The framework is organized into 5 main functions (Identify, Protect, Detect, Respond, Recover):
Identify
ID.AM Asset Management
ID.BE Business Environment
ID.GV Governance
ID.RA Risk Assessment
ID.RM Risk Management Strategy
Protect
PR.AC Access Control
PR.AT Awareness and Training
PR.DS Data Security
PR.IP Information Protection Processes and Procedures
PR.MA Maintenance
PR.PT Protective Technology
Detect
DE.AE Anomalies and Events
DE.CM Security Continuous Monitoring
DE.DP Detection Processes
Respond
RS.RP Response Planning
RS.CO Communications
RS.AN Analysis
RS.MI Mitigation
RS.IM Improvements
Recover
RC.RP Recovery Planning
RC.IM Improvements
RC.CO Communications
Each sub-function is broken down into subcategories, and each subcategory is described by informative references to norms and standards (CCS, COBIT, ISA, ISO, IEC, NIST).
For example, for the function Asset Management (ID.AM):
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
ID.AM-1: Physical devices and systems within the organization are inventoried
• CCS CSC 1
• COBIT 5 BAI09.01, BAI09.02
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
ID.AM-2: Software platforms and applications within the organization are inventoried
• CCS CSC 2
• COBIT 5 BAI09.01, BAI09.02, BAI09.05
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
ID.AM-3: Organizational communication and data flows are mapped
• CCS CSC 1
• COBIT 5 DSS05.02
• ISA 62443-2-1:2009 4.2.3.4
• ISO/IEC 27001:2013 A.13.2.1
• NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8
ID.AM-4: External information systems are catalogued
• COBIT 5 APO02.02
• ISO/IEC 27001:2013 A.11.2.6
• NIST SP 800-53 Rev. 4 AC-20, SA-9
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
• COBIT 5 APO03.03, APO03.04, BAI09.02
• ISA 62443-2-1:2009 4.2.3.6
• ISO/IEC 27001:2013 A.8.2.1
• NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
• COBIT 5 APO01.02, DSS06.03
• ISA 62443-2-1:2009 4.3.2.3.3
• ISO/IEC 27001:2013 A.6.1.1
• NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11
where:
CCS Council on CyberSecurity
COBIT Control Objectives for Information and Related Technology
IEC International Electrotechnical Commission
ISA International Society of Automation
ISAC Information Sharing and Analysis Center
ISO International Organization for Standardization
NIST National Institute of Standards and Technology
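As an added illustration (not part of the original post), the following Python parses subcategory listings in the page's "• framework control-ids" bullet format into a cross-walk of informative references and reports which subcategories an organisation's implemented controls leave uncovered; the framework prefixes and the sample text are taken from the ID.AM listing above, and the set of implemented controls is an assumed input.

```python
import re

# Constructed sample input: three ID.AM subcategories copied from the listing above,
# in the page's "• <framework> <control ids>" bullet format.
CSF_TEXT = """\
ID.AM-1: Physical devices and systems within the organization are inventoried
• CCS CSC 1
• COBIT 5 BAI09.01, BAI09.02
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
ID.AM-2: Software platforms and applications within the organization are inventoried
• COBIT 5 BAI09.01, BAI09.02, BAI09.05
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
ID.AM-4: External information systems are catalogued
• COBIT 5 APO02.02
• ISO/IEC 27001:2013 A.11.2.6
• NIST SP 800-53 Rev. 4 AC-20, SA-9
"""

# Framework prefixes as they appear on the page; the remainder of a bullet is a
# comma-separated list of control identifiers from that framework.
FRAMEWORKS = ("CCS CSC", "COBIT 5", "ISA 62443-2-1:2009", "ISA 62443-3-3:2013",
              "ISO/IEC 27001:2013", "NIST SP 800-53 Rev. 4")
SUBCAT_RE = re.compile(r"^([A-Z]{2}\.[A-Z]{2}-\d+): (.+)$")

def parse_csf(text):
    """Return {subcategory id: set of (framework, control) informative references}."""
    refs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUBCAT_RE.match(line)
        if m:
            current = m.group(1)
            refs[current] = set()
        elif line.startswith("•") and current is not None:
            body = line[1:].strip()
            fw = next((f for f in FRAMEWORKS if body.startswith(f + " ")), None)
            if fw is None:
                raise ValueError("unrecognised informative reference: " + body)
            for control in body[len(fw):].split(","):
                refs[current].add((fw, control.strip()))
    return refs

def gaps(refs, implemented):
    """Subcategories with no informative reference in `implemented`, a set of
    (framework, control) tuples the organisation has actually put in place."""
    return sorted(sid for sid, r in refs.items() if not (r & implemented))
```

A subcategory counts as covered as soon as one of its references is implemented, which is the most lenient reading; tighten the test in `gaps` if your assessment requires every cited reference.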