s), which therefore will need to be involved during the assurance engagement:

DSS02 Manage Incidents and Service Requests stakeholders:

B-3.4d Understand the Process goals and related metrics[8] and define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process. The Process DSS02 Manage Incidents and Service Requests has 3 defined process goals.

The following activities can be performed to assess whether the goals are achieved.

Process Goal | Related Metrics | Criteria/Expected Value | Assessment Step

IT-related services are available for use.

Number and percent of incidents causing disruption to business-critical processes

Mean time between incidents according to IT-enabled service

Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.

In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Incidents are resolved according to agreed-on service levels.

Percent of incidents resolved within an agreed-on/acceptable period of time

Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.

In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

[8] For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.

Service requests are dealt with according to agreed-on service levels and to the satisfaction of users.

Level of user satisfaction with service request fulfilment

Mean elapsed time for handling each type of service request

Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.

In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

B-3.5d Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)

Agree on the process practices that should be in place (process design). Assess the process design, i.e., assess to what extent: expected process practices are applied; accountability and responsibility are assigned and assumed.

COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are: a sound process design, and the reference against which the process will be assessed in phase B with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.

Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference Process: DSS02 Manage Incidents and Service Requests. Criteria: Control activities to manage incidents and service requests are properly implemented.

Reference Process Practices | Good Practice | Assessment Step

DSS02.01 Define incident and service request classification schemes

Define incident and service request classification schemes and models.

Incident Classification and Escalation: Cybersecurity incidents are adequately classified and appropriately escalated in line with the classification.

Obtain and review procedures and samples of incidents, and ascertain that all incidents are classified in a formal and consistent manner.

Review the escalation path and stages for incidents, based on the existing classification.

DSS02.02 Record, classify and prioritise requests and incidents

Identify, record and classify service requests and incidents, and assign a priority according to business criticality and service agreements.

Incident Classification and Escalation: Cybersecurity incidents are adequately classified and appropriately escalated in line with the classification.

Review the escalation path and stages for incidents, based on the existing classification.
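As an added worked example (not part of the ISACA program or of COBIT 5), the following Python script shows how an auditor could test a sample of incident records against the DSS02.01/DSS02.02 criteria above (every incident classified under the agreed scheme and escalated in line with it) and compute the B-3.4d process goal metrics (percent of incidents resolved within the agreed period, percent of incidents causing disruption to business-critical processes, mean time between incidents per IT-enabled service) for comparison with the agreed expected values. The classification scheme, escalation stages, resolution targets, expected values and incident records are all constructed assumptions made for the illustration; an enterprise's own scheme and records replace them.

```python
from datetime import datetime

# Hypothetical classification scheme agreed with the enterprise for this
# audit (an assumption, not a scheme from the ISACA program):
# severity -> (escalation stage the scheme requires, resolution target in hours)
SCHEME = {
    "critical": ("CISO", 4),
    "high": ("security manager", 24),
    "medium": ("SOC lead", 72),
    "low": ("service desk", 168),
}


def _ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM' timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


# Constructed sample of incident records (not real data). 'resolved' is None
# for incidents still open at the audit date.
SAMPLE = [
    {"id": "INC-1", "service": "payments", "severity": "critical", "escalated_to": "CISO",
     "opened": "2014-03-01T08:00", "resolved": "2014-03-01T11:30", "disrupted_critical": True},
    {"id": "INC-2", "service": "payments", "severity": "high", "escalated_to": "security manager",
     "opened": "2014-03-03T09:00", "resolved": "2014-03-05T09:00", "disrupted_critical": False},
    {"id": "INC-3", "service": "email", "severity": "medium", "escalated_to": "SOC lead",
     "opened": "2014-03-02T10:00", "resolved": "2014-03-03T10:00", "disrupted_critical": False},
    {"id": "INC-4", "service": "email", "severity": "", "escalated_to": "service desk",
     "opened": "2014-03-04T10:00", "resolved": "2014-03-04T12:00", "disrupted_critical": False},
    {"id": "INC-5", "service": "payments", "severity": "low", "escalated_to": "SOC lead",
     "opened": "2014-03-06T08:00", "resolved": None, "disrupted_critical": False},
    {"id": "INC-6", "service": "payments", "severity": "high", "escalated_to": "service desk",
     "opened": "2014-03-08T08:00", "resolved": None, "disrupted_critical": True},
]


def classification_findings(incidents, scheme=SCHEME):
    """DSS02.01/02 check: every incident is classified under the scheme and
    escalated to the stage the scheme requires. Returns (incident id, finding)."""
    findings = []
    for inc in incidents:
        sev = inc["severity"]
        if sev not in scheme:
            findings.append((inc["id"], "not classified under the agreed scheme: %r" % sev))
            continue
        required = scheme[sev][0]
        if inc["escalated_to"] != required:
            findings.append((inc["id"], "escalated to %r, scheme requires %r for %s"
                             % (inc["escalated_to"], required, sev)))
    return findings


def resolved_within_target(inc, as_of, scheme=SCHEME):
    """True if the incident met the agreed resolution target. An incident with
    no usable classification cannot be shown to meet any agreed target, so it
    counts as a breach. An open incident counts as a breach only once its
    target has already elapsed at the audit date."""
    if inc["severity"] not in scheme:
        return False
    target_h = scheme[inc["severity"]][1]
    end = _ts(inc["resolved"]) if inc["resolved"] else as_of
    elapsed_h = (end - _ts(inc["opened"])).total_seconds() / 3600
    return elapsed_h <= target_h


def percent_within_target(incidents, as_of, scheme=SCHEME):
    """Percent of incidents resolved within the agreed-on period."""
    if not incidents:
        return 0.0
    met = sum(resolved_within_target(i, as_of, scheme) for i in incidents)
    return round(100.0 * met / len(incidents), 1)


def percent_disrupting_critical(incidents):
    """Percent of incidents causing disruption to business-critical processes."""
    if not incidents:
        return 0.0
    return round(100.0 * sum(i["disrupted_critical"] for i in incidents) / len(incidents), 1)


def mean_time_between_incidents_h(incidents):
    """Mean hours between consecutive incident openings per IT-enabled service;
    None where a service has fewer than two incidents in the sample."""
    by_service = {}
    for inc in incidents:
        by_service.setdefault(inc["service"], []).append(_ts(inc["opened"]))
    result = {}
    for service, opened in by_service.items():
        opened.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(opened, opened[1:])]
        result[service] = round(sum(gaps) / len(gaps), 1) if gaps else None
    return result


def assess(incidents, as_of, expected, scheme=SCHEME):
    """Compare the computed metrics with the expected values agreed in step
    B-3.4d. 'expected' maps metric name -> (operator, agreed value)."""
    metrics = {
        "pct_within_target": percent_within_target(incidents, as_of, scheme),
        "pct_disrupting_critical": percent_disrupting_critical(incidents),
        "classification_findings": len(classification_findings(incidents, scheme)),
    }
    ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}
    verdict = {name: ops[op](metrics[name], value) for name, (op, value) in expected.items()}
    return metrics, verdict


if __name__ == "__main__":
    AS_OF = _ts("2014-03-10T00:00")   # audit date (constructed)
    EXPECTED = {                      # hypothetical agreed expected values
        "pct_within_target": (">=", 90.0),
        "pct_disrupting_critical": ("<=", 10.0),
        "classification_findings": ("==", 0),
    }
    for inc_id, finding in classification_findings(SAMPLE):
        print(inc_id, "-", finding)
    print("mean time between incidents (h):", mean_time_between_incidents_h(SAMPLE))
    metrics, verdict = assess(SAMPLE, AS_OF, EXPECTED)
    for name in metrics:
        print("%s: %s -> %s" % (name, metrics[name], "met" if verdict[name] else "NOT met"))
```

Two choices in the script matter for the audit conclusion: an incident that carries no classification from the agreed scheme is counted against the resolution-time goal, because no agreed period can be shown to apply to it, and an incident still open at the audit date is counted as a breach only once its target has already elapsed. Both should be stated in the working papers, since the metric value depends on them.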

DSS02.03 Verify, approve and fulfil service requests

Select the appropriate request procedures and verify that the service requests fulfil defined request criteria. Obtain approval, if required, and fulfil the requests.

Verify entitlement for service requests using, where possible, a predefined process flow and standard changes.

Obtain financial and functional approval or sign-off, if required, or predefined approvals for agreed-on standard changes.

Fulfil the requests by performing the selected request procedure, using, where possible, self-help automated menus and predefined request models for frequently requested items.

DSS02.04 Investigate, diagnose and allocate incidents

Identify and record incident symptoms, determine possible causes, and allocate for resolution.

Cybersecurity incidents are investigated and diagnosed in line with the classification.

Determine whether any and all incidents are duly investigated, based on the classification and severity of each incident.

Obtain and review the method and samples of incident diagnostics (irrespective of investigative work).

Determine whether incident diagnostics are performed at an adequate level of technical depth and understanding.

Where third-party services are used in incident investigation and diagnostics, determine whether the enterprise has adequate control over these providers.

DSS02.05 Resolve and recover from incidents

Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.

Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented.

1. Select and apply the most appropriate incident resolutions (temporary workaround and/or permanent solution).
2. Record whether workarounds were used for incident resolution.
3. Perform recovery actions, if required.
4. Document incident resolution and assess if the resolution can be used as a future knowledge source.

DSS02.06 Close service requests and incidents

Verify satisfactory incident resolution and/or request fulfilment, and close.

Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented.

1. Verify with the affected users (if agreed on) that the service request has been satisfactorily fulfilled or the incident has been satisfactorily resolved.
2. Close service requests and incidents.

DSS02.07 Track status and produce reports

Regularly track, analyse and report incident and request fulfilment trends to provide information for continual improvement.

Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented.

1. Monitor and track incident escalations and resolutions and request handling procedures to progress towards resolution or completion.
2. Identify information stakeholders and their needs for data or reports. Identify reporting frequency and medium.
3. Analyse incidents and service requests by category and type to establish trends and identify patterns of recurring issues, SLA breaches or inefficiencies. Use the information as input to continual improvement planning.
4. Produce and distribute timely reports or provide controlled access to online data.

B-3.6d Agree on the process work products[9] (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.

Process DSS02 Manage Incidents and Service Requests inputs and outputs. The most relevant (and not assessed as Information items in scope in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.

Criteria: All listed work products should demonstrably exist and be used.

Process Practice | Work Products | Assessment Step

<Process or Practice Name>: List work products not included in the information items section. Apply appropriate audit techniques to determine the existence and appropriate use of each work product.

B-3.7d Agree on the process capability level to be achieved by the process. This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes, for which no reference practices, work products or outcomes are approved, cannot use this assessment method; therefore, the concept of capability level does not apply.

DSS04 Manage Continuity

B-3.1e Understand the Process context. Organisational functions and IT should be resilient with regard to cybersecurity.

B-3.2e Understand the Process purpose. Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption.

B-3.3e Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process in COBIT 5: Enabling Processes page 186. Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step, the translation is made between the theoretical RACI chart entry and the real enterprise.

The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following function(s), which therefore will need to be involved during the assurance engagement:

DSS04 Manage Continuity stakeholders:

B-3.4e Understand the Process goals and related metrics[10] and define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process. The Process DSS04 Manage Continuity has 5 defined process goals. The following activities can be performed to assess whether the goals are achieved.

Process Goal | Related Metrics | Criteria/Expected Value | Assessment Step

Business-critical information is available to the business in line with minimum required service levels.

Percent of IT services meeting uptime requirements

Percent of successful and timely restoration from backup or alternate media copies

Percent of backup media transferred and stored securely

Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.

In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

[9] For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.

Sufficient resilience is in place for critical services.

Number of critical business systems not covered by the plan

Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.

In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Service continuity tests have verified the effectiveness of the plan.

Number of exercises and tests that have achieved recovery objectives

Frequency of tests

Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.

In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

An up-to-date continuity plan reflects current business requirements.

Percent of agreed-on improvements to the plan that have been reflected in the plan

Percent of issues identified that have been subsequently addressed in the plan

Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.

In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Internal and external parties have been trained in the continuity plan.

Percent of internal and external stakeholders that have received training

Percent of issues identified that have been subsequently addressed in the training materials

Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.

In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

[10] For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.

B-3.5e Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)

Agree on the process practices that should be in place (process design). Assess the process design, i.e., assess to what extent:
- Expected process practices are applied.
- Accountability and responsibility are assigned and assumed.

COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities. These are:
- A sound process design
- The reference against which the process will be assessed in phase B with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.

Reference Process: DSS04 Manage Continuity
Criteria: Control activities to manage continuity are properly implemented.

Reference Process Practices | Good Practice | Assessment Step

DSS04.01 Define the business continuity policy, objectives and scope
Description: Define business continuity policy and scope aligned with enterprise and stakeholder objectives.
Good practice: The continuity and resilience objectives and scope have been adequately defined and implemented.
Assessment steps:
- Obtain and review the cybersecurity resilience or business continuity objectives as stated by the enterprise.
- Obtain and review the cybersecurity resilience scope as stated by the enterprise.
- Determine whether the enterprise's cybersecurity resilience scope and objectives are aligned with good practice and that there are no significant gaps.
- Confirm that the cybersecurity resilience scope and objectives cover the European recommendations on resilience, particularly if part of the enterprise's activities is or is related to a critical infrastructure.

DSS04.02 Maintain a continuity strategy
Description: Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption.
Good practice: Cybersecurity resilience strategy
Assessment steps:
- Obtain and review the cybersecurity resilience or business continuity strategy.
- Determine whether the resilience or business continuity strategic options adequately cover cybersecurity needs and requirements.

DSS04.03 Develop and implement a business continuity response
Description: Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities.
Good practice: Continuity and recovery planning and response
Assessment steps:
- Verify that all strategic objectives and provisions have been fully implemented as continuity / resilience plans and related solutions.
- Obtain and review samples of cybersecurity-related resilience or continuity plans and related solutions.

DSS04.04 Exercise, test and review the BCP
Description: Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated.
Good practice: Cybersecurity testing and exercising
Assessment steps:
- Obtain and review the enterprise's cybersecurity testing and exercising strategy.
- Obtain and review the enterprise's cybersecurity test and exercise plan.
- Determine whether the testing and exercising regime is sufficiently comprehensive to cover the needs and requirements of cybersecurity.
- Determine whether the testing and exercise regime is adequate in terms of the enterprise's cybersecurity process capability levels (maturity levels).
- Obtain and review samples of test and exercise documentation and reports.

DSS04.05 Review, maintain and improve the continuity plan
Description: Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements.
Activities:
- Review the continuity plan and capability on a regular basis against any assumptions made and current business operational and strategic objectives.
- Consider whether a revised business impact assessment may be required, depending on the nature of the change.
- Recommend and communicate changes in policy, plans, procedures, infrastructure, and roles and responsibilities for management approval and processing via the change management process.
- Review the continuity plan on a regular basis to consider the impact of new or major changes to: enterprise, business processes, outsourcing arrangements, technologies, infrastructure, operating systems and application systems.

DSS04.06 Conduct continuity plan training
Description: Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption.
Good practice: Cybersecurity resilience training
Assessment steps:
- Obtain and review any relevant training and education materials used by the enterprise.
- Determine whether training contents, frequency and operational success are adequate.

DSS04.07 Manage backup arrangements
Description: Maintain availability of business-critical information.
Activities:
- Backup systems, applications, data and documentation according to a defined schedule, considering:
  o Frequency (monthly, weekly, daily, etc.)
  o Mode of backup (e.g., disk mirroring for real-time backups vs. DVD-ROM for long-term retention)
  o Type of backup (e.g., full vs. incremental)
  o Type of media
  o Automated online backups
  o Data types (e.g., voice, optical)
  o Creation of logs
  o Critical end-user computing data (e.g., spreadsheets)
  o Physical and logical location of data sources
  o Security and access rights
  o Encryption
- Ensure that systems, applications, data and documentation maintained or processed by third parties are adequately backed up or otherwise secured. Consider requiring return of backups from third parties. Consider escrow or deposit arrangements.
- Define requirements for on-site and off-site storage of backup data that meet the business requirements. Consider the accessibility required to back up data.
- Roll out BCP awareness and training.
- Periodically test and refresh archived and backup data.
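As an added worked example for the DSS04.07 backup activities (example code written for this edit, not part of the ISACA programme or of COBIT 5): a Python script that re-verifies a backup manifest against the stored backup objects (integrity), checks the encryption and off-site flags (security of media and storage location), and tests the age of the newest backup per system against a schedule policy (frequency). The manifest layout, the policy table, the assessment date and every sample entry are constructed assumptions; an engagement would read the enterprise's own backup catalogue instead.

```python
"""Backup manifest verification: added example, not ISACA's or COBIT's code.

Assumed inputs (all constructed here): a backup manifest listing each backup
object with its SHA-256, creation time, encryption and off-site flags, the
backup objects themselves, and a schedule policy with the maximum age of the
newest backup per system.
"""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed payloads standing in for the real backup files.
BACKUP_STORE = {
    "erp-db-full-20140301.dump": b"erp full dump 2014-03-01",
    "erp-db-incr-20140303.dump": b"erp incremental 2014-03-03",
    "mail-full-20140222.tar": b"mail archive 2014-02-22",
    "fileshare-full-20140302.tar": b"fileshare 2014-03-02",
}

# Constructed manifest, one entry per backup object. The "mail" entry carries a
# hash that no longer matches its payload (a corrupt or tampered copy).
MANIFEST = [
    {"system": "erp-db", "object": "erp-db-full-20140301.dump",
     "sha256": sha256_hex(BACKUP_STORE["erp-db-full-20140301.dump"]),
     "created": "2014-03-01T02:00:00Z", "encrypted": True, "offsite": True},
    {"system": "erp-db", "object": "erp-db-incr-20140303.dump",
     "sha256": sha256_hex(BACKUP_STORE["erp-db-incr-20140303.dump"]),
     "created": "2014-03-03T02:00:00Z", "encrypted": True, "offsite": False},
    {"system": "mail", "object": "mail-full-20140222.tar",
     "sha256": sha256_hex(b"different content"),
     "created": "2014-02-22T03:00:00Z", "encrypted": False, "offsite": True},
    {"system": "fileshare", "object": "fileshare-full-20140302.tar",
     "sha256": sha256_hex(BACKUP_STORE["fileshare-full-20140302.tar"]),
     "created": "2014-03-02T01:00:00Z", "encrypted": True, "offsite": True},
]

# Constructed policy: maximum age in days of the newest backup per system.
# Every backup is additionally expected to be encrypted and held off-site.
POLICY = {"erp-db": 1, "mail": 7, "fileshare": 7}

# Constructed assessment date used when the script is run stand-alone.
NOW = datetime(2014, 3, 4, tzinfo=timezone.utc)


def check_backups(manifest, store, policy, now):
    """Return {system: [finding, ...]}; an empty list means the system passed."""
    findings = {}
    newest = {}
    for entry in manifest:
        problems = findings.setdefault(entry["system"], [])
        data = store.get(entry["object"])
        if data is None:
            problems.append(f"{entry['object']}: backup object missing")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"{entry['object']}: SHA-256 mismatch (corrupt or tampered)")
        if not entry["encrypted"]:
            problems.append(f"{entry['object']}: not encrypted")
        if not entry["offsite"]:
            problems.append(f"{entry['object']}: no off-site copy")
        created = datetime.strptime(entry["created"], "%Y-%m-%dT%H:%M:%SZ")
        created = created.replace(tzinfo=timezone.utc)
        if entry["system"] not in newest or created > newest[entry["system"]]:
            newest[entry["system"]] = created
    # Freshness is judged per system against the schedule policy.
    for system, max_age in policy.items():
        problems = findings.setdefault(system, [])
        if system not in newest:
            problems.append("no backup recorded")
        elif now - newest[system] > timedelta(days=max_age):
            problems.append(f"newest backup is older than {max_age} day(s)")
    return findings


def percent_compliant(findings):
    """Share of systems without any finding, as a percentage rounded to 0.1."""
    if not findings:
        return 0.0
    ok = sum(1 for problems in findings.values() if not problems)
    return round(100.0 * ok / len(findings), 1)


if __name__ == "__main__":
    result = check_backups(MANIFEST, BACKUP_STORE, POLICY, NOW)
    for system, problems in result.items():
        print(system, "OK" if not problems else problems)
    print("systems compliant:", percent_compliant(result), "%")
```

The integrity check is the part that turns "periodically test and refresh archived and backup data" into evidence: a manifest hash that no longer matches the stored object means the copy cannot be relied on for restoration, whatever the backup job reported at the time.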

DSS04.08 Conduct post-resumption review
Description: Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption.
Good practice: Post-resumption reviews
Assessment steps:
- Verify that for all invocations of resilience plans and measures, post-resumption reviews have been performed by the enterprise.
- Obtain and review samples of post-resumption review documents.

B-3.6e Agree on the process work products[11] (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available. Process DSS04 Manage Continuity inputs and outputs: the most relevant of these work products (those not already assessed as Information items in scope in section A-3.5) are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.

Criteria: All listed work products should demonstrably exist and be used.

Process Practice | Work Products | Assessment Step
<Process or Practice Name> | List work products not included in the information items section. | Apply appropriate audit techniques to determine the existence and appropriate use of each work product.

B-3.7e Agree on the process capability level to be achieved by the process. This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes, for which no reference practices, work products or outcomes are approved, cannot use this assessment method; therefore, the concept of a capability level does not apply.

DSS05 Manage Security Services

B-3.1f Understand the Process context. Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.

B-3.2f Understand the Process purpose. Minimise the business impact of operational information security vulnerabilities and incidents.

B-3.3f Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process. Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step, the translation is made between the theoretical RACI chart entry and the real enterprise.

The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following function(s), which therefore will need to be involved during the assurance engagement:

DSS05 Manage Security Services stakeholders:

B-3.4f Understand the Process goals and related metrics[12] and define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process. The Process DSS05 Manage Security Services has 5 defined process goals. The following activities can be performed to assess whether the goals are achieved.

Process Goal | Related Metrics | Criteria/Expected Value | Assessment Step

Goal 1: Networks and communications security meet business needs.
Related metrics:
- Number of vulnerabilities discovered
- Number of firewall breaches
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Goal 2: Information processed on, stored on and transmitted by endpoint devices is protected.
Related metrics:
- Percent of individuals receiving awareness training relating to use of endpoint devices
- Number of incidents involving endpoint devices
- Number of unauthorised devices detected on the network or in the end-user environment
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Goal 3: All users are uniquely identifiable and have access rights in accordance with their business role.
Related metrics:
- Average time between change and update of accounts
- Number of accounts (vs. number of authorised users/staff)
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Goal 4: Physical measures have been implemented to protect information from unauthorised access, damage and interference when being processed, stored or transmitted.
Related metrics:
- Percent of periodic tests of environmental security devices
- Average rating for physical security assessments
- Number of physical security-related incidents
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Goal 5: Electronic information is properly secured when stored, transmitted or destroyed.
Related metrics:
- Number of incidents relating to unauthorised access to information
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

[11] For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.
[12] For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.

B-3.5f Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)

Agree on the process practices that should be in place (process design). Assess the process design, i.e., assess to what extent:
- Expected process practices are applied.
- Accountability and responsibility are assigned and assumed.

COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities. These are:
- A sound process design
- The reference against which the process will be assessed in phase B with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.

Reference Process: DSS05 Manage Security Services
Criteria: Control activities to manage security services are properly implemented.

Reference Process Practices | Good Practice | Assessment Step

Good practice: All relevant cybersecurity services have been implemented and are performed in a controlled and adequate manner.

DSS05.01 Protect against malware
Description: Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
Good practice: The enterprise's IT environment is adequately protected against malware.
Assessment steps:
- Obtain and review the methods, tools and processes that the enterprise operates to protect against malware.
- Verify that malware protection tools and solutions are up to date and continuously maintained.
- Verify that any previous malware infections were analysed and used as key learnings for organisational improvement.
- Verify that the enterprise uses local (owned and operated) as well as third-party malware protection mechanisms to achieve independent protection.
- Verify that the enterprise is performing the following practices:
  o Malware protection is integrated with central software distribution and change management, and local deployment is enforced
  o Malware advisories are read, implemented and verified
  o Incidental (user, mail) traffic is filtered against malware
  o Experts and end users are trained and informed about malware on a regular basis

Cybersecurity testing
Good practice: Cybersecurity arrangements are tested at regular intervals and using adequate methods and techniques.
Assessment steps:
- Obtain and review the testing arrangements and objectives as stated by the enterprise.
- Verify that external penetration testing (black and white box) is performed at regular intervals.
- Verify that internal penetration testing (black and white box) is performed at regular intervals, including simulated collusion and sleeper attacks.
- Determine whether the enterprise is using (or planning on using) social attack techniques including impersonation, social engineering etc.
- Verify that in testing, the enterprise adheres to European laws and regulations that represent constraints on test scope and methods. Consult appropriate legal assistance where appropriate.

DSS05.02 Manage network and connectivity security
Description: Use security measures and related management procedures to protect information over all methods of connectivity.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented.
Activities:
1. Based on risk assessments and business requirements, establish and maintain a policy for security of connectivity.
2. Allow only authorised devices to have access to corporate information and the enterprise network. Configure these devices to force password entry.
3. Implement network filtering mechanisms, such as firewalls and intrusion detection software, with appropriate policies to control inbound and outbound traffic.
4. Encrypt information in transit according to its classification.
5. Apply approved security protocols to network connectivity.
6. Configure network equipment in a secure manner.
7. Establish trusted mechanisms to support the secure transmission and receipt of information.
8. Carry out periodic penetration testing to determine adequacy of network protection.
9. Carry out periodic testing of system security to determine adequacy of system protection.

DSS05.03 Manage endpoint security
Description: Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted.
Good practice:
- Sensitive information outputs and related devices are protected against attacks and breaches.
- Information processed on, stored on and transmitted by endpoint devices is protected.
Assessment steps:
- Verify that the enterprise has a complete inventory of connected endpoints, including BYOD.
- Obtain and review methods, techniques, tools and solutions that the enterprise uses to control and manage endpoint devices.
- Verify that endpoint vendor, software and app / service advisories are read, internalised and implemented on a regular basis.
- Verify that adequate protection exists against:
  o Proximity attacks, e.g. NFC, Bluetooth, WLAN
  o Lower level, operating system attacks (SIM, text-based service commands etc.)
  o Physical duplication of media
  o Physical tampering or modification
  o Theft or destruction
  o Known app or mobile opsys issues and remediation latency
  o Low level mass attacks, e.g. hardware-based disabling of whole classes of devices
- Determine whether the enterprise performs endpoint hardening to the desired level of protection and in line with cybersecurity needs and requirements.
- Determine whether the enterprise utilises specialised / hardened endpoints for exposed use cases or high-risk users.
- Determine whether the enterprise has implemented end-to-end encryption (data at rest, data in flow) for endpoint devices.
- Determine whether the enterprise has identified sensitive outputs in line with the data / information classification.
- Obtain and review the enterprise's protective arrangements for sensitive outputs and devices, including:
  o Protection of printed output against casual photography
  o Perimeter countermeasures against the Van Eck attack vector (screen output)
  o Network-attached printer vulnerabilities (operating system and printer firmware levels) including redirect attacks
  o Control, wiping and purging of autonomous output device cache memory, e.g. transient sensitive document images (temp files) in the printer queue
  o Inventory, control and containment of popular virtual output devices (such as PDF generators) with known issues and side channel risk

DSS05.04 Manage user identity and logical access
Description: Ensure that all users have information access rights in accordance with their business requirements and co-ordinate with business units that manage their own access rights within business processes.
Good practice:
- User identities are managed in line with cybersecurity needs and requirements.
- Logical access is restricted to afford the desired level of protection against attacks and breaches. Asymmetric or unconventional attacks are prevented or contained.
- All users are uniquely identifiable and have access rights in accordance with their business role.
Assessment steps:
- Obtain and review the identity and logical access arrangements for critical information assets.
- Verify that cybersecurity requirements, parameters and criteria are incorporated in the overall identity and access management process.
- Verify that the principles of "least privilege" and "need to know" have been implemented and are enforced.
- Determine whether the enterprise extends its identity and logical access management regime to third parties with access to critical information assets.
- Obtain and review social control and verification mechanisms that the enterprise has established (e.g. verifying identities, telephone behaviour etc.).
- Verify that logging and monitoring of logical access events and attempts is sufficiently comprehensive to meet the needs and requirements of cybersecurity.
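As an added worked example for the DSS05.04 assessment steps and the B-3.4f identity metrics (example code written for this edit, not ISACA's or COBIT's own material): a Python reconciliation of a directory account export against an HR roster and a least-privilege entitlement model. It produces the findings an auditor would otherwise sample by hand (accounts with no valid owner, leavers still enabled, group memberships beyond what the owner's role allows) and computes "Number of accounts (vs. number of authorised users/staff)" together with the average lag between an HR leave date and the account being disabled. The roster, accounts, roles and group names are all constructed.

```python
"""Identity and logical-access reconciliation: added example, not ISACA's
or COBIT's code. All inputs below are constructed; an engagement would use
the enterprise's HR export, directory export and approved role model.
"""
from datetime import date

# Constructed HR roster: person id -> business role, status, leave date.
HR_ROSTER = {
    "P001": {"role": "finance-clerk", "status": "active", "left_on": None},
    "P002": {"role": "sysadmin", "status": "active", "left_on": None},
    "P003": {"role": "finance-clerk", "status": "left", "left_on": date(2014, 2, 10)},
    "P004": {"role": "contractor-dev", "status": "active", "left_on": None},
}

# Constructed least-privilege model: the groups each role may hold.
ROLE_ENTITLEMENTS = {
    "finance-clerk": {"erp-users", "vpn"},
    "sysadmin": {"erp-users", "vpn", "domain-admins"},
    "contractor-dev": {"dev-git"},
}

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"account": "jdoe", "owner": "P001", "enabled": True,
     "groups": {"erp-users", "vpn"}, "changed_on": date(2014, 1, 5)},
    {"account": "asmith", "owner": "P002", "enabled": True,
     "groups": {"erp-users", "vpn", "domain-admins"}, "changed_on": date(2014, 1, 5)},
    {"account": "bjones", "owner": "P003", "enabled": False,
     "groups": {"erp-users"}, "changed_on": date(2014, 2, 24)},
    {"account": "cdev", "owner": "P004", "enabled": True,
     "groups": {"dev-git", "domain-admins"}, "changed_on": date(2014, 2, 1)},
    # Service account with no named owner: unowned accounts are a finding.
    {"account": "svc-backup", "owner": None, "enabled": True,
     "groups": {"backup-operators"}, "changed_on": date(2013, 6, 1)},
    # Owner id that no longer exists in HR.
    {"account": "temp-old", "owner": "P999", "enabled": True,
     "groups": {"vpn"}, "changed_on": date(2013, 9, 9)},
]


def _owner_of(acct, roster):
    return roster.get(acct["owner"]) if acct["owner"] else None


def reconcile(accounts, roster, entitlements):
    """Return orphaned accounts, enabled leaver accounts and excess privileges."""
    findings = {"orphaned": [], "leaver_still_enabled": [], "excess_privilege": {}}
    for acct in accounts:
        owner = _owner_of(acct, roster)
        if owner is None:
            findings["orphaned"].append(acct["account"])
            continue
        if owner["status"] == "left" and acct["enabled"]:
            findings["leaver_still_enabled"].append(acct["account"])
        # Least privilege: any group outside the role's entitlement is excess.
        extra = acct["groups"] - entitlements.get(owner["role"], set())
        if extra:
            findings["excess_privilege"][acct["account"]] = sorted(extra)
    return findings


def account_metrics(accounts, roster):
    """B-3.4f style metrics: enabled accounts vs authorised users, and the
    average number of days between an HR leave date and account disablement."""
    authorised = sum(1 for p in roster.values() if p["status"] == "active")
    enabled = sum(1 for a in accounts if a["enabled"])
    lags = []
    for a in accounts:
        owner = _owner_of(a, roster)
        if owner and owner["status"] == "left" and not a["enabled"] and owner["left_on"]:
            lags.append((a["changed_on"] - owner["left_on"]).days)
    avg_lag = sum(lags) / len(lags) if lags else None
    return {"enabled_accounts": enabled, "authorised_users": authorised,
            "avg_deprovision_lag_days": avg_lag}


if __name__ == "__main__":
    print(reconcile(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS))
    print(account_metrics(ACCOUNTS, HR_ROSTER))
```

Treating an unowned service account as orphaned is a deliberate choice: an account that no person is accountable for cannot be reviewed against "need to know", so the finding is that it lacks an owner, not that it should be removed.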

DSS05.05 Manage physical access to IT assets
Description: Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorised, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
Good practice:
- Building and facilities management systems (BMS / FMS) and their IT interfaces are adequately protected against attacks and breaches.
- Physical IT assets are adequately protected against loss or hijacking.
- Physical measures have been implemented to protect information from unauthorised access, damage and interference when being processed, stored or transmitted.
Assessment steps:
- Obtain and review the enterprise's inventory of critical physical IT assets.
- Verify that physical access is controlled in line with logical access, including access rights of third parties or vendors.
- Obtain and review the enterprise's inventory of known and defined interfaces between standard IT and BMS / FMS.
- Determine whether the enterprise has taken adequate steps to protect BMS / FMS, for instance through:
  o Restricting the IT to BMS / FMS interface to a limited command set
  o Restricting data transmission between BMS / FMS to simple file formats
  o Applying restrictive access and user privileges to the IT side and the BMS / FMS side of the overall system
  o Introducing a particularly conservative configuration of the BMS / FMS that errs on the side of caution and will require manual override if in doubt
  o Restricting vendor (maintenance) remote access to BMS / FMS

DSS05.06 Manage sensitive documents and output devices
Description: Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented.
Activities:
1. Establish procedures to govern the receipt, use, removal and disposal of special forms and output devices into, within and out of the enterprise.
2. Assign access privileges to sensitive documents and output devices based on the least-privilege principle, balancing risk and business requirements.
3. Establish an inventory of sensitive documents and output devices, and conduct regular reconciliations.
4. Establish appropriate physical safeguards over special forms and sensitive devices.
5. Destroy sensitive information and protect output devices (e.g., degaussing of electronic media, physical destruction of memory devices, making shredders or locked paper baskets available to destroy special forms and other confidential papers).

DSS05.07 Monitor the infrastructure for security-related events
Description: Using intrusion detection tools, monitor the infrastructure for unauthorised access and ensure that any events are integrated with general event monitoring and incident management.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented.
Activities:
1. Log security-related events reported by infrastructure security monitoring tools, identifying the level of information to be recorded based on a consideration of risk. Retain them for an appropriate period to assist in future investigations.
2. Define and communicate the nature and characteristics of potential security-related incidents so they can be easily recognised and their impacts understood to enable a commensurate response.
3. Regularly review the event logs for potential incidents.
4. Maintain a procedure for evidence collection in line with local forensic evidence rules and ensure that all staff are made aware of the requirements.
5. Ensure that security incident tickets are created in a timely manner when monitoring identifies potential security incidents.
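As an added worked example for DSS05.07 activities 2, 3 and 5 (example code written for this edit, not ISACA's or COBIT's own material): a Python review of authentication log lines that parses each event, applies three documented incident characteristics (repeated failures from one source within a window, a success from a source already flagged, and an addition to a privileged group) and emits a ticket record for each. The log format, the rules, the thresholds, the group names and every sample line are constructed assumptions standing in for the enterprise's own monitoring tool output and incident definitions.

```python
"""Security-event log review: added example, not ISACA's or COBIT's code.

Assumed input: syslog-style lines in a constructed "auth" format. The
incident characteristics (rules) and the ticket fields are illustrative
choices for the example, not a rule set prescribed by the audit programme.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines.
SAMPLE_LOG = """\
2014-03-04T08:00:01Z auth: FAILED user=jdoe src=10.0.5.23
2014-03-04T08:00:04Z auth: FAILED user=jdoe src=10.0.5.23
2014-03-04T08:00:07Z auth: FAILED user=jdoe src=10.0.5.23
2014-03-04T08:00:09Z auth: FAILED user=jdoe src=10.0.5.23
2014-03-04T08:00:12Z auth: FAILED user=jdoe src=10.0.5.23
2014-03-04T08:00:15Z auth: SUCCESS user=jdoe src=10.0.5.23
2014-03-04T08:10:00Z auth: SUCCESS user=asmith src=10.0.7.8
2014-03-04T08:12:30Z auth: GROUPCHANGE user=cdev group=domain-admins action=add by=asmith
2014-03-04T09:00:00Z auth: FAILED user=root src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<event>FAILED|SUCCESS|GROUPCHANGE) (?P<rest>.*)$")

# Constructed incident characteristics (activity 2): thresholds and the
# groups whose membership changes are always reviewed.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=5)
PRIVILEGED_GROUPS = {"domain-admins"}


def parse_line(line):
    """Parse one line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "event": m.group("event"), **fields}


def review_events(text):
    """Activity 3 and 5: review the log and return one ticket per potential incident."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    tickets = []
    failures = defaultdict(list)   # source address -> failure timestamps in window
    flagged_sources = set()
    for e in events:
        if e["event"] == "FAILED":
            window = [t for t in failures[e["src"]] if e["ts"] - t <= FAIL_WINDOW]
            window.append(e["ts"])
            failures[e["src"]] = window
            if len(window) >= FAIL_THRESHOLD and e["src"] not in flagged_sources:
                flagged_sources.add(e["src"])
                tickets.append({"severity": "medium", "rule": "repeated-auth-failure",
                                "src": e["src"], "user": e["user"], "at": e["ts"]})
        elif e["event"] == "SUCCESS" and e["src"] in flagged_sources:
            # A success right after a burst of failures is the higher-priority case.
            tickets.append({"severity": "high", "rule": "success-after-failures",
                            "src": e["src"], "user": e["user"], "at": e["ts"]})
        elif (e["event"] == "GROUPCHANGE" and e["group"] in PRIVILEGED_GROUPS
              and e["action"] == "add"):
            tickets.append({"severity": "high", "rule": "privileged-group-add",
                            "user": e["user"], "by": e["by"], "at": e["ts"]})
    return tickets


if __name__ == "__main__":
    for ticket in review_events(SAMPLE_LOG):
        print(ticket)
```

The single failure against "root" from the external address produces no ticket because it does not reach the documented threshold; whether that threshold is right is exactly the kind of parameter the assessment step should ask the enterprise to justify from its risk consideration (activity 1).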

Contract Terms and Conditions, Jurisdiction
Good practice: Contract terms with the third party clearly state levels of cybersecurity to be delivered. Contract jurisdiction is known and controlled.
Assessment steps:
- Obtain and review the contract documents as well as any terms and conditions for third-party services / applications relevant to cybersecurity.
- Determine whether the enterprise has adequately documented the level of protection, and that any exceptions are supported by a formal risk acceptance.
- Verify that contract and delivery jurisdictions provide an adequate level of predictability and reliability with regard to cybersecurity and potential litigation. Consult with legal assistance where appropriate.

Forced Cloud Utilization

Where cloud use is compulsory or enforced by third parties, adequate protection mechanisms are in place to prevent attacks or breaches

Obtain and review the enterprise’s list of cloud services and apps that are mandated by vendors or operating system distributors.

Determine whether the enterprise has taken adequate steps to mitigate the risk and threats arising from forced cloud utilization, both at the enterprise and at the end user level.

Industrial Control Systems

Industrial control systems and their IT interfaces are adequately protected against attacks and breaches.

Obtain and review the enterprise’s inventory of known and defined interfaces between standard IT and industrial control systems.

Determine whether the enterprise has taken adequate steps to protect industrial control systems, for instance through:

- Restricting access to ICS to read-only
- Restricting data transmission between ICS and standard IT to flat file formats, e.g. ASCII, CSV etc.
- Defining a restricted dataset (field mapping) to be made available by the ICS
- Applying restrictive access and no privileges when remotely accessing ICS; restricting full access to ICS to local (LAN) proximity connections
- Restricting vendor (maintenance) remote access to ICS

Critical Applications in Production

Productive critical applications are adequately protected against attacks and breaches

Obtain and review the list of applications classified as critical with regard to cybersecurity.

Obtain and review the documented cybersecurity arrangements for critical applications as stated by the enterprise.

Determine whether the enterprise has encapsulated and segregated critical applications, for instance through:

- Separation from non-critical network topology
- Separation from network segments with external network connectivity
- Dedicated / hardened server platform
- Independent or non-standard operating systems with hardened security features (e.g. specific Unix distributions)
- Virtualized (sandboxed) runtime environment for application, segregated data storage facility

Critical Application Development

Critical applications development is adequately designed to protect against attacks and breaches.

Obtain and review the list of applications for which the enterprise undertakes (or contracts) development activities.

Obtain and review the documented cybersecurity arrangements for critical application development as stated by the enterprise.

Determine whether the enterprise has implemented appropriate controls over development, for instance:

- Secure development lifecycle
- Peer-reviewed and non-proprietary coding
- Built-in monitoring and “self-healing” processes

Electronic information is properly secured when stored, transmitted or destroyed.

Number of incidents relating to unauthorized access to information

Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented.

Page 56

B-3.6f Agree on the process work products [13] (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.

Process DSS05 Manage Security Services inputs and outputs. The most relevant (and not assessed as Information items in scope in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.

Criteria: All listed work products should demonstrably exist and be used.

Process Practice Work Products Assessment Step

<Process or Practice Name>: List work products not included in the information items section. Apply appropriate audit techniques to determine the existence and appropriate use of each work product.

B-3.7f Agree on the process capability level to be achieved by the process. This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes, for which no reference practices, work products or outcomes are approved, cannot use this assessment method; therefore, the concept of capability level does not apply.

[13] For COBIT 5 processes, a set of inputs and outputs for the different management practices is identified in COBIT 5: Enabling Processes.

Page 57

Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform the Assessment Organisational Structures

Ref. Assurance Steps and Guidance Issue Cross-reference Comment

B-4 Obtain understanding of each Organisational Structure in scope and set suitable assessment criteria: For each Organisational Structure in scope (as determined in step A-3.3), additional information is collected and assessment criteria are defined. Assess the Organisational Structure.

Organisational Structure: Cybersecurity team

B-4.1a Understand the Organisational Structure context.

Identify and document all elements that can help to understand the context in which the Cybersecurity team organisation has to operate, including:
- The overall organisation
- Management/process framework
- History of the role/structure
- Contribution of the Organisational Structure to achievement of goals

B-4.2a Understand all stakeholders of the Organisational Structure/function. Determine through documentation review (policies, management communications, etc.) the key stakeholders of the Cybersecurity team organisation:
- Incumbent of the role and/or members of the Organisational Structure
- Other key stakeholders affected by the decisions of the Organisational Structure/role

B-4.3a Understand the goals of the Organisational Structure, the related metrics and agree on expected values. Understand how these goals contribute to the achievement of the enterprise goals and IT-related goals.

Organisational Structure Goal Assessment Step

Determine through interviews with key stakeholders and documentation review the goals of the Cybersecurity team, i.e., the decisions for which they are accountable [14], [15].

This step only applies if specific goals are defined. In that case, the assurance professional will use appropriate auditing techniques to:
- Identify the decisions made by the Organisational Structure.
- Assess whether decisions are appropriately documented and communicated.
- Evaluate the decisions by assessing whether:
  - They have contributed to the achievement of the IT-related and enterprise goals as anticipated.
  - Decisions are duly executed on a timely basis.

B-4.4a

Agree on the expected good practices for the Organisational Structure against which it will be assessed. Assess the Organisational Structure design, i.e., assess the extent to which expected good practices are applied.

Good Practice Criteria Assessment Step

Operating principles

Criteria:
- Operating principles are documented.
- Regular meetings take place as defined in operating principles.
- Meeting reports/minutes are available and are meaningful.

Assessment Step:
- Verify whether operating principles are appropriately documented.
- Verify that regular meetings take place as defined in the operating principles.
- Verify that meeting reports/minutes are available and are meaningful.

[14] The RACI charts in COBIT 5: Enabling Processes can be leveraged as a starting point for the expected goals of a role or Organisational Structure.

[15] The Organisational Structure/role as described may not exist under the same name in the enterprise; in that case, the closest Organisational Structure assuming the same responsibilities and accountability should be considered.

Page 58

B-4.4a (cont.)

Composition

The Organisational Structure’s composition is balanced and complete, i.e., all required stakeholders are sufficiently represented.

Cybersecurity resources are adequate.

Assess whether the Organisational Structure’s composition is balanced and complete, i.e., all required stakeholders are sufficiently represented.

Obtain and review a list of resources allocated to cybersecurity (people, technology, other).

Determine whether the general and specific level of resource allocation is sufficient to meet the needs and requirements of cybersecurity.

Assess the formal remit of resources within the cybersecurity function (RACI, span of control etc.) and its adequacy with regard to cybersecurity tasks.

Span of control

The span of control of the Organisational Structure is defined.

The span of control is adequate, i.e., the Organisational Structure has the right to make all decisions it should.

The span of control is in line with the overall enterprise governance arrangements.

Cybersecurity is considered in business continuity and resilience.

Verify whether the span of control of the Organisational Structure is defined.

Assess whether the span of control is adequate, i.e., the Organisational Structure has the right to make all decisions it should.

Verify and assess whether the span of control is in line with the overall enterprise governance arrangements.

Obtain and review the organisational interfaces between cybersecurity and business continuity management or resilience management, including crisis management.

Verify that the organisational relationship between these disciplines is fully defined and adequate in terms of cybersecurity needs and requirements.

Determine whether the relationship between incident management and the cybersecurity function has clearly assigned RACI and no inconsistencies.

Determine whether the relationship between crisis management and the cybersecurity function has clearly assigned RACI and no inconsistencies, particularly where escalation and invocation of crisis mode are concerned.

Determine whether the relationship between resilience / business continuity and the cybersecurity function has clearly assigned RACI and no inconsistencies, particularly where recovery / resumption plans and solutions are concerned.

Obtain and review the organisational interfaces between cybersecurity and general information security.

Obtain and review the organisational interfaces between cybersecurity and corporate security.

Verify that the organisational interfaces and deliverables are fully defined and adequate in terms of cybersecurity needs and requirements.

Level of authority/decision rights

Decision rights of the Organisation Structure are defined and documented.

Verify that decision rights of the Organisation Structure are defined and documented.

Verify whether decision rights of the Organisational Structure are complied with and respected.

Page 59

Decision rights of the Organisational Structure are respected and complied with (also a culture/behaviour issue).

The cybersecurity function is positioned at an appropriate organisational level.

Determine whether the cybersecurity function is adequately positioned to perform its tasks and discharge its responsibilities.

Delegation of authority

Delegation of authority is implemented in a meaningful way.

Verify whether delegation of authority is implemented in a meaningful way.

Escalation procedures

Escalation procedures are defined and applied.

Verify the existence and application of escalation procedures.

B-4.5a Understand the life cycle and agree on expected values. Assess the extent to which the Organisational Structure life cycle is managed.

Life-Cycle Element Criteria Assessment Step

Mandate

- The Organisational Structure is formally established.
- The Organisational Structure has a clear, documented and well-understood mandate.

There is a dedicated cybersecurity function with adequate resources and an appropriate remit.

Cybersecurity is clearly delineated from other organisational functions.

Verify through interviews and observations that the Organisational Structure is formally established.

Verify through interviews and observations that the Organisational Structure has a clear, documented and well understood mandate.

Obtain and review organisational charts and other relevant documentation for the cybersecurity function.

Defined interfaces exist between cybersecurity and other relevant organisational functions.

Monitoring The performance of the Organisational Structure and its members should be regularly monitored and evaluated by competent and independent assessors.

The regular evaluations should result in the required continuous improvements to the Organisational Structure, either in its composition, mandate or any other parameter.

Verify whether the performance of the Organisational Structure and its members is regularly monitored and evaluated by competent and independent assessors.

Verify whether the regular evaluations have resulted in improvements to the Organisational Structure, in its composition, mandate or any other parameter.

B-4.1 to B-4.5 Repeat steps B-4.1 through B-4.5 for all remaining Organisational structures in scope. Repeat the steps described above for the remaining Organisational structures:
- Business executives
- Service manager
- Chief information officer (CIO)
- Business process owners
- Chief information security officer (CISO)
- Chief executive officer (CEO)
- Head IT operations
- Risk function
- Privacy officer
- Compliance
- Audit

Page 60

Page 61

Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform the Assessment Culture, Ethics and Behaviour

Ref. Assurance Step and Guidance Issue Cross-reference Comment

B-5 Obtain understanding of the Culture, Ethics and Behaviour in scope. Assess Culture, Ethics and Behaviour.

Culture, Ethics and Behaviour: Integrity and Reliability

B-5.1a Understand the Culture, Ethics and Behaviour context.
- What the overall corporate Culture is like
- Understand the interconnection with other enablers in scope:
  - Identify roles and structures that could be affected by the Culture.
  - Identify processes that could be affected by Culture, Ethics and Behaviour, including any processes in scope of the review.

B-5.2a Understand the major stakeholders of the Culture, Ethics and Behaviour: Integrity and Reliability. Understand to whom the behaviour requirements will apply, i.e., understand who embodies the roles/structures expected to demonstrate the correct set of Behaviours. This is usually linked to the roles and Organisational Structures identified in scope.

B-5.3a Understand the goals for the Culture, Ethics and Behaviour, and the related metrics and agree on expected values. Assess whether the Culture, Ethics and Behaviour goals (outcomes) are achieved, i.e., assess the effectiveness of the Culture, Ethics and Behaviour. In the context of Integrity and Reliability the following Culture, Ethics and Behaviour are desired:

Culture and especially Behaviours are associated to individuals and the Organisational Structures of which they are a part; therefore, by using appropriate auditing techniques, the assurance professional will:
- Identify individuals who must comply with the Behaviours under review.
- Identify the Organisational Structures involved.
- Assess whether desired Behaviours can be observed.
- Assess whether undesirable Behaviours are absent.
- For a representative sample of individuals, perform the following assessment steps.

Desired Behaviour (Culture, Ethics and Behaviour Goal) Assessment Step

Organisational Culture: The process of deploying cybersecurity solutions is controlled and monitored in full compliance with the relevant policy and procedures.

Organisational Values and Beliefs: Values and beliefs within the organisation are realistic and appropriately reflect current cybersecurity facts and knowledge.

Obtain and review the organisation’s stated set of values that have an impact on cybersecurity.

Conduct randomised (informal) interviews to gain an understanding of commonly held beliefs and assumptions regarding cybersecurity.

Identify and informally report any inconsistencies between formal values and actual beliefs or assumptions, particularly where these inconsistencies might be “weak signals” indicating systemic weaknesses in cybersecurity.

Cybersecurity Target Culture: The organisation has defined and implemented a target culture that is conducive to cybersecurity governance, management and compliance.

Obtain the organisation’s statement (if any) and related materials on the desired cybersecurity culture.

Determine whether the organisation has adopted cybersecurity as a sufficiently important element of corporate culture.

Organisational Ethics; Code of Ethics: The organisation has established cybersecurity good practice as part of their code of ethics.

Verify that cybersecurity values and culture have been included as part of the general code of ethics, including clear and unambiguous guidance on cybercrime and other illegal acts.

Verify that any related issues (such as BYOD) have been fully incorporated into the general code of ethics and any subsidiary guidance on cybersecurity.

Page 62

B-5.3a (cont.)

Ethical Enforcement: The organisation follows up on any and all instances of cybercrime or other illegal acts.

Enquire of management whether any and all illegal acts are prosecuted, and note any exceptions.

Verify that all European provisions on cybercrime, investigation and prosecution are adhered to. Consult appropriate legal assistance where needed.

Organisational Behaviour Patterns; Desirable Behaviours: The organisation has clearly defined desirable behaviours with regard to cybersecurity.

Determine whether the organisation has formulated model / desirable behaviours in terms of cybersecurity.

Determine whether the organisation has introduced, and is living by, guiding principles in cybersecurity.

B-5.4a Understand the life cycle stages of the Culture, Ethics and Behaviour, and agree on the relevant criteria. Assess to what extent the Culture, Ethics and Behaviour life cycle is managed. (This aspect is already covered by the assessment of the good practices, hence no additional separate assurance steps are defined here.)

B-5.5a Understand good practice when dealing with Culture, Ethics and Behaviour, and agree on relevant criteria. Assess the Culture, Ethics and Behaviour design, i.e., assess to what extent expected good practices are applied.

Good Practice Criteria Assessment Step

Communication, enforcement and rules: Existence and quality of the communication

Incentives and rewards: Existence and application of appropriate rewards and incentives

Awareness: Awareness of desired Behaviours

Assessment Step (for each good practice): Apply appropriate auditing techniques to assess whether the good practice is adequately applied, i.e., assessment criteria are met.

B-5.1 to B-5.5

Repeat steps B-5.1 through B-5.5 for all remaining Culture, Ethics and Behaviour in scope. Repeat the steps described above for the remaining Culture, Ethics and Behaviour:

Personal and Professional Reliability

Page 63

Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform the Assessment Information Items

Ref. Assurance Steps and Guidance Issue Cross-reference Comment

B-6 Obtain understanding of the Information Items in scope. Assess Information Items.

Information Item: Formal Cybersecurity Policy

B-6.1a Understand the Information item context: Where and when is it used? For what purpose is it used? Understand the connection with other enablers in scope, e.g.:
- Used by which processes?
- Which Organisational Structures are involved?
- Which services/applications are involved?

B-6.2a Understand the major stakeholders of the Information item: Formal Cybersecurity Policy. Understand the stakeholders for the Information item, i.e., identify the:
- Information producer
- Information custodian
- Information consumer

Stakeholders should be at the appropriate organisational level.

B-6.3a

Understand the major quality criteria for the Information item, the related metrics and agree on expected values. Assess whether the Information item quality criteria (outcomes) are achieved, i.e., assess the effectiveness of the Information item. Leverage the COBIT 5 Information enabler model [16] focusing on the quality goals description to select the most relevant Information quality criteria for the Information item at hand. Document expectations regarding information criteria. The COBIT 5 Information enabler model identifies 15 different quality criteria—although all of them are relevant, it is nonetheless possible and recommended to focus on a subset of the most important criteria for the Information item at hand.

Mark the quality dimensions with a ‘✓’ that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.

The assurance professional will, by using appropriate auditing techniques, verify all quality criteria in scope and assess whether the criteria are met.

Quality Dimension Key Criteria Description Assessment Step

- Accuracy
- Objectivity
- Believability
- Reputation
- Relevancy
- Completeness
- Currency
- Amount of information
- Concise representation

- Consistent representation
- Interpretability
- Understandability
- Manipulation
- Availability
- Restricted access

[16] COBIT 5 framework, Appendix G, p. 81-84

Page 64

B-6.4a Understand the life cycle stages of the Information item, and agree on the relevant criteria. Assess to what extent the Information item life cycle is managed. The life cycle of any Information item is managed through several business and IT-related processes. The scope of this review already includes a review of (IT-related) processes so this aspect does not need to be duplicated here. When the Information item is internal to IT, the process review will have covered the life cycle aspects sufficiently. When the Information item also involves other stakeholders outside IT or other non-IT processes, some of the life cycle aspects need to be assessed.

Mark the life cycle stages with a ‘✓’ that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.

Life Cycle Stage Key Criteria Description Assessment Step

- Plan
- Design
- Build/acquire
- Use/operate
- Evaluate/monitor
- Update/dispose

B-6.5a Understand important attributes of the Information item and expected values. Assess the Information item design, i.e., assess the extent to which expected good practices are applied. Good practices for Information items are defined as a series of attributes for the Information item [17]. The assurance professional will, by using appropriate audit techniques, verify all attributes in scope and assess whether the attributes are adequately defined.

Mark the attributes with a ‘✓’ that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.

Attribute Key Criteria Description Assessment Step

- Physical
- Empirical
- Syntactic
- Semantic
- Pragmatic
- Social

B-6.1 to B-6.5

Repeat steps B-6.1 through B-6.5 for all remaining Information items in scope. Repeat the steps described above for the remaining Information items:
- Code of Conduct
- Third-party access policies
- Virtual architecture documentation
- Virtualization policies
- Cybersecurity technical standards
- Technical guidelines and procedures at the IT service level, including services partially or fully provided by third parties
- Technical guidelines and procedures at the IT application level
- Technical guidelines and procedures at the IT platform level, including remotely controlled and administered platforms (rental virtual servers etc.)
- Technical guidelines and procedures at the autonomous IT hardware level (including stand-alone servers and clusters, end user PC devices etc.)
- Technical guidelines and procedures for critical or particularly exposed hardware items, notably mobile devices such as smartphones or tablets
- Technical and administrative guidelines and procedures around BYOD
- Technical and administrative guidelines and procedures for industrial control systems and IT interfaces
- Technical and administrative guidelines and procedures for building and facilities management systems
- Incident management, disaster recovery and service / business continuity procedures for critical IT assets
- Guidelines and procedures concerning the identification, documentation and safeguarding of informational evidence, e.g. logs
- Virtualization controls assessment results
- Third-party access controls assessment results
- Cybersecurity attributes in data and information classification
- Evidence of cybersecurity inclusion in data and information classification

[17] COBIT 5 framework, Appendix G, p. 81-84

Page 65

Page 66

Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform the Assessment Services, Infrastructures and Applications

Ref. Assurance Steps and Guidance Issue Cross-reference Comment

B-7 Obtain understanding of the Services, Infrastructure and Applications in scope. Assess Services, Infrastructure and Applications.

Services, Infrastructure and Applications: Cybersecurity training

B-7.1a Understand the Services, Infrastructure and Applications context. Understand the organisational and technological context of this service. Refer to steps A-2.2 and A-2.3 and re-use that information to understand the significance of this Service, Infrastructure and Application.

B-7.2a Understand the major stakeholders of the Services, Infrastructure and Applications: Cybersecurity training. Understand who will be the major stakeholders of the service, i.e., the sponsor, provider and users. Stakeholders will include a number of organisational roles but could also link to Processes.

B-7.3a Understand the major goals for the Services, Infrastructure and Applications, the related metrics and agree on expected values. Assess whether the Services, Infrastructure and Applications goals (outcomes) are achieved, i.e., assess the effectiveness of the Services, Infrastructure and Applications.

Goal Criteria Assessment Step

Service description

Criteria:
- The Service is clearly described.
- Roles and responsibilities are clearly defined.
- The Service is available to all potential stakeholders.

Assessment Step:
- Verify that the Service exists and is clearly described.
- Verify that roles and responsibilities are clearly defined.
- Assess the quality of the Service description and of the Service offered.
- Verify the accessibility of the Service to all potential stakeholders.

Service level definition

Criteria: Service levels are defined for:
- Quality of the service deliverables
- Ease to request the service
- Timeliness

Assessment Step:
- Verify that the following aspects are dealt with in the Service level definitions:
  - Quality of the Service deliverables
  - Ease to request the service
  - Timeliness
- Verify to what extent Service levels are achieved.

Contribution to related enablers, IT and enterprise goals

Criteria: The Service contributes to the achievement of related enabler and IT-related and enterprise goals.

Assessment Step: Assess to what extent the Service contributes to the achievement of the related enabler goals and to the overall IT-related and enterprise goals.

B-7.4a

Understand good practice related to the Services, Infrastructure and Applications and expected values. Assess the Services, Infrastructure and Applications design, i.e., assess to what extent expected good practices are applied. Leverage the description of Services, Infrastructure and Applications in the COBIT 5 framework [18] to identify good practices related to Services, Infrastructure and Applications. In general the following practices need to be implemented:
- Buy/build decision needs to be taken.
- Use of the Service needs to be clear.

Good Practice: Sourcing (buy/build)
Criteria: A formal decision—based on a business case—needs to be taken regarding the sourcing of the Service.
Assessment Step: Verify that a formal decision—based on a business case—was taken regarding the sourcing of the Service. Verify the validity and quality of the business case. Verify that the sourcing decision has been duly executed.

[18] COBIT 5 framework, appendix G, p. 85-86


Good Practice: Use
Criteria: The use of the Service needs to be clear:
- When it needs to be used and by whom
- The required compliance levels with the Service’s output
Assessment Step: Verify that the use of the Service is clear, i.e., it is known when and by whom the service needs to be used. Verify that actual use is in line with the requirement above. Verify that the actual Service output is adequately used. Verify that Service levels are monitored and achieved.

B-7.1 to B-7.4 Repeat steps B-7.1 through B-7.4 for all remaining Services, Infrastructure and Applications in scope. Repeat the steps described above for the remaining Services, Infrastructure and Applications:
- Change management
- Human resources
- Help desk
- Incident tracking system


People, Skills and Competencies

Ref. Assurance Steps and Guidance Issue Cross-reference Comment

B-8 Obtain understanding of the People, Skills and Competencies in scope. Assess People, Skills and Competencies.

People, Skill and Competency: Cybersecurity Personnel Skills

B-8.1a Understand the People, Skills and Competencies context. Understand the context of the Skill/Competency, i.e.:
- Where and when is it used?
- For what purpose is it used?
Understand the connection with other enablers in scope, e.g.:
- In which roles and structures is the Skill/Competency used? (See also B-4.1.)
- Which behaviours are associated with the Skill/Competency?

B-8.2a Understand the major stakeholders for the People, Skills and Competencies: Cybersecurity Personnel Skills. Identify to whom in the organisation the skill requirement applies.

B-8.3a Understand the major goals for the People, Skills and Competencies, the related metrics and agree on expected values. Assess whether the People, Skills and Competencies goals (outcomes) are achieved, i.e., assess the effectiveness of the People, Skills and Competencies.

For the People, Skills and Competencies: Cybersecurity Personnel Skills, the following goals and associated criteria can be addressed.

Goal: Experience
Criteria: All cybersecurity personnel possess the necessary experience to meet the needs and requirements of cybersecurity. Skills and experience requirements for new hires or side entries are aligned with the organisation’s cybersecurity needs and requirements.
Assessment Step: Determine whether the organisation has defined and documented minimum skills and experience requirements, for instance in job descriptions or job offers. Verify that these minimum requirements are in line with good practice and the cybersecurity needs and requirements of the organisation.

Goal: Education and Qualification
Criteria: The enterprise enables, operates and encourages adequate training, education and awareness measures for all employees and relevant third parties. Specifically, employees or third parties with cybersecurity tasks and responsibilities are subject to compulsory training and awareness.
Assessment Step: The organisation offers, and mandates, the appropriate level of cybersecurity training to cybersecurity practitioners as well as end users. The organisation is fully aware and informed about independent cybersecurity educational opportunities. The organisation encourages, and mandates, the appropriate level of education to cybersecurity practitioners and end users.

Goal: Knowledge
Criteria: The enterprise enables, operates and encourages adequate awareness measures for all employees and relevant third parties. Specifically, employees or third parties with cybersecurity tasks and responsibilities are subject to compulsory awareness.
Assessment Step: The organisation creates and maintains an adequate level of cybersecurity awareness among all employees, and specifically high-risk users.

Goal: Technical skills
Criteria: All cybersecurity personnel are adequately skilled and supported in acquiring the requisite skills to perform their tasks.
Assessment Step: Obtain and review sample professional skill sets for employees with cybersecurity tasks. Obtain and review lists of individual training needs and training requests.

Goal: Behavioural skills
Criteria: All personnel with cybersecurity tasks and responsibilities meet the required standard of personal and professional integrity.
Assessment Step: Determine whether the organisation performs appropriate background checks when hiring cybersecurity personnel. Verify that background checking is conformant with laws and regulations. Consult legal assistance where appropriate.

Goal: Number of people with appropriate skill level
Criteria: All personnel with cybersecurity tasks and responsibilities are personally and professionally reliable, and able to continue their job.
Assessment Step: Determine whether the organisation performs repeated and frequent background checks on employees with tasks and responsibilities in cybersecurity. Verify that background checking is conformant with European laws and regulations. Consult legal assistance where appropriate. Verify that employees have given explicit consent to having their backgrounds checked.

B-8.4a Understand the life cycle stages of the People, Skills and Competencies, and agree the relevant criteria. Assess to what extent the People, Skills and Competencies life cycle is managed. For the People, Skills and Competencies at hand, the life cycle phases and associated criteria can be expressed as a function of the process APO07.

For the People, Skills and Competencies at hand the assurance professional will perform the following assessment steps.

Life Cycle Element: Plan
Criteria: Practice APO07.03, activity 1 (Define the required and currently available skills and competencies of internal and external resources to achieve enterprise, IT and process goals.) is implemented in relation to this skill.
Assessment Step: Assess whether practice APO07.03 activity 1 is implemented in relation to this skill.

Life Cycle Element: Design
Criteria: Practice APO07.03 activity 2 (Provide formal career planning and professional development to encourage competency development, opportunities for personal advancement and reduced dependence on key individuals.) is implemented in relation to this skill. Practice APO07.03 activity 3 (Provide access to knowledge repositories to support the development of skills and competencies.) is implemented in relation to this skill.
Assessment Step: Assess whether practice APO07.03 activity 2 is implemented in relation to this skill. Assess whether practice APO07.03 activity 3 is implemented in relation to this skill.

Life Cycle Element: Build
Criteria: Practice APO07.03 activity 4 (Identify gaps between required and available skills and develop action plans to address them on an individual and collective basis, such as training [technical and behavioural skills], recruitment, redeployment and changed sourcing strategies.) is implemented in relation to this skill.
Assessment Step: Assess whether practice APO07.03 activity 4 is implemented in relation to this skill.

Life Cycle Element: Operate
Criteria: Practice APO07.03 activity 5 (Develop and deliver training programmes based on organisational and process requirements, including requirements for enterprise knowledge, internal control, ethical conduct and security.) is implemented in relation to this skill.
Assessment Step: Assess whether practice APO07.03 activity 5 is implemented in relation to this skill.

Life Cycle Element: Evaluate
Criteria: Practice APO07.03 activity 6 (Conduct regular reviews to assess the evolution of the skills and competencies of the internal and external resources. Review succession planning.) is implemented in relation to this skill.
Assessment Step: Assess whether practice APO07.03 activity 6 is implemented in relation to this skill.

Life Cycle Element: Update/dispose
Criteria: Practice APO07.03 activity 7 (Review training materials and programmes on a regular basis to ensure adequacy with respect to changing enterprise requirements and their impact on necessary knowledge, skills and abilities.) is implemented in relation to this skill.
Assessment Step: Assess whether practice APO07.03 activity 7 is implemented in relation to this skill.

B-8.5a Understand good practice related to the People, Skills and Competencies and expected values. Assess the People, Skills and Competencies design, i.e., assess to what extent expected good practices are applied.

Good Practice: Skill set and Competencies are defined.
Assessment Step: Determine that an inventory of Skills and Competencies is maintained by organisational unit, job function and individual. Evaluate the relevance and the contribution of the Skills and Competencies to the achievement of the goals of the Organisational Structure and, by consequence, of IT-related goals and enterprise goals. Evaluate the gap analysis between the necessary portfolio of Skills and Competencies and the current inventory of skills and capabilities.

Good Practice: Skill levels are defined.
Assessment Step: Assess the flexibility and performance of Skills development in addressing identified gaps between necessary and current Skill levels. Assess the process for 360-degree performance evaluations.

B-8.1 to B-8.5 Repeat steps B-8.1 through B-8.5 for all remaining People, Skills and Competencies in scope. Repeat the steps described above for the remaining People, Skills and Competencies:
- Enterprisewide Cybersecurity Awareness


Phase C—Communicate the Results of the Assessment

Ref. Assurance Step Guidance

C-1 Document exceptions and gaps.

C-1.1 Understand and document weaknesses and their impact on the achievement of process goals.
• Illustrate the impact of enabler failures or weaknesses with numbers and scenarios of errors, inefficiencies and misuse.
• Clarify vulnerabilities, threats and missed opportunities that are likely to occur if enablers do not perform effectively.

C-1.2 Understand and document weaknesses and their impact on enterprise goals.
• Illustrate what the weaknesses would affect (e.g., business goals and objectives, enterprise architecture elements, capabilities, resources). Relate the impact of not achieving the enabler goals to actual cases in the same industry and leverage industry benchmarks.
• Document the impact of actual enabler weaknesses in terms of bottom-line impact, integrity of financial reporting, hours lost in staff time, loss of sales, ability to manage and react to the market, customer and shareholder requirements, etc.
• Point out the consequence of non-compliance with regulatory requirements and contractual agreements.
• Measure the actual impact of disruptions and outages on business processes and objectives, and on customers (e.g., number, effort, downtime, customer satisfaction, cost).

C-2 Communicate the work performed and findings.

C-2.1 Communicate the work performed. Communicate regularly to the stakeholders identified in A-1 on progress of the work performed.

C-2.2 Communicate preliminary findings to the assurance engagement stakeholders defined in A-1.
• Document the impact (i.e., customer and financial impact) of errors that could have been caught by effective enablers.
• Measure and document the impact of rework (e.g., ratio of rework to normal work) as an efficiency measure affected by enabler weaknesses.
• Measure the actual business benefits and illustrate cost savings of effective enablers after the fact.
• Use benchmarking and survey results to compare the enterprise’s performance with others.
• Use extensive graphics to illustrate the issues.
• Inform the person responsible for the assurance activity about the preliminary findings and verify his/her correct understanding of those findings.

C-2.3 Deliver a report (aligned with the terms of reference, scope and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.


Appendix A. Other ISACA Sources

The Business Model for Information Security

COBIT 5

COBIT 5: Enabling Processes

COBIT 5 for Assurance

COBIT 5 for Information Security

COBIT 5 for Risk

Responding to Targeted Cyberattacks

Securing Mobile Devices Using COBIT 5

Transforming Cybersecurity Using COBIT 5
