8/10/2019 European Cybersecurity Audit Assurance Program Res Eng 0914 http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914 1/105

Upload: tunj-psalams

Post on 02-Jun-2018

256 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: European Cybersecurity Audit Assurance Program Res Eng 0914

8/10/2019 European Cybersecurity Audit Assurance Program Res Eng 0914

http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914 1/105

Page 2: European Cybersecurity Audit Assurance Program Res Eng 0914

8/10/2019 European Cybersecurity Audit Assurance Program Res Eng 0914

http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914 2/105

European Cybersecurity Audit/Assurance Program

About ISACA®

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

Disclaimer

ISACA has designed and created the European Cybersecurity Audit/Assurance Program white paper (the "Work") primarily as an educational resource for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights: © 2014 ISACA. All rights reserved.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide feedback: www.isaca.org/EU-cyber-implementation
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-469-8

© ISACA 2014 All rights reserved   2


Introduction

Overview

ISACA developed the IT Assurance Framework (ITAF) as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory and that are the guiding principles under which the IS audit and assurance profession operates. The guidelines provide information and direction for the practice of IS audit and assurance.

Purpose

The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned assurance programs to be developed for use by IS audit and assurance practitioners. This assurance program is intended to be used by IS audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF standard 2006 Proficiency.

Control Framework

The audit/assurance programs have been developed in alignment with the ISACA COBIT 5 framework, using generally applicable and accepted good practices. The generic assurance program is presented in COBIT 5 for Assurance and ensures integration of all seven enablers in the assurance approach.

Governance, Risk and Control of IT

Governance, risk and control of IT are critical in the performance of an assurance management process. Governance of the process under review is evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues are evaluated in the assurance program. Enablers are the primary evaluation point in the process. The assurance program identifies the enablers and the steps to determine their design and operating effectiveness.

Responsibilities of IS Audit and Assurance Professionals

IS audit and assurance professionals are expected to customize the ‘IT Audit/Assurance Program for European Cybersecurity’ for the environment in which they are performing the assurance engagement. This document is to be used as a review tool and starting point and may be modified by the IS audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IS audit and assurance professional has the necessary subject matter expertise that is required to conduct the work (see following paragraph) and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.

Minimum Audit Skills

Cybersecurity incorporates many IT processes. Because the focus is on information governance, IT management, network, data, contingency and encryption controls, the audit and assurance professional should have requisite knowledge of these issues. In addition, proficiency in risk assessment, information security components of IT architecture, risk management, and the threats and vulnerabilities of cloud computing and Internet-based data processing is required. Therefore, it is recommended that the audit and assurance professional who is conducting the assessment has the requisite experience and organisational relationships to effectively execute the assurance processes.

Assurance Program Approach

The assurance program table is a template for a detailed assurance work program, which is based on COBIT 5.

The assurance work program structures an assurance engagement into three major phases, as depicted in figure 1.

Figure 1—Generic COBIT 5-based Assurance Engagement Approach¹

1 See www.isaca.org/COBIT/Pages/Assurance-product-page.aspx for more information on COBIT 5 for Assurance.


In addition, while audit/assurance programs will be available for each process, in practice, a group of processes are often selected for audit. Therefore, a relevant set of audit/assurance programs of the applicable processes will need to be selected for conducting assurance. The assurance approach depicted in figure 1 is described in more detail and developed into a generic audit/assurance program, including guidance on how to proceed during each step, in section 2B of COBIT 5 for Assurance.

The European Cybersecurity Audit/Assurance Program is:

Fully aligned with COBIT 5:
- It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers.
- It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives to enterprise and IT risk and benefits.

Comprehensive yet flexible:
- The generic program is comprehensive because it contains assurance steps covering all enablers in quite some detail, yet it is also flexible because this detailed structure allows clear and well-understood scoping decisions to be made. That is, the assurance professional can decide to not cover a set of enablers or some enabler instances and, while the decision will reduce the scope and related assurance engagement effort, the issue of what is or is not covered will be quite transparent to the assurance engagement user.

Easy to understand, follow and apply because of its clear structure:
- The table follows the flow described in figure 1, but splits each phase into different steps and substeps.
- For each step, a short description is included, as is guidance for the assurance professional on how to proceed with the step (text in italics).

Additional guidance on how to use other IT assurance-related standards for performing assurance can be found in section 3 of COBIT 5 for Assurance.

Customization of the Audit/Assurance Program

Customization and completion of the European Cybersecurity Audit/Assurance Program will still be required, and consists of refining the scope by selecting goals and enabler instances: the lists included in the example are comprehensive, yet still are examples (i.e., different strategic priorities of the enterprise may dictate a different scope). The lists can also be considered prohibitive by some, as they can lead to a very broad scope, and therefore a very expensive assurance engagement; selection and prioritization will be required. The assurance professional will need to consider the following steps:

- Determine the stakeholders of the assurance initiative and their stake.
- Determine the assurance objectives based on assessment of the internal and external environment/context, including the strategic objectives, goals (figures 40 and 41 of COBIT 5 for Assurance) and priorities of the enterprise.
- Determine the enablers in scope and the instance(s) of the enablers in scope.

In each phase, one or two enabler examples are fully elaborated, to illustrate and demonstrate the suggested approach. The audit/assurance program phases for the other processes and other enablers in scope need to be detailed to the required level of detail.

Using the Assurance Program


In the following section, the European Cybersecurity assurance topic is fully developed based on the generic audit/assurance program. This detailed program contains the following additional information:

- In the Guidance column, the shaded text is specific to the example and provides practical guidance, e.g., examples on which processes to include in scope, on which organisational structures to include in scope, on how to set assessment criteria for the different enablers, on how to actually assess the different enablers.
- Two additional columns, allowing the audit and assurance professional to identify and cross-reference issues and to record comments:
  - Issue Cross-reference: This column can be used to flag a finding/issue that the IT assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).
  - Comment: This column can be used to document any further notes.

For most of the enablers, there are several instances in scope. However, the assurance professional must complete the list to meet the environment in scope. The remaining instances can be deduced very similarly to those described in this program, using the COBIT 5 framework and the COBIT 5: Enabling Processes guides.

Assurance Engagement: European Cybersecurity Assurance Topic

The topic covered by this assurance engagement is Cybersecurity.

Goal of the Review

The primary objective of the audit/assurance review is to provide management with an impartial and independent assessment relating to the effectiveness of cybersecurity and related governance, management and assurance.

Scoping

The review will focus on cybersecurity standards, guidelines and procedures as well as on the implementation and governance of these activities. Traditional information security at lower levels is outside the scope of this review.

The following ISACA publications apply to cybersecurity:
- COBIT 5 for Information Security
- Transforming Cybersecurity Using COBIT 5
- Responding to Targeted Cyberattacks
- ISACA European Cybersecurity Series
- Securing Mobile Devices Using COBIT 5

From a process reference model (PRM) perspective, the following domains and processes apply to this audit and assurance programme:

- EDM03 Ensure Risk Optimisation: Governance in the widest sense should address the intrinsic risk within cybersecurity and set policies and steps accordingly.
- APO12 Manage Risk: Management in IT should adequately address risk issues related to cybersecurity.
- APO13 Manage Security: The information security management system (ISMS) should incorporate adequate provisions for cybersecurity.
- DSS02 Manage Service Requests and Incidents: Incidents in cybersecurity should be identified and managed.
- DSS04 Manage Continuity: Organisational functions and IT should be resilient with regard to cybersecurity.


- DSS05 Manage Security Services: There should be comprehensive and adequate security services in place to ensure the desired level of cybersecurity.

Refer to the above-mentioned detailed publications for guidance on controls and good practice in cybersecurity.

IT Audit and Assurance Program for European Cybersecurity

Phase A—Determine Scope of the Assurance Initiative

Ref. | Assurance Step | Guidance | Issue Cross-reference | Comment

(Guidance text that runs off the page edge in the source is cut; each cut is marked with "…".)

A-1 Determine the stakeholders of the assurance initiative and their stakes.

A-1.1 Identify the intended user(s) of the assurance report and their stake in the assurance engagement. This is the assurance objective.

Guidance: Intended user(s) of the assurance report:
- Board/audit committee: Needs effectiveness and efficiency of cyb… within the enterprise
- Works Council/Union: Represen… assurance in terms of cybersecuri… industrial relations
- Owners/shareholders: In Euro… cybersecurity assurance report m… statutory reporting
- Regulators: In Europe, part or al… reporting may need to be disclose… authorities

A-1.2 Identify the interested parties, accountable and responsible for the subject matter over which assurance needs to be provided.

Guidance: Accountable and responsible parties for the subject matter:
- Steering committee: Accountab… cybersecurity processes and serv… management and monitoring, allo… delivery of benefits and value, and …
- Business executives: The indiv… identifying requirements, approvin… managing performance. These pe… with IT management, responsible … correct and controlled use of cybe… in line with good practices.
- IT management: Responsible fo… correct and controlled use of cybe… together with the business executi…

A-2 Determine the assurance objectives based on assessment of the internal and external environment/context and of the relevant risk and related opportunities (i.e., not achieving the enterprise goals).

Guidance: Assurance objectives are essentially a more detailed and tangible expression of those enterprise objectives relevant to the subject of the assurance engagement. Enterprise objectives can be formulated in terms of the generic enterprise goals (COBIT 5 framework) or they can be expressed more specifically. Objectives of the assurance engagement can be expressed using the COBIT 5 enterprise goals, the IT-related goals (which relate more to technology), information goals or any other set of specific goals. Objectives of the assurance engagement will consider all three value objective components, i.e., delivering benefits that support strategic objectives, optimizing the risk that strategic objectives are not achieved and optimizing resource levels required to achieve the strategic objectives.

A-2.1 Understand the enterprise strategy and priorities.

Guidance: Perform a high-level walk-through of cybersecurity arrangements, including goals, strategy, policy and processes.

A-2.2 Understand the internal context of the enterprise.

Guidance:
- Establish any prior cybersecurity incidents that serve as trigger events for the audit.
- Ascertain any prior audit findings relating to cybersecurity.
- Obtain and understand any specific risk scenarios relating to the cybersecurity audit (e.g., crime, cyberwarfare, end-user-based attacks).
- Determine the applications and operating environments affected by these cybersecurity arrangements.
- Obtain and review the organisation's definition of cybersecurity and the organisational scope attributed to it. Delineate cybersecurity from traditional information security.
- Obtain and review all IT services, applications, platforms and infrastructure elements covered by cybersecurity arrangements.
- Identify and document the relevant business risk in respect to cybersecurity, attacks and breaches.
- Identify the technology risk associated with cybersecurity.
- Identify the social risk associated with cybersecurity.
- Discuss the risk with management of IT, business and operational audit, and adjust the risk assessment as appropriate (based on the risk assessment, revise the scope).
- Verify that the cybersecurity function has an established and clear interface with the assurance compliance function.
- Verify that all relevant European laws, regulations and recommendations for cybersecurity are communicated between the assurance compliance function, audit and the cybersecurity function.
- Obtain and analyze documentation of previous cybersecurity-related audits (if done by other auditors).
- (For internal auditors) Verify that the enterprise has incorporated and adopted all external rulings, directives or other binding provisions related to cybersecurity.
- (For external auditors) Verify that the enterprise operates a comprehensive internal audit regime with regard to cybersecurity.

A-2.3 Understand the external context of the enterprise.

Guidance:
- Identify any limitations and/or constraints affecting the audit of specific systems and subsystems.
- Identify any third-party services, applications, platforms and infrastructure elements that may not be accessible or are only partially accessible.
- Identify any legal, regulatory or contractual constraints on audit.
- Identify any industrial relations-based or end-user-based audit constraints.

A-2.4 Given the overall assurance objective, translate the identified strategic priorities into concrete objectives for the assurance engagement.

Guidance: The following goals are retained as key goals to be supported, in reflection of enterprise strategy and priorities:

Key goals
- Enterprise goals:
  - EG03 Managed business risk (safeguarding of assets)
  - EG04 Compliance with external laws and regulations
- IT-related goals:
  - ITG02 IT compliance and support for business compliance with external laws and regulations
  - ITG04 Managed IT-related business risk
  - ITG10 Security of information, processing infrastructure and applications

Additional goals
- Enterprise goals:
  - EG01 Stakeholder value of business investments
  - EG08 Agile responses to a changing business environment
  - EG10 Optimisation of service delivery costs
- IT-related goals:
  - ITG05 Realised benefits from IT-enabled investments and services portfolio
  - ITG07 Delivery of IT services in line with business requirements

A-2.5 Define the organisational boundaries of the assurance initiative.

Guidance: Describe the organisational boundaries of the assurance engagement, i.e., to which organisational entities the review is limited. All other aspects of scope limitation are identified during phase A-3.
- The review must have a defined scope. The reviewer must understand the operating environment and prepare a proposed scope, subject to a later risk assessment.
- Obtain information and form an understanding of the business reasons underlying the audit.
- Identify the senior business resources responsible for the review.
- Identify the senior IT audit/assurance resource responsible for the review.
- Establish the process for suggesting and implementing changes to the audit/assurance program, and list the authorizations required.
- Identify any limitations and/or constraints affecting the audit of specific systems and subsystems.
- Identify any third-party services, applications, platforms and infrastructure elements that may not be accessible or are only partially accessible.
- Identify any legal, regulatory or contractual constraints on audit.
- Identify any industrial relations-based or end-user-based audit constraints.

A-3 Determine the enablers in scope and the instance(s) of the enablers in scope.

Guidance: COBIT 5 identifies seven enabler categories. In this section all seven are covered, and the assurance professional has the opportunity to select enablers from all categories to obtain the most comprehensive scope for the assurance engagement.

A-3.1 Define the Principles, Policies and Frameworks in scope.

Guidance: Guiding principles and policies include:
- Cybersecurity policy and standards documentation.
- Security management framework, such as ISO/IEC 27001 with ISO 27032, or the NIST 800 series, will be used as a good-practice reference.
- SANS 20 Critical Controls
- ISMS policy
- Information architecture model
- Legal and regulatory compliance requirements

A-3.2 Define which Processes are in scope of the review.

Processes will be assessed during phase B of the assurance engagement against the criteria defined in phase A, and assessments will typically focus on:
- Achievement of process goals
- Application of process good practices
- Existence and quality of work products (inputs and outputs) insofar not covered by the information items assessments

Guidance: COBIT 5: Enabling Processes distinguishes a governance domain with a set of processes and a management domain, with four sets of processes. The processes in scope are identified using the goals cascade and subsequent customization. The resulting lists contain key processes and additional processes to be considered during this assurance engagement. Available resources will determine whether they can all be effectively assessed.

Key processes:
- EDM03 Ensure Risk Optimisation: Governance in the widest sense should address the intrinsic risk within cybersecurity and set policies and steps accordingly.
- APO12 Manage Risk: Management in IT should adequately address risk issues related to cybersecurity.
- APO13 Manage Security: The information security management system (ISMS) should incorporate adequate provisions for cybersecurity.
- DSS02 Manage Service Requests and Incidents: Incidents in cybersecurity should be identified and managed.
- DSS04 Manage Continuity: Organisational functions and IT should be resilient with regard to cybersecurity.
- DSS05 Manage Security Services: There should be comprehensive and adequate security services in place to ensure the desired level of cybersecurity.

Additional processes:
- EDM01 Ensure Governance Framework Setting and Maintenance
- APO01 Manage the IT Management Framework
- APO07 Manage Human Resources
- APO09 Manage Service Agreements
- APO10 Manage Quality
- BAI08 Manage Knowledge
- BAI09 Manage Assets
- BAI10 Manage Configuration

A-3.3 Define which Organisational Structures will be in scope.

Organisational Structures will be assessed during phase B of the assurance engagement against the criteria defined in phase A, and assessments will typically focus on:
- Achievement of Organisational Structure goals, i.e., decisions
- Application of Organisational Structures good practices

Guidance: Based on the key processes identified in A-3.2, the following Organisational Structures and functions are considered to be in scope of this assurance engagement, and available resources will determine which ones will be reviewed in detail.

Key Organisational Structures:
- Cybersecurity team
- Business executives
- Service manager
- Chief information officer
- Business process owner
- Chief information security officer

Additional Organisational Structures:
- Chief executive officer
- Head IT operations
- Risk function
- Privacy officer
- Compliance
- Audit

A-3.4 Define the Culture, Ethics and Behaviour aspects in scope.

Guidance: In the context of this engagement, the following enterprisewide culture and behaviours are in scope:
- Integrity and Reliability
- Personal and Professional Reliability

A-3.5 Define the Information items in scope.

Information items will be assessed during phase B of the assurance engagement against the criteria defined in phase A, and assessments will typically focus on:
- Achievement of Information goals, i.e., quality criteria of the information items
- Application of Information good practices (Information attributes)

Guidance: COBIT 5: Enabling Processes defines a number of inputs and outputs between processes. Based on the fact that BAI02, BAI03, DSS05 and DSS0? (last digit unreadable in the source) were defined as key processes in scope, the related inputs and outputs are considered in this section. Key priorities and availability of resources will determine how many and which ones will be reviewed in detail. The following items are considered for this example.

Key Information Items:
- Formal Cybersecurity P…
- Code of Conduct
- Third-party access policy
- Virtual architecture docu…
- Virtualization policies
- Cybersecurity technical …
- Technical guidelines an… IT service level, including service provided by third parties
- Technical guidelines an… IT application level
- Technical guidelines an… IT platform level, including remot… administered platforms (rental, vi…
- Technical guidelines an… autonomous IT hardware level (i… servers and clusters, end user P…
- Technical guidelines an… critical or particularly exposed ha… notably mobile devices such as s… tablets
- Technical and administr… procedures around ED…
- Technical and administr… procedures for industrial control … interfaces
- Technical and administr… procedures for building and facili… systems
- Incident management, d… service business continuity proc… assets
- Guidelines and procedu… identification, documentation and … informational evidence, e.g. logs
- Virtualization controls as…
- Third-party access cont… results

Additional Information Items:
- Cybersecurity attributes … information classification
- Evidence of cybersecur… and information classification

A-3.6 Define the Services, Infrastructure and Applications in scope.

Guidance: In the context of this assignment, and taking into account the goals identified in A-2.4, the following services and related applications or infrastructure could be considered in scope of the review:
- Cybersecurity training
- Change management
- Human resources
- Help desk
- Incident tracking system

A-3.7 Define the People, Skills and Competencies in scope.

Skill sets and competencies will be assessed during phase B of the assurance engagement against the criteria defined in phase A, and assessments will typically focus on:
- Achievement of skills set goals
- Application of skills set and competencies good practices

Guidance: In the context of this engagement, taking into account key processes and key roles, the following skill sets are included in scope:
- Cybersecurity Personnel Skills
- Enterprisewide Cybersecurity Awareness


IT Audit and Assurance Program for European Cybersecurity

Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform Metrics

Ref. | Assurance Steps and Guidance | Issue Cross-reference | Comment

B-1 Agree on metrics and criteria for enterprise goals and IT-related goals. Assess enterprise goals and IT-related goals.

B-1.1 Obtain (and agree on) metrics for enterprise goals and expected values of the metrics. Assess whether enterprise goals in scope are achieved.

Leverage the list of suggested metrics for the enterprise goals to define, discuss and agree on a set of relevant, customized metrics for the enterprise goals, taking care that the suggested metrics are driven by the performance of the topic of this assurance initiative. Next, agree on the expected values for these metrics, i.e., the values against which the assessment will take place.

The following metrics and expected values are agreed on for the key enterprise goals defined in step A-2.4.

Enterprise Goal | Metric | Expected Outcome (EO) | Assessment

- EG03 Managed business risk (safeguarding of assets)
  - Metric: Percent of critical business objectives and services covered by risk assessment
  - Metric: Frequency of update of risk profile
  - Expected Outcome: Agree on the expected values for the Enterprise goal metrics, i.e., the values against which the assessment will take place.
  - Assessment: In this step the rele… each goal will be r… assessment will be … the defined criteria …
- EG04 Compliance with external laws and regulations
  - Metric: Number of regulatory non-compliance issues relating to cyber incidents
  - Expected Outcome: Agree on the expected values for the Enterprise goal metrics, i.e., the values against which the assessment will take place.
  - Assessment: In this step the rele… each goal will be r… assessment will be … the defined criteria …

B-1.2 Obtain (and agree on) metrics for IT-related goals and expected values of the metrics and assess whether IT-related goals in scope are achieved.

The following metrics and expected values are agreed for the key IT-related goals defined in step A-2.4.

IT-related Goal | Metric | Expected Outcome (EO) | Assessment

- ITG02 IT compliance and support for business compliance with external laws and regulations
  - Metric: Number of cybersecurity-related non-compliance issues reported to …
  - Expected Outcome: Agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take place.
  - Assessment: In this step the rele… each goal will be r… assessment will be … the defined criteria …

© ISACA 2014 All rights reserved   16

Page 17: European Cybersecurity Audit Assurance Program Res Eng 0914

8/10/2019 European Cybersecurity Audit Assurance Program Res Eng 0914

http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914 17/105

European Cybersecurity 

 Audit/Assurance Program

IT Audit and Assurance Program for European Cybersecurity

Phase B—-nderstand Enab(ers4 etting uitab(e Assessment Criteria and Perform 6etrics

"ef# Assurance teps and $uidanceIssue

Cross%reference

-1.2Cont.

the %oard orcausing

"u%liccomment orem%arrassment

I$;04 <anaged I$-related %usiness ris# 6ercent of 

critical%usiness"rocesses+ I$servicesand I$-ena%led%usiness"rogrammescovered

%y ris#assessment

(um%er

ofsignificantI$-relatedincidentsthat )erenotidentifiedin ris#assessment

6ercent of 

enter"rise

ris#assessmentsincludingI$-relatedris#

9re,uenc

y ofu"date ofris# "rofile

 Agree on the e+pected #alues for the IT$related goal metrics i!e! the #aluesagainst "hich the assessment "ill ta)e

 place!

In this step the releach goal "ill be rassessment "ill bethe defined criteria

I$;10 Security of information+ "rocessinginfrastructure and a""lications

(um%er

of securityincidentsrelated tocy%ersecurity)ea#nessescausingfinancialloss+%usinessdisru"tionor "u%licem%arrassment

9re,uenc

 Agree on the e+pected #alues for the IT$related goal metrics i!e! the #aluesagainst "hich the assessment "ill ta)e

 place!

In this step the releach goal "ill be rassessment "ill bethe defined criteria

© ISACA 2014 All rights reserved   17

Page 18: European Cybersecurity Audit Assurance Program Res Eng 0914

8/10/2019 European Cybersecurity Audit Assurance Program Res Eng 0914

http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914 18/105

European Cybersecurity 

 Audit/Assurance Program

IT Audit and Assurance Program for European Cybersecurity

Phase B—-nderstand Enab(ers4 etting uitab(e Assessment Criteria and Perform 6etrics

"ef# Assurance teps and $uidanceIssue

Cross%reference

y ofcy%ersecu

rityassessment againstlateststandardsandguidelines

© ISACA 2014 All rights reserved   18
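Step B-1 agrees a metric and an expected value (EV) per goal and then assesses the actual value against it. The script below is an added example, not part of the ISACA programme: it computes three of the ITG04 metrics (coverage of key processes by risk assessment, incidents on processes absent from the risk register, and the longest gap between risk-profile updates) from a constructed risk register, incident list and update history, and reports whether each meets an assumed EV. The data, field names and threshold values are assumptions chosen for illustration.

```python
"""Added example (not part of the ISACA programme): compute three ITG04
metrics from a constructed risk register, incident list and risk-profile
update history, and assess each against an assumed expected value (EV).
Data, field names and thresholds are all constructed assumptions."""
from datetime import date

# Constructed risk register: key business process -> date of its last risk
# assessment (None means the process was never assessed).
RISK_REGISTER = {
    "P01-payments": date(2014, 3, 1),
    "P02-customer-db": date(2014, 1, 15),
    "P03-hr-payroll": None,
    "P04-web-portal": date(2013, 11, 2),
    "P05-scada-plant": None,
}

# Constructed significant IT-related incidents: (incident id, process affected).
INCIDENTS = [
    ("INC-101", "P02-customer-db"),
    ("INC-102", "P05-scada-plant"),
    ("INC-103", "P01-payments"),
]

# Constructed dates on which the enterprise risk profile was updated.
RISK_PROFILE_UPDATES = [date(2013, 9, 1), date(2013, 12, 1), date(2014, 6, 1)]

# Assumed expected values, as they would be agreed with management in B-1.2.
EXPECTED = {
    "coverage_pct": 90.0,        # at least 90% of key processes risk-assessed
    "uncovered_incidents": 0,    # no incident on a process missing from the register
    "max_update_gap_days": 120,  # risk profile refreshed at least quarterly
}


def coverage_pct(register):
    """Percent of key processes covered by a risk assessment."""
    assessed = sum(1 for last in register.values() if last is not None)
    return 100.0 * assessed / len(register)


def incidents_not_in_risk_assessment(register, incidents):
    """Ids of incidents whose affected process was never risk-assessed."""
    return [inc_id for inc_id, process in incidents if register.get(process) is None]


def max_update_gap_days(updates):
    """Longest interval in days between two consecutive risk-profile updates."""
    ordered = sorted(updates)
    return max((later - earlier).days for earlier, later in zip(ordered, ordered[1:]))


def assess(metric, actual, expected, higher_is_better):
    """Compare an actual metric value with its expected value (EV)."""
    met = actual >= expected if higher_is_better else actual <= expected
    return {"metric": metric, "actual": actual, "expected": expected, "met": met}


def assess_itg04(register=RISK_REGISTER, incidents=INCIDENTS,
                 updates=RISK_PROFILE_UPDATES, expected=EXPECTED):
    """One assessment record per ITG04 metric, in the order of the table above."""
    return [
        assess("Percent of key processes covered by risk assessment",
               coverage_pct(register), expected["coverage_pct"], True),
        assess("Significant incidents not identified in risk assessment",
               len(incidents_not_in_risk_assessment(register, incidents)),
               expected["uncovered_incidents"], False),
        assess("Maximum days between risk profile updates",
               max_update_gap_days(updates), expected["max_update_gap_days"], False),
    ]


if __name__ == "__main__":
    for row in assess_itg04():
        status = "met" if row["met"] else "NOT met"
        print(f"{row['metric']}: actual {row['actual']}, EV {row['expected']} -> {status}")
```

With the constructed data all three metrics fall short of their EVs (60% coverage, one incident on an unassessed process, 182 days between updates), which is the kind of result an assessor records in the Assessment column before moving on to the enabler review in B-2.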


Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform: Principles, Policies and Frameworks

Ref. | Assurance Steps and Guidance

B-2 Obtain an understanding of the Principles, Policies and Frameworks in scope and set suitable assessment criteria. Assess Principles, Policies and Frameworks.

Principles, policies and frameworks: Cybersecurity policy and standards documentation

B-2.1a Understand the Principles, Policies and Frameworks context. Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks [...]

B-2.2a Understand the stakeholders of the Principles, Policies and Frameworks: Cybersecurity policy and standards documentation. Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need [...] compliance with the policies.

B-2.3a Understand the goals for the Principles, Policies and Frameworks, and the related metrics and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: Describe the goal of the Cybersecurity policy and standards documentation. Perform the assurance steps using the criteria described below.

Goal | Criteria | Assessment Step

Comprehensiveness
  Criteria: The set of policies is comprehensive in its coverage.
  Assessment step: Verify that the set of policies is comprehensive in its coverage.

Currency
  Criteria: The set of policies is up to date. This at least requires: a regular validation of all policies, whether they are still up to date; an indication of the policies' expiration date or date of last update.
  Assessment step: Verify that the set of policies is up to date. This at least requires: a regular validation of all policies, whether they are still up to date; an indication of the policies' expiration date or date of last update; verification of compliance with cycle dates for policies.

Flexibility
  Criteria: The set of policies is flexible. It is structured in such a way that it is easy to add or update policies as circumstances require.
  Assessment step: Verify the flexibility of the set of policies, i.e., that it is structured in such a way that it is easy to add or update policies as circumstances require.

Availability
  Criteria: Policies are available to all stakeholders. Policies are easy to navigate and have a logical and hierarchical structure.
  Assessment step: Verify that policies are available to all stakeholders. Verify that policies are easy to navigate and have a logical and hierarchical structure.

B-2.4a Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a review of process APO01 Manage the IT management framework.

B-2.5a Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good Practice | Criteria | Assessment Step

Scope and validity
  Criteria: The scope is described and the validity date is indicated.
  Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
  Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure. Exemptions from cybersecurity policy are applied for, reviewed and authorized in conformance with the organisation's Exceptions to Policy procedures. (APO13)
  Assessment step: Verify that the exception and escalation procedure is described and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure. If the organisation grants exemptions from cybersecurity policy, obtain a copy of the list of currently authorized exemptions and a copy of the procedure for Exemptions to Policy. Determine that exemptions are granted only for a limited period, maximum one year. Determine that each cybersecurity exemption is regularly reviewed for continuing applicability. Determine whether a risk assessment was performed before the exemption is granted and compensating controls are in place.

Compliance
  Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
  Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Communication
  Criteria: The cybersecurity policies have been defined by management, documented, approved at an appropriate senior level, disseminated to all relevant employees and third parties, and deployed across the organisation. (APO13)
  Assessment step: Verify that an appropriate cybersecurity policy was drafted [...] before the cybersecurity program was deployed into production. Verify that senior business management formally approved the cybersecurity policy. Verify that all employees are appropriately informed of the cybersecurity policy, e.g., during initial orientation and in information s[ecurity ...].

HR Support
  Criteria: Cybersecurity processes are integrated into HR services, policies and compliance. (APO13)
  Assessment step: Obtain a copy of the organisation's Code of Conduct and determine whether it specifically states that a violation of the cybersecurity policy is considered a violation of the Code of Conduct with applicable [...]. Determine whether disciplinary policies and supporting procedures are in effect for violations of cybersecurity policy. These should include: established penalties for infringements; uniform application of penalty policy. Establish whether awareness campaigns are conducted [...].

Third-party compliance
  Criteria: Third parties, such as contractors, are contractually required to comply with the organisation's cybersecurity policies. (APO09, APO10)
  Assessment step: Determine the policies in effect to permit third parties to access the organisation's IT resources, and to protect the organisation's intellectual property from unauthorized access. Evaluate the effectiveness of cybersecurity controls upon [third parties and] determine whether additional controls, policies or procedures are needed to protect the organisation's assets.

Cloud services and virtualized environments
  Criteria: The enterprise's architecture extends cybersecurity arrangements to cover all cloud-based and/or virtualised services, applications and information assets. (APO03, APO09, APO10, DSS05)
  Assessment step: Obtain and review architecture elements and components [that are cloud-based] or virtualised elements. Determine the policies in effect to govern cloud and virtualised [environments and] establish the level of protection with regard to cybersecurity. Evaluate the effectiveness of cybersecurity controls on cloud and virtualised environments and identify any gaps.
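The Currency and Exception and escalation rows above amount to a set of mechanical checks on the policy register and on the list of authorised exemptions: every policy carries an expiration or last-update date and is within its review cycle; every exemption is time-limited to at most one year, regularly reviewed, preceded by a risk assessment and backed by compensating controls. The script below is an added example, not part of the ISACA programme, that runs those checks over a constructed register. The record layout, the dates, the 'as of' date and the 180-day review interval are assumptions; only the one-year maximum comes from the text above.

```python
"""Added example (not part of the ISACA programme): run the B-2.5a currency
and exemption checks over a constructed policy register. Record layout,
dates and the 180-day review interval are constructed assumptions."""
from datetime import date, timedelta

AS_OF = date(2014, 9, 1)    # constructed 'as of' date of the review
MAX_EXEMPTION_DAYS = 365    # programme: limited period, maximum one year
REVIEW_INTERVAL_DAYS = 180  # assumed meaning of "regularly reviewed"

# Constructed policy register. A missing last_update or expires date is
# itself a finding: the programme asks for an expiration date or a date of
# last update on every policy.
POLICIES = [
    {"id": "POL-01", "title": "Cybersecurity policy", "last_update": date(2014, 1, 10),
     "review_cycle_days": 365, "expires": date(2015, 1, 10)},
    {"id": "POL-02", "title": "Acceptable use policy", "last_update": date(2012, 6, 1),
     "review_cycle_days": 365, "expires": None},
    {"id": "POL-03", "title": "Third-party access standard", "last_update": None,
     "review_cycle_days": 365, "expires": None},
]

# Constructed list of currently authorised exemptions from cybersecurity policy.
EXEMPTIONS = [
    {"id": "EX-01", "policy": "POL-01", "granted": date(2014, 2, 1),
     "expires": date(2014, 12, 31), "last_review": date(2014, 5, 1),
     "risk_assessed": True, "compensating_controls": ["network isolation"]},
    {"id": "EX-02", "policy": "POL-02", "granted": date(2013, 1, 1),
     "expires": date(2015, 1, 1), "last_review": None,
     "risk_assessed": False, "compensating_controls": []},
    {"id": "EX-03", "policy": "POL-03", "granted": date(2014, 1, 1),
     "expires": None, "last_review": date(2014, 1, 1),
     "risk_assessed": True, "compensating_controls": ["enhanced logging"]},
]


def policy_findings(policies=POLICIES, as_of=AS_OF):
    """Currency checks: every policy carries an expiry or last-update date,
    has not passed its review cycle date and has not expired."""
    findings = {}
    for pol in policies:
        issues = []
        if pol["last_update"] is None and pol["expires"] is None:
            issues.append("no expiration date or date of last update")
        if pol["last_update"] is not None:
            due = pol["last_update"] + timedelta(days=pol["review_cycle_days"])
            if due < as_of:
                issues.append(f"past review cycle date ({due.isoformat()})")
        if pol["expires"] is not None and pol["expires"] < as_of:
            issues.append("policy has expired")
        findings[pol["id"]] = issues
    return findings


def exemption_findings(exemptions=EXEMPTIONS, as_of=AS_OF,
                       max_days=MAX_EXEMPTION_DAYS, review_days=REVIEW_INTERVAL_DAYS):
    """Exception checks: limited duration, regular review, a risk assessment
    before the grant and compensating controls for every exemption."""
    findings = {}
    for ex in exemptions:
        issues = []
        if ex["expires"] is None:
            issues.append("open-ended exemption (no expiry date)")
        elif (ex["expires"] - ex["granted"]).days > max_days:
            issues.append("exemption period exceeds the maximum of one year")
        if ex["last_review"] is None or (as_of - ex["last_review"]).days > review_days:
            issues.append("not reviewed within the review interval")
        if not ex["risk_assessed"]:
            issues.append("no risk assessment before the exemption was granted")
        if not ex["compensating_controls"]:
            issues.append("no compensating controls in place")
        findings[ex["id"]] = issues
    return findings


if __name__ == "__main__":
    for ident, issues in {**policy_findings(), **exemption_findings()}.items():
        print(ident, "OK" if not issues else "; ".join(issues))
```

An exemption that passes every check (EX-01) produces an empty list; the open-ended and never-reviewed ones (EX-02, EX-03) each produce the findings the assessor would raise under the Exception and escalation row. The checks are deliberately per-record so the output maps one-to-one onto the list of authorised exemptions the step asks the auditor to obtain.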

Principles, policies and frameworks: Cybersecurity Frameworks and Standards

B-2.1b Understand the Principles, Policies and Frameworks context. Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks [...]

B-2.2b Understand the stakeholders of the Principles, Policies and Frameworks: Cybersecurity Frameworks and Standards. Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need [...] compliance with the policies.

B-2.3b Understand the goals for the Principles, Policies and Frameworks, and the related metrics and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: Cybersecurity Frameworks and Standards. Security management frameworks, such as ISO/IEC 27001 with ISO 27032, or the NIST 800 series, will be used as a good-practice reference. Perform the assurance steps using the criteria described below.

Goal | Criteria | Assessment Step

Comprehensiveness
  Criteria: The set of frameworks is comprehensive in its coverage.
  Assessment step: Verify that the set of frameworks is comprehensive in its coverage.

Currency
  Criteria: The set of frameworks is up to date. This at least requires: a regular validation of all frameworks, whether they are still up to date; an indication of the frameworks' expiration date or date of last update.
  Assessment step: Verify that the set of frameworks is up to date. This at least requires: a regular validation of all frameworks, whether they are still up to date; an indication of the frameworks' expiration date or date of last update; verification of compliance with cycle dates for frameworks.

Flexibility
  Criteria: The set of frameworks is flexible. It is structured in such a way that it is easy to add or update controls as circumstances require.
  Assessment step: Verify the flexibility of the set of frameworks, i.e., that it is structured in such a way that it is easy to add or update controls as circumstances require.

Availability
  Criteria: Frameworks are available to all stakeholders. Frameworks are easy to navigate and have a logical and hierarchical structure.
  Assessment step: Verify that frameworks are available to all stakeholders. Verify that frameworks are easy to navigate and have a logical and hierarchical structure.

B-2.4b Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a review of process APO01 Manage the IT management framework.

B-2.5b Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good Practice | Criteria | Assessment Step

Scope and validity
  Criteria: The scope is described and the validity date is indicated.
  Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
  Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure.
  Assessment step: Verify that the exception and escalation procedure is described and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance
  Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
  Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Alignment with internal policies
  Criteria: Cybersecurity technical standards are aligned with the organisation's standards. (APO13, DSS04, DSS05)
  Assessment step: Obtain and review the current set of applicable technical [standards and] related standards. Determine whether these standards include appropriate [...] cybersecurity requirements and measures. Evaluate (drill down) for critical services, applications, platforms and infrastructure elements as well as information assets to [determine whether the] technical standards are comprehensive enough to encompass cybersecurity. Obtain a copy of each of the following:
    Technical guidelines and procedures at the IT service [level,] including services partially or fully provided by third [parties]
    Technical guidelines and procedures at the IT application [level]
    Technical guidelines and procedures at the IT platform [level,] including remotely controlled and administered platforms (virtual servers etc.)
    Technical guidelines and procedures at the autonomous hardware level (including stand-alone servers and end-user PC devices etc.)
    Technical guidelines and procedures for critical [and] exposed hardware items, notably mobile devices (smartphones or tablets)
    Technical and administrative guidelines and procedures [for] ED
    Technical and administrative guidelines and procedures [for] industrial control systems and IT interfaces
    Technical and administrative guidelines and procedures [for building] and facilities management systems
    Incident management, disaster recovery and service continuity procedures for critical IT assets
    Guidelines and procedures concerning the identification, documentation and safeguarding of informational [evidence, e.g.] logs
  Identify and document any gaps, inconsistencies and potential [weaknesses] in the documentation.

Standards of good practice are applied to cybersecurity
  Criteria: Recognised standards of good practice in cybersecurity are applied within the enterprise.
  Assessment step:
    COBIT 5 and related documents: Cybersecurity is subject [to the COBIT 5] framework. Detailed guidance using COBIT 5 is applied throughout the enterprise. Determine if COBIT 5 has been accepted and implemented as the framework for cybersecurity. Determine if COBIT 5 for Information Security and related [guidance on] cybersecurity are implemented.
    ISO Standards: Relevant ISO standards are applied to cybersecurity. Determine if the ISO 27000 series has been accepted as guidance for cybersecurity. Determine if the ISO 22300 series has been accepted and [applied as] guidance for the resilience aspects of cybersecurity.

Critical infrastructure protection standards are applied to cybersecurity
  Criteria: Where organisations are deemed part of critical information infrastructures, cybersecurity arrangements are aligned with existing regulations and good practice.
  Assessment step:
    Incident reporting (Art. 13a): Incidents are identified, documented [and] reported in line with applicable regulations and/or good practice recommendations. (DSS02) Determine whether the enterprise is subject to the regulation [of electronic] communications operators and therefore subject to Article 13a. Verify that all applicable incident reporting regulations and recommendations are being adhered to.
    Systems-related recommendations and guidelines: C[ritical ...] and systems are managed in line with good practice and re[gulatory] recommendations for cybersecurity. Determine whether critical systems such as industrial control [systems are] adequately covered by existing cybersecurity arrangements. Verify that mobile devices are adequately covered by existing [cybersecurity] arrangements.

Principles, policies and frameworks: SANS 20 Critical Controls

B-2.1c Understand the Principles, Policies and Frameworks context. Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks [...]

B-2.2c Understand the stakeholders of the Principles, Policies and Frameworks: SANS 20 Critical Controls. Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need [...] compliance with the policies.

B-2.3c Understand the goals for the Principles, Policies and Frameworks, and the related metrics and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: SANS 20 Critical Controls should be used to ensure that critical controls are included in the cybersecurity program. Perform the assurance steps using the criteria described below.

Goal | Criteria | Assessment Step

Comprehensiveness
  Criteria: Documentation about SANS 20 Critical Controls is comprehensive in its coverage.
  Assessment step: Verify that documentation about SANS 20 Critical Controls is comprehensive in its coverage.

Currency
  Criteria: Documentation about SANS 20 Critical Controls is up to date. This at least requires: a regular validation of all documents, whether they are still up to date; an indication of the documents' expiration date or date of last update.
  Assessment step: Verify that documentation about SANS 20 Critical Controls is up to date. This at least requires: a regular validation of all documentation, whether it is still up to date; an indication of the documentation's expiration date or date of last update; verification of compliance with cycle dates.

Flexibility
  Criteria: Documentation about SANS 20 Critical Controls is flexible. It is structured in such a way that it is easy to add or update controls as circumstances require.
  Assessment step: Verify the flexibility of the documentation about SANS 20 Critical Controls, i.e., that it is structured in such a way that it is easy to add or update controls as circumstances require.

Availability
  Criteria: Documentation about SANS 20 Critical Controls is available to all stakeholders. Documentation about SANS 20 Critical Controls is easy to navigate and has a logical and hierarchical structure.
  Assessment step: Verify that documents are available to all stakeholders. Verify that documents are easy to navigate and have a logical and hierarchical structure.

B-2.4c Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a review of process APO01 Manage the IT management framework.

B-2.5c Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good Practice | Criteria | Assessment Step

Scope and validity
  Criteria: The scope is described and the validity date is indicated.
  Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
  Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure.
  Assessment step: Verify that the exception and escalation procedure is described and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance
  Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
  Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Completeness
  Criteria: Critical control sets have been incorporated into cybersecurity arrangements.
  Assessment step: The SANS 20 critical controls have been incorporated and [applied within the] enterprise's cybersecurity arrangements. Determine if the enterprise has formally accepted and adopted [the SANS 20 critical] controls as guidance for cybersecurity.

Principles, policies and frameworks: ISM Policy

B-2.1d Understand the Principles, Policies and Frameworks context. Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks [...]

B-2.2d Understand the stakeholders of the Principles, Policies and Frameworks: ISM Policy. Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need [...] compliance with the policies.

B-2.3d Understand the goals for the Principles, Policies and Frameworks, and the related metrics and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: ISM Policy: The cybersecurity policies have been defined by management, documented, approved at an appropriate senior level, disseminated to all relevant employees and third parties, and deployed across the organisation. Perform the assurance steps using the criteria described below.

Goal | Criteria | Assessment Step

Comprehensiveness
  Criteria: The set of frameworks is comprehensive in its coverage.
  Assessment step: Verify that the set of frameworks is comprehensive in its coverage.

Currency
  Criteria: The set of frameworks is up to date. This at least requires: a regular validation of all frameworks, whether they are still up to date; an indication of the frameworks' expiration date or date of last update.
  Assessment step: Verify that the set of frameworks is up to date. This at least requires: a regular validation of all frameworks, whether they are still up to date; an indication of the frameworks' expiration date or date of last update; verification of compliance with cycle dates for frameworks.

Flexibility
  Criteria: The set of frameworks is flexible. It is structured in such a way that it is easy to add or update controls as circumstances require.
  Assessment step: Verify the flexibility of the set of frameworks, i.e., that it is structured in such a way that it is easy to add or update controls as circumstances require.

Availability
  Criteria: Frameworks are available to all stakeholders. Frameworks are easy to navigate and have a logical and hierarchical structure.
  Assessment step: Verify that frameworks are available to all stakeholders. Verify that frameworks are easy to navigate and have a logical and hierarchical structure.

B-2.4d Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a review of process APO01 Manage the IT management framework.

B-2.5d Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good Practice | Criteria | Assessment Step

Scope and validity
  Criteria: The scope is described and the validity date is indicated.
  Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
  Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure.
  Assessment step: Verify that the exception and escalation procedure is described and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance
  Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
  Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Principles, policies and frameworks: Information architecture model

B-2.1e Understand the Principles, Policies and Frameworks context. Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks [...]

B-2.2e Understand the stakeholders of the Principles, Policies and Frameworks: Information architecture model. Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need [...] compliance with the policies.

B-2.3e Understand the goals for the Principles, Policies and Frameworks, and the related metrics and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: Information architecture model. Perform the assurance steps using the criteria described below.

Goal | Criteria | Assessment Step

Comprehensiveness
  Criteria: The architecture model is comprehensive in its coverage.
  Assessment step: Verify that documentation is comprehensive in its coverage.

Currency
  Criteria: The architecture model is up to date. This at least requires: a regular validation of the architecture model, whether it is still up to date; an indication of the architecture model's expiration date or date of last update.
  Assessment step: Verify that documentation is up to date. This at least requires: a regular validation of the document, whether it is still up to date; an indication of the document's expiration date or date of last update; verification of compliance with cycle dates.

Flexibility
  Criteria: The architecture model is flexible. It is structured in such a way that it is easy to update as circumstances require.
  Assessment step: Verify the flexibility of the documentation, i.e., that it is structured in such a way that it is easy to update as circumstances require.

Availability
  Criteria: The architecture model is available to all stakeholders. The architecture model is easy to navigate and has a logical and hierarchical structure.
  Assessment step: Verify that documentation is available to all stakeholders. Verify that documentation is easy to navigate and has a logical and hierarchical structure.

B-2.4e Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a review of process APO01 Manage the IT management framework.

B-2.5e Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good Practice | Criteria | Assessment Step

Scope and validity
  Criteria: The scope is described and the validity date is indicated.
  Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
  Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure.
  Assessment step: Verify that the exception and escalation procedure is described and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance
  Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
  Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Princip(es4 po(icies and frame.or's: 9ega( and regu(atory comp(iance reuirements

-2.1f 5nderstand the Princip(es4 Po(icies and rame.or's conte0t.Obtain and understanding of the o#erall system of internal control and the associated Principles Policies and ,rame"or)s

-2.2f 5nderstand the sta#eholders of the Princip(es4 Po(icies and rame.or's: 9ega( and regu(atory comp(iance reuirements-nderstand the sta)eholders in the policies! The sta)eholders for the policies include those setting the policies and those "ho neecompliance "ith the policies!


B-2.3f Understand the goals for the Principles, Policies and Frameworks, and the related metrics, and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.

Goal: Legal and regulatory compliance requirements. Perform the assurance steps using the criteria described below.

Goal | Criteria | Assessment Step

Comprehensiveness: The legal and regulatory compliance requirements documentation is comprehensive in its coverage.
Assessment step: Verify that documentation is comprehensive in its coverage.

Currency: The legal and regulatory compliance requirements documentation is up to date. This at least requires:
• A regular validation of the documentation whether it is still up to date
• An indication of the documentation expiration date or date of last update
Assessment step: Verify that documentation is up to date. This at least requires:
• A regular validation of the document whether it is still up to date
• An indication of the document's expiration date or date of last update
• Verification of compliance with cycle dates

Flexibility: The legal and regulatory compliance requirements documentation is flexible. It is structured in such a way that it is easy to update as circumstances require.
Assessment step: Verify the flexibility of the documentation, i.e., that it is structured in such a way that it is easy to update as circumstances require.

Availability: The legal and regulatory compliance requirements documentation is available to all stakeholders. The legal and regulatory compliance requirements documentation is easy to navigate and has a logical and hierarchical structure.
Assessment step: Verify that documentation is available to all stakeholders. Verify that documentation is easy to navigate and has a logical and hierarchical structure.

B-2.4f Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed.
The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a review of process APO01 Manage the IT management framework.

B-2.5f Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied.
The assurance professional will, by using appropriate auditing techniques, assess the following aspects:

Good Practice | Criteria | Assessment Step

Scope and validity: The scope is described and the validity date is indicated.
Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure.
Assessment step: Verify that the exception and escalation procedure is defined and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.


Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform Processes

Ref. | Assurance Steps and Guidance | Issue Cross-reference

B-3 Obtain understanding of the Processes in scope and set suitable assessment criteria: for each process in scope (as determined in step A-3.2), additional information is collected and assessment criteria are defined. Assess the Processes.

EDM03 Ensure risk optimisation

B-3.1a Understand the Process context.
Risk optimisation refers to governance in the widest sense and should address the intrinsic risk within cybersecurity and set policies and steps accordingly.

B-3.2a Understand the Process purpose.
Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.

B-3.3a Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process (COBIT 5: Enabling Processes).
Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step the translation is made between the theoretical RACI chart entry and the real enterprise.
The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following (functions), which therefore will need to be involved during the assurance engagement:
EDM03 Ensure risk optimisation stakeholders:

B-3.4a Understand the Process goals and related metrics (5), define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process.
The Process EDM03 Ensure risk optimisation has 3 defined process goals.
The following activities can be performed to assess whether the goals are achieved:

Process Goal | Related Metrics | Criteria/Expected Value | Assessment

Process goal: Risk thresholds are defined and communicated and key IT-related risk is known.
Related metrics:
• Level of alignment between IT risk and enterprise risk
• Number of potential IT risk identified and managed
• Refreshment rate of risk factor evaluation
• Number of potential cybersecurity risk factors identified and managed
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

Process goal: The enterprise is managing critical IT-related enterprise risk effectively and efficiently.
Related metrics:
• Percent of enterprise projects that consider IT risk
• Percent of IT risk action plans executed on time
• Percent of critical risk that has been effectively mitigated
• Percent of critical risk that has been mitigated effectively
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

Process goal: IT-related enterprise risk does not exceed risk appetite and the impact of IT risk to enterprise value is identified and managed.
Related metrics:
• Level of unexpected enterprise impact
• Percent of IT risk that exceeds enterprise risk tolerance
• Percent of cybersecurity risk that exceeds enterprise risk tolerance
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

(5) For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.

B-3.5a Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)
Agree on the process practices that should be in place (process design).
Assess the process design, i.e., assess to what extent:
• Expected process practices are applied.
• Accountability and responsibility are assigned and assumed.
COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:
• A sound process design
• The reference against which the process will be assessed in phase [...] with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.
Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference Process: EDM03 Ensure risk optimisation
Criteria: Governance practices to optimise risk are established [...]

Reference Process Practices | Good Practice | Assessment Step

EDM03.01 Evaluate risk management: Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise's risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practices are effectively implemented through the following (typical control) activities:
1. Determine the level of IT-related risk that the enterprise is willing to take to meet its objectives (risk appetite).
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise's acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise's capacity for IT-related loss and leadership's tolerance of it.


EDM03.02 Direct risk management: Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practices are effectively implemented through the following (typical control) activities:
1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.
4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how).
5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.
6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.

EDM03.03 Monitor risk management: Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practices are effectively implemented through the following (typical control) activities:
1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk governance and management processes against targets, analyse the cause of any deviations, and initiate remedial actions to address the underlying causes.
3. Enable key stakeholders' review of the enterprise's progress toward identified goals.
4. Report any risk management issues to the board or executive committee.

B-3.6a Agree on the process work products (6) (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.
Process EDM03 Ensure risk optimisation inputs and outputs. The most relevant (and not assessed as Information items in scope in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.
Criteria: All listed work products should demonstrably exist and be used.

Process Practice | Work Products | Assessment Step
[Process or Practice Name] | List work products not included in the information items section. | Apply appropriate audit techniques to verify the existence and usage of each work product.

(6) For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.

B-3.7a Agree on the process capability level to be achieved by the process.
This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes for which no reference practices, work products or outcomes are approved cannot use this assessment method; therefore the concept of capability level does not apply.

APO12 Manage risk

B-3.1b Understand the Process context.
Management in IT should adequately address risk issues related to cybersecurity.

B-3.2b Understand the Process purpose.
Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.

B-3.3b Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process in COBIT 5: Enabling Processes (page 107).
Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step the translation is made between the theoretical RACI chart entry and the real enterprise.
The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following (functions), which therefore will need to be involved during the assurance engagement:
APO12 Manage risk stakeholders:

B-3.4b Understand the Process goals and related metrics, define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process.
The Process APO12 Manage risk has 4 defined process goals.
The following activities can be performed to assess whether the goals are achieved:

Process Goal | Related Metrics | Criteria/Expected Value | Assessment

Process goal: IT-related risk is identified, analysed, managed and reported.
Related metrics:
• Degree of visibility and recognition in the current environment
• Number of loss events with key characteristics captured in repositories
• Percent of audits, events and trends captured in repositories
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

Process goal: A current and complete risk profile exists.
Related metrics:
• Percent of key business processes included in the risk profile
• Completeness of attributes and values in the risk profile
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

Process goal: All significant risk management actions are managed and under control.
Related metrics:
• Percent of risk management proposals rejected due to lack of consideration of other related risk
• Number of significant incidents not identified and included in the risk management portfolio
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

Process goal: Risk management actions are implemented effectively.
Related metrics:
• Percent of IT risk action plans executed as designed
• Number [...]
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.


B-3.5b (Cont.)
• Expected process practices are applied.
• Accountability and responsibility are assigned and assumed.
COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:
• A sound process design
• The reference against which the process will be assessed in phase [...] with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.
Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference Process: APO12 Manage risk
Criteria: Control activities to manage risk are properly implemented.

Reference Process Practices | Good Practice | Assessment Step

Data Classification: Cybersecurity parameters and criteria have been included in the general data classification.
Business [...]
Assessment step: Inspect and review the general data classification method and scheme used in the enterprise. Review the cybersecurity-related classification parameters used in the general data classification.


Lessons learned have been documented and are applied to critical information assets.

Attack and Incident Analysis: Attacks and incidents are analysed in a formal and comprehensive manner.
Assessment step: Examine the methods of analysis applied to the attack and incident [...]. Obtain and review samples of attack and incident analysis.

Key Learnings: Lessons learned and potential improvements are identified and adequately documented.
Assessment step: Based on the samples for documentation and analysis, review the method for identifying lessons learnt and potential improvements to cybersecurity. Determine whether potential improvements are formulated in a reasonable, comprehensive and understandable manner.

Improvements in Information Asset Protection: Key learnings and improvements are implemented in a continuous and consistent manner.
Assessment step: Based on the samples for documentation and analysis, determine whether improvements have been implemented. Determine whether improvements are implemented continuously and consistently throughout the enterprise.

APO12.01 Collect data: Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
Assessment step: Cybersecurity is subject to routine risk assessment processes. Management performed a risk assessment prior to implementing cybersecurity arrangements.
Determine whether a risk assessment of cyberthreats, vulnerabilities and related risk (TVA) was performed before acceptance of the program.
Obtain and review risk assessment documentation, if available, to determine whether the control level is adequate to support the cybersecurity program.
Obtain board minutes or other documentation to support the approval of the risk assessment and any formal risk acceptances.
Obtain and review the relevant risk assessment documentation to determine whether the risk assessment scope is: a) adequate to support the changes in the cybersecurity program, and b) sufficient to protect the organisation in line with business risk appetite.

APO12.02 Analyse risk: Develop useful information to support risk decisions that take into account the business relevance of risk factors.

APO12.03 Maintain a risk profile: Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities.
Assessment step: A risk assessment is performed and approved by management to initiate improvements to the cybersecurity program or to reaffirm the previous risk assessment.
Determine whether any subsequent risk assessment has been performed on a planned cycle (annually/biannually) on a regularly scheduled frequency.

APO12.04 Articulate risk: Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented.
1. Report the results of risk analysis to all affected stakeholders in terms and formats useful to support enterprise decisions. Wherever possible, include probabilities and ranges of loss or gain along with confidence levels that enable management to balance risk-return.
2. Provide decision makers with an understanding of worst-case and most probable scenarios, due diligence exposures, and significant reputation, legal or regulatory considerations.
3. Report the current risk profile to all stakeholders, including effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status, and their impacts on the risk profile.
4. Review the results of objective third-party assessments, internal audit and quality assurance reviews, and map them to the risk profile. Review identified gaps and exposures to determine the need for additional risk analysis.
5. On a periodic basis, for areas with relative risk and risk capacity parity, identify IT-related opportunities that would allow the acceptance of greater risk and enhanced growth and return.

APO12.05 Define a risk management action portfolio: Manage opportunities to reduce risk to an acceptable level as a portfolio.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented.

APO12.06 Respond to risk: Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.
Assessment step: Risk assessments are conducted after incidents.
Determine whether any subsequent risk assessment has been performed

of actual cy%erattac#s or %reaches+ including near misses.

-:.%  Agree on the process .or' products5 

in"uts and out"uts as defined in the"rocess "ractices descri"tion! that aree/"ected to %e "resent "rocess design!.

 Assess to )hat e/tent the "rocess )or#"roducts are availa%le.

APO&1 6anage ris' in"uts and out"uts.$he most relevant and not assessed asInformation items in sco"e in section A-:.3!of these )or# "roducts are identified asfollo)s+ as )ell as the criteria against )hichthey )ill %e assessed+ i.e.+ e/istence andusage.

Criteria' All listed )or# "roducts should demonstra%ly e/ist and %e used.

Process Practice ,or' Products Asses

G6rocess or 6ractice (ameH ?ist )or# "roducts no included in the information itemssection.

 A""ly a""rotechni,ues te/istence anof each )or#

-:.>% Agree on the process capabi(ity (e!e( to%e achieved %y the "rocess.

This step is "arranted only if the processunder re#ie" is a standard COBIT 5go#ernance or management process to

5 9or CI$ 3 "rocesses+ a set of in"uts and out"uts for the different management "ractices are identified in COBIT 5& Enabling

Processes.

© ISACA 2014 All rights reserved   51

Page 52: European Cybersecurity Audit Assurance Program Res Eng 0914

8/10/2019 European Cybersecurity Audit Assurance Program Res Eng 0914

http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914 52/105

European Cybersecurity 

 Audit/Assurance Program

IT Audit and Assurance Program for European Cybersecurity

Phase B—-nderstand Enab(ers4 etting uitab(e Assessment Criteria and Perform Processes

"hich the I1O/IEC 55.4 PA can beapplied! Any other processes for "hich noreference practices "or) products oroutcomes are appro#ed cannot use this

assessment method6 therefore the concept capability le#el does not apply!

APO13 Manage security

B-3.1c Understand the Process context: The information security management system (ISMS) should incorporate adequate provisions for cybersecurity.

B-3.2c Understand the Process purpose: Keep the impact and occurrence of information security incidents within the enterprise's risk appetite levels.

B-3.3c Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process in COBIT 5: Enabling Processes, page 4. Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step the translation is made between the theoretical RACI chart entry and the real enterprise.

The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following (functions), which therefore will need to be involved during the assurance engagement:

APO13 Manage security stakeholders:

B-3.4c Understand the Process goals and related metrics [6] and define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process.

The Process APO13 Manage security has 3 defined process goals. The following activities can be performed to assess whether the goals are achieved.

Process Goal | Related Metrics | Criteria/Expected Value | Assessment Step

For each goal below, the criteria/expected value is: Agree on the expected values for the Process goal metrics (i.e., the values against which the assessment will take place). The assessment step is: In this step the related metrics for the goal are reviewed and an assessment will be made whether the defined criteria are achieved. (The metric names are cut off in the source; only their first letters survive.)

1. A system is in place that considers and effectively addresses enterprise information security requirements.
   Related metrics: N…; N…

2. A security plan has been established, accepted and communicated throughout the enterprise.
   Related metrics: Le…; N…; N…

3. Information security solutions are implemented and operated consistently throughout the enterprise.
   Related metrics: N…; N…; N…

[6] For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.

B-3.5c Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)

Agree on the process practices that should be in place (process design).

Assess the process design, i.e., assess to what extent:
- Expected process practices are applied.
- Accountability and responsibility are assigned and assumed.

COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:

A sound process design: The reference against which the process will be assessed in phase with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.

Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference Process: APO13 Manage security
Criteria: Control activities to manage security are properly implemented.

Reference Process Practices | Good Practice | Assessment Step

Target Accessibility
  Good practice: Critical targets are properly protected.
  Assessment step: For all critical information assets, review the identity and access management arrangements. Determine whether access privileges for potential targets are aligned with business needs and asset criticality.

Target Value
  Good practice: The (business value or other value) attributed to information assets is known and measured.
  Assessment step: Obtain and review the inventory of business critical information assets. Determine whether the enterprise has identified potential target information assets that may be exposed to cybercrime and cyberwarfare.

Target Attractiveness
  Good practice: The enterprise has implemented mechanisms for recognising, measuring and controlling target attractiveness.
  Assessment step: Assess by applying appropriate audit techniques (interview, observation ...) whether the management practice is effectively implemented.

APO13.01 Establish and maintain an information security management system (ISMS)
  Good practice: Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.
  Assessment step: Cybersecurity is subject to a comprehensive cycle of Plan-Do-Check-Act (PDCA). Determine whether cybersecurity processes are integrated with the … process. Establish the presence of PDCA in all cybersecurity processes.

APO13.02 Define and manage an information security risk treatment plan
  Good practice: Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation.
  Assessment step: Cybersecurity Risk Treatment Plan: All cybersecurity risk is subject to treatment. Obtain and review the enterprise's plans for cybersecurity risk treatment. Determine whether all cybersecurity risk scenarios have been included in the treatment plan. Determine whether cybersecurity risk treatment options are adequate in relation to the overall organisational (business) risk appetite.

APO13.03 Monitor and review the ISMS
  Good practice: Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyse data about the ISMS, and improve the effectiveness of the ISMS. Correct non-conformities to prevent recurrence. Promote a culture of security and continual improvement.
  Assessment step: Compare the RACI chart as included in the reference process in COBIT 5 with the actual accountability and responsibility for this practice and assess … Cybersecurity Monitoring Process: All cybersecurity-related events … appropriate manner. Determine whether the enterprise operates an adequate and comprehensive monitoring process for cybersecurity-related events and incidents. Obtain and review samples of operational monitoring.

B-3.6c Agree on the process work products [7] (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.

Process APO13 Manage security inputs and outputs. The most relevant (and not assessed as Information items in scope in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.

Criteria: All listed work products should demonstrably exist and be used.

Process Practice | Work Products | Assessment Step
<Process or Practice Name> | List work products not included in the information items section. | Apply appropriate audit techniques to determine the existence and usage of each work product.

B-3.7c Agree on the process capability level to be achieved by the process.

This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes for which no reference practices, work products or outcomes are approved cannot use this assessment method; therefore the concept capability level does not apply.

DSS02 Manage Incidents and Service Requests

B-3.1d Understand the Process context: Incidents in cybersecurity should be identified and managed.

B-3.2d Understand the Process purpose: Achieve increased productivity and minimise disruptions through quick resolution of user queries and incidents.

B-3.3d Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process in COBIT 5: Enabling Processes, page 87. Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step the translation is made between the theoretical RACI chart entry and the real enterprise.

The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following (functions), which therefore will need to be involved during the assurance engagement:

DSS02 Manage Incidents and Service Requests stakeholders:

[7] For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.

B-3.4d Understand the Process goals and related metrics [8] and define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process.

The Process DSS02 Manage Incidents and Service Requests has 3 defined process goals. The following activities can be performed to assess whether the goals are achieved.

Process Goal | Related Metrics | Criteria/Expected Value | Assessment Step

For each goal below, the criteria/expected value is: Agree on the expected values for the Process goal metrics (i.e., the values against which the assessment will take place). The assessment step is: In this step the related metrics for the goal are reviewed and an assessment will be made whether the defined criteria are achieved. (The metric names are cut off in the source; only their first letters survive.)

1. IT-related services are available for use.
   Related metrics: N…; M…

2. Incidents are resolved according to agreed-on service levels.
   Related metrics: Pe…

3. Service requests are dealt with according to agreed-on service levels and to the satisfaction of users.
   Related metrics: Le…; M…

[8] For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.

B-3.5d Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)

Agree on the process practices that should be in place (process design).

Assess the process design, i.e., assess to what extent:
- Expected process practices are applied.
- Accountability and responsibility are assigned and assumed.

COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:

A sound process design: The reference against which the process will be assessed in phase with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.

Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference Process: DSS02 Manage Incidents and Service Requests
Criteria: Control activities to manage incidents and service requests are implemented.

Reference Process Practices | Good Practice | Assessment Step

DSS02.01 Define incident and service request classification schemes
  Good practice: Define incident and service request classification schemes and models.
  Assessment step: Incident Classification and Escalation: Cybersecurity incidents are … classified and appropriately escalated in line with the classification. Obtain and review procedures and samples of incidents, and ascertain that incidents are classified in a formal and consistent manner. Review the escalation path and stages for incidents, based on the existing classification.

DSS02.02 Record, classify and prioritise requests and incidents
  Good practice: Identify, record and classify service requests and incidents, and assign a priority according to business criticality and service agreements.
  Assessment step: Incident Classification and Escalation: Cybersecurity incidents are … classified and appropriately escalated in line with the classification. Review the escalation path and stages for incidents, based on the existing classification.

DSS02.03 Verify, approve and fulfil service requests
  Good practice: Select the appropriate request procedures and verify that the service requests fulfil defined request criteria. Obtain approval, if required, and fulfil the requests.
  Assessment step: Verify entitlement for service requests using, where possible, a predefined process flow and standard changes. Obtain financial and functional approval or sign-off, if required, or pre-approved for agreed-on standard changes. Fulfil the requests by performing the selected request procedure, using, where possible, self-help automated menus and predefined request models for commonly requested items.

DSS02.04 Investigate, diagnose and allocate incidents
  Good practice: Identify and record incident symptoms, determine possible causes, and allocate for resolution.
  Assessment step: Cybersecurity incidents are investigated and diagnosed in line with … Determine whether any and all incidents are duly investigated, based on the classification and severity of each incident. Obtain and review the method and samples of incident diagnostics (… investigative work). Determine whether incident diagnostics are performed at an adequate level of technical depth and understanding. Where third-party services are used in incident investigation and diagnosis, determine whether the enterprise has adequate control over these …

DSS02.05 Resolve and recover from incidents
  Good practice: Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.
  Assessment step: Assess by applying appropriate audit techniques (interview, observation ...) whether the management practice is effectively implemented:
    1. Select and apply the most appropriate incident resolutions (temporary workarounds and/or permanent solution).
    2. Record whether workarounds were used for incident resolution.
    3. Perform recovery actions, if required.
    4. Document incident resolution and assess if the resolution can be used as a future knowledge source.

DSS02.06 Close service requests and incidents
  Good practice: Verify satisfactory incident resolution and/or request fulfilment, and close.
  Assessment step: Assess by applying appropriate audit techniques (interview, observation ...) whether the management practice is effectively implemented:
    1. Verify with the affected users (if agreed on) that the service request has been satisfactorily fulfilled or the incident has been satisfactorily resolved.
    2. Close service requests and incidents.

DSS02.07 Track status and produce reports
  Good practice: Regularly track, analyse and report incident and request fulfilment trends to provide information for continual improvement.
  Assessment step: Assess by applying appropriate audit techniques (interview, observation ...) whether the management practice is effectively implemented:
    1. Monitor and track incident escalations and resolutions and request handling procedures to progress towards resolution or completion.
    2. Identify information stakeholders and their needs for data or reports. Identify reporting frequency and medium.
    3. Analyse incidents and service requests by category and type to establish trends and identify patterns of recurring issues, SLA breaches or inefficiencies. Use the information as input to continual improvement planning.
    4. Produce and distribute timely reports or provide controlled access to online data.

B-3.6d Agree on the process work products [9] (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.

Process DSS02 Manage Incidents and Service Requests inputs and outputs. The most relevant (and not assessed as Information items in scope in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.

Criteria: All listed work products should demonstrably exist and be used.

Process Practice | Work Products | Assessment Step
<Process or Practice Name> | List work products not included in the information items section. | Apply appropriate audit techniques to determine the existence and usage of each work product.

B-3.7d Agree on the process capability level to be achieved by the process.

[9] For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.

This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes for which no reference practices, work products or outcomes are approved cannot use this assessment method; therefore the concept capability level does not apply.

D8= 6anage Continuity

-:.1e 5nderstand the Process conte0t#

rganisational functions and I$ should %eresilient )ith regard to cy%ersecurity

-:.2e 5nderstand the Process purpose#

Continue critical %usiness o"erations andmaintain availa%ility of information at a levelacce"ta%le to the enter"rise in the event ofa significant disru"tion.

-:.:e 5nderstand all "rocess sta'eho(ders and

their roles. $his is e,uivalent tounderstanding the real ACI chart of the"rocess in COBIT 5& Enabling Processes

 page 79 .'e#erage the COBIT 5 3ACI charts for the

 processes in scope to identify anyadditional sta)eholders that "ill need to bein#ol#ed in the assessment! In thisassurance step the translation is madebet"een the theoretical 3ACI chart entryand the real enterprise!

$he sta#eholders of the "rocess are alreadydefined in the ACI chart as a result of ste"

 A-:.:. In addition to those sta#eholders+ this"rocess relies also on the follo)ingfunctions!+ )hich therefore )ill need to %e

involved during the assurance engagement'

D8= 6anage Continuity sta#eholders'

-:.4e

-:.4eCont.

5nderstand the Process goa(s and related

metrics10

 and define e/"ected 6rocess

values criteria!+ and assess )hether the6rocess goals are achieved+ i.e.+ assessthe effectiveness of the "rocess.

$he 6rocess D8= 6anage Continuity has 3 defined "rocess goals.

$he follo)ing activities can %e "erformed to assess )hether the goals are achiev

Process $oa( "e(ate

d6etr 

Criteria+E0pected <a(ue Assessment

10 9or CI$ 3 "rocesses+ a set of goals and metrics are identified in COBIT 5& Enabling Processes.

© ISACA 2014 All rights reserved   65

Page 66: European Cybersecurity Audit Assurance Program Res Eng 0914

8/10/2019 European Cybersecurity Audit Assurance Program Res Eng 0914

http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914 66/105

European Cybersecurity 

 Audit/Assurance Program

IT Audit and Assurance Program for European Cybersecurity

Phase B—-nderstand Enab(ers4 etting uitab(e Assessment Criteria and Perform Processes

ics

usiness-critical information is availa%le to

the %usiness in line )ith minimum re,uiredservice levels.

6e

6e

6e

 Agree on the e+pected #alues for the

Process goal metrics i!e! the #aluesagainst "hich the assessment "ill ta)e

 place!

In this step the related metrics fo

re#ie"ed and an assessment "ilthe defined criteria are achie#ed

Sufficient resilience is in "lace for criticalservices.

(um%ero

fcritical%usinesssyste

msnotcover ed%ythe"lan

 Agree on the e+pected #alues for theProcess goal metrics i!e! the #aluesagainst "hich the assessment "ill ta)e

 place!

In this step the related metrics fore#ie"ed and an assessment "ilthe defined criteria are achie#ed

Service continuity tests have verified theeffectiveness of the "lan.

(

 Agree on the e+pected #alues for theProcess goal metrics i!e! the #alues

In this step the related metrics fore#ie"ed and an assessment "il

© ISACA 2014 All rights reserved   66

Page 67: European Cybersecurity Audit Assurance Program Res Eng 0914

8/10/2019 European Cybersecurity Audit Assurance Program Res Eng 0914

http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914 67/105

European Cybersecurity 

 Audit/Assurance Program

IT Audit and Assurance Program for European Cybersecurity

Phase B—-nderstand Enab(ers4 etting uitab(e Assessment Criteria and Perform Processes

9r 

against "hich the assessment "ill ta)e place!

the defined criteria are achie#ed

 An u"-to-date continuity "lan reflectscurrent %usiness re,uirements.

6e

6e

 Agree on the e+pected #alues for theProcess goal metrics i!e! the #aluesagainst "hich the assessment "ill ta)e

 place!

In this step the related metrics fore#ie"ed and an assessment "ilthe defined criteria are achie#ed

Internal and e/ternal "arties have %eentrained in the continuity "lan.

6e

6e

 Agree on the e+pected #alues for theProcess goal metrics i!e! the #aluesagainst "hich the assessment "ill ta)e

 place!

In this step the related metrics fore#ie"ed and an assessment "ilthe defined criteria are achie#ed

B-3.5e

Agree on suitable criteria to evaluate all processes in scope of the assurance engagement:

- Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)
- Agree on the process practices that should be in place (process design).
- Assess the process design, i.e., assess to what extent:
  - Expected process practices are applied.
  - Accountability and responsibility are assigned and assumed.

COBIT 5 processes are described in COBIT 5: Enabling Processes. Each process requires a number of management practices to be implemented, as described in the process description in the same guide. These are listed below. Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities. A sound process design is the reference against which the process will be assessed in phase …, with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.

Reference process: DSS04 Manage Continuity
Criteria: Control activities to manage continuity are properly implemented.

Reference process practice: DSS04.01 Define the business continuity policy, objectives and scope. Define business continuity policy and scope aligned with enterprise and stakeholder objectives.
  Good practice: The continuity and resilience objectives and scope have been adequately … implemented.
  Assessment steps:
  - Obtain and review the cybersecurity resilience or business continuity … stated by the enterprise.
  - Obtain and review the cybersecurity resilience scope as stated by the …
  - Determine whether the enterprise's cybersecurity resilience scope a… aligned with good practice and that there are no significant gaps.
  - Confirm that the cybersecurity resilience scope and objectives cove… recommendations on resilience, particularly if part of the enterprise… related to a critical infrastructure.

Reference process practice: DSS04.02 Maintain a continuity strategy. Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption.
  Good practice: Cybersecurity resilience strategy
  Assessment steps:
  - Obtain and review the cybersecurity resilience or business continuity …
  - Determine whether the resilience or business continuity strategic op… cover cybersecurity needs and requirements.

Reference process practice: DSS04.03 Develop and implement a business continuity response. Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities.
  Good practice: Continuity and recovery planning and response
  Assessment steps:
  - Verify that all strategic objectives and provisions have been fully im… continuity resilience plans and related solutions.
  - Obtain and review samples of cybersecurity-related resilience or co… related solutions.

Reference process practice: DSS04.04 Exercise, test and review the BCP. Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated.
  Good practice: Cybersecurity testing and exercising
  Assessment steps:
  - Obtain and review the enterprise's cybersecurity testing and exercis…
  - Obtain and review the enterprise's cybersecurity test and exercise p…
  - Determine whether the testing and exercising regime is sufficiently … cover the needs and requirements of cybersecurity.
  - Determine whether the testing and exercise regime is adequate in t… enterprise's cybersecurity process capability levels (maturity levels).
  - Obtain and review samples of test and exercise documentation and …

Reference process practice: DSS04.05 Review, maintain and improve the continuity plan. Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements.
  Assessment steps:
  - Review the continuity plan and capability on a regular basis against … made and current business operational and strategic objectives.
  - Consider whether a revised business impact assessment may be re… on the nature of the change.
  - Recommend and communicate changes in policy, plans, procedure… and roles and responsibilities for management approval and proces… management process.
  - Review the continuity plan on a regular basis to consider the impac… changes to: enterprise, business processes, outsourcing arrangeme… infrastructure, operating systems and application systems.

Reference process practice: DSS04.06 Conduct continuity plan training. Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption.
  Good practice: Cybersecurity resilience training
  Assessment steps:
  - Obtain and review any relevant training and education materials us… enterprise.
  - Determine whether training contents, frequency and operational suc… adequate.

Reference process practice: DSS04.07 Manage backup arrangements. Maintain availability of business-critical information.
  Assessment steps:
  - Back up systems, applications, data and documentation according to … schedule, considering:
    o Frequency (monthly, weekly, daily, etc.)
    o Mode of backup (e.g., disk mirroring for real-time ba… …M for long-term retention)
    o Type of backup (e.g., full vs. incremental)
    o Type of media
    o Automated online backups
    o Data types (e.g., voice, optical)
    o Creation of logs
    o Critical end-user computing data (e.g., spreadsheet…)
    o Physical and logical location of data sources
    o Security and access rights
    o Encryption
  - Ensure that systems, applications, data and documentation maintai… by third parties are adequately backed up or otherwise secured. Co… return of backups from third parties. Consider escrow or deposit arra…
  - Define requirements for on-site and off-site storage of backup data t… business requirements. Consider the accessibility required to back u…
  - Roll out BCP awareness and training.
  - Periodically test and refresh archived and backup data.

Reference process practice: DSS04.08 Conduct post-resumption review. Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption.
  Good practice: Post-resumption reviews
  Assessment steps:
  - Verify that for all invocations of resilience plans and measures, post… reviews have been performed by the enterprise.
  - Obtain and review samples of post-resumption review documents …

B-3.6e

Agree on the process work products¹¹ (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.

Process DSS04 Manage Continuity inputs and outputs. The most relevant and not assessed as information items in scope (in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.

Criteria: All listed work products should demonstrably exist and be used.

Process practice: [Process or Practice Name]
  Work products: List work products not included in the information items section.
  Assessment: Apply appropr… techniques to de… existence and … each work pro…

¹¹ For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.

B-3.7e

Agree on the process capability level to be achieved by the process.

This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes for which no reference practices, work products or outcomes are approved cannot use this assessment method; therefore the concept of capability level does not apply.

DSS05 Manage Security Services

B-3.1f Understand the process context

Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.

B-3.2f Understand the process purpose

Minimise the business impact of operational information security vulnerabilities and incidents.

B-3.3f Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process.

Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step the translation is made between the theoretical RACI chart entry and the real enterprise.

The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following (functions), which therefore will need to be involved during the assurance engagement:

DSS05 Manage Security Services stakeholders: …

B-3.4f Understand the process goals and related metrics¹³ and define expected process values (criteria), and assess whether the process goals are achieved, i.e., assess the effectiveness of the process.

The process DSS05 Manage Security Services has 5 defined process goals.

The following activities can be performed to assess whether the goals are achieved:

Process goal: Networks and communications security meet business needs.
  Related metrics: Number of vulnerabilities discovered; Number of firewall breaches
  Criteria/expected value: Agree on the expected values for the process goal metrics, i.e., the values against which the assessment will take place.
  Assessment: In this step the related metrics for the goal are reviewed and an assessment will be made as to whether the defined criteria are achieved.

Process goal: Information processed on, stored on and transmitted by endpoint devices is protected.
  Related metrics: Pe…; N…; N…
  Criteria/expected value: as above.
  Assessment: as above.

Process goal: All users are uniquely identifiable and have access rights in accordance with their business role.
  Related metrics: Av…; N…
  Criteria/expected value: as above.
  Assessment: as above.

Process goal: Physical measures have been implemented to protect information from unauthorised access, damage and interference when being processed, stored or transmitted.
  Related metrics: Pe…; Av…; N…
  Criteria/expected value: as above.
  Assessment: as above.

Process goal: Electronic information is properly secured when stored, transmitted or destroyed.
  Related metrics: Number of incidents relating to unauthorised access to information
  Criteria/expected value: as above.
  Assessment: as above.

¹³ For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.

B-3.5f

Agree on suitable criteria to evaluate all processes in scope of the assurance engagement:

- Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)
- Agree on the process practices that should be in place (process design).
- Assess the process design, i.e., assess to what extent:
  - Expected process practices are applied.
  - Accountability and responsibility are assigned and assumed.

COBIT 5 processes are described in COBIT 5: Enabling Processes. Each process requires a number of management practices to be implemented, as described in the process description in the same guide. These are listed below. Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities. A sound process design is the reference against which the process will be assessed in phase …, with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.

Reference process: DSS05 Manage Security Services
Criteria: Control activities to manage security services are properly impl…

Reference process practice: DSS05.01 Protect against malware. Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
  Good practice: All relevant cybersecurity services have been implemented and are performed in a controlled and adequate manner. The enterprise's IT environment is adequately protected against malware.
  Assessment steps:
  - Obtain and review the methods, tools and processes that the enterp… protect against malware.
  - Verify that malware protection tools and solutions are up to date and … maintained.
  - Verify that any previous malware infections were analysed and used … for organisational improvement.
  - Verify that the enterprise uses local (owned and operated) as well a… malware protection mechanisms to achieve independent protection …
  - Verify that the enterprise is performing the following practices:
    - Malware protection is integrated with central software distribution an… management, and local deployment is enforced
    - Malware advisories are read, implemented and verified
    - Incidental (user, mail) traffic is filtered against malware
    - Experts and end users are trained and informed about malware on …

Practice: Cybersecurity testing
  Good practice: Cybersecurity arrangements are tested at regular intervals and using adequate methods and techniques.
  Assessment steps:
  - Obtain and review the testing arrangements and objectives as state…
  - Verify that external penetration testing (black and white box) is perfo… intervals.
  - Verify that internal penetration testing (black and white box) is perfo… intervals, including simulated collusion and sleeper attacks.
  - Determine whether the enterprise is using (or planning on using) so… techniques including impersonation, social engineering etc.
  - Verify that in testing, the enterprise adheres to European laws and r… represent constraints on test scope and methods. Consult appropria… where appropriate.

Reference process practice: DSS05.02 Manage network and connectivity security. Use security measures and related management procedures to protect information over all methods of connectivity.
  Assessment steps: Assess by applying appropriate audit techniques (interview, observation…) whether the management practice is effectively implemented:
  1. Based on risk assessments and business requirements, establish an… for security of connectivity.
  2. Allow only authorised devices to have access to corporate informatio… enterprise network. Configure these devices to force password entry.
  3. Implement network filtering mechanisms, such as firewalls and intrus… software, with appropriate policies to control inbound and outbound traff…
  4. Encrypt information in transit according to its classification.
  5. Apply approved security protocols to network connectivity.
  6. Configure network equipment in a secure manner.
  7. Establish trusted mechanisms to support the secure transmission and … information.
  8. Carry out periodic penetration testing to determine adequacy of netwo…
  9. Carry out periodic testing of system security to determine adequacy o… protection.

Reference process practice: DSS05.03 Manage endpoint security. Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted.
  Good practice: Sensitive information outputs and related devices are protected against attacks and breaches. Information processed on, stored on and transmitted by endpoint devices is protected.
  Assessment steps:
  - Verify that the enterprise has a complete inventory of connected end… BYOD.
  - Obtain and review methods, techniques, tools and solutions that the … control and manage end point devices.
  - Verify that end point vendor, software and app service advisories a… internalised and implemented on a regular basis.
  - Verify that adequate protection exists against:
    - Proximity attacks, e.g. NFC, Bluetooth, WLAN
    - Lower level (operating system) attacks (SIM, text-based service com…)
    - Physical duplication of media
    - Physical tampering or modification
    - Theft or destruction
    - Known app or mobile opsys issues and remediation latency
    - Low level mass attacks, e.g. hardware-based disabling of whole cla…
  - Determine whether the enterprise performs end point hardening to t… protection and in line with cybersecurity needs and requirements.
  - Determine whether the enterprise utilises specialised hardened en… exposed use cases or high-risk users.
  - Determine whether the enterprise has implemented end-to-end enc… rest, data in flow) for end point devices.
  - Determine whether the enterprise has identified sensitive outputs in … information classification.
  - Obtain and review the enterprise's protective arrangements for sens… devices, including:
    - Protection of printed output against casual photography
    - Perimeter countermeasures against Van Eck attack vector (screen o…)
    - Network-attached printer vulnerabilities (operating system and print…) including redirect attacks
    - Control, wiping and purging of autonomous output device cache me… sensitive document images (temp files) in printer queue
    - Inventory, control and containment of popular virtual output devices … generators) with known issues and side channel risk

Reference process practice: DSS05.04 Manage user identity and logical access. Ensure that all users have information access rights in accordance with their business requirements and co-ordinate with business units that manage their …
  Assessment steps:
  - Obtain and review the identity and logical access arrangements for … assets.
  - Verify that cybersecurity requirements, parameters and criteria are i… overall identity and access management process.
  - Verify that the principles of "least privilege" and "need to know" have … implemented and are enforced.
  - Determine whether the enterprise extends its identity and logical ac… regime to third parties with access to critical information assets.
  - Obtain and review social control and verification mechanisms that th… established (e.g. verifying identities, telephone behavior etc.).
  - Verify that logging and monitoring of logical access events and atte… comprehensive to meet the needs and requirements of cybersecurity.
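The least-privilege, need-to-know and third-party checks in the steps above are normally run against an entitlement extract from the identity store. The Python below is an added worked example, not code from the ISACA program or from any enterprise: the role matrix, the account records, the audit date (AUDIT_DATE) and the finding codes are all constructed for illustration. It reports entitlements beyond what the assigned role permits, accounts with no accountable natural person (the goal "all users are uniquely identifiable" fails for these), third-party accounts still enabled after their contract end, and roles that were never approved, then gives the share of live accounts with no finding as one input to the process-goal metric.

```python
"""Least-privilege / unique-identity check over an access extract (DSS05.04).

Constructed example: ROLE_MATRIX, ACCOUNTS and AUDIT_DATE are invented test
data, not taken from the ISACA program or any real enterprise.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Role-to-entitlement matrix agreed with the business owners (assumed data).
# Anything a user holds outside their role's set is a least-privilege finding.
ROLE_MATRIX = {
    "teller": {"core-banking:read", "core-banking:post-txn"},
    "branch-mgr": {"core-banking:read", "core-banking:post-txn", "core-banking:approve"},
    "it-ops": {"linux:sudo", "backup:restore"},
    "vendor-dba": {"db:read"},
}

AUDIT_DATE = date(2014, 9, 1)      # constructed "as of" date for the review


@dataclass
class Account:
    user_id: str
    owner: str | None              # accountable natural person; None = nobody owns it
    role: str
    entitlements: set[str]
    third_party: bool = False
    contract_end: date | None = None
    enabled: bool = True


# Constructed identity-store extract.
ACCOUNTS = [
    Account("asmith", "Anna Smith", "branch-mgr",
            {"core-banking:read", "core-banking:post-txn", "core-banking:approve"}),
    # teller who kept an approval right from a previous role
    Account("jdoe", "John Doe", "teller",
            {"core-banking:read", "core-banking:post-txn", "core-banking:approve"}),
    # generic branch login shared by several people: actions cannot be attributed
    Account("shared-branch01", None, "teller", {"core-banking:read"}),
    # external DBA whose contract ended but whose account is still enabled
    Account("ext-acme-dba", "Acme Ltd. (contractor)", "vendor-dba", {"db:read"},
            third_party=True, contract_end=date(2014, 6, 30)),
    Account("ops1", "Olu Bello", "it-ops", {"linux:sudo"}),
    # disabled accounts carry no live exposure and are left out of the rate
    Account("old-intern", "Former Intern", "teller", {"core-banking:approve"}, enabled=False),
    # role that was never approved in the matrix
    Account("mystery", "Pat Lee", "consultant", {"db:read"}),
]


def audit_access(accounts, role_matrix, as_of):
    """Return (user_id, finding_code, detail) for every enabled account that breaks a rule."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.owner is None:
            findings.append((a.user_id, "NOT_UNIQUE",
                             "no accountable owner; activity cannot be tied to one person"))
        allowed = role_matrix.get(a.role)
        if allowed is None:
            findings.append((a.user_id, "UNKNOWN_ROLE",
                             f"role {a.role!r} is not in the approved matrix"))
        else:
            excess = sorted(a.entitlements - allowed)
            if excess:
                findings.append((a.user_id, "EXCESS_PRIVILEGE",
                                 "beyond role: " + ", ".join(excess)))
        if a.third_party and a.contract_end is not None and a.contract_end < as_of:
            findings.append((a.user_id, "THIRD_PARTY_EXPIRED",
                             f"contract ended {a.contract_end.isoformat()} but account is enabled"))
    return findings


def compliance_rate(accounts, findings):
    """Percent of enabled accounts with no finding; one input to the process-goal metric."""
    live = [a for a in accounts if a.enabled]
    flagged = {user_id for user_id, _, _ in findings}
    return round(100.0 * (len(live) - len(flagged)) / len(live), 1)


if __name__ == "__main__":
    results = audit_access(ACCOUNTS, ROLE_MATRIX, AUDIT_DATE)
    for user_id, code, detail in results:
        print(f"{user_id:16} {code:20} {detail}")
    print(f"compliant accounts: {compliance_rate(ACCOUNTS, results)}%")
```

Disabled accounts are excluded from the rate on purpose: the question for the auditor is live exposure. The same pass can be extended with the access-event log from the last step (e.g. accounts with no login in 90 days) once that extract is in hand.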

Reference process practice: DSS05.05 … logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
  Good practice: Building and facilities management systems and their IT interfaces are adequately protected against attacks and breaches. Physical IT assets are adequately protected against loss or hijacking. Physical measures have been implemented to protect information from unauthorised access, damage and interference when being processed, stored or transmitted.

Reference process practice: DSS05.06 Manage sensitive documents and output devices. Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.
  Assessment steps: Assess by applying appropriate audit techniques (interview, observation…) whether the management practice is effectively implemented:
  1. Establish procedures to govern the receipt, use, removal and disposa… and output devices into, within and out of the enterprise.
  2. Assign access privileges to sensitive documents and output devices b… privilege principle, balancing risk and business requirements.
  3. Establish an inventory of sensitive documents and output devices, an… reconciliations.
  4. Establish appropriate physical safeguards over special forms and sen…
  5. Destroy sensitive information and protect output devices (e.g., degau… media, physical destruction of memory devices, making shredders or loc… available to destroy special forms and other confidential papers).

Reference process practice: DSS05.07 Monitor the infrastructure for security-related events. Using intrusion detection tools, monitor the infrastructure for unauthorised access and ensure that any events are integrated with general event monitoring and incident management.
  Assessment steps: Assess by applying appropriate audit techniques (interview, observation…) whether the management practice is effectively implemented:
  1. Log security-related events reported by infrastructure security monito…, identifying the level of information to be recorded based on a considerat… them for an appropriate period to assist in future investigations.
  2. Define and communicate the nature and characteristics of potential s… incidents so they can be easily recognised and their impacts understood … commensurate response.
  3. Regularly review the event logs for potential incidents.
  4. Maintain a procedure for evidence collection in line with local forensic … and ensure that all staff are made aware of the requirements.
  5. Ensure that security incident tickets are created in a timely manner w… identifies potential security incidents.
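Steps 1, 3 and 5 above (log security events with the raw detail kept for investigation, review the logs for potential incidents, and raise incident tickets promptly) can be illustrated with a small detection over authentication logs. The script below is an added example, not part of the ISACA program: the sshd lines in SAMPLE_LOG are constructed, and the ISO-8601 timestamp prefix, the five-failures-in-60-seconds threshold and the SEC-nnnn ticket identifiers are assumptions. It opens a medium ticket when one source address fails that many logins inside the window, escalates it to high when the same source then authenticates successfully, keeps every raw line as evidence, and shows why a sliding window matters: a slow scanner spacing failures two minutes apart never reaches the threshold.

```python
"""Review sshd authentication events and raise incident tickets (DSS05.07).

Constructed example: SAMPLE_LOG is invented; the line format mirrors
OpenSSH's syslog messages with an ISO-8601 timestamp prefix. Threshold,
window and ticket numbering are assumptions to be tuned to a real baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

SAMPLE_LOG = [
    "2014-09-01T08:00:00 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2",
    "2014-09-01T08:00:04 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 40212 ssh2",
    "2014-09-01T08:00:05 bastion CRON[2110]: (root) CMD (run-parts /etc/cron.hourly)",
    "2014-09-01T08:00:09 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 40213 ssh2",
    "2014-09-01T08:00:12 bastion sshd[2130]: Failed password for jdoe from 198.51.100.7 port 51000 ssh2",
    "2014-09-01T08:00:14 bastion sshd[2101]: Failed password for invalid user oracle from 203.0.113.5 port 40214 ssh2",
    "2014-09-01T08:00:19 bastion sshd[2101]: Failed password for jdoe from 203.0.113.5 port 40215 ssh2",
    "2014-09-01T08:00:20 bastion sshd[2130]: Accepted password for jdoe from 198.51.100.7 port 51000 ssh2",
    "2014-09-01T08:00:24 bastion sshd[2101]: Failed password for jdoe from 203.0.113.5 port 40216 ssh2",
    "2014-09-01T08:00:35 bastion sshd[2101]: Accepted password for jdoe from 203.0.113.5 port 40217 ssh2",
    # slow scanner: one failure every two minutes never fills a 60-second window
    "2014-09-01T08:10:00 bastion sshd[2200]: Failed password for root from 192.0.2.9 port 3000 ssh2",
    "2014-09-01T08:12:00 bastion sshd[2200]: Failed password for root from 192.0.2.9 port 3001 ssh2",
    "2014-09-01T08:14:00 bastion sshd[2200]: Failed password for root from 192.0.2.9 port 3002 ssh2",
    "2014-09-01T08:16:00 bastion sshd[2200]: Failed password for root from 192.0.2.9 port 3003 ssh2",
    "2014-09-01T08:18:00 bastion sshd[2200]: Failed password for root from 192.0.2.9 port 3004 ssh2",
]


def parse_line(line):
    """Return the fields of an sshd password event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["raw"] = line                 # the raw line is kept verbatim as evidence
    return ev


def _ticket(number, severity, kind, ev, evidence):
    return {"id": f"SEC-{number:04d}", "severity": severity, "kind": kind,
            "host": ev["host"], "source": ev["src"],
            "opened_at": ev["ts"].isoformat(), "evidence": list(evidence)}


def detect_incidents(lines, threshold=5, window=timedelta(seconds=60)):
    """Open a ticket when one source fails `threshold` logins inside `window`;
    escalate it to high if that same source then logs in successfully."""
    failures = defaultdict(deque)    # src -> recent (ts, raw) failures within window
    open_for = {}                    # src -> index of its open ticket
    tickets = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0][0] > window:
            recent.popleft()         # sliding window: old failures age out
        if ev["outcome"] == "Failed":
            recent.append((ev["ts"], ev["raw"]))
            if ev["src"] in open_for:
                tickets[open_for[ev["src"]]]["evidence"].append(ev["raw"])
            elif len(recent) >= threshold:
                open_for[ev["src"]] = len(tickets)
                tickets.append(_ticket(len(tickets) + 1, "medium", "brute-force",
                                       ev, (raw for _, raw in recent)))
        elif len(recent) >= threshold:
            # success right after a burst of failures: treat as possible compromise
            if ev["src"] in open_for:
                t = tickets[open_for[ev["src"]]]
                t["severity"], t["kind"] = "high", "possible-credential-compromise"
                t["evidence"].append(ev["raw"])
            else:
                open_for[ev["src"]] = len(tickets)
                tickets.append(_ticket(len(tickets) + 1, "high", "possible-credential-compromise",
                                       ev, [raw for _, raw in recent] + [ev["raw"]]))
    return tickets


if __name__ == "__main__":
    for t in detect_incidents(SAMPLE_LOG):
        print(t["id"], t["severity"], t["kind"], t["source"], f"{len(t['evidence'])} evidence lines")
```

The single typo-then-success from 198.51.100.7 produces nothing, and the one ticket that is raised carries all seven raw lines, which is the form of evidence step 4 asks staff to preserve rather than a paraphrase.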

Practice: Contract terms and conditions, jurisdiction
  Good practice: Contract terms with the third party clearly state levels of cybersecurity to be delivered. Contract jurisdiction is known and controlled.
  Assessment steps:
  - Obtain and review the contract documents as well as any terms and … third-party services (applications) relevant to cybersecurity.
  - Determine whether the enterprise has adequately documented the l… and that any exceptions are supported by a formal risk acceptance.
  - Verify that contract and delivery jurisdictions provide an adequate le… and reliability with regard to cybersecurity and potential litigation. Co… assistance where appropriate.

Practice: Forced cloud utilisation
  Good practice: Where cloud use is compulsory or enforced by third parties, adequate protection mechanisms are in place to prevent attacks or breaches.
  Assessment steps:
  - Obtain and review the enterprise's list of cloud services and apps th… by vendors or operating system distributors.
  - Determine whether the enterprise has taken adequate steps to mitig… threats arising from forced cloud utilisation, both at the enterprise an… level.

Practice: Industrial control systems
  Good practice: Industrial control systems and their IT interfaces are adequately protected against attacks and breaches.
  Assessment steps:
  - Obtain and review the enterprise's inventory of known and defined i… standard IT and industrial control systems.
  - Determine whether the enterprise has taken adequate steps to prot… control systems, for instance through:
    - Restricting access to ICS to read-only
    - Restricting data transmission between ICS and standard IT to flat fil… ASCII, CSV etc.)
    - Defining a restricted dataset (field mapping) to be made available b…
    - Applying restrictive access and no privileges when remotely access… full access to ICS to local (LAN) proximity connections
    - Restricting vendor (maintenance) remote access to ICS
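Two of the ICS controls listed above, restricting the ICS-to-IT exchange to flat files and defining a restricted dataset through an explicit field mapping, come down to a default-deny allowlist at the boundary. The Python below is an added example and not from the ISACA program or any real plant: the historian tag names, the sample values and FIELD_MAP are constructed. The ICS side exports only the mapped tags as ASCII CSV (setpoint commands and credentials are not in the map and so never leave), and the IT side refuses any file whose columns differ from the agreed mapping; because nothing flows back, the exchange is read-only with respect to the control system.

```python
"""One-way, allowlisted export of ICS data to standard IT as a flat CSV file.

Constructed example: the tag names, samples and FIELD_MAP are invented to
illustrate the 'restricted dataset (field mapping)' and 'flat file' controls;
they are not from the ISACA program or any real plant.
"""
import csv
import io

# Restricted dataset: only these ICS tags may leave the control network, and
# each is renamed/converted on the way out. Setpoints, commands and credentials
# are simply not in the map, so they can never be exported.
FIELD_MAP = {
    "Hist.SampleTime": ("sampled_at", str),
    "PLC1.Tank1.Level_pct": ("tank1_level_pct", float),
    "PLC1.Pump1.Running": ("pump1_running", lambda v: 1 if v else 0),
}

# Constructed historian samples; the last two tags in each must never reach IT.
SAMPLES = [
    {"Hist.SampleTime": "2014-09-01T08:00:00Z", "PLC1.Tank1.Level_pct": 72.4,
     "PLC1.Pump1.Running": True, "PLC1.Pump1.Setpoint_cmd": 80.0,
     "PLC1.Auth.Password": "plc-secret"},
    {"Hist.SampleTime": "2014-09-01T08:01:00Z", "PLC1.Tank1.Level_pct": 73.9,
     "PLC1.Pump1.Running": False, "PLC1.Pump1.Setpoint_cmd": 80.0,
     "PLC1.Auth.Password": "plc-secret"},
]


def export_restricted(samples, field_map=FIELD_MAP):
    """ICS side: produce ASCII CSV text containing only the mapped tags.
    Returns (csv_text, sorted list of tags that were dropped)."""
    columns = [col for col, _ in field_map.values()]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    dropped = set()
    for sample in samples:
        row = {}
        for tag, value in sample.items():
            if tag not in field_map:
                dropped.add(tag)          # default deny: unmapped tags never leave
                continue
            col, convert = field_map[tag]
            row[col] = convert(value)
        missing = [c for c in columns if c not in row]
        if missing:
            raise ValueError(f"sample lacks mapped tags for {missing}")
        writer.writerow(row)
    text = buf.getvalue()
    text.encode("ascii")                  # flat ASCII only; raises on anything else
    return text, sorted(dropped)


def import_flat_file(text, field_map=FIELD_MAP):
    """IT side: accept the file only if its columns are exactly the agreed ones."""
    expected = [col for col, _ in field_map.values()]
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != expected:
        raise ValueError(f"unexpected columns {reader.fieldnames}, want {expected}")
    rows = []
    for row in reader:
        if None in row:                   # extra fields beyond the header land under None
            raise ValueError("row has more fields than the header")
        rows.append(row)
    return rows


if __name__ == "__main__":
    csv_text, dropped_tags = export_restricted(SAMPLES)
    print(csv_text)
    print("never exported:", dropped_tags)
    print(import_flat_file(csv_text))
```

Both sides check the same FIELD_MAP, so a change to the agreed dataset has to be made deliberately on both the ICS exporter and the IT importer; a file that gains a column on the way (for example a write-back setpoint) is rejected rather than silently ingested.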

© ISACA 2014 All rights reserved   86

Page 87: European Cybersecurity Audit Assurance Program Res Eng 0914

8/10/2019 European Cybersecurity Audit Assurance Program Res Eng 0914

http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914 87/105

European Cybersecurity 

 Audit/Assurance Program

IT Audit and Assurance Program for European Cybersecurity

…protected against attacks and breaches.

Critical Applications in Production: Productive critical applications are adequately protected against attacks and breaches.

Obtain and review the list of applications classified as critical with re… cybersecurity.

Obtain and review the documented cybersecurity arrangements for… as stated by the enterprise.

Determine whether the enterprise has encapsulated and segregated… applications, for instance through:

- Separation from non-critical network topology
- Separation from network segments with external network connectiv…
- Dedicated hardened server platform
- Independent or non-standard operating systems with hardened sec… specific Unix distributions)
- Virtualised (sandboxed) runtime environment for application, segreg… facility

Critical Application Development: Critical applications development is adequately designed to protect against attacks and breaches.

Obtain and review the list of applications for which the enterprise un… contracts) development activities.

Obtain and review the documented cybersecurity arrangements for… development as stated by the enterprise.

Determine whether the enterprise has implemented appropriate con… development, for instance:

- Secure development lifecycle
- Peer-reviewed and non-proprietary coding
- Built-in monitoring and "self-healing" processes

Electronic information is properly secured when stored, transmitted or destroyed.

Number of incidents relating to unauthorised access to information

Assess by applying appropriate audit techniques (interview, observation) whether the management practice is effectively implemented.

B-3.6f Agree on the process work products [19].

… inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.

[19] For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.

Process DSS05 Manage Security Services: inputs and outputs. The most relevant (and not assessed as Information items in scope in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.

Criteria: All listed work products should demonstrably exist and be used.

Process Practice | Work Products | Assess…

[Process or Practice Name] | List work products not included in the information items section. | Apply appropr… techniques to de… existence and … each work pro…

B-3.7f Agree on the process capability level to be achieved by the process.

This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes for which no reference practices, work products or outcomes are approved cannot use this assessment method; therefore the concept of capability level does not apply.


Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform: Organisational Structures

Ref. | Assurance Steps and Guidance

B-4 Obtain understanding of each Organisational Structure in scope and set suitable assessment criteria: For each Organisational Structure in scope (as determined in step A-3.3), additional information is collected and assess… defined. Assess the Organisational Structure.

Organisational Structure: Cybersecurity team

B-4.1a Understand the Organisational Structure context. Identify and document all elements that can help to understand the context in which the Cybersecurity team organisatio… including:

- The overall organisation
- Management/process framework
- History of the role/structure
- Contribution of the Organisational Structure to achievement of goals

B-4.2a Understand all stakeholders of the Organisational Structure/function. Determine through documentation review (policies, management communications, etc.) the key stakeholders of the Cybe… organisation.

- Incumbent of the role and/or members of the Organisational Structure
- Other key stakeholders affected by the decisions of the Organisational Structure/role

B-4.3a Understand the goals of the Organisational Structure, the related metrics and agree on expected values. Understand h… contribute to the achievement of the enterprise goals and IT-related goals.

Organisational Structure Goal | Assessment Step

Goal: Determine through interviews with key stakeholders and documentation review the goals of the Cybersecurity team, i.e., the decisions for which they are accountable [14] [15].

Assessment steps: This step only applies if specific goals are de… the assurance professional will use appropria… techniques to:

- Identify the decisions made by the Organi…
- Assess whether decisions are appropriate… communicated.
- Evaluate the decisions by assessing whe…
  - They have contributed to the achieveme… and enterprise goals as anticipated.
  - Decisions are duly executed on a timely…

B-4.4a Agree on the expected good practices for the Organisational Structure against which it will be assessed. Assess the Organisational Structure design, i.e., assess the extent to which expected good practices are applied.

Good Practice | Criteria | Assessment Step

Good practice: Operating principles
Criteria: Operating principles are documented. Regular meetings take place as defined in operating principles. Meeting reports/minutes are available and are meaningful.
Assessment steps: Verify whether operating principles are appropriat… Verify that regular meetings take place as defined… principles. Verify that meeting reports/minutes are available…

Good practice: Composition
Criteria: The Organisational Structure's composition is balanced and complete, i.e., all required stakeholders are sufficiently represented. Cybersecurity resources are adequate.
Assessment steps: Assess whether the Organisational Structure's co… balanced and complete, i.e., all required stakehol… represented. Obtain and review a list of resources allocated to… (people, technology, other). Determine whether the general and specific level… allocation is sufficient to meet the needs and requ… cybersecurity. Assess the formal remit of resources within the cy… (RACI, span of control etc.) and its adequacy with… cybersecurity tasks.

Good practice: Span of control
Criteria: The span of control of the Organisational Structure is defined. The span of control is adequate, i.e., the Organisational Structure has the right to make all decisions it should. The span of control is in line with the overall enterprise governance arrangements. Cybersecurity is considered in business continuity and resilience.
Assessment steps: Verify whether the span of control of the Organisa… defined. Assess whether the span of control is adequate, i… Organisational Structure has the right to make all… Verify and assess whether the span of control is i… enterprise governance arrangements. Obtain and review the organisational interfaces b… and business continuity management or resilienc… including crisis management. Verify that the organisational relationship between… fully defined and adequate in terms of cybersecur… requirements. Determine whether the relationship between incid… and the cybersecurity function has clearly assigne… inconsistencies. Determine whether the relationship between crisis… the cybersecurity function has clearly assigned… inconsistencies, particularly where escalation and… mode are concerned. Determine whether the relationship between resil… continuity and the cybersecurity function has clea… and no inconsistencies, particularly where recove… and solutions are concerned. Obtain and review the organisational interfaces b… and general information security. Obtain and review the organisational interfaces b… and corporate security. Verify that the organisational interfaces and delive… defined and adequate in terms of cybersecurity ne… requirements.

Good practice: Level of authority/decision rights
Criteria: Decision rights of the Organisational Structure are defined and documented. Decision rights of the Organisational Structure are respected and complied with (also a culture/behaviour issue). The cybersecurity function is positioned at an appropriate organisational level.
Assessment steps: Verify that decision rights of the Organisational Stru… and documented. Verify whether decision rights of the Organisational… complied with and respected. Determine whether the cybersecurity function is a… to perform its tasks and discharge its responsibilit…

Good practice: Delegation of authority
Criteria: Delegation of authority is implemented in a meaningful way.
Assessment step: Verify whether delegation of authority is implemente… way.

Good practice: Escalation procedures
Criteria: Escalation procedures are defined and applied.
Assessment step: Verify the existence and application of escalation pr…

[14] The RACI charts in COBIT 5: Enabling Processes can be leveraged as a starting point for the expected goals of a role or Organisational Structure.

[15] The Organisational Structure/role as described may not exist under the same name in the enterprise; in that case, the closest Organisational Structure assuming the same responsibilities and accountability should be considered.

B-4.5a Understand the life cycle and agree on expected values. Assess the extent to which the Organisational Structure life cycle is managed.

Life-Cycle Element | Criteria | Assessment Step

Life-cycle element: Mandate
Criteria: The Organisational Structure is formally established. The Organisational Structure has a clear, documented and well-understood mandate. There is a dedicated cybersecurity function with adequate resources and an appropriate remit. Cybersecurity is clearly delineated from other organisational functions.
Assessment steps: Verify through interviews and observations that th… Structure is formally established. Verify through interviews and observations that th… Structure has a clear, documented and well unde… Obtain and review organisational charts and othe… documentation for the cybersecurity function. Defined interfaces exist between cybersecurity an… organisational functions.

Life-cycle element: Monitoring
Criteria: The performance of the Organisational Structure and its members should be regularly monitored and evaluated by competent and independent assessors. The regular evaluations should result in the required continuous improvements to the Organisational Structure, either in its composition, mandate or any other parameter.
Assessment steps: Verify whether the performance of the Organisatio… members is regularly monitored and evaluated by… independent assessors. Verify whether the regular evaluations have resul… to the Organisational Structure, in its composition… other parameter.

B-4.1 to B-4.5 Repeat steps B-4.1 through B-4.5 for all remaining Organisational structures in scope.

Repeat the steps described above for the remaining Organisational structures:

- Business executives
- Service manager
- Chief information officer (CIO)
- Business process owners
- Chief information security officer (CISO)
- Chief executive officer (CEO)
- Head IT operations
- Risk function
- Privacy officer
- Compliance
- Audit


Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform: Culture, Ethics and Behaviour

Ref. | Assurance Step and Guidance | Issue Cross-reference

B-5 Obtain understanding of the Culture, Ethics and Behaviour in scope. Assess Culture, Ethics and Behaviour.

Culture, Ethics and Behaviour: Integrity and Reliability

B-5.1a Understand the Culture, Ethics and Behaviour context.

- What the overall corporate Culture is like
- Understand the interconnection with other enablers in scope:
  - Identify roles and structures that could be affected by the Culture.
  - Identify processes that could be affected by Culture, Ethics and Behaviour, including any processes in scope of the review.

B-5.2a Understand the major stakeholders of the Culture, Ethics and Behaviour: Integrity and Reliability

Understand to whom the behaviour requirements will apply, i.e., understand who embodies the roles/structures expected to demonstrate the correct set of Behaviours. This is usually linked to the roles and Organisational Structures identified in scope.

B-5.3a Understand the goals for the Culture, Ethics and Behaviour, and the related metrics and agree on expected values.

Assess whether the Culture, Ethics and Behaviour goals (outcomes) are achieved, i.e., assess the effectiveness of the Culture, Ethics and Behaviour.

In the context of Integrity and Reliability the following Culture, Ethics and Behaviour are desired:

Culture and especially Behaviours are associated to individuals and the Organisational Structures of which they are a part; therefore, by using appropriate auditing techniques, the assurance professional will:

- Identify individuals who must comply with the Behaviours under review.
- Identify the Organisational Structures involved.
- Assess whether desired Behaviours can be observed.
- Assess whether undesirable Behaviours are absent.

For a representative sample of individuals, perform the following assessment steps.

Desired Behaviour (Culture, Ethics and Behaviour Goal) | Assessment Step

Desired behaviour: Organisational Culture: The process of deploying cybersecurity solutions is controlled and monitored in full compliance with the relevant policy and procedures.

Desired behaviour: Organisational Values and Beliefs: Values and beliefs within the organisation are realistic and appropriately reflect current cybersecurity facts and knowledge.
Assessment steps: Obtain and review the organisation's stated set of values that have an impact on cybersecurity. Conduct randomised (informal) interviews to gain an understanding of commonly held beliefs and assumptions regarding cybersecurity. Identify and informally report any inconsistencies between formal values and actual beliefs or assumptions, particularly where these inconsistencies might be "weak signals" indicating systemic weaknesses in cybersecurity.

Desired behaviour: Cybersecurity Target Culture: The organisation has defined and implemented a target culture that is conducive to cybersecurity governance, management and compliance.
Assessment steps: Obtain the organisation's statement (if any) and related materials on the desired cybersecurity culture. Determine whether the organisation has adopted cybersecurity as a sufficiently important element of corporate culture.

Desired behaviour: Organisational Ethics; Code of Ethics: The organisation has established cybersecurity good practice as part of their code of ethics.
Assessment steps: Verify that cybersecurity values and culture have been included as part of the general code of ethics, including clear and unambiguous guidance on cybercrime and other illegal acts. Verify that any related issues (such as BYOD) have been fully incorporated into the general code of ethics and any subsidiary guidance on cybersecurity.

Desired behaviour: Ethical Enforcement: The organisation follows up on any and all instances of cybercrime or other illegal acts.
Assessment steps: Enquire of management whether any and all illegal acts are prosecuted, and note any exceptions. Verify that all European provisions on cybercrime, investigation and prosecution are adhered to. Consult appropriate legal assistance where needed.

Desired behaviour: Organisational Behaviour Patterns; Desirable Behaviours: The organisation has clearly defined desirable behaviours with regard to cybersecurity.
Assessment steps: Determine whether the organisation has formulated model desirable behaviours in terms of cybersecurity. Determine whether the organisation has introduced, and is living by, guiding principles in cybersecurity.

B-5.4a Understand the life cycle stages of the Culture, Ethics and Behaviour, and agree on the relevant criteria.

Assess to what extent the Culture, Ethics and Behaviour life cycle is managed.

(This aspect is already covered by the assessment of the good practices, hence no additional separate assurance steps are defined here.)


B-5.5a Understand good practice when dealing with Culture, Ethics and Behaviour, and agree on relevant criteria.

Assess the Culture, Ethics and Behaviour design, i.e., assess to what extent expected good practices are applied.

Good Practice | Criteria | Assessment Step

Good practice: Communication, enforcement and rules
Criteria: Existence and quality of the communication
Assessment step: Apply appropriate auditing techni… whether the good practice is adeq… assessment criteria are met.

Good practice: Incentives and rewards
Criteria: Existence and application of appropriate rewards and incentives

Good practice: Awareness
Criteria: Awareness of desired Behaviours

B-5.1 to B-5.5 Repeat steps B-5.1 through B-5.5 for all remaining Culture, Ethics and Behaviour in scope.

Repeat the steps described above for the remaining Culture, Ethics and Behaviour:

- Personal and Professional Reliability


Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform: Information Items

Ref. | Assurance Steps and Guidance | Issue Cross-reference

B-6 Obtain understanding of the Information Items in scope. Assess Information Items.

Information Item: Formal Cybersecurity Policy

B-6.1a Understand the Information item context:

- Where and when is it used?
- For what purpose is it used?
- Understand the connection with other enablers in scope, e.g.:
  - Used by which processes?
  - Which Organisational Structures are involved?
  - Which services/applications are involved?

B-6.2a Understand the major stakeholders of the Information item: Formal Cybersecurity Policy. Understand the stakeholders for the Information item, i.e., identify the:

- Information producer
- Information custodian
- Information consumer

Stakeholders should be at the appropriate organisational level.

B-6.3a Understand the major quality criteria for the Information item, the related metrics and agree on expected values.

Assess whether the Information item quality criteria (outcomes) are achieved, i.e., assess the effectiveness of the Information item.

Leverage the COBIT 5 Information enabler model [16], focusing on the quality goals description to select the most relevant Information quality criteria for the Information item at hand. Document expectations regarding information criteria. The COBIT 5 Information enabler model identifies 15 different quality criteria; although all of them are relevant, it is nonetheless possible and recommended to focus on a subset of the most important criteria for the Information item at hand.

Mark the quality dimensions with an 'X' that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.

The assurance professional will, by using appropriate auditing techniques, verify… in scope and assess whether the criteria are met.

Quality Dimension | Key Criteria | Description | Assessm…

- Accuracy
- Objectivity
- Believability
- Reputation
- Relevancy
- Completeness
- Currency
- Amount of information
- Concise representation
- Consistent representation
- Interpretability
- Understandability
- Manipulation
- Availability
- Restricted access

[16] COBIT 5 framework, Appendix G, p. 81-84

B-6.4a Understand the life cycle stages of the Information item, and agree on the relevant criteria.

Assess to what extent the Information item life cycle is managed.

The life cycle of any Information item is managed through several business and IT-related processes. The scope of this review already includes a review of (IT-related) processes, so this aspect does not need to be duplicated here.

- When the Information item is internal to IT, the process review will have covered the life cycle aspects sufficiently.
- When the Information item also involves other stakeholders outside IT or other non-IT processes, some of the life cycle aspects need to be assessed.

Mark the life cycle stages with an 'X' that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.

Life Cycle Stage | Key Criteria | Description | Assessm…

- Plan
- Design
- Build/acquire
- Use/operate
- Evaluate/monitor
- Update/dispose

B-6.5a Understand important attributes of the Information item and expected values.

Assess the Information item design, i.e., assess the extent to which expected good practices are applied.

Good practices for Information items are defined as a series of attributes for the Information item [17]. The assurance professional will, by using appropriate audit techniques, verify all attributes in scope and assess whether the attributes are adequately defined.

Mark the attributes with an 'X' that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.

Attribute | Key Criteria | Description | Assessm…

- Physical
- Empirical
- Syntactic
- Semantic
- Pragmatic
- Social

[17] COBIT 5 framework, appendix G, p. 81-84

B-6.1 to B-6.5 Repeat steps B-6.1 through B-6.5 for all remaining Information items in scope.

Repeat the steps described above for the remaining Information items:

- Code of Conduct
- Third-party access policies
- Virtual architecture documentation
- Virtualisation policies
- Cybersecurity technical standards
- Technical guidelines and procedures at the IT service level, including services partially or fully provided by third parties
- Technical guidelines and procedures at the IT application level
- Technical guidelines and procedures at the IT platform level, including remotely controlled and administered platforms (rental virtual servers etc.)
- Technical guidelines and procedures at the autonomous IT hardware level (including stand-alone servers and clusters, end user PC devices etc.)
- Technical guidelines and procedures for critical or particularly exposed hardware items, notably mobile devices such as smartphones or tablets
- Technical and administrative guidelines and procedures around BYOD
- Technical and administrative guidelines and procedures for industrial control systems and IT interfaces
- Technical and administrative guidelines and procedures for building and facilities management systems
- Incident management, disaster recovery and service business continuity procedures for critical IT assets
- Guidelines and procedures concerning the identification, documentation and safeguarding of informational evidence, e.g. logs
- Virtualisation controls assessment results
- Third-party access controls assessment results
- Cybersecurity attributes in data and information classification
- Evidence of cybersecurity inclusion in data and information classification


Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform: Services, Infrastructures and Applications

Ref. | Assurance Steps and Guidance

B-7 Obtain understanding of the Services, Infrastructure and Applications in scope. Assess Services, Infrastructure and Applications.

Services, Infrastructure and Applications: Cybersecurity training

B-7.1a Understand the Services, Infrastructure and Applications context. Understand the organisational and technological context of this service. Refer to steps A-3.3 and A-3.6 and re-use that information… the significance of this Service, Infrastructure and Application.

B-7.2a Understand the major stakeholders of the Services, Infrastructure and Applications: Cybersecurity training. Understand who will be the major stakeholders of the service, i.e., the sponsor, provider and users. Stakeholders will include a nu… organisational roles but could also link to Processes.

B-7.3a Understand the major goals for the Services, Infrastructure and Applications, the related metrics and agree on expected valu… Assess whether the Services, Infrastructure and Applications goals (outcomes) are achieved, i.e., assess the effectiveness of the… Infrastructure and Applications.

Goal | Criteria | Assessment Step

Goal: Service description
Criteria: The Service is clearly described. Roles and responsibilities are clearly defined. The Service is available to all potential stakeholders.
Assessment steps: Verify that the Service exists and is clearly described. Verify that roles and responsibilities are clearly defined. Assess the quality of the Service description and of the Servi… Verify the accessibility of the Service to all potential stakehold…

Goal: Service level definition
Criteria: Service levels are defined for: quality of the service deliverables; ease to request the service; timeliness.
Assessment steps: Verify that the following aspects are dealt with in the Service…: quality of the Service deliverables; ease to request the service; timeliness. Verify to what extent Service levels are achieved.

Goal: Contribution to related enablers, IT and enterprise goals
Criteria: The Service contributes to the achievement of related enabler and IT-related and enterprise goals.
Assessment step: Assess to what extent the Service contributes to the achieveme… enabler goals and to the overall IT-related and enterprise goals.

B-7.4a Understand good practice related to the Services, Infrastructure and Applications and expected values. Assess the Services, Infrastructure and Applications design, i.e., assess to what extent expected good practices are applied.

Leverage the description of Services, Infrastructure and Applications in the COBIT 5 framework [18] to identify good practices relate… Infrastructure and Applications. In general the following practices need to be implemented:

- Buy/build decision needs to be taken.
- Use of the Service needs to be clear.

Good Practice | Criteria | Assessment Step

Good practice: Sourcing (buy/build)
Criteria: A formal decision (based on a business case) needs to be taken regarding the sourcing of the Service.
Assessment steps: Verify that a formal decision (based on a business case) wa… the sourcing of the Service. Verify the validity and quality of the business case. Verify that the sourcing decision has been duly executed.

Good practice: Use
Criteria: The use of the Service needs to be clear: when it needs to be used and by whom; the required compliance levels with the Service's output.
Assessment steps: Verify that the use of the Service is clear, i.e., it is known whe… the service needs to be used. Verify that actual use is in line with the requirement above. Verify that the actual Service output is adequately used. Verify that Service levels are monitored and achieved.

B-7.1 to B-7.4 Repeat steps B-7.1 through B-7.4 for all remaining Services, Infrastructure and Applications in scope.

Repeat the steps described above for the remaining Services, Infrastructure and Applications:

- Change management
- Human resources
- Help desk
- Incident tracking system

[18] COBIT 5 framework, appendix G, p. 85-8…


Phase B—-nderstand Enab(ers4 etting uitab(e Assessment Criteria and PerformPeop(e4 'i((s and Competencies

"ef# Assurance teps and $uidance

B% %tain understanding of the Peop(e4 'i((s and Competencies in sco"e. Assess 6eo"le+ S#ills and Com"etencies.

Peop(e4 'i(( and Competency: Cybersecurity Personne( 'i((s

-=.1a 5nderstand the Peop(e4 'i((s and Competencies conte/t.-nderstand the conte+t of the 1)ill/Competency i!e!&

=here and "hen is it used>

,or "hat purpose is it used>

-nderstand the connection "ith other enablers in scope e!g!&

In "hich roles and structures is the 1)ill/Competency used> ;1ee also B$4!!<

=hich beha#iours are associated "ith the 1)ill/Competency>

-=.2a 5nderstand the ma&or sta'eho(ders for the Peop(e4 'i((s and Competencies: Cybersecurity Personne( 'i((sIdentify to "hom in the organisation the s)ill re0uirement applies!

B-8.3a Understand the major goals for the People, Skills and Competencies, the related metrics and agree on expected values. Assess whether the People, Skills and Competencies goals (outcomes) are achieved, i.e., assess the effectiveness of the People, Skills and Competencies.

For the People, Skills and Competencies: Cybersecurity Personnel Skills, the following goals and associated criteria can be ad…

Goal | Criteria | Assessment Step

Goal: Experience
Criteria: All cybersecurity personnel possess the necessary experience to meet the needs and requirements of cybersecurity. Skills and experience requirements for new hires or side entries are aligned with the organisation's cybersecurity needs and requirements.
Assessment step: Determine whether the organisation has defined and docume… skills and experience requirements, for instance in job descri… offers. Verify that these minimum requirements are in line with good… cybersecurity needs and requirements of the organisation.

Goal: Education
Criteria: The enterprise enables, operates and encourages adequate training, education and awareness measures for all employees and relevant third parties. Specifically, employees or third parties with cybersecurity tasks and responsibilities are subject to compulsory training and awareness.
Assessment step: The organisation offers, and mandates, the appropriate level… training to cybersecurity practitioners as well as end users. The organisation is fully aware and informed about independ… educational opportunities. The organisation encourages, and… appropriate level of education to cybersecurity practitioners a…

Goal: Qualification

Goal: Knowledge
Criteria: The enterprise enables, operates and encourages adequate awareness measures for all employees and relevant third parties. Specifically, employees or third parties with cybersecurity tasks and responsibilities are subject to compulsory awareness.
Assessment step: The organisation creates and maintains an adequate level of cy… awareness among all employees, and specifically high-risk user…

Goal: Technical skills
Criteria: All cybersecurity personnel are adequately skilled and supported in acquiring the requisite skills to perform their tasks.
Assessment step: Obtain and review sample professional skill sets for employe… cybersecurity tasks. Obtain and review lists of individual training needs and trainin…

Goal: Behavioural skills
Criteria: All personnel with cybersecurity tasks and responsibilities meet the required standard of personal and professional integrity.
Assessment step: Determine whether the organisation performs appropriate bac… when hiring cybersecurity personnel. Verify that background checking is conformant with laws and… Consult legal assistance where appropriate.

Goal: Number of people with appropriate skill level
Criteria: All personnel with cybersecurity tasks and responsibilities are personally and professionally reliable, and able to continue their job.
Assessment step: Determine whether the organisation performs repeated and f… background checks on employees with tasks and responsibil… cybersecurity. Verify that background checking is conformant with European… regulations. Consult legal assistance where appropriate. Verify that employees have given explicit consent to having th… checked.

B-8.4a Understand the life cycle stages of the People, Skills and Competencies, and agree the relevant criteria. Assess to what extent the People, Skills and Competencies life cycle is managed.

For the People, Skills and Competencies at hand, the life cycle phases and associated criteria can be expressed in function of the process APO07.

For the People, Skills and Competen… assurance professional will perform t… assessment steps.

Life Cycle Element | Criteria | Assessment Step

Plan
Criteria: Practice APO07.03, activity 1 (Define the required and currently available skills and competencies of internal and external resources to achieve enterprise, IT and process goals.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 1 is implemented in relation to this skill.

Design
Criteria: Practice APO07.03 activity 2 (Provide formal career planning and professional development to encourage competency development, opportunities for personal advancement and reduced dependence on key individuals.) is implemented in relation to this skill.
Criteria: Practice APO07.03 activity 3 (Provide access to knowledge repositories to support the development of skills and competencies.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 2 is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 3 is implemented in relation to this skill.

Build
Criteria: Practice APO07.03 activity 4 (Identify gaps between required and available skills and develop action plans to address them on an individual and collective basis, such as training [technical and behavioural skills], recruitment, redeployment and changed sourcing strategies.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 4 is implemented in relation to this skill.

Operate
Criteria: Practice APO07.03 activity 5 (Develop and deliver training programmes based on organisational and process requirements, including requirements for enterprise knowledge, internal control, ethical conduct and security.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 5 is implemented in relation to this skill.

Evaluate
Criteria: Practice APO07.03 activity 6 (Conduct regular reviews to assess the evolution of the skills and competencies of the internal and external resources. Review succession planning.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 6 is implemented in relation to this skill.

Update/dispose
Criteria: Practice APO07.03 activity 7 (Review training materials and programmes on a regular basis to ensure adequacy with respect to changing enterprise requirements and their impact on necessary knowledge, skills and abilities.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 7 is implemented in relation to this skill.

B-8.5a Understand good practice related to the People, Skills and Competencies and expected values. Assess the People, Skills and Competencies design, i.e., assess to what extent expected good practices are applied.

Good Practice | Criteria | Assessment Step

Good practice: Skill set and Competencies are defined.
Assessment step: Determine that an inventory of Skills and Competencies is maintained by organisational unit, job function and individual. Evaluate the relevance and the contribution of the Skills and Competencies to the achievement of the goals of the Organisational Structure, and by consequence, IT-related goals and enterprise goals. Evaluate the gap analysis between necessary portfolio of Skills and Competencies and current inventory of skills and capabilities.

Good practice: Skill levels are defined.
Assessment step: Assess the flexibility and performance of meeting Skills development to address identified gaps between necessary and current Skill levels.


IT Audit and Assurance Program for European Cybersecurity

Phase C—Communicate the Results of the Assessment

Ref. | Assurance Step

C-1 Document exceptions and gaps.

C-1.1 Understand and document weaknesses and their impact on the achievement of process goals.

• Illustrate the impact of enabler… inefficiencies and misuse.

• Clarify vulnerabilities, threats a… perform effectively.

C-1.2 Understand and document weaknesses and their impact on enterprise goals.

• Illustrate what the weaknesses… architecture elements, capabil… actual cases in the same indus…

• Document the impact of actua… financial reporting, hours lost i… customer and shareholder req…

• Point out the consequence of n… agreements.

• Measure the actual impact of d… customers (e.g., number, effor…

C-2 Communicate the work performed and findings.

C-2.1 Communicate the work performed. Communicate regularly to the s…

C-2.2 Communicate preliminary findings to the assurance engagement stakeholders defined in A-1.

• Document the impact (i.e., cus… effective enablers.

• Measure and document the im… measure affected by enabler w…

• Measure the actual business b…

• Use benchmarking and survey…

• Use extensive graphics to illus…

• Inform the person responsible… his/her correct understanding o…

C-2.3 Deliver a report (aligned with the terms of reference, scope and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.


Appendix A. Other ISACA Sources

The Business Model for Information Security

COBIT 5

COBIT 5: Enabling Processes

COBIT 5 for Assurance

COBIT 5 for Information Security

COBIT 5 for Risk

Responding to Targeted Cyberattacks

Securing Mobile Devices Using COBIT 5

Transforming Cybersecurity Using COBIT 5