
Ultimate NIST CSF Checklist


Columns of the original table: Function, Category, Subcategory, Guidance, Artefacts to evidence. Below, each Function and Category heads its subcategories; under each subcategory, every guidance item is followed by the artefacts that evidence it.

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.

ID.AM-1: Physical devices and systems within the organization are inventoried
- Document and implement a formal Asset Management Policy that establishes the asset inventory and the method of inventory, whether it is conducted manually or with the help of automated tools.
  Artefacts: Asset Management Policy
- For each asset the organization must document sufficient information to identify it: its physical (or logical) location and its information security classification.
  Artefacts: Asset Inventory
- The organization will maintain a current inventory of all hardware (including operating systems), including type, publisher, version, location or workforce-member assignment, in-service date, and retirement/disposal date.
  Artefacts: Comprehensive network diagram that includes allowed ports, protocols and services
- Inventories should be reviewed to ensure that all firmware versions are current and supported by the publisher with security updates.
  Artefacts: Asset Inventory with firmware versions

ID.AM-2: Software platforms and applications within the organization are inventoried
- Define, document and implement procedures for handling unauthorized software. Such software must be either approved or removed by the administrator.
  Artefacts: Software Asset Management Policy
- The organization will maintain a current inventory of all software (including operating systems), including type, publisher, version, location or workforce-member assignment, in-service date, and retirement/disposal date.
  Artefacts: Software Asset Inventory
- Inventories should be reviewed to ensure that all software versions are current and supported by the publisher with security updates.
  Artefacts: Software Asset Inventory

ID.AM-3: Organizational communication and data flows are mapped
- Document all connections within the organization and between departments. All connections must be documented, authorized, and reviewed. Connection information includes, for example, the interface characteristics, data characteristics, ports, protocols, addresses, a description of the data, security requirements, and the nature of the connection.
  Artefacts: Data Flow diagram
- Establish and document guidelines for electronic messaging that make users aware of what is deemed acceptable and unacceptable use of the corporate messaging service.
  Artefacts: End user policy & guidelines
- Create and implement an Acceptable Use Policy and include these guidelines in it.
  Artefacts: Acceptable Use Policy

ID.AM-4: External information systems are catalogued
- Diagram organizational communication flows, including cloud services.
  Artefacts: Network and Logical diagram / Data Flow Diagrams
- Inventory cloud services and other external systems.
  Artefacts: Cloud Asset Inventory

ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
- Develop and implement information classification based on impact level. Information should be classified based on its value.
  Artefacts: Information Classification Standard
- Classification guidelines should take into account the impact of a loss of integrity, availability or confidentiality of the information.
  Artefacts: Information Classification Standard
- Implement formal procedures describing the prioritization of organizational assets based on their importance to organizational systems.
  Artefacts: Asset Classification & Valuation Procedure

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
- Require that every policy define the cybersecurity roles it relies on. Roles have to be communicated widely to all relevant parties.
  Artefacts: Information Security Roles & Responsibilities
- Third-party providers are required to notify the organization of any personnel transition (including transfers or terminations) involving personnel with physical or logical access to production system components.
  Artefacts: Security Awareness and Training Policy

Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1: The organization's role in the supply chain is identified and communicated
- Ensure the supplier management policy is defined.
  Artefacts: Supplier Security Management Policy
- Define information security requirements that apply to product or service acquisition, in addition to the general requirements for supplier relationships.
  Artefacts: Supplier Security Management Procedure

ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
- Define, document and communicate the critical infrastructure and key resources relevant to the company's production activity.
  Artefacts: BC-DR Recovery Document
- Develop, document, and maintain a critical infrastructure and key resources protection plan.
  Artefacts: BC-DR Recovery Document

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
- Establish and communicate priorities for production activities, missions and objectives, with consideration for security. Make sure cybersecurity priorities align with business needs and priorities.
  Artefacts: Information security policy aligned with the organization's vision and mission

ID.BE-4: Dependencies and critical functions for delivery of critical services are established
- Write down procedures describing all alternate power and support services. Regularly test the capability and capacity of these alternative support services.
  Artefacts: BC-DR procedure

ID.BE-5: Resilience requirements to support delivery of critical services are established
- Conduct contingency planning for the continuance of essential production functions and services with little or no loss of operational continuity, and sustain that continuity until full system restoration.
  Artefacts: BC-DR Plan
- Communicate that planning to all relevant parties, so that they are aware of their roles, responsibilities and procedures.
  Artefacts: Email Communication Artifacts with R&R

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

ID.GV-1: Organizational information security policy is established
- Establish an organizational information security policy.
  Artefacts: Information Security Policy
- Divide the security rules into several policies, e.g. Access Control Policy, Classification Policy, Backup Policy, Acceptable Use Policy; this way each policy is shorter (and therefore easier to read and understand) and easier to maintain. Policies must include, for example, the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
  Artefacts: Information Security Policy
- Establish and communicate existing cybersecurity policies to all relevant parties.
  Artefacts: Email Communication Artifacts with R&R

ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
- Describe and establish cybersecurity roles, responsibilities and procedures for internal roles across the whole organization and for external partners.
  Artefacts: Roles & Responsibilities for internal & external stakeholders

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
- Identify and document all legal and regulatory requirements regarding cybersecurity.
  Artefacts: Legal & regulatory requirements as captured in the InfoSec policy
- Make sure that legal and regulatory requirements affecting the cybersecurity of production operations are understood, managed and communicated to all relevant departments.
  Artefacts: Artifacts of communication

ID.GV-4: Governance and risk management processes address cybersecurity risks
- Establish a Risk Management Process. Create a Risk Management Framework document that contains the risk factors: threats, vulnerabilities, impacts, likelihoods and a risk level matrix. These factors must be documented before conducting a risk assessment, because the assessment relies upon well-defined attributes of threats, vulnerabilities, impact and other risk factors to determine risk effectively.
  Artefacts: Risk Management Process

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented
- Define and document a Vulnerability Management process for assets, defining roles & responsibilities.
  Artefacts: Vulnerability Management Process

ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
- Consider subscribing to cyber threat intelligence. Threat intelligence feeds take security data from vendors, analysts and other sources about threats and unusual activity happening around the world; malicious IP addresses, domains, file hashes and other indicators stream in constantly from external parties.
  Artefacts: Artifacts of subscription to forums/newsletters etc.

ID.RA-3: Threats, both internal and external, are identified and documented
- Conduct vulnerability scanning against the internal environment (ESXi servers, user laptops running Windows, macOS and GNU/Linux).
  Artefacts: VA-PT reports
- Conduct penetration tests and remediation re-tests of both infrastructure and web applications annually.
  Artefacts: VA-PT reports

ID.RA-4: Potential business impacts and likelihoods are identified
- Develop potential business impact and likelihood ranges within the risk assessment process.
  Artefacts: Risk Assessment Methodology

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
- Define, document and implement a formal risk assessment process.
  Artefacts: Risk Assessment Methodology

ID.RA-6: Risk responses are identified and prioritized
- Identify and prioritize risk responses within the risk assessment process.
  Artefacts: Risk Assessment Methodology

Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
- Establish a Risk Management Process. Create a Risk Management Framework document that contains the risk factors: threats, vulnerabilities, impacts, likelihoods and a risk level matrix. These factors must be documented before conducting a risk assessment, because the assessment relies upon well-defined attributes of threats, vulnerabilities, impact and other risk factors to determine risk effectively.
  Artefacts: Risk Management Process

ID.RM-2: Organizational risk tolerance is determined and clearly expressed
- Adjust the Risk Assessment Framework so that it includes the criteria for accepting risk and identifies the acceptable level of risk (e.g. at what level risk can be accepted automatically, and under what circumstances).
  Artefacts: Risk Assessment Framework
- Approval should be obtained from top management for the decision to accept residual risks, and authorization obtained for the actual operation of the ISMS.
  Artefacts: Management Approval/MoM

ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
- To maximize the benefit of risk assessments, the organization should establish policies, procedures, and implementing mechanisms to ensure that the information produced during such assessments is effectively communicated and shared across all risk management tiers.
  Artefacts: Risk Assessment Framework

PROTECT (PR)

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

PR.AC-1: Identities and credentials are managed for authorized devices and users
- Define, document and implement a process for asset owners to review access rights to their assets on a regular basis. Review and verify the process with all relevant parties.
  Artefacts: Access Control Policy

PR.AC-2: Physical access to assets is managed and protected
- Define, document and implement procedures in the Access Control Policy that describe roles and responsibilities related to physical access.
  Artefacts: Access Control Policy

PR.AC-3: Remote access is managed
- Define and establish a remote working/teleworking policy.
  Artefacts: Teleworking policy
- Allow remote access only through approved and managed access points.
  Artefacts: User Access Management Policy for Remote Access
- Monitor remote access to the production system.
  Artefacts: User Access Management Policy for Remote Access
- Allow only authorized use of privileged functions over remote access.
  Artefacts: User Access Management Policy for Remote Access
- Establish agreements and verify security for connections with external systems.
  Artefacts: User Access Management Policy for Remote Access

PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
- Incorporate the principles of least privilege, segregation of duties and role-based access.
  Artefacts: User Access Management Policy
- Regularly review user access rights to all critical assets and other assets of the organization.
  Artefacts: User Access Management Policy

PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
- Incorporate network segmentation where applicable, via VLANs and a DMZ.
  Artefacts: Network Security Policy & Network Diagram

Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained
- Define, document and implement a Security Awareness and Training Policy that defines the scope, procedures, topics, roles and responsibilities of the Security Awareness and Training Program.
  Artefacts: Security awareness presentation
- Implement an information security workforce development and improvement program that includes, for example, defining the knowledge and skill levels needed to perform information security duties and tasks.
  Artefacts: Security assessment results
- Use anecdotes from actual information security incidents in user awareness training as examples of what could happen, how to respond to such incidents and how to avoid them in the future.
  Artefacts: Security awareness presentation

PR.AT-2: Privileged users understand roles & responsibilities
- Establish specific cybersecurity awareness and training procedures for privileged users (e.g. developers) describing acceptable and unacceptable activities at the workplace.
  Artefacts: Roles & Responsibilities

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
- Define cybersecurity roles and responsibilities within the Security Awareness and Training Policy.
  Artefacts: Roles & Responsibilities

PR.AT-4: Senior executives understand roles & responsibilities
- Define cybersecurity roles and responsibilities within the Security Awareness and Training Policy.
  Artefacts: Roles & Responsibilities

Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data-at-rest is protected
- Create and implement procedures that describe how all data of the organization is encrypted.
  Artefacts: Data encryption process

PR.DS-2: Data-in-transit is protected
- Create and implement procedures that describe how data should be transferred: for example, which corporate messenger employees should use for communication, how to obfuscate or mask data before transfer, or how to choose a protected channel for transferring data.
  Artefacts: Data transfer procedure / Data protection policy
- Conduct a trade-off analysis of data protection solutions with policies that enable user prompting, blocking, or automatic encryption for sensitive data in transit, such as when files are attached to an email message, moved to cloud storage or removable drives, or transferred elsewhere.
  Artefacts: Data Protection Policy; Encryption of Data in Transit
- Ensure your Information Classification Policy requires classifying all company data, no matter where it resides, so that the appropriate data protection measures are applied while data remains at rest and are triggered when data is accessed, used, or transferred.
  Artefacts: Information Classification policy
- Implement TLS for all HTTP traffic (HTTPS). SSL and TLS 1.0/1.1 are deprecated, so require TLS 1.2 or later.
  Artefacts: Network Security Policy; Encryption of Data in Transit

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
- Document roles, responsibilities and procedures within the Asset Disposal Process.
  Artefacts: Asset disposal process
- Create procedures that describe the secure wiping of data from each media drive.
  Artefacts: Asset disposal process; Asset Destruction Certificates

PR.DS-4: Adequate capacity to ensure availability is maintained
- Create and implement procedures that describe how to monitor and maintain the capacity and availability of both internal and external infrastructure.
  Artefacts: Capacity Management Policy
- Conduct regular performance and load tests of both internal and external infrastructure.
  Artefacts: Capacity Management Records

PR.DS-5: Protections against data leaks are implemented
- Deploy DLP solutions to implement protections against data leaks.
  Artefacts: Data Protection Policy; DLP Implementation
- Create and document procedures defining correct equipment maintenance outside the organization's premises.
  Artefacts: Equipment Maintenance SOP
- Confidential information must be protected with Full Disk Encryption. These procedures can be included in the Acceptable Use Policy.
  Artefacts: Acceptable Use Policy

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
- Define, document and implement procedures for handling unauthorized software; such software must be either approved or removed by the administrator. Pair this with verification of software, firmware and data integrity (signature or hash checks against a known-good baseline), which is what this subcategory asks for.
  Artefacts: Secure Software Development Policy

PR.DS-7: The development and testing environment(s) are separate from the production environment
- Implement fully functional testing environments, so that test cases can be executed without fear of damaging the production environment.
  Artefacts: Secure Software Development Policy; Test Environment

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
- Develop, document, and maintain a baseline configuration for the organization.
  Artefacts: Baseline configuration document
- Configure production systems to provide only essential capabilities.
  Artefacts: Secure Software Development Policy
- Review and update the baseline configuration and disable unnecessary capabilities.
  Artefacts: Secure Software Development Policy
- Focus on securing the highest-privilege accounts and groups, because they can be leveraged by attackers to compromise and even destroy your Active Directory installation.
  Artefacts: User Access Management Policy
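The integrity checking asked for in PR.DS-6 and the baseline in PR.IP-1 can be implemented with the same mechanism: a hash manifest of the files that make up the baseline, sealed so that the manifest itself cannot be edited unnoticed, and a periodic comparison against it. The following is an added example written for this page, not code from the checklist's authors; the file names, the manifest format and the HMAC sealing are assumptions chosen for illustration, and the demo builds its own sample files in a temporary directory.

```python
"""File-integrity baseline: build a sealed hash manifest and detect drift.

Added example for PR.DS-6 (integrity checking) and PR.IP-1 (baseline
configuration); not part of the original checklist. File names, manifest
format and the sealing key are assumptions for illustration only.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def seal(manifest, key):
    """HMAC over the canonical JSON form of the manifest. Whoever can tamper with
    the files can usually edit an unprotected manifest too, so the baseline is
    only trustworthy if its tag verifies under a key kept off the monitored host."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def unseal(body, tag, key):
    """Verify the manifest tag (constant-time) before trusting its contents."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest seal does not verify; baseline is untrusted")
    return json.loads(body)


def verify(root, manifest):
    """Compare the current tree against the baseline and return the drift."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Build a baseline from constructed files, tamper with them, report the drift."""
    key = b"example-key-kept-outside-the-monitored-host"  # assumption for the demo
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"etc/sshd_config": b"PermitRootLogin no\n",
                          "bin/agent": b"\x7fELF-stand-in\n",
                          "etc/motd": b"welcome\n"}.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        body, tag = seal(build_manifest(root), key)

        # Simulated drift: a config edit, a removed file and a dropped-in binary.
        with open(os.path.join(root, "etc", "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\n")
        os.remove(os.path.join(root, "etc", "motd"))
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"\x7fELF-stand-in-2\n")

        baseline = unseal(body, tag, key)
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the manifest and key would be stored off the host (or the manifest signed with an offline key) and the comparison run on a schedule, with any non-empty drift raised as an event for the monitoring in DE.AE below.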
PR.IP-2: A System Development Life Cycle to manage systems is implemented
- Consider the use of secure code development practices where appropriate.
  Artefacts: Secure code development guidelines
- Create and implement a Software Development Life Cycle (SDLC) Policy that describes the requirements for developing and/or implementing new software and systems.
  Artefacts: SDLC policy

PR.IP-3: Configuration change control processes are in place
- Develop a change management policy along with detailed procedures describing how to:
  - conduct security impact analysis in connection with change control reviews;
  - conduct security impact analysis in a separate test environment before planned changes are implemented in the production environment;
  - review and authorize proposed configuration-controlled changes prior to implementing them in the production environment.
  Artefacts: Change Management policy

PR.IP-4: Backups of information are conducted, maintained, and tested periodically
- Create and implement a Backup Policy that describes backup procedures, retention periods, types of backups, scope, roles and responsibilities.
  Artefacts: Backup policy
- Conduct periodic backup restoration testing.
  Artefacts: Backup restoration testing reports

PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
- Define, implement, and enforce policy and regulations regarding emergency and safety systems, fire protection systems, and environmental controls.
  Artefacts: Physical Security Policy
- Implement a secondary power supply such as UPS and/or diesel generators.
  Artefacts: Physical Security Policy; Secondary Source of Power

PR.IP-6: Data is destroyed according to policy
- Ensure that organizational system data is destroyed according to policy.
  Artefacts: Data destruction policy
- Implement regular testing of the effectiveness of technical data destruction mechanisms, including how effectiveness is measured and evaluated.
  Artefacts: Data destruction procedures

PR.IP-7: Protection processes are continuously improved
- Implement a follow-up phase within your Incident Response policies: a review of each security incident that looks for lessons learned and determines whether the process that was followed could have been improved in any way.
  Artefacts: Incident Response Procedure
- Security events and security incidents should be reviewed after resolution to determine where the response could be improved.
  Artefacts: Incident Response Procedure

PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
- Share information about security incidents and mitigation measures with designated sharing partners.
  Artefacts: Incident Communication Plan
- Use automated mechanisms where feasible to assist in information sharing.
  Artefacts: Incident Communication Plan

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
- Plans must incorporate recovery objectives, restoration priorities, metrics, contingency roles, personnel assignments and contact information.
  Artefacts: Incident Response Plan / Business Continuity Plan
- Conduct regular (quarterly) reviews of the Incident Response and Disaster Recovery plans to keep them up to date.
  Artefacts: IR/BCP/DR Test Calendar; IR/BCP/DR Test Records

PR.IP-10: Response and recovery plans are tested
- Conduct regular testing of response and recovery plans, keep records, and evaluate effectiveness.
  Artefacts: Test reports of the DR plans

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
- Define, document and implement an Onboarding Policy.
  Artefacts: HR policy / Onboarding policy
- Include personnel screening procedures within the policy.
  Artefacts: BGV policy

Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.

PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
- Document and communicate maintenance and repair procedures to all relevant stakeholders. For example, to prevent data leakage, check that full disk encryption is enabled or that the hard drive has been removed before sending a laptop to a repair service.
  Artefacts: Equipment Maintenance SOP

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
- Establish, implement and communicate formal procedures that describe how the organization:
  - approves and monitors nonlocal maintenance and diagnostic activities;
  - allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and as documented in the security plan for the information system;
  - employs strong authenticators when establishing nonlocal maintenance and diagnostic sessions;
  - maintains records of nonlocal maintenance and diagnostic activities;
  - terminates sessions and network connections when nonlocal maintenance is completed.
  Artefacts: Remote Access Policy
- Unify these procedures into a Remote Maintenance Policy or include them in the Acceptable Use Policy.
  Artefacts: Acceptable Use Policy

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
- Create and implement a policy that requires audit records to contain information establishing what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or organizational components associated with the event.
  Artefacts: Log Monitoring Policy

PR.PT-2: Removable media is protected and its use restricted according to policy
- Create and implement a policy that describes how portable storage devices containing critical data are protected and controlled while in transit and in storage.
  Artefacts: Removable media policy
- Scan all portable storage devices for malicious content before they are used within the organization.
  Artefacts: Asset Management policy with Removable Media Security
- Consider restricting the use of portable storage devices within departments where appropriate.
  Artefacts: Asset Management policy with Removable Media Security

PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
- Ensure that the criteria used for granting access privileges are based on the principle of least privilege, whereby authorized users are granted access only to the information systems and network domains necessary to carry out the responsibilities of their company role or function.
  Artefacts: Access Control Policy
- Following CI/CD best practices, developers are not expected to be experts in operational concerns. Assign one Application Operator with the permissions to manage the continuous delivery process for applications, so that a release has a single accountable owner rather than being decided collectively.
  Artefacts: Secure Software Development Policy
- Follow the least functionality principle and document the procedures within the Access Control Policy.
  Artefacts: User Access Control Policy

PR.PT-4: Communications and control networks are protected
- Continuously monitor the communications and control networks and ensure they are kept up to date with best practices and controls.
  Artefacts: Log Monitoring Policy; Network Monitoring Records
- Block inbound or outbound traffic that has no business justification (default-deny).
  Artefacts: Log Monitoring Policy; Network Monitoring Records
- Ensure that no cloud instances are publicly accessible without an approved business need.
  Artefacts: Log Monitoring Policy

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
- Implement automated mechanisms that help the organization maintain consistent baseline configurations for information systems, including, for example:
  - hardware and software inventory tools,
  - configuration management tools,
  - network management tools.
  Artefacts: IS Baseline Documents

DE.AE-2: Detected events are analysed to understand attack targets and methods
- Events should be collected and forwarded to a log management solution so that administrators can analyse suspicious events.
  Artefacts: Log Monitoring Policy; Log Monitoring Rules
- Events should be collected from internal Windows servers, domain controllers, etc., and also from external-facing servers and applications and customer applications.
  Artefacts: Log Monitoring Policy; Log Monitoring Rules
- Consider implementing correlation rules within your log management solution to automate threat detection and log analysis. Consider acquiring a SIEM solution.
  Artefacts: Log Monitoring Policy; Log Monitoring Rules

DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
- Ensure that event data is compiled and correlated across the organization's systems using various sources such as event reports, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.
  Artefacts: Log Monitoring Policy; Log Monitoring Rules
- Where feasible, integrate the analysis of events with the analysis of vulnerability scanning information, performance data, production system monitoring and facility monitoring, to further enhance the ability to identify inappropriate or unusual activity.
  Artefacts: Log Monitoring Policy; Log Monitoring Rules
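What the PR.PT-1 record-content requirement and the DE.AE-2/DE.AE-3 collection-and-correlation items amount to in practice is shown by the following added example, written for this page rather than taken from the checklist or from any product: three differently formatted sources (sshd syslog lines, Windows logon events as a collector might hand them over, and a web application login log) are normalized into one schema carrying the six PR.PT-1 fields, every record is checked for completeness, and one correlation rule is run across all of them. The log lines are constructed, and the schema, the five-minute window, the threshold of three failures and the rule itself are assumptions; all timestamps are assumed to be UTC.

```python
"""Normalize events from several log sources into one audit-record schema and
run a cross-source correlation rule over them.

Added example for PR.PT-1 (audit record content) and DE.AE-2/DE.AE-3
(collection and correlation); not part of the original checklist. All log
lines are constructed; schema, window, threshold and rule are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# PR.PT-1: what happened, when, where, from which source, with what outcome, and who.
REQUIRED_FIELDS = ("event", "time", "where", "source", "outcome", "identity")

# Constructed samples (not real data): rsyslog-style sshd lines, Windows logon
# events 4624/4625 as a collector might emit them, and a Common Log Format web log.
SSHD_LOG = """\
2024-03-01T09:00:05Z bastion sshd[1203]: Failed password for alice from 203.0.113.7 port 51022 ssh2
2024-03-01T09:00:09Z bastion sshd[1203]: Failed password for alice from 203.0.113.7 port 51023 ssh2
2024-03-01T09:01:30Z bastion sshd[1210]: Accepted password for bob from 198.51.100.20 port 40100 ssh2
"""
WINDOWS_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2024-03-01T09:00:40Z", "Computer": "DC01",
     "TargetUserName": "alice", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:02:10Z", "Computer": "DC01",
     "TargetUserName": "alice", "IpAddress": "203.0.113.7"},
]
WEB_LOG = """\
203.0.113.7 - alice [01/Mar/2024:09:00:50 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.20 - bob [01/Mar/2024:09:03:00 +0000] "GET /dashboard HTTP/1.1" 200 2048
"""

SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) \w+ "
                     r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+')


def _utc(ts, fmt):
    """Parse a timestamp and return a naive UTC datetime so sources can be compared."""
    t = datetime.strptime(ts, fmt)
    return t.astimezone(timezone.utc).replace(tzinfo=None) if t.tzinfo else t


def parse_sshd(text):
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            yield {"event": "ssh-login", "time": _utc(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   "where": m["host"], "source": m["ip"],
                   "outcome": "success" if m["res"] == "Accepted" else "failure",
                   "identity": m["user"]}


def parse_windows(events):
    for e in events:
        if e["EventID"] in (4624, 4625):  # 4624 = logon success, 4625 = logon failure
            yield {"event": "windows-logon", "time": _utc(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ"),
                   "where": e["Computer"], "source": e["IpAddress"],
                   "outcome": "success" if e["EventID"] == 4624 else "failure",
                   "identity": e["TargetUserName"]}


def parse_web(text):
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m and m["path"] == "/login":  # only authentication attempts are login events
            yield {"event": "web-login", "time": _utc(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                   "where": "webapp", "source": m["ip"],
                   "outcome": "success" if m["status"] == "200" else "failure",
                   "identity": m["user"]}


def validate(record):
    """PR.PT-1 check: a record that cannot answer what/when/where/source/outcome/who is rejected."""
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if missing:
        raise ValueError(f"audit record missing {missing}: {record}")
    return record


def collect():
    """Aggregate all sources (DE.AE-3) into one time-ordered, validated stream."""
    records = [*parse_sshd(SSHD_LOG), *parse_windows(WINDOWS_EVENTS), *parse_web(WEB_LOG)]
    return sorted((validate(r) for r in records), key=lambda r: r["time"])


def correlate(records, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold failures from one source IP, on any system, within the
    window, followed by a success from that IP -> a likely successful password attack."""
    failures = defaultdict(list)  # source IP -> [(time, system)]
    alerts = []
    for r in records:
        if r["outcome"] == "failure":
            failures[r["source"]].append((r["time"], r["where"]))
            continue
        recent = [(t, w) for t, w in failures[r["source"]] if r["time"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"source": r["source"], "identity": r["identity"], "where": r["where"],
                           "failures": len(recent), "systems": sorted({w for _, w in recent}),
                           "succeeded_at": r["time"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(collect()):
        print(alert)
```

No single source sees more than two failures here, so a per-system threshold of three would stay silent; it is the aggregation across the bastion, the domain controller and the web application that exposes the pattern, which is the point of DE.AE-3.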
Test ability and effectiveness of Priority Matrix to
DE.AE-4: Impact of events is
measure the influence on the business on a regular Incident Priority Matrix
determined
basis.
Share effectiveness with relevant stakeholders. Incident Reporting

Establish the incident threshold matrix along with the


Incident Priority Matrix
expected time of resolution.
DE.AE-5: Incident alert thresholds
are established
Monitor and optimize Expected time to resolution. Incident Management Policy

DE.CM-1: The network is monitored Implement correlation rules within the log management
Log Monitoring Policy
to detect potential cybersecurity solutions to automate threat detection and log analysis.
Log Monitoring Rules
events
Consider acquiring a SIEM solution.

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
Guidance: Define, document and implement procedures in the Access Control Policy that describe roles and responsibilities related to physical access.
Artefacts to evidence: Access Control Policy

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
Guidance: Implement correlation rules within the log management solution to automate threat detection and log analysis. Consider acquiring a SIEM solution; a SIEM deployment involves installing forwarders on users' workstations, and logs are forwarded from the workstations to the SIEM.
Artefacts to evidence: Log Monitoring Policy; Log Monitoring Rules

DE.CM-4: Malicious code is detected
Guidance: Regularly update the anti-virus. Testing of antivirus endpoint protection must be conducted based on conventional criteria.
Artefacts to evidence: Endpoint Security Policy; Antivirus Monitoring Records

DE.CM-5: Unauthorized mobile code is detected
Guidance:
- Create and implement a policy that describes how mobile code is to be used securely.
- Establish a process for secure code development and for securing data during all development processes in the organization.
Artefacts to evidence: Endpoint Security Policy; Secure Software Development Policy

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
Guidance: Create and implement procedures that describe how to:
- conduct ongoing security status monitoring of external service provider activity;
- detect attacks and indicators of potential attacks from external service providers;
- monitor compliance of external providers with personnel security policies and procedures, and contract security requirements.
Artefacts to evidence: Supplier Security Policy

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
Guidance: Implement correlation rules within the log management solution to automate threat detection and log analysis. Consider acquiring a SIEM solution; a SIEM deployment involves installing forwarders on users' workstations, and logs are forwarded from the workstations to the SIEM.
Artefacts to evidence: Log Monitoring Policy; Log Monitoring Rules

DE.CM-8: Vulnerability scans are performed
Guidance: Document and implement a vulnerability management plan.
Artefacts to evidence: Vulnerability Management Plan
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
Guidance: Roles and responsibilities shall be well documented for the SOC team, and a proper escalation and delegation matrix shall be in place.
Artefacts to evidence: Roles and Responsibilities of Incident management team

DE.DP-2: Detection activities comply with all applicable requirements
Guidance: Define, document, implement and communicate procedures describing how monitoring of services is configured before they are deployed into production.
Artefacts to evidence: Configuration SOP, Monitoring SOP

DE.DP-3: Detection processes are tested
Guidance: Implement formal procedures that describe how the organization:
- creates a process for ensuring that organizational plans for conducting security testing, monitoring activities and training associated with organizational information systems;
- ensures that detection testing is executed in a timely manner;
- reviews detection testing and monitoring plans for consistency with the organizational risk strategy.
Artefacts to evidence: Testing SOP

DE.DP-4: Event detection information is communicated to appropriate parties
Guidance:
- Ensure that event detection information is communicated to defined personnel.
- Regularly update the list of events that must be detected. Event detection information includes, for example, alerts on atypical account usage, unauthorized remote access, wireless connectivity, mobile device connection, altered configuration settings, contrasting system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, use of VoIP, and malware disclosure.
Artefacts to evidence: Log Monitoring Policy
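As an added example, not part of the checklist, the kind of correlation rules that DE.CM-3 and DE.CM-7 ask for, run over a constructed sample of forwarded workstation events to raise alerts for three of the DE.DP-4 event types (atypical account usage, unauthorized remote access, altered configuration settings). The log layout, hosts, users, addresses, approved address ranges, business hours and thresholds are all assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of forwarded workstation events (hosts, users, addresses and the k=v layout are invented).
SAMPLE_LOGS = """\
2024-03-04T09:02:11 host=WS-01 event=logon_failure user=alice src=10.0.1.5
2024-03-04T09:02:40 host=WS-01 event=logon_failure user=alice src=10.0.1.5
2024-03-04T09:03:05 host=WS-01 event=logon_failure user=alice src=10.0.1.5
2024-03-04T09:03:30 host=WS-01 event=logon_success user=alice src=10.0.1.5
2024-03-04T10:15:00 host=WS-02 event=remote_logon user=bob src=198.51.100.7
2024-03-04T10:16:00 host=WS-02 event=remote_logon user=bob src=10.0.1.9
2024-03-04T11:00:00 host=WS-03 event=config_change user=carol key=firewall.enabled value=false
2024-03-04T23:40:00 host=WS-03 event=logon_success user=carol src=10.0.1.12
"""

# Assumed organisational baselines; a real deployment takes these from policy.
APPROVED_REMOTE_PREFIXES = ("10.0.",)  # internal/VPN address space
BUSINESS_HOURS = range(7, 20)          # normal interactive logon window
CONFIG_ADMINS = {"admin"}              # accounts allowed to change configuration
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)

def parse(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime ts."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def correlate(log_text):
    """Apply the correlation rules; return (rule, user, host) alerts in time order."""
    alerts, failures = [], defaultdict(list)  # failures: (user, src) -> timestamps
    for ev in sorted(map(parse, log_text.strip().splitlines()), key=lambda e: e["ts"]):
        key = (ev["user"], ev.get("src"))
        if ev["event"] == "logon_failure":
            failures[key].append(ev["ts"])
        elif ev["event"] == "logon_success":
            # atypical account usage: burst of failures then success, or off-hours logon
            recent = [t for t in failures.pop(key, []) if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("failures_then_success", ev["user"], ev["host"]))
            if ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_logon", ev["user"], ev["host"]))
        elif ev["event"] == "remote_logon":
            # unauthorized remote access: source outside the approved address ranges
            if not ev["src"].startswith(APPROVED_REMOTE_PREFIXES):
                alerts.append(("unapproved_remote_access", ev["user"], ev["host"]))
        elif ev["event"] == "config_change":
            # altered configuration settings by an account not permitted to change them
            if ev["user"] not in CONFIG_ADMINS:
                alerts.append(("unauthorized_config_change", ev["user"], ev["host"]))
    return alerts
```

Running `correlate(SAMPLE_LOGS)` yields four alerts, one per rule; bob's second remote logon from the approved range is correctly left silent.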
DE.DP-5: Detection processes are continuously improved
Guidance:
- Incorporate improvements derived from monitoring, measurements, assessments, and lessons learned into detection process revisions.
- Ensure the security plan for the production system provides for the review, testing, and continual improvement of the security detection processes.
- Employ independent teams to assess the detection process.
- Enrich detection assessments with: vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; verification and validation testing.
Artefacts to evidence: Incident Management Policy with Lessons Learned
RESPOND (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

RS.RP-1: Response plan is executed during or after an event
Guidance:
- Incident Response and Incident Management processes, plans and policies should include:
  - Roles and responsibilities of employees
  - Detection Phase
  - Analysis Phase
  - Containment Phase
  - Mitigation Phase
  - Eradication Phase
  - Recovery Phase
  - Post-Incident Activities
  Ensure the above-mentioned activities are executed during or after an incident.
- Create a detailed IT Incident Management Process highlighting the roles and responsibilities of each person involved.
- Implement Incident Handling Checklists within your Incident Management processes, plans and policies, so that each team takes the appropriate sequence of actions depending on the type of incident.
Artefacts to evidence: IS Incident management Policy; IT Incident management Policy; Incident Handling Checklists
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.CO-1: Personnel know their roles and order of operations when a response is needed
Guidance:
- Ensure personnel understand objectives, restoration priorities, task sequences and assignment responsibilities for event or incident response.
- Communicate procedures relevant to event or incident response to all relevant parties.
- Update the Incident Management and IT Security Incident Response policies on a regular basis.
Artefacts to evidence: IT Security team composition document; Incident Communication procedures; Revision history of Incident Management and IT Security Incident Response policies

RS.CO-2: Events are reported consistent with established criteria
Guidance: Create a Security Incident Response Report Form to support the reporting action and to help the person reporting remember all necessary actions in case of an information security event.
Artefacts to evidence: Security Incident Response Form

RS.CO-3: Information is shared consistent with response plans
Guidance: Share cybersecurity incident information with relevant stakeholders per the response plan drafted initially.
Artefacts to evidence: Security Incident Response Form

RS.CO-4: Coordination with stakeholders occurs consistent with response plans
Guidance: Coordinate cybersecurity incident response actions with all relevant stakeholders. Stakeholders for incident response include, for example, mission/business owners, manufacturing system owners, integrators, vendors, human resources offices, physical and personnel security offices, legal departments, operations personnel, and procurement offices.
Artefacts to evidence: Security Incident Response Plan

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
Guidance: Share cybersecurity event information voluntarily, as appropriate, with industry security groups to achieve broader cybersecurity awareness. Based on the risk assessment, decide whether cooperation and information sharing with the Cyber Police and other relevant regulatory bodies are needed.
Artefacts to evidence: Incident Communication procedures & Security Incident Response Plan
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated
Guidance:
- Create and document formal procedures for event investigation; define roles and responsibilities, implement metrics, and determine effectiveness.
- Consider implementing security orchestration solutions to automate decision making.
Artefacts to evidence: IS Incident management Policy; Log Monitoring Policy

RS.AN-2: The impact of the incident is understood
Guidance: Conduct quantitative and qualitative risk analysis of impacted assets. Correlate detected event information and incident responses with risk assessment outcomes to achieve perspective on incident impact across the organization.
Artefacts to evidence: Security Incident Policy

RS.AN-3: Forensics are performed
Guidance: Conduct forensic analysis on collected cybersecurity event information to determine the root cause. Consider outsourcing on-demand audit reviews, analysis, and reporting for investigations of cybersecurity incidents.
Artefacts to evidence: Security Incident Policy with Forensics

RS.AN-4: Incidents are categorized consistent with response plans
Guidance: Develop severity categories to assess cybersecurity incidents within each Incident Response plan, policy or process.
Artefacts to evidence: IS Incident management Plan with severity categories
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1: Incidents are contained
Guidance: Describe and include a Containment Phase that limits the root cause of the security incident to prevent further damage or exposure. The Containment Phase might include the following steps:
- Short-term containment;
- System back-up;
- Long-term containment.
Artefacts to evidence: Detailed Incident Management plan with all phases

RS.MI-2: Incidents are mitigated
Guidance: The organization must describe the metrics that need to be collected to mitigate future incidents. The organization should decide what incident data to collect based on reporting requirements and on the expected return on investment from the data (e.g., identifying a new threat and mitigating the related vulnerabilities before they can be exploited). Possible metrics for incident-related data include:
- Number of incidents handled;
- Time per incident;
- Objective assessment of each incident;
- Subjective assessment of each incident.
Artefacts to evidence: Incident Response Plan; Incident Management Metrics

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Guidance: Create Vulnerability Management Policy procedures that describe how to document and mitigate accepted risks and new vulnerabilities: for example, how to isolate a vulnerable environment when no fix for the vulnerability exists, and how to handle accepted risks.
Artefacts to evidence: Vulnerability Management Policy procedures
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned
Guidance: Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly. Write lessons-learned procedures into each incident response policy, procedure or process.
Artefacts to evidence: Incident Response Plan with Lessons Learned

RS.IM-2: Response strategies are updated
Guidance: Regularly update the "Incident management" and "IT security incident response team composition" documents. Updates may include, for example, responses to disruptions or failures, and predetermined procedures.
Artefacts to evidence: Incident Response Plan
RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RC.RP-1: Recovery plan is executed during or after an event
Guidance:
- Document a detailed Disaster Recovery Plan that describes the recovery procedures for internal and cloud infrastructure, roles and responsibilities, the escalation matrix, and DRP timelines.
- Make a checklist of all your critical assets, which can include applications, processes, servers, etc.
Artefacts to evidence: Disaster recovery plan; DRP Checklist
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned
Guidance:
- Conduct the DR drill on a regular basis and capture all the drill activities step by step. Applicable lessons learned from previous incidents should be continuously incorporated and also shared with the users.
- Improving user awareness regarding incidents should reduce the frequency of incidents, particularly those involving malicious code and violations of acceptable use policies.
Artefacts to evidence: Disaster recovery plan; DR User awareness

RC.IM-2: Recovery strategies are updated
Guidance: The Disaster Recovery Plan should be reviewed for accuracy and completeness at least annually, as well as upon significant changes to any element of the DRP, the system, the mission/business processes supported by the system, or the resources used for recovery procedures. Elements of the plan subject to frequent changes, such as contact lists, should be reviewed and updated more frequently. Update schedules should be stated in the DRP.
Artefacts to evidence: Disaster recovery plan
Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

RC.CO-1: Public relations are managed
Guidance: Create procedures that cover the following: managing media interactions; coordinating and logging all requests for interviews; handling and triaging phone calls and e-mail requests; matching media requests with appropriate and available internal experts who are ready to be interviewed; screening all of the information provided to the media; and ensuring personnel are familiar with public relations and privacy policies.
Artefacts to evidence: External communication policy

RC.CO-2: Reputation after an event is repaired
Guidance: Implement and document crisis response strategies that include actions to shape attributions of the crisis, change perceptions of the organization in crisis, and reduce the negative effect generated by the crisis.
Artefacts to evidence: Crisis response plan/Data breach response plan

RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
Guidance: Write detailed descriptions of each procedure related to recovery communication (e.g. notify the SA, notify data subjects, enter data in the data breach register, etc.) to make sure each stakeholder is aware of his/her responsibilities.
Artefacts to evidence: Internal Communication Policy