Security Questionnaire


Cyber-Security Assessment

Your Company has been asked to complete this questionnaire for the purpose of Cybersecurity Risk Assessment with potential impact to our Business relationship.

The representative(s) responding to this questionnaire should have the appropriate authority and know-how to complete the questionnaire on behalf of your Company. Your answers to the questionnaire will be treated as your Company's Proprietary Information by Schlumberger and its affiliates and can only be changed by your Company.

Please do not include any Competitively Sensitive information or Proprietary information of any customer, including any Subscriber Company, in your answers in the questionnaire. The questionnaire may be amended without notice.

For scoping purposes, this questionnaire must cover your Company's entire Enterprise IT infrastructure, People and Governance, as long as all elements are governed by the same security policies and are directly/non-directly related to the Business relationship with Schlumberger, which in the case of a Cyber Security incident can affect Schlumberger business.

If your company affiliates' infrastructure, employees or third parties are governed by differing security policies, separate questionnaires may be required. In that case, please contact your Point of Contact at Schlumberger who has provided this Questionnaire for additional guidance.

The Assessment is expected to be returned by the date shown on this page.

Company Name
Company Address
Company ASL ID
Company Representative
Title
Email
Telephone

SLB Representative
Title
Email
Telephone

Assessment Start Date

# Schlumberger-Private
Assessment Required Return Date

Company representative completing the assessment
Title
Email
Telephone

Best contact in case of a Cybersecurity incident
Title
Email
Telephone

Sanjay Verma
[email protected]
+91-9540937829

Purpose: This questionnaire is offered as a means for determining the degree to which threats and associated vulnerabilities pose a risk to the Joint Venture and/or Cybersecurity. The purpose of the risk analysis effort is to gauge the security practices within the context of your organization doing business with Schlumberger and where to best direct resources to remediate the areas of greatest concern.

Steps for Using the Assessment Questions Tab:

... response. There will be a NIST Control* (Column K) reference for each question; no action is required for this cell, and more details about the reference can be found in the NIST Controls tab.

3. Existing Control Measures - The respondent should share the Existing Control Measures by populating this cell with what the practitioner is doing, if any corrective actions are being taken, to mitigate and reduce the risk. If no action is taken, please indicate 'No Action Taken'. There is no correct or incorrect response; this is merely a sampling of what practitioners are doing to mitigate threats and/or minimize vulnerabilities.

4. Examples Included: Yes/No - Select from the drop-down menu for tracking purposes on documentation or information provided for the existing control measures on each question.

5. Company Comments/Examples - Company can add comments or expand on information related to the evidence provided.

NEXT STEP: After completing the questions on this tab, please stamp the date of completion in the Intro tab and return to the Schlumberger representative.

Company Response (Column G):
- Yes: If in full compliance with topic;
- No: If not in compliance with topic;
- N/A: Requires Schlumberger acknowledgment and approval that Company is exempt of a given topic.

*Additional tab "NIST Controls" provides the details and informative reference, and a direct link to NIST Framework v1.1.

Assessment Questions (columns: Question #, Category, Topic, Questions, Company Response, Existing Control Measures, Example Included, Company Comments/examples, NIST Controls). The Existing Control Measures, Example Included and Company Comments/examples columns carry no entries; the two Company Responses recorded are shown with their questions.

Governance

1. [Governance] Has your organization adopted a Cyber Security Governance Framework or Standard on which you base your Cyber Security program? If so, which one did you adopt? (e.g. NIST CSF, ISO 27001, etc.) (NIST Controls: ID.GV-4)
2. [Governance] Has your organization established and documented cyber security policies and procedures? (NIST Controls: ID.GV-1, RC.CO-1)
3. [Governance] Do you have both a formal process in place for the maintenance of the Cyber Security policies, and a process to manage any deviation from the policies? (NIST Controls: ID.GV-1, ID.RA-2)
4. [Governance] Have you achieved any Cyber Security independent accreditation by a 3rd party validating your Cyber Security maturity? (NIST Controls: ID.GV-4)

Risk Management

5. [Risk Assessment] Have you completed a corporate-wide Cyber Security risk assessment in the last 12 months? (NIST Controls: ID.RA-3)
6. [Risk Assessment] Do you have a formal process to identify, measure, prioritize, mitigate and exempt Cyber Security risks? (NIST Controls: ID.GV-4, ID.RA-2, ID.RA-3, ID.RA-4, ID.RA-5, ID.RA-6, ID.RM-1, ID.RM-2, ID.RM-3, RS.IM-1)
7. [Risk Assessment] Do you have a process to formally identify and protect critical assets (i.e. Systems, Applications, Locations, People, etc.)? (NIST Controls: ID.AM-5)

Compliance Management

8. [IT Security Compliance] Is compliance with the controls defined in your Cyber Security standards and policies regularly evaluated? (NIST Controls: PR.IP-5, PR.PT-1)
9. [Compliance with Legal Requirements] Do you have processes to identify, understand and comply with any new laws or regulations that have Cyber Security implications for the jurisdictions in which you operate? (NIST Controls: ID.GV-3)

Training & Awareness

10. [Training & Awareness] Do you provide communication and regular updates of your Cyber Security Standards and Policies to all employees and contractors? (NIST Controls: PR.AT-1, RS.CO-1)
11. [Training & Awareness] Do you have specific regular (at least annual) Cyber Security training for Senior Executives and/or Board of Directors? (NIST Controls: PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5)
12. [Training & Awareness] Do you have regular (at least annual) and formal Cyber Security awareness training for all employees and contractors? (NIST Controls: PR.AT-1, RS.CO-1)
13. [Training & Awareness] Do you have an internal phishing awareness training program for all employees and contractors? (NIST Controls: ID.AM-3, RS.CO-1, DE.DP-1, PR.AT-1)
14. [Training & Awareness] Does the organization have a training program on how to develop secure applications, including threat modeling, secure coding, etc.? If this question is not applicable, please answer "Yes" and add "N/A" in the comments. (NIST Controls: PR.AT-1, DE.CM-8)

Personnel Security

15. [Prior to Employment - Terms and Conditions of Employment] Are all your employees and contractors required to sign a Non-Disclosure and/or Confidentiality Agreement before starting to work for your organization? (NIST Controls: PR.IP-11)
16. [Termination or Change in Employment] Do you have a formal process to manage/update security access due to role change of employees and contractors? (NIST Controls: PR.IP-11)
17. [Termination of Employment] Do you timely revoke security access (less than 24hrs) for all employees and contractors on termination? (NIST Controls: PR.IP-11)

Physical Security

18. [Access Control] Do you have effective physical access controls (e.g., door locks, badge access, etc.) in place that prevent unauthorized access to facilities and secure areas? (NIST Controls: PR.AC-7, ID.AM-5, DE.CM-2)
19. [Access Control] Is there an approval and provisioning process for physical access to facilities and secure areas based on an individual's Roles and Responsibilities? (NIST Controls: PR.IP-3, PR.AT-5, DE.CM-2)
20. [Access Control] Do you timely revoke the physical access of employees and contractors on role change or termination? (NIST Controls: PR.AC-1, PR.AC-7)

Networks Security

21. [Information Access Control - Sensitive System Isolation] Are all systems and networks that host and process sensitive information 'protected' (isolated or separated) from other systems and/or networks? (NIST Controls: PR.AC-5, PR.DS-7, PR.PT-4)
22. [Information Access Control - Sensitive System Isolation] Are internal, external and DMZ networks segmented, segregated and separated by firewalls with access policies and rules? (NIST Controls: PR.AC-5, PR.DS-7)
23. [Information Access Control - Sensitive System Isolation] Does the security for the network systems prevent unauthorized access related to attacks and data theft? (NIST Controls: DE.CM-3, DE.CM-7, PR.PT-4, PR.DS-5)
24. [Information Access Control - Sensitive System Isolation] Do you monitor your network to detect and protect against cyber security threats? (NIST Controls: DE.CM-3, DE.CM-7, DE.DP-2)
25. [Vulnerability Assessment] Do you have a vulnerability practice that regularly scans all networks and systems? (NIST Controls: ID.RA-1, DE.CM-8, PR.IP-12, RS.AN-5)
26. [Vulnerability Assessment] Are detected vulnerabilities managed and mitigated in a timely manner based on host/application risk profile? (NIST Controls: ID.RA-1, DE.CM-8)
27. [Monitoring] Is inbound and outbound network traffic monitored for unusual or unauthorized activities or conditions? (NIST Controls: PR.PT-4, DE.AE-1, DE.CM-7)
28. [Software qualification] Does the organization have an application security qualification program to assess the security of applications hosted by the organization (both internally developed or purchased from 3rd party vendors), or hosted by 3rd party vendors, including Web, Mobile, Thick Client and IoT applications? (NIST Controls: ID.AM-2)

Logical Security

29. [Identity & Access Management] Do you have a formal access authorization process based on 'least privilege' (employees are granted the least amount of access possible in order to perform their assigned duties) and 'need to know' (access permissions are granted based upon the legitimate business need of the user to access the information)? (NIST Controls: PR.AC-4, PR.PT-3)
30. [Identity & Access Management] Does the organization have a process for managing the life cycle of Identities and Credentials? (NIST Controls: PR.AC-1)
31. [Identity & Access Management] Are the external suppliers and contractors that have corporate user credentials held to the same security policies, procedures and controls as the organization's own personnel? (NIST Controls: ID.AM-6, ID.SC-2, PR.AT-4)
32. [Identity & Access Management] Are your corporate user credentials uniquely identifiable? (NIST Controls: PR.AC-1, PR.AC-7, PR.AT-2)
33. [Identity & Access Management] Is the use of shared personal accounts allowed? (NIST Controls: PR.AC-1, PR.AC-7)
34. [Identity & Access Management] Do you have a process to review privileged user accounts and related access? (NIST Controls: ID.SC-4, DE.CM-6)
35. [Identity & Access Management] Do you use multi-factor authentication for accessing critical systems? (NIST Controls: PR.AC-7)
36. [Remote connectivity] Are unauthorized remote connections to the network monitored, including scanning for unauthorized mobile, and is appropriate action taken if an unauthorized connection is discovered? (NIST Controls: PR.AC-3, DE.CM-5)
37. [Use of Mobile devices] If you allow BYOD (Bring Your Own Device), do you have the mechanisms in place to prevent Data Loss? (NIST Controls: ID.RA-1, PR.AC-2, PR.IP-5)

Data Security

38. [Data Security] Do you classify data in levels related to Corporate Sensitivity/confidentiality? (NIST Controls: ID.AM-5)
39. [Data Security] Do you protect data at different levels according to the classification level? (NIST Controls: ID.AM-5)

Operations Management

40. [Roles & Responsibilities] Do you have a maintained inventory containing your critical information assets, such as People, Systems, Locations, Applications, Data, Intellectual Property, etc.? Company Response: Yes (NIST Controls: ID.AM-6, ID.GV-2, DE.DP-1, RS.CO-1, RS.CO-4, PR.AT-2, PR.AT-3, PR.AT-5)
41. [Asset Management] Do you know what your critical information assets are? (NIST Controls: ID.AM-5, ID.BE-2)
42. [Asset Management] Do you have a formal information assets classification procedure? (NIST Controls: ID.AM-5, ID.BE-2)
43. [Asset Management] Are all your information assets tracked in an appropriate system? (NIST Controls: ID.AM-1, ID.AM-2)
44. [Antivirus] Has antivirus software been installed on your computers and supporting systems (e.g., desktops, servers and gateways) with regular automatic signature definition updates? Company Response: Yes (NIST Controls: DE.CM-4, PR.IP-7)
45. [Security Monitoring] Are systems and corporate networks monitored for anomalous activity with appropriate alerting? (NIST Controls: DE.AE-1 through DE.AE-5, DE.CM-1, DE.DP-2)
46. [Media Protection] Do you have a policy in place to protect or prevent storage of sensitive information in external/removable media? (NIST Controls: PR.PT-2)
47. [Secure Disposal] Are there formally managed security procedures for the decommissioning (replacement) of information assets, covering removal, transfer, erasure and disposal? (NIST Controls: PR.DS-3, PR.IP-6)
48. [Segregation of Computing Environment] Are IT production, development, test and QA environments segregated to protect business applications from inadvertent changes or disruption? (NIST Controls: PR.AC-5)
49. [Segregation of Duties] Are duties separated, where appropriate, to reduce the opportunity for unauthorized and/or unintentional modification or misuse of the organization's IT assets? (NIST Controls: PR.AC-7)
50. [Change Management] Do formal change management procedures exist for networks, systems, desktops, software releases, deployments, and software vulnerability (e.g., Virus or Spyware) patching activities? (NIST Controls: PR.IP-3)
51. [External Parties] Are third parties' information systems, components, and services properly identified, prioritized, and assessed using a cyber supply chain risk assessment process, to determine that they are not at risk of failing to meet their contractual obligations? (NIST Controls: ID.SC-1, ID.SC-2, ID.SC-4)
52. [External Parties] Do your contracts with third parties specify measures designed to meet the objectives of your organization's IT security program and Cyber Supply Chain Risk Management Plan? (NIST Controls: ID.SC-3, ID.BE-1)

Incident Management

53. [Process & Procedures] Does the organization have a Cyber Security Incident Response Plan? (NIST Controls: PR.IP-9)
54. [Process & Procedures] Do you detect, identify and categorize Cyber Security incidents consistent with the response plan? (NIST Controls: DE.AE-2, DE.AE-3, DE.AE-4, RS.AN-1, RS.AN-2, RS.AN-4, RS.MI-1, RS.MI-2, RS.MI-3, DE.DP-2)
55. [Process & Procedures] During the investigation of a Cyber Security incident, is evidence properly collected, analyzed and maintained? (NIST Controls: DE.AE-3, DE.AE-4, RS.AN-3)
56. [Process & Procedures] Are detected Cyber Security incidents promptly reported, escalated, and communicated to internal and external stakeholders, executive and management teams, and affected Customers, depending upon incident severity? (NIST Controls: DE.DP-4, RS.CO-3, RS.CO-5, DE.DP-2, RC.CO-1, RC.CO-3)
57. [Test and Drill] Are there Cyber Security incident response drill procedures, and are these tested at least once a year? (NIST Controls: ID.SC-5, PR.IP-4, DE.DP-3)
58. [Lessons Learned] Are incident debrief sessions carried out after incident or drill closure, with lessons identified incorporated into updated incident response procedures? (NIST Controls: RS.IM-1, RC.IM-1, RC.IM-2)

Business Continuity / Disaster Recovery Management

59. [Contingency Planning] Is there a documented Business Continuity Plan, including cyber security incidents, for Services or Products provided to SLB? (NIST Controls: PR.IP-9, RS.RP-1, RS.CO-4)
60. [Disaster Recovery Plan & Backups] Do you make immutable backups of critical IT systems and sensitive data? (NIST Controls: PR.IP-4)
61. [Disaster Recovery Plan & Backups] Are the IT recovery processes tested annually? (NIST Controls: ID.SC-5, PR.IP-4)
62. [Disaster Recovery Plan & Backups] Does a Disaster Recovery plan exist for the organization, and does it consider interruption to, or failure of, critical IT systems? (NIST Controls: RS.RP-1, RC.RP-1, RC.IM-1)
63. [Disaster Recovery Plan & Backups] Is the Disaster Recovery plan reviewed and updated as required, at least annually? (NIST Controls: DE.DP-5, RS.IM-2, RC.IM-2, PR.IP-7)
64. [Disaster Recovery Plan & Backups] Are Cyber Security drills used to thoroughly and effectively test and drill the disaster recovery plan for critical IT systems and data? (NIST Controls: PR.IP-10)
65. [Disaster Recovery Plan & Backups] Do you perform Cyber Security drills with Third Parties (i.e. major customers or suppliers)? (NIST Controls: ID.SC-5, PR.IP-10)

# Schlumberger-Private
FOR REFERENCE
National Institute of Standards and Technology (NIST)Framework for Improving Critical Infrastructure Cybersecurity

The assessment questions controls are referenced to the Framework for Improving Critical Infrastructure Cybersecu

The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risk

The Framework offers a flexible way to address cybersecurity, including cybersecurity’s effect on physical, cyber, an

Function Category

Asset Management (ID.AM): The data,


personnel, devices, systems, and facilities that
enable the organization to achieve business
purposes are identified and managed consistent
with their relative importance to organizational
objectives and the organization’s risk strategy.

#Schlumberger-Private
Business Environment (ID.BE): The
organization’s mission, objectives, stakeholders,
and activities are understood and prioritized; this
Business Environment (ID.BE): The
organization’s mission, objectives, stakeholders,
and activities are understood and prioritized; this
information is used to inform cybersecurity roles,
responsibilities, and risk management decisions.

Governance (ID.GV): The policies, procedures,


and processes to manage and monitor the
organization’s regulatory, legal, risk,
environmental, and operational requirements are
understood and inform the management of
cybersecurity risk.

IDENTIFY (ID)

Risk Assessment (ID.RA): The organization


understands the cybersecurity risk to
organizational operations (including mission,
functions, image, or reputation), organizational
assets, and individuals.

# Schlumberger-Private
Risk Assessment (ID.RA): The organization
understands the cybersecurity risk to
organizational operations (including mission,
functions, image, or reputation), organizational
assets, and individuals.

Risk Management Strategy (ID.RM): The


organization’s priorities, constraints, risk
tolerances, and assumptions are established and
used to support operational risk decisions.

Supply Chain Risk Management (ID.SC):


The organization’s priorities, constraints, risk
tolerances, and assumptions are established and
used to support risk decisions associated with
managing supply chain risk. The organization has
established and implemented the processes to
identify, assess and manage supply chain risks.

# Schlumberger-Private
Identity Management, Authentication and
Access Control (PR.AC): Access to physical
and logical assets and associated facilities is
limited to authorized users, processes, and
devices, and is managed consistent with the
assessed risk of unauthorized access to
authorized activities and transactions.

# Schlumberger-Private
Awareness and Training (PR.AT): The
organization’s personnel and partners are
provided cybersecurity awareness education and
are trained to perform their cybersecurity-related
duties and responsibilities consistent with related
policies, procedures, and agreements.

Data Security (PR.DS): Information and records


(data) are managed consistent with the
organization’s risk strategy to protect the
confidentiality, integrity, and availability of
information. Schlumberger-Private
#
Data Security (PR.DS): Information and records
(data) are managed consistent with the
organization’s risk strategy to protect the
confidentiality, integrity, and availability of
information.

PROTECT (PR)

# Schlumberger-Private
Information Protection Processes and
Procedures (PR.IP): Security policies (that
address purpose, scope, roles, responsibilities,
Information Protection Processes and
Procedures (PR.IP): Security policies (that
address purpose, scope, roles, responsibilities,
management commitment, and coordination
among organizational entities), processes, and
procedures are maintained and used to manage
protection of information systems and assets.

Maintenance (PR.MA): Maintenance and


repairs of industrial control and information
system components are performed consistent
with policies and procedures.

# Schlumberger-Private
Protective Technology (PR.PT): Technical
security solutions are managed to ensure the
security and resilience of systems and assets,
consistent with related policies, procedures, and
agreements.

Anomalies and Events (DE.AE): Anomalous


activity is detected and the potential impact of
events is understood.

# Schlumberger-Private
Security Continuous Monitoring (DE.CM):
DETECT (DE) The information system and assets are monitored
to identify cybersecurity events and verify the
effectiveness of protective measures.

# Schlumberger-Private
Detection Processes (DE.DP): Detection
processes and procedures are maintained and
tested to ensure awareness of anomalous events.

Response Planning (RS.RP): Response


processes and procedures are executed and
maintained, to ensure response to detected
cybersecurity incidents.

Communications (RS.CO): Response activities


are coordinated with internal and external
stakeholders (e.g. external support from law
enforcement agencies).

# Schlumberger-Private
RESPOND (RS)

Analysis (RS.AN): Analysis is conducted to


ensure effective response and support recovery
activities.

Mitigation (RS.MI): Activities are performed to


prevent expansion of an event, mitigate its
effects, and resolve the incident.

Improvements (RS.IM): Organizational


response activities are improved by incorporating
lessons learned from current and previous
detection/response activities.

Recovery Planning (RC.RP): Recovery


processes and procedures are executed and
maintained to ensure restoration of systems or
assets affected by cybersecurity incidents.
# Schlumberger-Private
Recovery Planning (RC.RP): Recovery
processes and procedures are executed and
maintained to ensure restoration of systems or
assets affected by cybersecurity incidents.

Improvements (RC.IM): Recovery planning


and processes are improved by incorporating
lessons learned into future activities.
RECOVER (RC)

Communications (RC.CO): Restoration


activities are coordinated with internal and
external parties (e.g. coordinating centers,
Internet Service Providers, owners of attacking
systems, victims, other CSIRTs, and vendors).

# Schlumberger-Private
FOR REFERENCE ONLY
(NIST)Framework for Improving Critical Infrastructure Cybersecurity , Version 1.1

ced to the Framework for Improving Critical Infrastructure Cybersecurity , Version 1.1, proposed by the National Institute of Sta

ers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes

s cybersecurity, including cybersecurity’s effect on physical, cyber, and people dimensions

Subcategory

ID.AM-1: Physical devices and systems within the organization are inventoried

ID.AM-2: Software platforms and applications within the organization are inventoried

ID.AM-3: Organizational communication and data flows are mapped

ID.AM-4: External information systems are catalogued

ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are
prioritized based on their classification, criticality, and business value

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-
party stakeholders (e.g., suppliers, customers, partners) are established

ID.BE-1: The organization’s role in the supply chain is identified and communicated

# Schlumberger-Private
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is
identified and communicated

ID.BE-3: Priorities for organizational mission, objectives, and activities are


established and communicated

ID.BE-4: Dependencies and critical functions for delivery of critical services are
established

ID.BE-5: Resilience requirements to support delivery of critical services are


established for all operating states (e.g. under duress/attack, during recovery, normal
operations)

ID.GV-1: Organizational cybersecurity policy is established and communicated

ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with
internal roles and external partners

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including


privacy and civil liberties obligations, are understood and managed

ID.GV-4: Governance and risk management processes address cybersecurity risks

ID.RA-1: Asset vulnerabilities are identified and documented

ID.RA-2: Cyber threat intelligence is received from information sharing forums and
sources

ID.RA-3: Threats, both internal and external, are identified and documented

# Schlumberger-Private
ID.RA-4: Potential business impacts and likelihoods are identified

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

ID.RA-6: Risk responses are identified and prioritized

ID.RM-1: Risk management processes are established, managed, and agreed to by


organizational stakeholders

ID.RM-2: Organizational risk tolerance is determined and clearly expressed

ID.RM-3: The organization’s determination of risk tolerance is informed by its role in


critical infrastructure and sector specific risk analysis

ID.SC-1: Cyber supply chain risk management processes are identified, established,
assessed, managed, and agreed to by organizational stakeholders

ID.SC-2: Suppliers and third party partners of information systems, components, and
services are identified, prioritized, and assessed using a cyber supply chain risk
assessment process

ID.SC-3: Contracts with suppliers and third-party partners are used to implement
appropriate measures designed to meet the objectives of an organization’s
cybersecurity program and Cyber Supply Chain Risk Management Plan.

ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test
results, or other forms of evaluations to confirm they are meeting their contractual
obligations.

ID.SC-5: Response and recovery planning and testing are conducted with suppliers
and third-party providers Schlumberger-Private
#
ID.SC-5: Response and recovery planning and testing are conducted with suppliers
and third-party providers

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and
audited for authorized devices, users and processes

PR.AC-2: Physical access to assets is managed and protected

PR.AC-3: Remote access is managed

PR.AC-4: Access permissions and authorizations are managed, incorporating the


principles of least privilege and separation of duties

PR.AC-5: Network integrity is protected (e.g., network segregation, network


segmentation)

PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions

PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-
factor) commensurate with the risk of the transaction (e.g., individuals’ security and
privacy risks and other organizational risks)

# Schlumberger-Private
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-
factor) commensurate with the risk of the transaction (e.g., individuals’ security and
privacy risks and other organizational risks)

PR.AT-1: All users are informed and trained

PR.AT-2: Privileged users understand their roles and responsibilities

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand


their roles and responsibilities

PR.AT-4: Senior executives understand their roles and responsibilities

PR.AT-5: Physical and cybersecurity personnel understand their roles and


responsibilities

PR.DS-1: Data-at-rest is protected

PR.DS-2: Data-in-transit is protected

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition

PR.DS-4: Adequate capacity to ensure availability is maintained

# Schlumberger-Private
PR.DS-4: Adequate capacity to ensure availability is maintained

PR.DS-5: Protections against data leaks are implemented

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and
information integrity

PR.DS-7: The development and testing environment(s) are separate from the
production environment

PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity

PR.IP-1: A baseline configuration of information technology/industrial control


systems is created and maintained incorporating security principles (e.g. concept of
least functionality)

PR.IP-2: A System Development Life Cycle to manage systems is implemented

PR.IP-3: Configuration change control processes are in place

PR.IP-4: Backups of information are conducted, maintained, and tested

PR.IP-5: Policy and regulations regarding the physical operating environment for
organizational assets are met

# Schlumberger-Private
PR.IP-5: Policy and regulations regarding the physical operating environment for
organizational assets are met

PR.IP-6: Data is destroyed according to policy

PR.IP-7: Protection processes are improved

PR.IP-8: Effectiveness of protection technologies is shared

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery
plans (Incident Recovery and Disaster Recovery) are in place and managed

PR.IP-10: Response and recovery plans are tested

PR.IP-11: Cybersecurity is included in human resources practices (e.g.,


deprovisioning, personnel screening)

PR.IP-12: A vulnerability management plan is developed and implemented

PR.MA-1: Maintenance and repair of organizational assets are performed and logged,
with approved and controlled tools

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and


performed in a manner that prevents unauthorized access

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed


in accordance with policy

# Schlumberger-Private
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed
in accordance with policy

PR.PT-2: Removable media is protected and its use restricted according to policy

PR.PT-3: The principle of least functionality is incorporated by configuring systems to


provide only essential capabilities

PR.PT-4: Communications and control networks are protected

PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

DE.AE-2: Detected events are analyzed to understand attack targets and methods

DE.AE-3: Event data are collected and correlated from multiple sources and sensors

DE.AE-4: Impact of events is determined

DE.AE-5: Incident alert thresholds are established

DE.CM-1: The network is monitored to detect potential cybersecurity events

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events

DE.CM-4: Malicious code is detected

DE.CM-5: Unauthorized mobile code is detected

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed

DE.CM-8: Vulnerability scans are performed

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability

DE.DP-2: Detection activities comply with all applicable requirements

DE.DP-3: Detection processes are tested

DE.DP-4: Event detection information is communicated

DE.DP-5: Detection processes are continuously improved

RS.RP-1: Response plan is executed during or after an incident

RS.CO-1: Personnel know their roles and order of operations when a response is needed

RS.CO-2: Incidents are reported consistent with established criteria

RS.CO-3: Information is shared consistent with response plans

RS.CO-4: Coordination with stakeholders occurs consistent with response plans

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

RS.AN-1: Notifications from detection systems are investigated

RS.AN-2: The impact of the incident is understood

RS.AN-3: Forensics are performed

RS.AN-4: Incidents are categorized consistent with response plans

RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

RS.MI-1: Incidents are contained

RS.MI-2: Incidents are mitigated

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

RS.IM-1: Response plans incorporate lessons learned

RS.IM-2: Response strategies are updated

RC.RP-1: Recovery plan is executed during or after a cybersecurity incident

RC.IM-1: Recovery plans incorporate lessons learned

RC.IM-2: Recovery strategies are updated

RC.CO-1: Public relations are managed

RC.CO-2: Reputation is repaired after an incident

RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams

NLY
Version 1.1

, Version 1.1, proposed by the National Institute of Standards and Technology (NIST).

s part of the organization's risk management processes.

People dimensions

Informative References
· CIS CSC 1
· COBIT 5 BAI09.01, BAI09.02
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
· NIST SP 800-53 Rev. 4 CM-8, PM-5
· CIS CSC 2
· COBIT 5 BAI09.01, BAI09.02, BAI09.05
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1
· NIST SP 800-53 Rev. 4 CM-8, PM-5
· CIS CSC 12
· COBIT 5 DSS05.02
· ISA 62443-2-1:2009 4.2.3.4
· ISO/IEC 27001:2013 A.13.2.1, A.13.2.2
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8
· CIS CSC 12
· COBIT 5 APO02.02, APO10.04, DSS01.02
· ISO/IEC 27001:2013 A.11.2.6
· NIST SP 800-53 Rev. 4 AC-20, SA-9
· CIS CSC 13, 14
· COBIT 5 APO03.03, APO03.04, APO12.01, BAI04.02, BAI09.02
· ISA 62443-2-1:2009 4.2.3.6
· ISO/IEC 27001:2013 A.8.2.1
· NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, SC-6
· CIS CSC 17, 19
· COBIT 5 APO01.02, APO07.06, APO13.01, DSS06.03
· ISA 62443-2-1:2009 4.3.2.3.3
· ISO/IEC 27001:2013 A.6.1.1
· NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11
· COBIT 5 APO08.01, APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 CP-2, SA-12
· COBIT 5 APO02.06, APO03.01
· ISO/IEC 27001:2013 Clause 4.1
· NIST SP 800-53 Rev. 4 PM-8
· COBIT 5 APO02.01, APO02.06, APO03.01
· ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
· NIST SP 800-53 Rev. 4 PM-11, SA-14
· COBIT 5 APO10.01, BAI04.02, BAI09.02
· ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
· NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
· COBIT 5 BAI03.02, DSS04.02
· ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
· NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-13, SA-14
· CIS CSC 19
· COBIT 5 APO01.03, APO13.01, EDM01.01, EDM01.02
· ISA 62443-2-1:2009 4.3.2.6
· ISO/IEC 27001:2013 A.5.1.1
· NIST SP 800-53 Rev. 4 -1 controls from all security control families
· CIS CSC 19
· COBIT 5 APO01.02, APO10.03, APO13.02, DSS05.04 / COBIT 5 APO13.12
· ISA 62443-2-1:2009 4.3.2.3.3
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.15.1.1
· NIST SP 800-53 Rev. 4 PS-7, PM-1, PM-2
· CIS CSC 19
· COBIT 5 BAI02.01, MEA03.01, MEA03.04
· ISA 62443-2-1:2009 4.4.3.7
· ISO/IEC 27001:2013 A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4, A.18.1.5 / A.18.1
· NIST SP 800-53 Rev. 4 -1 controls from all security control families / (except PM-1)
· COBIT 5 EDM03.02, APO12.02, APO12.05, DSS04.02
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3
· ISO/IEC 27001:2013 Clause 6
· NIST SP 800-53 Rev. 4 SA-2, PM-3, PM-7, PM-9, PM-10, PM-11
· CIS CSC 4
· COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04, DSS05.01, DSS05.02
· ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5
· CIS CSC 4
· COBIT 5 BAI08.01
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.6.1.4
· NIST SP 800-53 Rev. 4 SI-5, PM-15, PM-16
· CIS CSC 4
· COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 Clause 6.1.2
· NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16
· CIS CSC 4
· COBIT 5 DSS04.02
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.16.1.6, Clause 6.1.2
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-14, PM-9, PM-11
· CIS CSC 4
· COBIT 5 APO12.02
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16
· CIS CSC 4
· COBIT 5 APO12.05, APO13.02
· ISO/IEC 27001:2013 Clause 6.1.3
· NIST SP 800-53 Rev. 4 PM-4, PM-9
· CIS CSC 4
· COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
· ISA 62443-2-1:2009 4.3.4.2
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3, Clause 9.3
· NIST SP 800-53 Rev. 4 PM-9
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.2.6.5
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3
· NIST SP 800-53 Rev. 4 PM-9
· COBIT 5 APO12.02
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3
· NIST SP 800-53 Rev. 4 SA-14, PM-8, PM-9, PM-11
· CIS CSC 4
· COBIT 5 APO10.01, APO10.04, APO12.04, APO12.05, APO13.02, BAI01.03, BAI02.03, BAI04.02
· ISA 62443-2-1:2009 4.3.4.2
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 SA-9, SA-12, PM-9
· COBIT 5 APO10.01, APO10.02, APO10.04, APO10.05, APO12.01, APO12.02, APO12.03, APO12.04, APO12.05, APO12.06, APO13.02, BAI02.03
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.2, 4.2.3.3, 4.2.3.4, 4.2.3.6, 4.2.3.8, 4.2.3.9, 4.2.3.10, 4.2.3.12, 4.2.3.13, 4.2.3.14
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-12, SA-14, SA-15, PM-9
· COBIT 5 APO10.01, APO10.02, APO10.03, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.6.4, 4.3.2.6.7
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3
· NIST SP 800-53 Rev. 4 SA-9, SA-11, SA-12, PM-9
· COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05
· ISA 62443-2-1:2009 4.3.2.6.7
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 AU-2, AU-6, AU-12, AU-16, PS-7, SA-9, SA-12
· CIS CSC 19, 20
· COBIT 5 DSS04.04
· ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
· ISA 62443-3-3:2013 SR 2.8, SR 3.3, SR 6.1, SR 7.3, SR 7.4
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev. 4 CP-2, CP-4, IR-3, IR-4, IR-6, IR-8, IR-9
· CIS CSC 1, 5, 15, 16
· COBIT 5 DSS05.04, DSS06.03
· ISA 62443-2-1:2009 4.3.3.5.1
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
· NIST SP 800-53 Rev. 4 AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11 / IA Family
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, A.11.2.3, A.11.2.5, A.11.2.6, A.11.2.7, A.11.2.8
· NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-8 / PE-9
· CIS CSC 12
· COBIT 5 APO13.01, DSS01.04, DSS05.03
· ISA 62443-2-1:2009 4.3.3.6.6
· ISA 62443-3-3:2013 SR 1.13, SR 2.6
· ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.6, A.13.1.1, A.13.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-17, AC-19, AC-20, SC-15
· CIS CSC 3, 5, 12, 14, 15, 16, 18
· COBIT 5 DSS05.04
· ISA 62443-2-1:2009 4.3.3.7.3
· ISA 62443-3-3:2013 SR 2.1
· ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24
· CIS CSC 9, 14, 15, 18
· COBIT 5 DSS01.05, DSS05.02
· ISA 62443-2-1:2009 4.3.3.4
· ISA 62443-3-3:2013 SR 3.1, SR 3.8
· ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-10, SC-7
· CIS CSC 16
· COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS06.03
· ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1
· ISO/IEC 27001:2013 A.7.1.1, A.9.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3
· CIS CSC 1, 12, 15, 16
· COBIT 5 DSS05.04, DSS05.10, DSS06.10
· ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, A.18.1.4
· NIST SP 800-53 Rev. 4 AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11
· CIS CSC 17, 18 / 9
· COBIT 5 APO07.03, BAI05.07
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.7.2.2, A.12.2.1
· NIST SP 800-53 Rev. 4 AT-2, PM-13
· CIS CSC 5, 17, 18 / 9
· COBIT 5 APO07.02, DSS05.04, DSS06.03
· ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13
· CIS CSC 17 / 9
· COBIT 5 APO07.03, APO07.06, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.7.2.2
· NIST SP 800-53 Rev. 4 PS-7, SA-9, SA-16
· CIS CSC 17, 19 / 9
· COBIT 5 EDM01.01, APO01.02, APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13
· CIS CSC 17 / 9
· COBIT 5 APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, IR-2, PM-13
· CIS CSC 13, 14 / 17
· COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06
· ISA 62443-3-3:2013 SR 3.4, SR 4.1
· ISO/IEC 27001:2013 A.8.2.3
· NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28
· CIS CSC 13, 14 / 17
· COBIT 5 APO01.06, DSS05.02, DSS06.06
· ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 SC-8, SC-11, SC-12
· CIS CSC 1
· COBIT 5 BAI09.03
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1
· ISA 62443-3-3:2013 SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.5, A.11.2.7
· NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16
· CIS CSC 1, 2, 13
· COBIT 5 APO13.01, BAI04.04
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
· ISO/IEC 27001:2013 A.12.1.3, A.17.2.1
· NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5
· CIS CSC 13 / 17
· COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02
· ISA 62443-3-3:2013 SR 5.2
· ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4
· CIS CSC 2, 3
· COBIT 5 APO01.06, BAI06.01, DSS06.02
· ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
· ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4
· NIST SP 800-53 Rev. 4 SC-16, SI-7
· CIS CSC 18, 20
· COBIT 5 BAI03.08, BAI07.04
· ISO/IEC 27001:2013 A.12.1.4
· NIST SP 800-53 Rev. 4 CM-2
· COBIT 5 BAI03.05
· ISA 62443-2-1:2009 4.3.4.4.4
· ISO/IEC 27001:2013 A.11.2.4
· NIST SP 800-53 Rev. 4 SA-10, SI-7
· CIS CSC 3, 9, 11 / 10
· COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
· NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10
· CIS CSC 18
· COBIT 5 APO13.01, BAI03.01, BAI03.02, BAI03.03
· ISA 62443-2-1:2009 4.3.4.3.3
· ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
· NIST SP 800-53 Rev. 4 PL-8, SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, SI-12, SI-13, SI-14, SI-16, SI-17
· CIS CSC 3, 11
· COBIT 5 BAI01.06, BAI06.01
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
· NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10
· CIS CSC 10
· COBIT 5 APO13.01, DSS01.01, DSS04.07
· ISA 62443-2-1:2009 4.3.4.3.9
· ISA 62443-3-3:2013 SR 7.3, SR 7.4
· ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3
· NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6
· ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
· NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18
· COBIT 5 BAI09.03, DSS05.06
· ISA 62443-2-1:2009 4.3.4.4.4
· ISA 62443-3-3:2013 SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
· NIST SP 800-53 Rev. 4 MP-6
· COBIT 5 APO11.06, APO12.06, DSS04.05
· ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8
· ISO/IEC 27001:2013 A.16.1.6, Clause 9, Clause 10
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6
· COBIT 5 BAI08.04, DSS03.04
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4
· CIS CSC 19
· COBIT 5 APO12.06, DSS04.03
· ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1
· ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2, A.17.1.3
· NIST SP 800-53 Rev. 4 CP-2, CP-7, CP-12, CP-13, IR-7, IR-8, IR-9, PE-17
· CIS CSC 19, 20
· COBIT 5 DSS04.04
· ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
· ISA 62443-3-3:2013 SR 3.3
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14
· CIS CSC 5, 16
· COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
· ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3
· ISO/IEC 27001:2013 A.7.1.1, A.7.1.2, A.7.2.1, A.7.2.2, A.7.2.3, A.7.3.1, A.8.1.4
· NIST SP 800-53 Rev. 4 PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-21 / PS Family
· CIS CSC 4, 18, 20
· COBIT 5 BAI03.10, DSS05.01, DSS05.02
· ISO/IEC 27001:2013 A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3
· NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2
· COBIT 5 BAI03.10, BAI09.02, BAI09.03, DSS01.05
· ISA 62443-2-1:2009 4.3.3.3.7
· ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6
· NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5, MA-6
· CIS CSC 3, 5
· COBIT 5 DSS05.04
· ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8
· ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
· NIST SP 800-53 Rev. 4 MA-4
· CIS CSC 1, 3, 5, 6, 14, 15, 16
· COBIT 5 APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
· NIST SP 800-53 Rev. 4 AU Family
· CIS CSC 8, 13
· COBIT 5 APO13.01, DSS05.02, DSS05.06
· ISA 62443-3-3:2013 SR 2.3
· ISO/IEC 27001:2013 A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9
· NIST SP 800-53 Rev. 4 MP-2, MP-3, MP-4, MP-5, MP-7, MP-8
· CIS CSC 3, 11, 14
· COBIT 5 DSS05.02, DSS05.05, DSS06.06
· ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
· ISO/IEC 27001:2013 A.9.1.2
· NIST SP 800-53 Rev. 4 AC-3, CM-7
· CIS CSC 8, 12, 15 / 7
· COBIT 5 DSS05.02, APO13.01
· ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
· ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7, SC-19, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43
· COBIT 5 BAI04.01, BAI04.02, BAI04.03, BAI04.04, BAI04.05, DSS01.05
· ISA 62443-2-1:2009 4.3.2.5.2
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
· ISO/IEC 27001:2013 A.17.1.2, A.17.2.1
· NIST SP 800-53 Rev. 4 CP-7, CP-8, CP-11, CP-13, PL-8, SA-14, SC-6
· CIS CSC 1, 4, 6, 12, 13, 15, 16
· COBIT 5 DSS03.01
· ISA 62443-2-1:2009 4.4.3.3
· ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4
· CIS CSC 3, 6, 13, 15
· COBIT 5 DSS05.07
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, A.16.1.4
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4
· CIS CSC 1, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16
· COBIT 5 BAI08.02
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.7
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4
· CIS CSC 4, 6
· COBIT 5 APO12.06, DSS03.01
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4
· CIS CSC 6, 19
· COBIT 5 APO12.06, DSS03.01
· ISA 62443-2-1:2009 4.2.3.10
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8
· CIS CSC 1, 7, 8, 12, 13, 15, 16 / 14
· COBIT 5 DSS01.03, DSS03.05, DSS05.07
· ISA 62443-3-3:2013 SR 6.2
· NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
· COBIT 5 DSS01.04, DSS01.05
· ISA 62443-2-1:2009 4.3.3.3.8
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2
· NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20
· CIS CSC 5, 7, 14, 16
· COBIT 5 DSS05.07
· ISA 62443-3-3:2013 SR 6.2
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3
· NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
· CIS CSC 4, 7, 8, 12 / 5
· COBIT 5 DSS05.01
· ISA 62443-2-1:2009 4.3.4.3.8
· ISA 62443-3-3:2013 SR 3.2
· ISO/IEC 27001:2013 A.12.2.1
· NIST SP 800-53 Rev. 4 SI-3, SI-8
· CIS CSC 7, 8
· COBIT 5 DSS05.01
· ISA 62443-3-3:2013 SR 2.4
· ISO/IEC 27001:2013 A.12.5.1, A.12.6.2
· NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44
· COBIT 5 APO07.06, APO10.05
· ISO/IEC 27001:2013 A.14.2.7, A.15.2.1
· NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4
· CIS CSC 1, 2, 3, 5, 9, 12, 13, 15, 16
· COBIT 5 DSS05.02, DSS05.05
· ISO/IEC 27001:2013 A.12.4.1, A.14.2.7, A.15.2.1
· NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4
· CIS CSC 4, 20
· COBIT 5 BAI03.10, DSS05.01
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 RA-5
· CIS CSC 19 / 5
· COBIT 5 APO01.02, DSS05.01, DSS06.03
· ISA 62443-2-1:2009 4.4.3.1
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14
· COBIT 5 DSS06.01, MEA03.03, MEA03.04
· ISA 62443-2-1:2009 4.4.3.2
· ISO/IEC 27001:2013 A.18.1.4, A.18.2.2, A.18.2.3
· NIST SP 800-53 Rev. 4 AC-25, CA-2, CA-7, SA-18, SI-4, PM-14
· COBIT 5 APO13.02, DSS05.02
· ISA 62443-2-1:2009 4.4.3.2
· ISA 62443-3-3:2013 SR 3.3
· ISO/IEC 27001:2013 A.14.2.8
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, SI-3, SI-4, PM-14
· CIS CSC 19
· COBIT 5 APO08.04, APO12.06, DSS02.05
· ISA 62443-2-1:2009 4.3.4.5.9
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.16.1.2, A.16.1.3
· NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4
· COBIT 5 APO11.06, APO12.06, DSS04.05
· ISA 62443-2-1:2009 4.4.3.4
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14
· CIS CSC 19
· COBIT 5 APO12.06, BAI01.10
· ISA 62443-2-1:2009 4.3.4.5.1
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8
· CIS CSC 19
· COBIT 5 EDM03.02, APO01.02, APO12.03
· ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, A.16.1.1
· NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8
· CIS CSC 19
· COBIT 5 DSS01.03
· ISA 62443-2-1:2009 4.3.4.5.5
· ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
· NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8
· CIS CSC 19
· COBIT 5 DSS03.04
· ISA 62443-2-1:2009 4.3.4.5.2
· ISO/IEC 27001:2013 A.16.1.2, Clause 7.4, Clause 16.1.2
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4
· CIS CSC 19
· COBIT 5 DSS03.04
· ISA 62443-2-1:2009 4.3.4.5.5
· ISO/IEC 27001:2013 Clause 7.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· CIS CSC 19
· COBIT 5 BAI08.04
· ISO/IEC 27001:2013 A.6.1.4
· NIST SP 800-53 Rev. 4 SI-5, PM-15
· CIS CSC 4, 6, 8, 19
· COBIT 5 DSS02.04, DSS02.07
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4
· COBIT 5 DSS02.02
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISO/IEC 27001:2013 A.16.1.4, A.16.1.6
· NIST SP 800-53 Rev. 4 CP-2, IR-4
· COBIT 5 APO12.06, DSS03.02, DSS05.07
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
· ISO/IEC 27001:2013 A.16.1.7
· NIST SP 800-53 Rev. 4 AU-7, IR-4
· CIS CSC 19
· COBIT 5 DSS02.02
· ISA 62443-2-1:2009 4.3.4.5.6
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8
· CIS CSC 4, 19
· COBIT 5 EDM03.02, DSS05.07
· NIST SP 800-53 Rev. 4 SI-5, PM-15
· CIS CSC 19
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.4.5.6
· ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4
· CIS CSC 4, 19
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4
· CIS CSC 4
· COBIT 5 APO12.06
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5
· COBIT 5 BAI01.13
· ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· COBIT 5 BAI01.13, DSS04.08
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· CIS CSC 10 / 8
· COBIT 5 APO12.06, DSS02.05, DSS03.04
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8
· COBIT 5 APO12.06, BAI05.07, DSS04.08
· ISA 62443-2-1:2009 4.4.3.4
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· COBIT 5 APO12.06, BAI07.08
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· COBIT 5 EDM03.02
· ISO/IEC 27001:2013 A.6.1.4, Clause 7.4
· COBIT 5 MEA03.02
· ISO/IEC 27001:2013 Clause 7.4
· COBIT 5 APO12.06
· ISO/IEC 27001:2013 Clause 7.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4