ID | Control | Informative References | Assessment |
---|---|---|---|
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed | A1 Analyse & Resolve IT Services Availability Performance Reports | Last Assessment: 09/2021; Assessor: Alan Law; Status: Pass |
DE.AE-2 | Detected events are analyzed to understand attack targets and methods | | Last Assessment: 09/2016; Assessor: Alex Brown; Status: Pass |
DE.AE-3 | Event data are aggregated and correlated from multiple sources and sensors | | Last Assessment: 08/2017; Assessor: Alan Law; Status: Fail |
DE.AE-4 | Impact of events is determined | | Last Assessment: None |
DE.AE-5 | Incident alert thresholds are established | | Last Assessment: None |
DE.CM-1 | The network is monitored to detect potential cybersecurity events | | Last Assessment: None |
DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events | | Last Assessment: None |
DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events | | Last Assessment: None |
DE.CM-4 | Malicious code is detected | | Last Assessment: None |
DE.CM-5 | Unauthorized mobile code is detected | | Last Assessment: None |
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events | | Last Assessment: None |
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | | Last Assessment: None |
DE.CM-8 | Vulnerability scans are performed | | Last Assessment: None |
DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability | | Last Assessment: None |
DE.DP-2 | Detection activities comply with all applicable requirements | | Last Assessment: None |
DE.DP-3 | Detection processes are tested | | Last Assessment: None |
DE.DP-4 | Event detection information is communicated to appropriate parties | | Last Assessment: None |
DE.DP-5 | Detection processes are continuously improved | | Last Assessment: None |
ID.AM-1 | Physical devices and systems within the organization are inventoried | | Last Assessment: None |
ID.AM-2 | Software platforms and applications within the organization are inventoried | | Last Assessment: None |
ID.AM-3 | Organizational communication and data flows are mapped | | Last Assessment: None |
ID.AM-4 | External information systems are catalogued | | Last Assessment: None |
ID.AM-5 | Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value | | Last Assessment: None |
ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | | Last Assessment: None |
ID.BE-1 | The organization's role in the supply chain is identified and communicated | | Last Assessment: None |
ID.BE-2 | The organization's place in critical infrastructure and its industry sector is identified and communicated | | Last Assessment: None |
ID.BE-3 | Priorities for organizational mission, objectives, and activities are established and communicated | | Last Assessment: None |
ID.BE-4 | Dependencies and critical functions for delivery of critical services are established | | Last Assessment: None |
ID.BE-5 | Resilience requirements to support delivery of critical services are established | | Last Assessment: None |
ID.GV-1 | Organizational information security policy is established | | Last Assessment: None |
ID.GV-2 | Information security roles & responsibilities are coordinated and aligned with internal roles and external partners | | Last Assessment: None |
ID.GV-3 | Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | | Last Assessment: None |
ID.GV-4 | Governance and risk management processes address cybersecurity risks | | Last Assessment: None |
ID.RA-1 | Asset vulnerabilities are identified and documented | | Last Assessment: None |
ID.RA-2 | Threat and vulnerability information is received from information sharing forums and sources | | Last Assessment: None |
ID.RA-3 | Threats, both internal and external, are identified and documented | | Last Assessment: None |
ID.RA-4 | Potential business impacts and likelihoods are identified | | Last Assessment: None |
ID.RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | | Last Assessment: None |
ID.RA-6 | Risk responses are identified and prioritized | | Last Assessment: None |
ID.RM-1 | Risk management processes are established, managed, and agreed to by organizational stakeholders | | Last Assessment: None |
ID.RM-2 | Organizational risk tolerance is determined and clearly expressed | | Last Assessment: None |
ID.RM-3 | The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | | Last Assessment: None |
PR.AT-1 | All users are informed and trained | | Last Assessment: None |
PR.AT-2 | Privileged users understand roles & responsibilities | | Last Assessment: None |
PR.AT-3 | Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities | | Last Assessment: None |
PR.AT-4 | Senior executives understand roles & responsibilities | | Last Assessment: None |
PR.AT-5 | Physical and information security personnel understand roles & responsibilities | | Last Assessment: None |
PR.AC-1 | Identities and credentials are managed for authorized devices and users | | Last Assessment: None |
PR.AC-2 | Physical access to assets is managed and protected | | Last Assessment: None |
PR.AC-3 | Remote access is managed | | Last Assessment: None |
PR.AC-4 | Access permissions are managed, incorporating the principles of least privilege and separation of duties | | Last Assessment: None |
PR.AC-5 | Network integrity is protected, incorporating network segregation where appropriate | | Last Assessment: None |
PR.DS-1 | Data-at-rest is protected | | Last Assessment: None |
PR.DS-2 | Data-in-transit is protected | | Last Assessment: None |
PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition | | Last Assessment: None |
PR.DS-4 | Adequate capacity to ensure availability is maintained | | Last Assessment: None |
PR.DS-5 | Protections against data leaks are implemented | | Last Assessment: None |
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity | | Last Assessment: None |
PR.DS-7 | The development and testing environment(s) are separate from the production environment | | Last Assessment: None |
PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained | | Last Assessment: None |
PR.IP-10 | Response and recovery plans are tested | | Last Assessment: None |
PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | | Last Assessment: None |
PR.IP-12 | A vulnerability management plan is developed and implemented | | Last Assessment: None |
PR.IP-2 | A System Development Life Cycle to manage systems is implemented | | Last Assessment: None |
PR.IP-3 | Configuration change control processes are in place | | Last Assessment: None |
PR.IP-4 | Backups of information are conducted, maintained, and tested periodically | | Last Assessment: None |
PR.IP-5 | Policy and regulations regarding the physical operating environment for organizational assets are met | | Last Assessment: None |
PR.IP-6 | Data is destroyed according to policy | | Last Assessment: None |
PR.IP-7 | Protection processes are continuously improved | | Last Assessment: None |
PR.IP-8 | Effectiveness of protection technologies is shared with appropriate parties | | Last Assessment: None |
PR.IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | | Last Assessment: None |
PR.MA-1 | Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools | | Last Assessment: None |
PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | | Last Assessment: None |
PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | | Last Assessment: None |
PR.PT-2 | Removable media is protected and its use restricted according to policy | | Last Assessment: None |
PR.PT-3 | Access to systems and assets is controlled, incorporating the principle of least functionality | | Last Assessment: None |
PR.PT-4 | Communications and control networks are protected | | Last Assessment: None |
RC.CO-2 | Reputation after an event is repaired | | Last Assessment: None |
RC.CO-3 | Recovery activities are communicated to internal stakeholders and executive and management teams | | Last Assessment: None |
RC.CO-1 | Public relations are managed | | Last Assessment: None |
RC.IM-2 | Recovery strategies are updated | | Last Assessment: None |
RC.IM-1 | Recovery plans incorporate lessons learned | | Last Assessment: None |
RC.RP-1 | Recovery plan is executed during or after an event | | Last Assessment: None |
RS.AN-1 | Notifications from detection systems are investigated | | Last Assessment: None |
RS.AN-2 | The impact of the incident is understood | | Last Assessment: None |
RS.AN-3 | Forensics are performed | | Last Assessment: None |
RS.AN-4 | Incidents are categorized consistent with response plans | | Last Assessment: None |
RS.CO-1 | Personnel know their roles and order of operations when a response is needed | | Last Assessment: None |
RS.CO-2 | Events are reported consistent with established criteria | | Last Assessment: None |
RS.CO-3 | Information is shared consistent with response plans | | Last Assessment: None |
RS.CO-4 | Coordination with stakeholders occurs consistent with response plans | | Last Assessment: None |
RS.CO-5 | Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | | Last Assessment: None |
RS.IM-1 | Response plans incorporate lessons learned | | Last Assessment: None |
RS.IM-2 | Response strategies are updated | | Last Assessment: None |
RS.MI-1 | Incidents are contained | | Last Assessment: None |
RS.MI-2 | Incidents are mitigated | | Last Assessment: None |
RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks | | Last Assessment: None |
RS.RP-1 | Response plan is executed during or after an event | | Last Assessment: None |