|
|
Description of review
|
Minimal
Frequency/Occurrence
|
Evidence
|
|
1
|
Assets Review covering:
- ID.AM-1: Review of physical devices and systems within the organization
- ID.AM-2: Review of software platforms and applications within the organization
- ID.AM-3: Review of organizational communication and data flows map
- ID.AM-4: Review of external information systems
- ID.AM-5: Review of available resources (e.g., hardware, devices, data, time, personnel, and software), establishing of priorities based on their classification, criticality, and business value.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
2
|
ID.AM-6: Review of cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners)
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
3
|
Business Environment Review, covering:
- ID.BE-1: Identification and communication of the organization’s role in the supply chain
- ID.BE-2: Identification and communication of the organization’s place in critical infrastructure and its industry sector
- ID.BE-3: Review of priorities for organizational mission, objectives, and activities and their communication within the organization
- ID.BE-4: Review of dependencies and critical functions for delivery of critical services
- ID.BE-5: Review of resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations).
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
4
|
Governance Review covering:
- ID.GV-1: Review of organizational cybersecurity policy is and its communication within the organization
- ID.GV-2: Review of cybersecurity roles and responsibilities coordination, their alignment with internal roles and external partners
- ID.GV-3: Review and management of legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations
- ID.GV-4: Review of governance and risk management processes addressing cybersecurity risks
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
5
|
Risk Assessment Review covering:
- ID.RA-1: Identification and documentation of asset vulnerabilities
- ID.RA-2: Receiving of cyber threat intelligence information from information sharing forums and sources
- ID.RA-3: Identification and documentation of threats, both internal and external
- ID.RA-4: Identification of potential business impacts and likelihoods
- ID.RA-5: Usage of threats, vulnerabilities, likelihoods, and impacts for risk determination
- ID.RA-6: Identification and prioritization of risk responses.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
6
|
Risk Management Review covering:
- ID.RM-1: Establishment, management and acceptance by the organizational stakeholders of risk management processes
- ID.RM-2: Determination of organizational risk tolerance
- ID.RM-3: Determination of the organization’s risk tolerance by its role in critical infrastructure and sector specific risk analysis.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
7
|
Supply Chain Risk Management Review covering:
- ID.SC-1: Identification, establishment, assessment, management, and agreement to by organizational stakeholders of cyber supply chain risk management
- ID.SC-2: Identification, prioritization, and assessment using a cyber supply chain risk assessment process of suppliers and third party partners of information systems, components, and services
- ID.SC-3: Usage of contracts with suppliers and third-party partners to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan
- ID.SC-4: Routine assessment (using audits, test results, or other forms of evaluations) of suppliers and third-party partners to confirm they are meeting their contractual obligations
- ID.SC-5: Conducting of response and recovery planning and testing with suppliers and third-party providers.
|
every 12 months
|
Results of the review in the form of memo or report (can be short or detailed report)
|
|
8
|
Identity Management, Authentication and Access Control Review checking whether:
- PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
- PR.AC-3: Remote access is managed
- PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
- PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
- PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).
|
every 3 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
- PR.AC-2: Physical access to assets is managed and protected
- PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation).
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
9
|
Awareness and Training Review checking whether:
- PR.AT-1: All users are informed and trained
- PR.AT-2: Privileged users understand their roles and responsibilities
- PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
- PR.AT-4: Senior executives understand their roles and responsibilities
- PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
10
|
Data Security Review checking whether:
- PR.DS-1: Data-at-rest is protected
- PR.DS-2: Data-in-transit is protected
- PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
- PR.DS-4: Adequate capacity to ensure availability is maintained
- PR.DS-5: Protections against data leaks are implemented
- PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
- PR.DS-7: The development and testing environment(s) are separate from the production environment
- PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
11
|
Information Protection Processes and Procedures Review checking whether:
- PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
- PR.IP-2: A System Development Life Cycle to manage systems is implemented
- PR.IP-3: Configuration change control processes are in place
- PR.IP-4: Backups of information are conducted, maintained, and tested
- PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
- PR.IP-6: Data is destroyed according to policy
- PR.IP-7: Protection processes are improved
- PR.IP-8: Effectiveness of protection technologies is shared
- PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
- PR.IP-10: Response and recovery plans are tested
- PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
- PR.IP-12: A vulnerability management plan is developed and implemented.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
11
|
Maintenance Review checking whether:
- PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
- PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
12
|
Protective Technology Review checking whether:
- PR.PT-2: Removable media is protected and its use restricted according to policy
- PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
- PR.PT-4: Communications and control networks are protected
- PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
- PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
|
every 3 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
13
|
Anomalies and Events Review checking whether:
- DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
- DE.AE-2: Detected events are analyzed to understand attack targets and methods
- DE.AE-3: Event data are collected and correlated from multiple sources and sensors
- DE.AE-4: Impact of events is determined
- DE.AE-5: Incident alert thresholds are established.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
14
|
Security Continuous Monitoring Review checking whether:
- DE.CM-1: The network is monitored to detect potential cybersecurity events
- DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
- DE.CM-4: Malicious code is detected
- DE.CM-5: Unauthorized mobile code is detected
- DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
|
every 3 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
- DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
- DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
- DE.CM-8: Vulnerability scans are performed.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
15
|
Detection Processes Review checking whether:
- DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
- DE.DP-2: Detection activities comply with all applicable requirements
- DE.DP-3: Detection processes are tested
- DE.DP-4: Event detection information is communicated
- DE.DP-5: Detection processes are continuously improved.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
16
|
Response Plan Review checking whether:
RS.RP-1: Response plan is executed during or after an incident.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
17
|
Communications Review checking whether:
- RS.CO-1: Personnel know their roles and order of operations when a response is needed
- RS.CO-2: Incidents are reported consistent with established criteria
- RS.CO-3: Information is shared consistent with response plans
- RS.CO-4: Coordination with stakeholders occurs consistent with response plans
- RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
18
|
Analysis Review checking whether:
- RS.AN-1: Notifications from detection systems are investigated
- RS.AN-2: The impact of the incident is understood
- RS.AN-3: Forensics are performed
- RS.AN-4: Incidents are categorized consistent with response plans
- RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers).
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
19
|
Mitigation Review checking whether:
- RS.MI-1: Incidents are contained
- RS.MI-2: Incidents are mitigated
- RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
20
|
Improvements Review checking whether:
- RS.IM-1: Response plans incorporate lessons learned
- RS.IM-2: Response strategies are updated.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
21
|
Recovery Planning Review checking whether:
- RC.IM-1: Recovery plans incorporate lessons learned
- RC.IM-2: Recovery strategies are updated.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
|
22
|
Communications Review checking whether:
- RC.CO-1: Public relations are managed
- RC.CO-2: Reputation is repaired after an incident
- RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.
|
every 12 months
|
- Results of the review in the form of report (can be short or detailed report)
- Screenshot/email with results of review
|
