European Cybersecurity Audit/Assurance Program
(Source: http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914, accessed 8/10/2019)

About ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.
Disclaimer
ISACA has designed and created the European Cybersecurity Audit/Assurance Program white paper (the "Work") primarily as an educational resource for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or information technology environment.
Reservation of Rights
© 2014 ISACA. All rights reserved.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Provide feedback: www.isaca.org/EU-cyber-implementation
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
ISBN 978-1-60420-469-8
© ISACA 2014 All rights reserved 2
Introduction

Overview
ISACA developed the IT Assurance Framework (ITAF) as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory and that are the guiding principles under which the IS audit and assurance profession operates. The guidelines provide information and direction for the practice of IS audit and assurance.

Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned assurance programs to be developed for use by IS audit and assurance practitioners. This assurance program is intended to be used by IS audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in the ITAF standard on proficiency.

Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT 5 framework, using generally applicable and accepted good practices. The generic assurance program is presented in COBIT 5 for Assurance and ensures integration of all seven enablers in the assurance approach.

Governance, Risk and Control of IT
Governance, risk and control of IT are critical in the performance of an assurance management process. Governance of the process under review is evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues are evaluated in the assurance program. Enablers are the primary evaluation point in the process. The assurance program identifies the enablers and the steps to determine their design and operating effectiveness.

Responsibilities of IS Audit and Assurance Professionals
IS audit and assurance professionals are expected to customise the "IT Audit/Assurance Program for European Cybersecurity" for the environment in which they are performing the assurance engagement. This document is to be used as a review tool and starting point and may be modified by the IS audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IS audit and assurance professional has the necessary subject matter expertise that is required to conduct the work (see following paragraph) and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.

Minimum Audit Skills
Cybersecurity incorporates many IT processes. Because the focus is on information governance, IT management, network, data, contingency and encryption controls, the audit and assurance professional should have requisite knowledge of these issues. In addition, proficiency in risk assessment, information security components of IT architecture, risk management, and the threats and vulnerabilities of cloud computing and Internet-based data processing is required. Therefore, it is recommended that the audit and assurance professional who is conducting the assessment has the requisite experience and organisational relationships to effectively execute the assurance processes.

Assurance Program Approach
The assurance program table is a template for a detailed assurance work program, which is based on COBIT 5.
The assurance work program structures an assurance engagement into three major phases, as depicted in figure 1.

Figure 1—Generic COBIT 5-based Assurance Engagement Approach¹

¹ See www.isaca.org/COBIT/Pages/Assurance-product-page.aspx for more information on COBIT 5 for Assurance.
In addition, while audit/assurance programs will be available for each process, in practice a group of processes is often selected for audit. Therefore, a relevant set of audit/assurance programs for the applicable processes will need to be selected for conducting assurance. The assurance approach depicted in figure 1 is described in more detail and developed into a generic audit/assurance program (including guidance on how to proceed during each step) in section 2B of COBIT 5 for Assurance. The European Cybersecurity Audit/Assurance Program is:

- Fully aligned with COBIT 5:
  - It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers.
  - It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives to enterprise and IT risk and benefits.
- Comprehensive yet flexible:
  - The generic program is comprehensive because it contains assurance steps covering all enablers in quite some detail, yet it is also flexible because this detailed structure allows clear and well-understood scoping decisions to be made. That is, the assurance professional can decide not to cover a set of enablers or some enabler instances and, while the decision will reduce the scope and related assurance engagement effort, the question of what is or is not covered will be quite transparent to the assurance engagement user.
- Easy to understand, follow and apply because of its clear structure:
  - The table follows the flow described in figure 1, but splits each phase into different steps and substeps.
  - For each step, a short description is included, as is guidance for the assurance professional on how to proceed with the step (text in italics).

Additional guidance on how to use other IT assurance-related standards for performing assurance can be found in section 3 of COBIT 5 for Assurance.

Customisation of the Audit/Assurance Program
Customisation and completion of the European Cybersecurity Audit/Assurance Program will still be required, and consists of refining the scope by selecting goals and enabler instances: the lists included in the example are comprehensive, yet still are examples (i.e., different strategic priorities of the enterprise may dictate a different scope). The lists can also be considered prohibitive by some, as they can lead to a very broad scope, and therefore a very expensive assurance engagement; selection and prioritisation will be required. The assurance professional will need to consider the following steps:

- Determine the stakeholders of the assurance initiative and their stake.
- Determine the assurance objectives based on assessment of the internal and external environment/context, including the strategic objectives, goals (figures 40 and 41 of COBIT 5 for Assurance) and priorities of the enterprise.
- Determine the enablers in scope and the instance(s) of the enablers in scope.

In each phase, one or two enabler examples are fully elaborated, to illustrate and demonstrate the suggested approach. The audit/assurance program phases for the other processes and other enablers in scope need to be detailed to the required level of detail.

Using the Assurance Program
In the following section, the European Cybersecurity assurance topic is fully developed based on the generic audit/assurance program. This detailed program contains the following additional information:

- In the Guidance column, the shaded text is specific to the example and provides practical guidance, e.g., examples of which processes to include in scope, which organisational structures to include in scope, how to set assessment criteria for the different enablers, and how to actually assess the different enablers.
- Two additional columns, allowing the audit and assurance professional to identify and cross-reference issues and to record comments:
  - Issue Cross-reference: This column can be used to flag a finding/issue that the IT assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).
  - Comment: This column can be used to document any further notes.

For most of the enablers, there are several instances in scope. However, the assurance professional must complete the list to meet the environment in scope. The remaining instances can be deduced very similarly to those described in this program, using the COBIT 5 framework and the COBIT 5: Enabling Processes guides.

Assurance Engagement: European Cybersecurity Assurance Topic
The topic covered by this assurance engagement is cybersecurity.

Goal of the Review
The primary objective of the audit/assurance review is to provide management with an impartial and independent assessment relating to the effectiveness of cybersecurity and related governance, management and assurance.

Scoping
The review will focus on cybersecurity standards, guidelines and procedures as well as on the implementation and governance of these activities. Traditional information security at lower levels is outside the scope of this review.

The following ISACA publications apply to cybersecurity:
- COBIT 5 for Information Security
- Transforming Cybersecurity Using COBIT 5
- Responding to Targeted Cyberattacks
- ISACA European Cybersecurity Series
- Securing Mobile Devices Using COBIT 5

From a process reference model (PRM) perspective, the following domains and processes apply to this audit and assurance programme:
- EDM03 Ensure Risk Optimisation: Governance in the widest sense should address the intrinsic risk within cybersecurity and set policies and steps accordingly.
- APO12 Manage Risk: Management in IT should adequately address risk issues related to cybersecurity.
- APO13 Manage Security: The information security management system (ISMS) should incorporate adequate provisions for cybersecurity.
- DSS02 Manage Service Requests and Incidents: Incidents in cybersecurity should be identified and managed.
- DSS04 Manage Continuity: Organisational functions and IT should be resilient with regard to cybersecurity.
- DSS05 Manage Security Services: There should be comprehensive and adequate security services in place to ensure the desired level of cybersecurity.

Refer to the above-mentioned detailed publications for guidance on controls and good practice in cybersecurity.
IT Audit and Assurance Program for European Cybersecurity

Phase A—Determine Scope of the Assurance Initiative

Columns: Ref. | Assurance Step | Guidance | Issue Cross-reference | Comment
(The Guidance column is cut off at the right margin of the source page; cut-off text is marked "…".)

A-1  Determine the stakeholders of the assurance initiative and their stakes.

A-1.1  Identify the intended user(s) of the assurance report and their stake in the assurance engagement. This is the assurance objective.
  Guidance: Intended user(s) of the assurance report:
  - Board/audit committee: Needs effectiveness and efficiency of cyb… within the enterprise
  - Works Council/Union represen… assurance in terms of cybersecuri… industrial relations
  - Owners/shareholders: In Euro… cybersecurity assurance report m… statutory reporting
  - Regulators: In Europe, part or al… reporting may need to be disclose… authorities

A-1.2  Identify the interested parties, accountable and responsible for the subject matter over which assurance needs to be provided.
  Guidance: Accountable and responsible parties for the subject matter:
  - Steering committee: Accountab… cybersecurity processes and serv… management and monitoring, allo… delivery of benefits and value, and …
  - Business executives: The indiv… identifying requirements, approvin… managing performance. These pe… with IT management, responsible … correct and controlled use of cybe… in line with good practices.
  - IT management: Responsible fo… correct and controlled use of cybe… together with the business execut…

A-2  Determine the assurance objectives based on assessment of the internal and external environment/context and of the relevant risk and related opportunities (i.e., not achieving the enterprise goals).
  Guidance: Assurance objectives are essentially a more detailed and tangible expression of those enterprise objectives relevant to the subject of the assurance engagement. Enterprise objectives can be formulated in terms of the generic enterprise goals (COBIT 5 framework) or they can be expressed more specifically. Objectives of the assurance engagement can be expressed using the COBIT 5 enterprise goals, the IT-related goals (which relate more to technology), information goals or any other set of specific goals. Objectives of the assurance engagement will consider all three value objective components, i.e., delivering benefits that support strategic objectives, optimising the risk that strategic objectives are not achieved and optimising resource levels required to achieve the strategic objectives.

A-2.1  Understand the enterprise strategy and priorities.
  Guidance: Perform a high-level walk-through of cybersecurity arrangements, including goals, strategy, policy and processes.

A-2.2  Understand the internal context of the enterprise.
  Guidance:
  - Establish any prior cybersecurity incidents that serve as trigger events for the audit.
  - Ascertain any prior audit findings relating to cybersecurity.
  - Obtain and understand any specific risk scenarios relating to the cybersecurity audit (e.g., crime, cyberwarfare, end-user-based attacks).
  - Determine the applications and operating environments affected by these cybersecurity arrangements.
  - Obtain and review the organisation's definition of cybersecurity and the organisational scope attributed to it. Delineate cybersecurity from traditional information security.
  - Obtain and review all IT services, applications, platforms and infrastructure elements covered by cybersecurity arrangements.
  - Identify and document the relevant business risk in respect to cybersecurity, attacks and breaches.
  - Identify the technology risk associated with cybersecurity.
  - Identify the social risk associated with cybersecurity.
  - Discuss the risk with management of IT, business and operational audit, and adjust the risk assessment as appropriate (based on the risk assessment, revise the scope).
  - Verify that the cybersecurity function has an established and clear interface with the assurance/compliance function.
  - Verify that all relevant European laws, regulations and recommendations for cybersecurity are communicated between the assurance/compliance function, audit and the cybersecurity function.
  - Obtain and analyse documentation of previous cybersecurity-related audits (if done by other auditors).
  - (For internal auditors) Verify that the enterprise has incorporated and adopted all external rulings, directives or other binding provisions related to cybersecurity.
  - (For external auditors) Verify that the enterprise operates a comprehensive internal audit regime with regard to cybersecurity.

A-2.3  Understand the external context of the enterprise.
  Guidance:
  - Identify any limitations and/or constraints affecting the audit of specific systems and subsystems.
  - Identify any third-party services, applications, platforms and infrastructure elements that may not be accessible or are only partially accessible.
  - Identify any legal, regulatory or contractual constraints on audit.
  - Identify any industrial relations-based or end-user-based audit constraints.

A-2.4  Given the overall assurance objective, translate the identified strategic priorities into concrete objectives for the assurance engagement.
  Guidance: The following goals are retained as key goals to be supported, in reflection of enterprise strategy and priorities:
  Key goals
  - Enterprise goals: EG03 Managed business risk (safeguarding of assets); EG04 Compliance with external laws and regulations
  - IT-related goals: ITG02 IT compliance and support for business compliance with external laws and regulations; ITG04 Managed IT-related business risk; ITG10 Security of information, processing infrastructure and applications
  Additional goals
  - Enterprise goals: EG01 Stakeholder value of business investments; EG08 Agile responses to a changing business environment; EG10 Optimisation of service delivery costs
  - IT-related goals: ITG05 Realised benefits from IT-enabled investments and services portfolio; ITG07 Delivery of IT services in line with business requirements
A-2.5  Define the organisational boundaries of the assurance initiative.
  Guidance: Describe the organisational boundaries of the assurance engagement, i.e., to which organisational entities the review is limited. All other aspects of scope limitation are identified during phase A-3.
  - The review must have a defined scope. The reviewer must understand the operating environment and prepare a proposed scope, subject to a later risk assessment.
  - Obtain information and form an understanding of the business reasons underlying the audit.
  - Identify the senior business resources responsible for the review.
  - Identify the senior IT audit/assurance resource responsible for the review.
  - Establish the process for suggesting and implementing changes to the audit/assurance program, and list the authorisations required.
  - Identify any limitations and/or constraints affecting the audit of specific systems and subsystems.
  - Identify any third-party services, applications, platforms and infrastructure elements that may not be accessible or are only partially accessible.
  - Identify any legal, regulatory or contractual constraints on audit.
  - Identify any industrial relations-based or end-user-based audit constraints.

A-3  Determine the enablers in scope and the instance(s) of the enablers in scope.
  Guidance: COBIT 5 identifies seven enabler categories. In this section all seven are covered, and the assurance professional has the opportunity to select enablers from all categories to obtain the most comprehensive scope for the assurance engagement.

A-3.1  Define the Principles, Policies and Frameworks in scope.
  Guidance: Guiding principles and policies include:
  - Cybersecurity policy and standards documentation.
  - Security management framework: ISO/IEC 27001 with ISO 27032, or the NIST 800 series, will be used as a good-practice reference.
  - SANS 20 Critical Controls
  - ISMS policy
  - Information architecture model
  - Legal and regulatory compliance requirements

A-3.2  Define which Processes are in scope of the review.
  Processes will be assessed during phase B of the assurance engagement against the criteria defined in phase A, and assessments will typically focus on:
  - Achievement of process goals
  - Application of process good practices
  - Existence and quality of work products (inputs and outputs), insofar as not covered by the information items assessments
  Guidance: COBIT 5: Enabling Processes distinguishes a governance domain with a set of processes and a management domain with four sets of processes. The processes in scope are identified using the goals cascade and subsequent customisation. The resulting lists contain key processes and additional processes to be considered during this assurance engagement. Available resources will determine whether they can all be effectively assessed.
  Key processes
  - EDM03 Ensure Risk Optimisation: Governance in the widest sense should address the intrinsic risk within cybersecurity and set policies and steps accordingly.
  - APO12 Manage Risk: Management in IT should adequately address risk issues related to cybersecurity.
  - APO13 Manage Security: The information security management system (ISMS) should incorporate adequate provisions for cybersecurity.
  - DSS02 Manage Service Requests and Incidents: Incidents in cybersecurity should be identified and managed.
  - DSS04 Manage Continuity: Organisational functions and IT should be resilient with regard to cybersecurity.
  - DSS05 Manage Security Services: There should be comprehensive and adequate security services in place to ensure the desired level of cybersecurity.
  Additional processes
  - EDM01 Ensure Governance Framework Setting and Maintenance
  - APO01 Manage the IT Management Framework
  - APO07 Manage Human Resources
  - APO09 Manage Service Agreements
  - APO11 Manage Quality
  - BAI08 Manage Knowledge
  - BAI09 Manage Assets
  - BAI10 Manage Configuration
A-3.3  Define which Organisational Structures will be in scope.
  Organisational Structures will be assessed during phase B of the assurance engagement against the criteria defined in phase A, and assessments will typically focus on:
  - Achievement of Organisational Structure goals, i.e., decisions
  - Application of Organisational Structures good practices
  Guidance: Based on the key processes identified in A-3.2, the following Organisational Structures and functions are considered to be in scope of this assurance engagement, and available resources will determine which ones will be reviewed in detail.
  Key Organisational Structures
  - Cybersecurity team
  - Business executives
  - Service manager
  - Chief information officer
  - Business process owner
  - Chief information security officer
  Additional Organisational Structures
  - Chief executive officer
  - Head IT operations
  - Risk function
  - Privacy officer
  - Compliance
  - Audit

A-3.4  Define the Culture, Ethics and Behaviour aspects in scope.
  Guidance: In the context of this engagement, the following enterprisewide culture and behaviours are in scope:
  - Integrity and Reliability
  - Personal and Professional Reliability

A-3.5  Define the Information items in scope.
  Information items will be assessed during phase B of the assurance engagement against the criteria defined in phase A, and assessments will typically focus on:
  - Achievement of Information goals, i.e., quality criteria of the information items
  - Application of Information good practices (Information attributes)
  Guidance: COBIT 5: Enabling Processes defines a number of inputs and outputs between processes. Based on the fact that EDM03, APO12, APO13, DSS02, DSS04 and DSS05 were defined as key processes in scope (A-3.2), the related inputs and outputs are considered in this section. Key priorities and availability of resources will determine how many and which ones will be reviewed in detail. The following items are considered for this example.
  Key Information Items
  - Formal cybersecurity p…
  - Code of Conduct
  - Third-party access policy
  - Virtual architecture documentation
  - Virtualisation policies
  - Cybersecurity technical …
  - Technical guidelines and … IT service level, including services provided by third parties
  - Technical guidelines and … IT application level
  - Technical guidelines and … IT platform level, including remotely administered platforms (rental, vi…)
  - Technical guidelines and … autonomous IT hardware level (i… servers and clusters, end user P…)
  - Technical guidelines and … critical or particularly exposed ha… notably mobile devices such as s… tablets
  - Technical and administrative procedures around …ED
  - Technical and administrative procedures for industrial control … interfaces
  - Technical and administrative procedures for building and facili… systems
  - Incident management, d… service business continuity proc… assets
  - Guidelines and procedures … identification, documentation and … informational evidence, e.g. logs
  - Virtualisation controls as…
  - Third-party access controls … results
  Additional Information Items
  - Cybersecurity attributes … information classification
  - Evidence of cybersecur… and information classification

A-3.6  Define the Services, Infrastructure and Applications in scope.
  Guidance: In the context of this assignment, and taking into account the goals identified in A-2.4, the following services and related applications or infrastructure could be considered in scope of the review:
  - Cybersecurity training
  - Change management
  - Human resources
  - Help desk
  - Incident tracking system

A-3.7  Define the People, Skills and Competencies in scope.
  Skill sets and competencies will be assessed during phase B of the assurance engagement against the criteria defined in phase A, and assessments will typically focus on:
  - Achievement of skill set goals
  - Application of skill set and competencies good practices
  Guidance: In the context of this engagement, taking into account key processes and key roles, the following skill sets are included in scope:
  - Cybersecurity personnel skills
  - Enterprisewide cybersecurity awareness
8/10/2019 European Cybersecurity Audit Assurance Program Res Eng 0914
http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914 16/105
European Cybersecurity
Audit/Assurance Program
IT Audit and Assurance Program for European Cybersecurity
Phase B—-nderstand Enab(ers4 etting uitab(e Assessment Criteria and Perform 6etrics
"ef# Assurance teps and $uidanceIssue
Cross%reference
B%&
Agree on metrics and criteria forenterprise goa(s and IT%re(ated goa(s#
Assess enterprise goa(s and IT%re(atedgoa(s#
B-1.1 Obtain (and agree on) metrics for enterprise goals and expected values of the metrics.
Assess whether enterprise goals in scope are achieved.
Leverage the list of suggested metrics for the enterprise goals to define, discuss and agree on a set of relevant, customized metrics for the enterprise goals, taking care that the suggested metrics are driven by the performance of the topic of this assurance initiative.
Next, agree on the expected values for these metrics, i.e., the values against which the assessment will take place.
The following metrics and expected values are agreed on for the key enterprise goals defined in step A-2.4.

Enterprise goals, metrics, expected outcome (EO) and assessment:

EG03 Managed business risk (safeguarding of assets)
  Metrics:
  - Percent of critical business objectives and services covered by risk assessment
  - Frequency of update of risk profile
  Expected outcome (EO): Agree on the expected values for the enterprise goal metrics, i.e., the values against which the assessment will take place.
  Assessment: In this step the relevant metrics for each goal will be reviewed and the assessment will be performed against the defined criteria.

EG04 Compliance with external laws and regulations
  Metrics:
  - Number of regulatory non-compliance issues relating to cyber incidents
  Expected outcome (EO): Agree on the expected values for the enterprise goal metrics, i.e., the values against which the assessment will take place.
  Assessment: In this step the relevant metrics for each goal will be reviewed and the assessment will be performed against the defined criteria.

B-1.2 Obtain (and agree on) metrics for IT-related goals and expected values of the metrics, and assess whether IT-related goals in scope are achieved.
The following metrics and expected values are agreed for the key IT-related goals defined in step A-2.4.

IT-related goals, metrics, expected outcome (EO) and assessment:

ITG02 IT compliance and support for business compliance with external laws and regulations
  Metrics:
  - Number of cybersecurity-related non-compliance issues reported to the board or causing public comment or embarrassment
  Expected outcome (EO): Agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take place.
  Assessment: In this step the relevant metrics for each goal will be reviewed and the assessment will be performed against the defined criteria.

ITG04 Managed IT-related business risk
  Metrics:
  - Percent of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
  - Number of significant IT-related incidents that were not identified in risk assessment
  - Percent of enterprise risk assessments including IT-related risk
  - Frequency of update of risk profile
  Expected outcome (EO): Agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take place.
  Assessment: In this step the relevant metrics for each goal will be reviewed and the assessment will be performed against the defined criteria.

ITG10 Security of information, processing infrastructure and applications
  Metrics:
  - Number of security incidents related to cybersecurity weaknesses causing financial loss, business disruption or public embarrassment
  - Frequency of cybersecurity assessment against latest standards and guidelines
  Expected outcome (EO): Agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take place.
  Assessment: In this step the relevant metrics for each goal will be reviewed and the assessment will be performed against the defined criteria.

© ISACA 2014 All rights reserved
IT Audit and Assurance Program for European Cybersecurity
Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform: Principles, Policies and Frameworks
Ref. | Assurance Steps and Guidance
B-2 Obtain an understanding of the Principles, Policies and Frameworks in scope and set suitable assessment criteria.
Assess Principles, Policies and Frameworks.

Principles, policies and frameworks: Cybersecurity policy and standards documentation

B-2.1a Understand the Principles, Policies and Frameworks context. Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.

B-2.2a Understand the stakeholders of the Principles, Policies and Frameworks: Cybersecurity policy and standards documentation. Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to ensure compliance with the policies.

B-2.3a Understand the goals for the Principles, Policies and Frameworks, and the related metrics, and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: Describe the goal of the Cybersecurity policy and standards documentation. Perform the assurance steps using the criteria described below.

Goal criteria and assessment steps:

Comprehensiveness
  Criteria: The set of policies is comprehensive in its coverage.
  Assessment step: Verify that the set of policies is comprehensive in its coverage.

Currency
  Criteria: The set of policies is up to date. This at least requires:
  - a regular validation of all policies, whether they are still up to date
  - an indication of the policies' expiration date or date of last update
  Assessment step: Verify that the set of policies is up to date. This at least requires:
  - a regular validation of all policies, whether they are still up to date
  - an indication of the policies' expiration date or date of last update
  - verification of compliance with cycle dates for policies

Flexibility
  Criteria: The set of policies is flexible. It is structured in such a way that it is easy to add or update policies as circumstances require.
  Assessment step: Verify the flexibility of the set of policies, i.e., that it is structured in such a way that it is easy to add or update policies as circumstances require.

Availability
  Criteria: Policies are available to all stakeholders. Policies are easy to navigate and have a logical and hierarchical structure.
  Assessment steps:
  - Verify that policies are available to all stakeholders.
  - Verify that policies are easy to navigate and have a logical and hierarchical structure.

B-2.4a Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a review of the process APO01 Manage the IT management framework.

B-2.5a Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good practice criteria and assessment steps:

Scope and validity
  Criteria: The scope is described and the validity date is indicated.
  Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
  Criteria:
  - The exception and escalation procedure is explained and commonly known.
  - The exception and escalation procedure has not become the de facto standard procedure.
  - Exemptions from cybersecurity policy are applied for, reviewed and authorised in conformance with the organisation's Exceptions to Policy procedures. (APO13)
  Assessment steps:
  - Verify that the exception and escalation procedure is described and commonly known.
  - Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.
  - If the organisation grants exemptions from cybersecurity policy, obtain a copy of the list of currently authorised exemptions and a copy of the procedure for Exemptions to Policy.
  - Determine that exemptions are granted only for a limited period (maximum one year).
  - Determine that each cybersecurity exemption is regularly reviewed for continuing applicability.
  - Determine whether a risk assessment was performed before the exemption is granted and compensating controls are in place.

Compliance
  Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
  Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Communication
  Criteria: The cybersecurity policies have been defined by management, documented, approved at an appropriate senior level, disseminated to all relevant employees and third parties, and deployed across the organisation. (APO13)
  Assessment steps:
  - Verify that an appropriate cybersecurity policy was drafted before the cybersecurity programme was deployed into production.
  - Verify that senior business management formally approved the cybersecurity policy.
  - Verify that all employees are appropriately informed of the cybersecurity policy, e.g., during initial orientation and in information sessions.

HR Support
  Criteria: Cybersecurity processes are integrated into HR services, policies and compliance. (APO13)
  Assessment steps:
  - Obtain a copy of the organisation's Code of Conduct and determine whether it specifically states that a violation of the cybersecurity policy is considered a violation of the Code of Conduct, with applicable penalties.
  - Determine whether disciplinary policies and supporting procedures are in effect for violations of cybersecurity policy. These should include:
    - established penalties for infringements
    - uniform application of penalty policy
  - Establish whether awareness campaigns are conducted.

Third-party compliance
  Criteria: Third parties, such as contractors, are contractually required to comply with the organisation's cybersecurity policies. (APO09, APO10)
  Assessment steps:
  - Determine the policies in effect to permit third parties to access the organisation's IT resources, and to protect the organisation's intellectual property from unauthorised access.
  - Evaluate the effectiveness of cybersecurity controls upon third parties and determine whether additional controls, policies or procedures are needed to protect the organisation's assets.

Cloud services and virtualised environments
  Criteria: The enterprise's architecture extends cybersecurity arrangements to cover all cloud-based and/or virtualised services, applications and information assets. (APO03, APO09, APO10, DSS05)
  Assessment steps:
  - Obtain and review architecture elements and components covering cloud-based and/or virtualised elements.
  - Determine the policies in effect to govern cloud and virtualised services and establish the level of protection with regard to cybersecurity.
  - Evaluate the effectiveness of cybersecurity controls on cloud and virtualised environments and identify any gaps.
Principles, policies and frameworks: Cybersecurity Frameworks and Standards

B-2.1b Understand the Principles, Policies and Frameworks context. Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.

B-2.2b Understand the stakeholders of the Principles, Policies and Frameworks: Cybersecurity Frameworks and Standards. Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to ensure compliance with the policies.

B-2.3b Understand the goals for the Principles, Policies and Frameworks, and the related metrics, and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: Cybersecurity Frameworks and Standards. Security management frameworks, such as ISO/IEC 27001 with ISO 27032, or the NIST 800 series, will be used as a good-practice reference. Perform the assurance steps using the criteria described below.

Goal criteria and assessment steps:

Comprehensiveness
  Criteria: The set of frameworks is comprehensive in its coverage.
  Assessment step: Verify that the set of frameworks is comprehensive in its coverage.

Currency
  Criteria: The set of frameworks is up to date. This at least requires:
  - a regular validation of all frameworks, whether they are still up to date
  - an indication of the frameworks' expiration date or date of last update
  Assessment step: Verify that the set of frameworks is up to date. This at least requires:
  - a regular validation of all frameworks, whether they are still up to date
  - an indication of the frameworks' expiration date or date of last update
  - verification of compliance with cycle dates for frameworks

Flexibility
  Criteria: The set of frameworks is flexible. It is structured in such a way that it is easy to add or update controls as circumstances require.
  Assessment step: Verify the flexibility of the set of frameworks, i.e., that it is structured in such a way that it is easy to add or update controls as circumstances require.

Availability
  Criteria: Frameworks are available to all stakeholders. Frameworks are easy to navigate and have a logical and hierarchical structure.
  Assessment steps:
  - Verify that frameworks are available to all stakeholders.
  - Verify that frameworks are easy to navigate and have a logical and hierarchical structure.

B-2.4b Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a review of the process APO01 Manage the IT management framework.

B-2.5b Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good practice criteria and assessment steps:

Scope and validity
  Criteria: The scope is described and the validity date is indicated.
  Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
  Criteria:
  - The exception and escalation procedure is explained and commonly known.
  - The exception and escalation procedure has not become the de facto standard procedure.
  Assessment steps:
  - Verify that the exception and escalation procedure is described and commonly known.
  - Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance
  Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
  Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Alignment with internal policies
  Criteria: Cybersecurity technical standards are aligned with the organisation's standards. (APO13, DSS04, DSS05)
  Assessment steps:
  - Obtain and review the current set of applicable technical and cybersecurity-related standards.
  - Determine whether these standards include appropriate cybersecurity requirements and measures.
  - Evaluate (drill down), for critical services, applications, platforms and infrastructure elements as well as information assets, whether the technical standards are comprehensive enough to encompass cybersecurity.
  - Obtain a copy of each of the following:
    - technical guidelines and procedures at the IT service level, including services partially or fully provided by third parties
    - technical guidelines and procedures at the IT application level
    - technical guidelines and procedures at the IT platform level, including remotely controlled and administered platforms (virtual servers etc.)
    - technical guidelines and procedures at the auto... hardware level, including stand-alone servers and user PC devices etc.
    - technical guidelines and procedures for critical and exposed hardware items, notably mobile devices (smartphones or tablets)
    - technical and administrative guidelines and procedures for BYOD
    - technical and administrative guidelines and procedures for industrial control systems and IT interfaces
    - technical and administrative guidelines and procedures for ... and facilities management systems
    - incident management, disaster recovery and service continuity procedures for critical IT assets
    - guidelines and procedures concerning the identification, documentation and safeguarding of information and logs
  - Identify and document any gaps, inconsistencies and po... in the documentation.

Standards of good practice are applied to cybersecurity
  Criteria: Recognised standards of good practice in cybersecurity are applied within the enterprise.
  Assessment steps:
  - COBIT 5 and related documents: Cybersecurity is subject to the COBIT 5 framework. Detailed guidance using COBIT 5 is applied throughout the enterprise:
    - Determine if COBIT 5 has been accepted and implemented as the framework for cybersecurity.
    - Determine if COBIT 5 for Information Security and related guidance on cybersecurity are implemented.
  - ISO Standards: Relevant ISO standards are applied to cybersecurity:
    - Determine if the ISO 27000 series has been accepted as guidance for cybersecurity.
    - Determine if the ISO 22300 series has been accepted and applied as guidance for the resilience aspects of cybersecurity.

Critical infrastructure protection standards are applied to cybersecurity
  Criteria: Where organisations are deemed part of critical information infrastructures, cybersecurity arrangements are aligned with existing regulations and good practice.
  - Incident reporting (Art. 13a): Incidents are identified, documented and reported in line with applicable regulations and/or good practice recommendations. (DSS02)
  - Systems-related recommendations and guidelines: C... and systems are managed in line with good practice and regulatory recommendations for cybersecurity.
  Assessment steps:
  - Determine whether the enterprise is subject to the regulations for electronic communications operators and therefore subject to Article 13a.
  - Verify that all applicable incident reporting regulations and recommendations are being adhered to.
  - Determine whether critical systems such as industrial control systems are adequately covered by existing cybersecurity arrangements.
  - Verify that mobile devices are adequately covered by existing cybersecurity arrangements.
Principles, policies and frameworks: SANS 20 Critical Controls

B-2.1c Understand the Principles, Policies and Frameworks context. Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.

B-2.2c Understand the stakeholders of the Principles, Policies and Frameworks: SANS 20 Critical Controls. Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to ensure compliance with the policies.

B-2.3c Understand the goals for the Principles, Policies and Frameworks, and the related metrics, and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: SANS 20 Critical Controls should be used to ensure that critical controls are included in the cybersecurity programme. Perform the assurance steps using the criteria described below.

Goal criteria and assessment steps:

Comprehensiveness
  Criteria: Documentation about SANS 20 Critical Controls is comprehensive in its coverage.
  Assessment step: Verify that documentation about SANS 20 Critical Controls is comprehensive in its coverage.

Currency
  Criteria: Documentation about SANS 20 Critical Controls is up to date. This at least requires:
  - a regular validation of all documents, whether they are still up to date
  - an indication of the documents' expiration date or date of last update
  Assessment step: Verify that documentation about SANS 20 Critical Controls is up to date. This at least requires:
  - a regular validation of all documentation, whether it is still up to date
  - an indication of the documentation's expiration date or date of last update
  - verification of compliance with cycle dates

Flexibility
  Criteria: Documentation about SANS 20 Critical Controls is flexible. It is structured in such a way that it is easy to add or update controls as circumstances require.
  Assessment step: Verify the flexibility of the documentation about SANS 20 Critical Controls, i.e., that it is structured in such a way that it is easy to add or update controls as circumstances require.

Availability
  Criteria: Documentation about SANS 20 Critical Controls is available to all stakeholders. Documentation about SANS 20 Critical Controls is easy to navigate and has a logical and hierarchical structure.
  Assessment steps:
  - Verify that documents are available to all stakeholders.
  - Verify that documents are easy to navigate and have a logical and hierarchical structure.

B-2.4c Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a review of the process APO01 Manage the IT management framework.

B-2.5c Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good practice criteria and assessment steps:

Scope and validity
  Criteria: The scope is described and the validity date is indicated.
  Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
  Criteria:
  - The exception and escalation procedure is explained and commonly known.
  - The exception and escalation procedure has not become the de facto standard procedure.
  Assessment steps:
  - Verify that the exception and escalation procedure is described and commonly known.
  - Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance
  Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
  Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.

Completeness
  Criteria: Critical control sets have been incorporated into cybersecurity arrangements.
  Assessment steps:
  - The SANS 20 critical controls have been incorporated and ... the enterprise's cybersecurity arrangements.
  - Determine if the enterprise has formally accepted and adopted the SANS 20 critical controls as guidance for cybersecurity.
Principles, policies and frameworks: ISM Policy

B-2.1d Understand the Principles, Policies and Frameworks context. Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.

B-2.2d Understand the stakeholders of the Principles, Policies and Frameworks: ISM Policy. Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to ensure compliance with the policies.

B-2.3d Understand the goals for the Principles, Policies and Frameworks, and the related metrics, and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: ISM Policy: The cybersecurity policies have been defined by management, documented, approved at an appropriate senior level, disseminated to all relevant employees and third parties, and deployed across the organisation. Perform the assurance steps using the criteria described below.

Goal criteria and assessment steps:

Comprehensiveness
  Criteria: The set of frameworks is comprehensive in its coverage.
  Assessment step: Verify that the set of frameworks is comprehensive in its coverage.

Currency
  Criteria: The set of frameworks is up to date. This at least requires:
  - a regular validation of all frameworks, whether they are still up to date
  - an indication of the frameworks' expiration date or date of last update
  Assessment step: Verify that the set of frameworks is up to date. This at least requires:
  - a regular validation of all frameworks, whether they are still up to date
  - an indication of the frameworks' expiration date or date of last update
  - verification of compliance with cycle dates for frameworks

Flexibility
  Criteria: The set of frameworks is flexible. It is structured in such a way that it is easy to add or update controls as circumstances require.
  Assessment step: Verify the flexibility of the set of frameworks, i.e., that it is structured in such a way that it is easy to add or update controls as circumstances require.

Availability
  Criteria: Frameworks are available to all stakeholders. Frameworks are easy to navigate and have a logical and hierarchical structure.
  Assessment steps:
  - Verify that frameworks are available to all stakeholders.
  - Verify that frameworks are easy to navigate and have a logical and hierarchical structure.

B-2.4d Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a review of the process APO01 Manage the IT management framework.

B-2.5d Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good practice criteria and assessment steps:

Scope and validity
  Criteria: The scope is described and the validity date is indicated.
  Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
  Criteria:
  - The exception and escalation procedure is explained and commonly known.
  - The exception and escalation procedure has not become the de facto standard procedure.
  Assessment steps:
  - Verify that the exception and escalation procedure is described and commonly known.
  - Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance
  Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
  Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.
Principles, policies and frameworks: Information architecture model

B-2.1e Understand the Principles, Policies and Frameworks context. Obtain an understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.

B-2.2e Understand the stakeholders of the Principles, Policies and Frameworks: Information architecture model. Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to ensure compliance with the policies.

B-2.3e Understand the goals for the Principles, Policies and Frameworks, and the related metrics, and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.
Goal: Information architecture model. Perform the assurance steps using the criteria described below.

Goal criteria and assessment steps:

Comprehensiveness
  Criteria: The architecture model is comprehensive in its coverage.
  Assessment step: Verify that documentation is comprehensive in its coverage.

Currency
  Criteria: The architecture model is up to date. This at least requires:
  - a regular validation of the architecture model, whether it is still up to date
  - an indication of the architecture model's expiration date or date of last update
  Assessment step: Verify that documentation is up to date. This at least requires:
  - a regular validation of the document, whether it is still up to date
  - an indication of the document's expiration date or date of last update
  - verification of compliance with cycle dates

Flexibility
  Criteria: The architecture model is flexible. It is structured in such a way that it is easy to update as circumstances require.
  Assessment step: Verify the flexibility of the documentation, i.e., that it is structured in such a way that it is easy to update as circumstances require.

Availability
  Criteria: The architecture model is available to all stakeholders. The architecture model is easy to navigate and has a logical and hierarchical structure.
  Assessment steps:
  - Verify that documentation is available to all stakeholders.
  - Verify that documentation is easy to navigate and has a logical and hierarchical structure.

B-2.4e Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a review of the process APO01 Manage the IT management framework.

B-2.5e Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good practice criteria and assessment steps:

Scope and validity
  Criteria: The scope is described and the validity date is indicated.
  Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
  Criteria:
  - The exception and escalation procedure is explained and commonly known.
  - The exception and escalation procedure has not become the de facto standard procedure.
  Assessment steps:
  - Verify that the exception and escalation procedure is described and commonly known.
  - Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance
  Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
  Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.
Princip(es4 po(icies and frame.or's: 9ega( and regu(atory comp(iance reuirements
-2.1f 5nderstand the Princip(es4 Po(icies and rame.or's conte0t.Obtain and understanding of the o#erall system of internal control and the associated Principles Policies and ,rame"or)s
-2.2f 5nderstand the sta#eholders of the Princip(es4 Po(icies and rame.or's: 9ega( and regu(atory comp(iance reuirements-nderstand the sta)eholders in the policies! The sta)eholders for the policies include those setting the policies and those "ho neecompliance "ith the policies!
© ISACA 2014 All rights reserved 25
8/10/2019 European Cybersecurity Audit Assurance Program Res Eng 0914
http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914 26/105
European Cybersecurity
Audit/Assurance Program
IT Audit and Assurance Program for European Cybersecurity
Phase B—-nderstand Enab(ers4 etting uitab(e Assessment Criteria and PerformPrincip(es4 Po(icies and rame.or's
"ef . Assurance teps and $uidance
B-2.3f  Understand the goals for the Principles, Policies and Frameworks and the related metrics, and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.

Goal: Legal and regulatory compliance requirements. Perform the assurance steps using the criteria described below.

Goal / Criteria / Assessment Step

Comprehensiveness
Criteria: The legal and regulatory compliance requirements documentation is comprehensive in its coverage.
Assessment step: Verify that documentation is comprehensive in its coverage.

Currency
Criteria: The legal and regulatory compliance requirements documentation is up to date. This at least requires:
- A regular validation of the documentation, whether it is still up to date
- An indication of the documentation expiration date or date of last update
Assessment step: Verify that documentation is up to date. This at least requires:
- A regular validation of the document, whether it is still up to date
- An indication of the document's expiration date or date of last update
- Verification of compliance with cycle dates

Flexibility
Criteria: The legal and regulatory compliance requirements documentation is flexible. It is structured in such a way that it is easy to update as circumstances require.
Assessment step: Verify the flexibility of the documentation, i.e., that it is structured in such a way that it is easy to update as circumstances require.

Availability
Criteria: The legal and regulatory compliance requirements documentation is available to all stakeholders. The legal and regulatory compliance requirements documentation is easy to navigate and has a logical and hierarchical structure.
Assessment step: Verify that documentation is available to all stakeholders. Verify that documentation is easy to navigate and has a logical and hierarchical structure.
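The Currency criteria above (a regular validation, a recorded expiration or last-update date, and compliance with cycle dates) can be checked mechanically over a document register. The following is an added example, not part of the ISACA program; the register layout, the field names and the sample records are constructed assumptions.

```python
"""Documentation currency check for a register of legal and regulatory
compliance requirement documents (assessment step B-2.3f, 'Currency').

Added example, not part of the ISACA program text. The register layout
and the sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class DocRecord:
    doc_id: str
    last_update: Optional[date]       # date of last update, if recorded
    expires: Optional[date]           # expiration date, if recorded
    review_cycle_days: Optional[int]  # agreed validation cycle, if defined


@dataclass
class Finding:
    doc_id: str
    criterion: str   # which currency criterion is not met
    detail: str


def check_currency(records: List[DocRecord], as_of: date) -> List[Finding]:
    """Return one Finding per currency criterion a document fails."""
    findings: List[Finding] = []
    for rec in records:
        # Criterion: an indication of the expiration date or date of last update
        if rec.last_update is None and rec.expires is None:
            findings.append(Finding(rec.doc_id, "date indication",
                                    "neither a last-update nor an expiration date is recorded"))
            # Without any date the cycle cannot be checked, so stop here.
            continue
        # Criterion: a regular validation of whether the document is still up to date
        if rec.review_cycle_days is None:
            findings.append(Finding(rec.doc_id, "regular validation",
                                    "no review cycle is defined"))
        elif rec.last_update is not None:
            # Criterion: compliance with cycle dates
            due = rec.last_update + timedelta(days=rec.review_cycle_days)
            if due < as_of:
                findings.append(Finding(rec.doc_id, "cycle compliance",
                                        f"review was due {due.isoformat()}, "
                                        f"{(as_of - due).days} days overdue"))
        # An expiration date in the past means the document is no longer current
        if rec.expires is not None and rec.expires < as_of:
            findings.append(Finding(rec.doc_id, "expired",
                                    f"document expired on {rec.expires.isoformat()}"))
    return findings


def failing_documents(records: List[DocRecord], as_of: date) -> List[str]:
    """Document ids that fail at least one currency criterion, in register order."""
    seen: List[str] = []
    for finding in check_currency(records, as_of):
        if finding.doc_id not in seen:
            seen.append(finding.doc_id)
    return seen


# Constructed sample register (not real documents), assessed as of AS_OF.
AS_OF = date(2019, 8, 10)
SAMPLE_REGISTER = [
    DocRecord("LR-001", date(2019, 3, 1), None, 365),                # current
    DocRecord("LR-002", date(2018, 1, 15), None, 365),               # review overdue
    DocRecord("LR-003", None, None, 180),                            # no date recorded
    DocRecord("LR-004", date(2019, 6, 1), None, None),               # no review cycle
    DocRecord("LR-005", date(2019, 1, 10), date(2019, 7, 31), 365),  # expired
]

if __name__ == "__main__":
    for f in check_currency(SAMPLE_REGISTER, AS_OF):
        print(f"{f.doc_id}: {f.criterion}: {f.detail}")
```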
B-2.4f  Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed. The life cycle of the IT-related policies is managed by the process APO01. The review of this life cycle is therefore equivalent to a review of process APO01 (Manage the IT management framework).

B-2.5f  Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, by using appropriate auditing techniques, assess the following aspects:

Good Practice / Criteria / Assessment Step

Scope and validity
Criteria: The scope is described and the validity date is indicated.
Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become the de facto standard procedure.
Assessment step: Verify that the exception and escalation procedure is described and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become the de facto standard procedure.

Compliance
Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.
© ISACA 2014 All rights reserved 26
Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform: Processes
Ref.  Assurance Steps and Guidance  Issue Cross-reference
B-3  Obtain understanding of the Processes in scope and set suitable assessment criteria: for each process in scope (as determined in step A-3.2), additional information is collected and assessment criteria are defined. Assess the Processes.

EDM03 Ensure risk optimisation

B-3.1a  Understand the Process context: Risk optimisation refers to governance in the widest sense and should address the intrinsic risk within cybersecurity and set policies and steps accordingly.

B-3.2a  Understand the Process purpose: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.

B-3.3a  Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process (COBIT 5: Enabling Processes). Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step the translation is made between the theoretical RACI chart entry and the real enterprise.
The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following function(s), which therefore will need to be involved during the assurance engagement:
EDM03 Ensure risk optimization stakeholders:
B-3.4a  Understand the Process goals and related metrics, define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process.
The Process EDM03 Ensure risk optimization has 3 defined process goals.
The following activities can be performed to assess whether the goals are achieved:

Process Goal / Related Metrics / Criteria (Expected Value) / Assessment Step

Process goal: Risk thresholds are defined and communicated and key IT-related risk is known.
Related metrics:
- Level of alignment between IT risk and enterprise risk
- Number of potential IT risk identified and managed
- Refreshment rate of risk factor evaluation
- Number of potential cybersecurity risk factors identified and managed
Criteria (expected value): Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

Process goal: The enterprise is managing critical IT-related enterprise risk effectively and efficiently.
Related metrics:
- Percent of enterprise projects that consider IT risk
- Percent of IT risk action plans executed on time
- Percent of critical risk that has been effectively mitigated
- Percent of critical risk that has been mitigated effectively
Criteria (expected value): Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

Process goal: IT-related enterprise risk does not exceed risk appetite and the impact of IT risk to enterprise value is identified and managed.
Related metrics:
- Level of unexpected enterprise impact
- Percent of IT risk that exceeds enterprise risk tolerance
- Percent of cybersecurity risk that exceeds enterprise risk tolerance
Criteria (expected value): Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

Footnote: For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.
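Step B-3.4a asks the assurance professional to agree expected values for the related metrics and then check whether the measured values meet them. The following is an added example, not part of the ISACA program: it computes three of the EDM03 metrics listed above (percent of IT risk exceeding tolerance, percent of action plans executed on time, percent of critical risk effectively mitigated) from a constructed risk register and compares each with an agreed expected value. The register fields, the scoring scale and the expected values are assumptions.

```python
"""Process-goal metric assessment for EDM03 (assurance step B-3.4a).

Added example, not part of the ISACA program text. The register fields,
the 1-25 residual score scale and the expected values are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class RiskEntry:
    risk_id: str
    residual_score: int            # assumed 1-25 likelihood x impact rating
    tolerance: int                 # enterprise tolerance threshold for this risk
    critical: bool
    mitigated_effectively: bool
    plan_due: Optional[date]       # action plan due date, None when no plan exists
    plan_done: Optional[date]      # completion date, None when still open


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def pct_risk_exceeding_tolerance(register: List[RiskEntry]) -> float:
    """Metric: percent of IT risk that exceeds enterprise risk tolerance."""
    return pct(sum(1 for r in register if r.residual_score > r.tolerance), len(register))


def pct_action_plans_on_time(register: List[RiskEntry], as_of: date) -> float:
    """Metric: percent of IT risk action plans executed on time.

    Only plans that were due by the assessment date count; a plan is on
    time when it was completed on or before its due date.
    """
    due_plans = [r for r in register if r.plan_due is not None and r.plan_due <= as_of]
    on_time = sum(1 for r in due_plans
                  if r.plan_done is not None and r.plan_done <= r.plan_due)
    return pct(on_time, len(due_plans))


def pct_critical_risk_mitigated(register: List[RiskEntry]) -> float:
    """Metric: percent of critical risk that has been effectively mitigated."""
    critical = [r for r in register if r.critical]
    return pct(sum(1 for r in critical if r.mitigated_effectively), len(critical))


# Criteria: expected values agreed with management before the assessment (assumed).
# Each entry is (comparison, target percentage).
EXPECTED_VALUES: Dict[str, Tuple[str, float]] = {
    "pct_risk_exceeding_tolerance": ("<=", 10.0),
    "pct_action_plans_on_time": (">=", 90.0),
    "pct_critical_risk_mitigated": (">=", 95.0),
}


def assess_goal_metrics(register: List[RiskEntry], as_of: date,
                        expected: Dict[str, Tuple[str, float]] = EXPECTED_VALUES
                        ) -> Dict[str, Tuple[float, bool]]:
    """Review each metric and record whether its agreed criterion is achieved."""
    actual = {
        "pct_risk_exceeding_tolerance": pct_risk_exceeding_tolerance(register),
        "pct_action_plans_on_time": pct_action_plans_on_time(register, as_of),
        "pct_critical_risk_mitigated": pct_critical_risk_mitigated(register),
    }
    result: Dict[str, Tuple[float, bool]] = {}
    for name, (comparison, target) in expected.items():
        value = actual[name]
        achieved = value <= target if comparison == "<=" else value >= target
        result[name] = (value, achieved)
    return result


AS_OF = date(2019, 8, 10)
# Constructed sample register (not real risk data).
SAMPLE_REGISTER = [
    RiskEntry("R-1", 20, 15, False, False, date(2019, 6, 30), date(2019, 7, 15)),  # plan late
    RiskEntry("R-2", 8, 12, False, True, date(2019, 5, 31), date(2019, 5, 20)),    # on time
    RiskEntry("R-3", 16, 16, True, True, date(2019, 9, 30), None),                 # not yet due
    RiskEntry("R-4", 6, 10, True, True, None, None),                               # no plan
    RiskEntry("R-5", 25, 15, False, False, date(2019, 7, 31), date(2019, 7, 30)),  # on time
]

if __name__ == "__main__":
    for name, (value, ok) in assess_goal_metrics(SAMPLE_REGISTER, AS_OF).items():
        print(f"{name}: {value}% -> {'achieved' if ok else 'not achieved'}")
```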
B-3.5a  Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)
Agree on the process practices that should be in place (process design).
Assess the process design, i.e., assess to what extent:
- Expected process practices are applied.
- Accountability and responsibility are assigned and assumed.
COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:
- A sound process design
- The reference against which the process will be assessed in phase B, with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.
Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference Process: EDM03 Ensure risk optimisation
Criteria: Governance practices to optimise risk are established.

Reference Process Practices / Good Practice / Assessment Step

EDM03.01 Evaluate risk management.
Good practice: Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise's risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.
Assessment step: Assess by applying appropriate audit techniques (interview, […] testing) whether the management practices are effectively […] through the following (typical control) activities:
1. Determine the level of IT-related risk that the enterprise […] meet its objectives (risk appetite).
2. Evaluate and approve proposed IT risk tolerance thresholds […] enterprise's acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy […] strategy.
4. Proactively evaluate IT risk factors in advance of pending […] enterprise decisions and ensure that risk-aware enterprise […] made.
5. Determine that IT use is subject to appropriate risk assessment […] evaluation, as described in relevant international and national […].
6. Evaluate risk management activities to ensure alignment […] enterprise's capacity for IT-related loss and leadership's tolerance […].
EDM03.02 Direct risk management.
Good practice: Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.
Assessment step: Assess by applying appropriate audit techniques (interview, […] testing) whether the management practices are effectively […] through the following (typical control) activities:
1. Promote an IT risk-aware culture and empower the enterprise […] identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations […] enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering […] the enterprise) as well as risk action plans.
4. Direct implementation of the appropriate mechanisms to […] changing risk and report immediately to appropriate levels of […] supported by agreed-on principles of escalation (what to report, […] and how).
5. Direct that risk, opportunities, issues and concerns may be […] reported by anyone at any time. Risk should be managed in […] published policies and procedures and escalated to the relevant […] makers.
6. Identify key goals and metrics of risk governance and management […] processes to be monitored, and approve the approaches, methods, […] techniques and processes for capturing and reporting the measurement […] information.

EDM03.03 Monitor risk management.
Good practice: Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.
Assessment step: Assess by applying appropriate audit techniques (interview, […] testing) whether the management practices are effectively […] through the following (typical control) activities:
1. Monitor the extent to which the risk profile is managed within […] appetite thresholds.
2. Monitor key goals and metrics of risk governance and management […] processes against targets, analyse the cause of any deviations […] remedial actions to address the underlying causes.
3. Enable key stakeholders' review of the enterprise's progress […] identified goals.
4. Report any risk management issues to the board or executive […].

B-3.6a  Agree on the process work products (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.
Process EDM03 Ensure risk optimization inputs and outputs. The most relevant (and not assessed as Information items in scope in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.
Criteria: All listed work products should demonstrably exist and be used.
Footnote: For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.

Process / Practice / Work Products / Assessment
[Process or Practice Name]: List work products not included in the information items section. Apply appropriate techniques to assess the existence and usage of each work product.

B-3.7a  Agree on the process capability level to be achieved by the process.
This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes for which no reference practices, work products or outcomes are approved cannot use this assessment method; therefore the concept of capability level does not apply.

APO12 Manage risk

B-3.1b  Understand the Process context: Management in IT should adequately address risk issues related to cybersecurity.

B-3.2b  Understand the Process purpose: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.

B-3.3b  Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process in COBIT 5: Enabling Processes. Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step the translation is made between the theoretical RACI chart entry and the real enterprise.
The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following function(s), which therefore will need to be involved during the assurance engagement:
APO12 Manage risk stakeholders:
B-3.4b  Understand the Process goals and related metrics, define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process.
The Process APO12 Manage risk has 4 defined process goals.
The following activities can be performed to assess whether the goals are achieved:

Process Goal / Related Metrics / Criteria (Expected Value) / Assessment Step

Process goal: IT-related risk is identified, analysed, managed and reported.
Related metrics:
- Degree of visibility and recognition in the current environment
- Number of loss events with key characteristics captured in repositories
- Percent of audits, events and trends captured in repositories
Criteria (expected value): Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

Process goal: A current and complete risk profile exists.
Related metrics:
- Percent of key business processes included in the risk profile
- Completeness of attributes and values in the risk profile
Criteria (expected value): Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

Process goal: All significant risk management actions are managed and under control.
Related metrics:
- Percent of risk management proposals rejected due to lack of consideration of other related risk
- Number of significant incidents not identified and included in the risk management portfolio
Criteria (expected value): Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

Process goal: Risk management actions are implemented effectively.
Related metrics:
- Percent of IT risk action plans executed as designed
- Number […]
Criteria (expected value): Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics will be reviewed and an assessment made whether the defined criteria are achieved.

Footnote: For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.
B-3.5b (cont.)
Assess the process design, i.e., assess to what extent:
- Expected process practices are applied.
- Accountability and responsibility are assigned and assumed.
COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:
- A sound process design
- The reference against which the process will be assessed in phase B, with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.
Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference Process: APO12 Manage risk
Criteria: Control activities to manage risk are properly implemented.

Reference Process Practices / Good Practice / Assessment Step

Data Classification
Good practice: Cybersecurity parameters and criteria have been included in the general data classification. Business […]
Assessment step: Inspect and review the general data classification method and scheme […] enterprise. Review the cybersecurity-related classification parameters used in the […] classification.
[…] Lessons learned have been documented and are applied to critical information assets.

Attack and Incident Analysis
Good practice: Attacks and incidents are analysed in a formal and comprehensive manner.
Assessment step: Examine the methods of analysis applied to the attack and incident […]. Obtain and review samples of attack and incident analysis.

Key Learnings
Good practice: Lessons learned and potential improvements are identified and adequately documented.
Assessment step: Based on the samples for documentation and analysis, review the methods […] identifying lessons learnt and potential improvements to cybersecurity […]. Determine whether potential improvements are formulated in a reasonable, comprehensive and understandable manner.

Improvements in Information Asset Protection
Good practice: Key learnings and improvements are implemented in a continuous and consistent manner.
Assessment step: Based on the samples for documentation and analysis, determine whether […] improvements have been implemented. Determine whether improvements are implemented continuously and […] throughout the enterprise.

APO12.01 Collect data
Good practice: Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
Assessment step: Cybersecurity is subject to routine risk assessment processes. Management performed a risk assessment prior to implementing cybersecurity […] arrangements.
Determine whether a risk assessment of cyberthreats, vulnerabilities […] related risk (TVA) was performed before acceptance of the program […].
Obtain and review risk assessment documentation, if available, to determine whether the control level is adequate to support the cybersecurity program.
Obtain board minutes or other documentation to support the approval […] assessment and any formal risk acceptances.
Obtain and review the relevant risk assessment documentation to determine whether the risk assessment scope is: a) adequate to support the changes […] cybersecurity program, and b) sufficient to protect the organisation in line with business risk appetite.

APO12.02 Analyse risk
Good practice: Develop useful information to support risk decisions that take into account the business relevance of risk factors.

APO12.03 Maintain a risk profile
Good practice: Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities.
Assessment step: A risk assessment is performed and approved by management to […] improvements to the cybersecurity program or to reaffirm the previous assessment.
Determine whether any subsequent risk assessment has been performed […] planned cycle (annually/biannually) on a regularly scheduled frequency.
APO12.04 Articulate risk
Good practice: Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.
Assessment step: Assess by applying appropriate audit techniques (interview, observation […]) whether the management practice is effectively implemented.
1. Report the results of risk analysis to all affected stakeholders in terms […] useful to support enterprise decisions. Wherever possible, include probabilities […] ranges of loss or gain along with confidence levels that enable management […] risk-return.
2. Provide decision makers with an understanding of worst-case and […] scenarios, due diligence exposures, and significant reputation, legal or […] considerations.
3. Report the current risk profile to all stakeholders, including effectiveness […] management process, control effectiveness, gaps, inconsistencies, redundancies, […] remediation status, and their impacts on the risk profile.
4. Review the results of objective third-party assessments, internal audit […] assurance reviews, and map them to the risk profile. Review identified […] exposures to determine the need for additional risk analysis.
5. On a periodic basis, for areas with relative risk and risk capacity […] related opportunities that would allow the acceptance of greater risk and […] and return.

APO12.05 Define a risk management action portfolio
Good practice: Manage opportunities to reduce risk to an acceptable level as a portfolio.
Assessment step: Assess by applying appropriate audit techniques (interview, observation […]) whether the management practice is effectively implemented.
8/10/2019 European Cybersecurity Audit Assurance Program Res Eng 0914
http://slidepdf.com/reader/full/european-cybersecurity-audit-assurance-program-res-eng-0914 51/105
European Cybersecurity
Audit/Assurance Program
IT Audit and Assurance Program for European Cybersecurity
Phase B—-nderstand Enab(ers4 etting uitab(e Assessment Criteria and Perform Processes
APO12.06 Respond to risk
Good practice: Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.
Assessment step: Risk assessments are conducted after incidents. Determine whether any subsequent risk assessment has been performed […] of actual cyberattacks or breaches, including near misses.

B-3.6b  Agree on the process work products (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.
APO12 Manage risk inputs and outputs. The most relevant (and not assessed as Information items in scope in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.
Criteria: All listed work products should demonstrably exist and be used.
Footnote: For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.

Process / Practice / Work Products / Assessment
[Process or Practice Name]: List work products not included in the information items section. Apply appropriate techniques to assess the existence and usage of each work product.

B-3.7b  Agree on the process capability level to be achieved by the process.
This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes for which no reference practices, work products or outcomes are approved cannot use this assessment method; therefore the concept of capability level does not apply.
APO13 Manage security

B-3.1c  Understand the Process context: The information security management system (ISMS) should incorporate adequate provisions for cybersecurity.

B-3.2c  Understand the Process purpose: Keep the impact and occurrence of information security incidents within the enterprise's risk appetite levels.

B-3.3c  Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process in COBIT 5: Enabling Processes. Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step the translation is made between the theoretical RACI chart entry and the real enterprise.
The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following function(s), which therefore will need to be involved during the assurance engagement:
APO13 Manage security stakeholders:

B-3.4c  Understand the Process goals and related metrics, define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process.
The Process APO13 Manage security has 3 defined process goals.
The following activities can be performed to assess whether the goals are achieved:

Process Goal / Related Metrics / Criteria (Expected Value) / Assessment Step

Footnote: For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.
-:.4cCont.
6etrics
A system is in "lace that considers andeffectively addresses enter"rise informationsecurity re,uirements.
(
(
Agree on the e+pected #alues for theProcess goal metrics i!e! the #aluesagainst "hich the assessment "ill ta)e
place!
In this step the related metrics fore#ie"ed and an assessment "ilthe defined criteria are achie#ed
A security "lan has %een esta%lished+acce"ted and communicated throughout theenter"rise.
?e
(
(
Agree on the e+pected #alues for theProcess goal metrics i!e! the #aluesagainst "hich the assessment "ill ta)e
place!
In this step the related metrics fore#ie"ed and an assessment "ilthe defined criteria are achie#ed
Information security solutions areim"lemented and o"erated consistentlythroughout the enter"rise.
(
(
(
Agree on the e+pected #alues for theProcess goal metrics i!e! the #aluesagainst "hich the assessment "ill ta)e
place!
In this step the related metrics fore#ie"ed and an assessment "ilthe defined criteria are achie#ed
B3.5c Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)
Agree on the process practices that should be in place (process design).
Assess the process design, i.e., assess to what extent:
- Expected process practices are applied.
- Accountability and responsibility are assigned and assumed.
COBIT 5 processes are described in COBIT 5: Enabling Processes. Each process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:
- A sound process design
- The reference against which the process will be assessed in phase B with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.
Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference process: APO13 Manage Security
Criteria: Control activities to manage security are properly implemented.

Reference Process Practices | Good Practice | Assessment Step

Target Accessibility
  Good practice: Critical targets are properly protected.
  Assessment step: For all critical information assets, review the identity and access management arrangements. Determine whether access privileges for potential targets are aligned with … needs and asset criticality.

Target Value
  Good practice: The (business) value (or other value) attributed to information assets is known and measured.
  Assessment step: Obtain and review the inventory of business-critical information assets. Determine whether the enterprise has identified potential target information … may be exposed to cybercrime and cyberwarfare.

Target Attractiveness
  Good practice: The enterprise has implemented mechanisms for recognising, measuring and controlling target attractiveness.
  Assessment step: Assess by applying appropriate audit techniques (interview, observation, …) whether the management practice is effectively implemented.
APO13.01 Establish and maintain an information security management system (ISMS)
  Good practice: Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.
  Assessment step: Cybersecurity is subject to a comprehensive cycle of Plan-Do-Check-Act … Determine whether cybersecurity processes are integrated with the … process. Establish the presence of PDCA in all cybersecurity processes.
APO13.02 Define and manage an information security risk treatment plan
  Good practice: Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation.
  Assessment step: Cybersecurity Risk Treatment Plan: All cybersecurity risk is subject to … treatment. Obtain and review the enterprise's plans for cybersecurity risk treatment. Determine whether all cybersecurity risk scenarios have been included in the … treatment plan. Determine whether cybersecurity risk treatment options are adequate … overall organisational (business) risk appetite.
APO13.03 Monitor and review the ISMS
  Good practice: Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyse data about the ISMS, and improve the effectiveness of the ISMS. Correct non-conformities to prevent recurrence. Promote a culture of security and continual improvement.
  Assessment step: Compare the RACI chart as included in the reference process in COBIT 5 … actual accountability and responsibility for this practice and assess … Cybersecurity Monitoring Process: All cybersecurity-related events … appropriate manner. Determine whether the enterprise operates an adequate and comprehensive monitoring process for cybersecurity-related events and incidents. Obtain and review samples of operational monitoring.
B3.6c Agree on the process work products [7] (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.
Process APO13 Manage Security inputs and outputs. The most relevant and not assessed as Information items (in scope in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.
Criteria: All listed work products should demonstrably exist and be used.
Process Practice | Work Products | Assessment Step
[Process or Practice Name] | List work products not included in the information items section. | Apply appropriate audit techniques to determine the existence and usage of each work product.

B3.7c Agree on the process capability level to be achieved by the process.
This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes for which no reference practices, work products or outcomes are approved cannot use this assessment method; therefore the concept capability level does not apply.
DSS02 Manage Incidents and Service Requests

B3.1d Understand the process context:
Incidents in cybersecurity should be identified and managed.

B3.2d Understand the process purpose:
Achieve increased productivity and minimise disruptions through quick resolution of user queries and incidents.
[7] For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.

B3.3d Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process in COBIT 5: Enabling Processes, page 87. Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step the translation is made between the theoretical RACI chart entry and the real enterprise.
The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following (functions), which therefore will need to be involved during the assurance engagement:
DSS02 Manage Incidents and Service Requests stakeholders:
B3.4d Understand the process goals and related metrics [8] and define expected process values (criteria), and assess whether the process goals are achieved, i.e., assess the effectiveness of the process.
The process DSS02 Manage Incidents and Service Requests has 3 defined process goals.
The following activities can be performed to assess whether the goals are achieved:
Process Goal | Related Metrics | Criteria/Expected Value | Assessment Step

Process goal: IT-related services are available for use.
Related metrics: N…; M…
Criteria/expected value: Agree on the expected values for the process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics for the goal are reviewed and an assessment is made whether the defined criteria are achieved.

Process goal: Incidents are resolved according to agreed-on service levels.
Related metrics: Pe…
Criteria/expected value: Agree on the expected values for the process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics for the goal are reviewed and an assessment is made whether the defined criteria are achieved.

Process goal: Service requests are dealt with according to agreed-on service levels and to the satisfaction of users.
Related metrics: Le…; M…
Criteria/expected value: Agree on the expected values for the process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics for the goal are reviewed and an assessment is made whether the defined criteria are achieved.

[8] For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.
B3.5d Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)
Agree on the process practices that should be in place (process design).
Assess the process design, i.e., assess to what extent:
- Expected process practices are applied.
- Accountability and responsibility are assigned and assumed.
COBIT 5 processes are described in COBIT 5: Enabling Processes. Each process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:
- A sound process design
- The reference against which the process will be assessed in phase B with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.
Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference process: DSS02 Manage Incidents and Service Requests
Criteria: Control activities to manage incidents and service requests are implemented.

Reference Process Practices | Good Practice | Assessment Step
DSS02.01 Define incident and service request classification schemes
  Good practice: Define incident and service request classification schemes and models.
  Assessment step: Incident Classification and Escalation: Cybersecurity incidents are … classified and appropriately escalated in line with the classification. Obtain and review procedures and samples of incidents, and ascertain … incidents are classified in a formal and consistent manner. Review the escalation path and stages for incidents, based on the … classification.
DSS02.02 Record, classify and prioritise requests and incidents
  Good practice: Identify, record and classify service requests and incidents, and assign a priority according to business criticality and service agreements.
  Assessment step: Incident Classification and Escalation: Cybersecurity incidents are … classified and appropriately escalated in line with the classification. Review the escalation path and stages for incidents, based on the … classification.
DSS02.03 Verify, approve and fulfil service requests
  Good practice: Select the appropriate request procedures and verify that the service requests fulfil defined request criteria. Obtain approval, if required, and fulfil the requests.
  Assessment step: Verify entitlement for service requests using, where possible, a predefined … flow and standard changes. Obtain financial and functional approval or sign-off, if required, or pr… for agreed-on standard changes. Fulfil the requests by performing the selected request procedure, using, where possible, self-help automated menus and predefined request models for … requested items.
DSS02.04 Investigate, diagnose and allocate incidents
  Good practice: Identify and record incident symptoms, determine possible causes, and allocate for resolution.
  Assessment step: Cybersecurity incidents are investigated and diagnosed in line with … Determine whether any and all incidents are duly investigated, based … classification and severity of each incident. Obtain and review the method and samples of incident diagnostics … (investigative work). Determine whether incident diagnostics are performed at an adequate … technical depth and understanding. Where third-party services are used in incident investigation and diagnosis … determine whether the enterprise has adequate control over these p…

DSS02.05 Resolve and recover from incidents
  Good practice: Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.
  Assessment step: Assess by applying appropriate audit techniques (interview, observation, …) whether the management practice is effectively implemented:
  1. Select and apply the most appropriate incident resolutions (temporary … and/or permanent solution).
  2. Record whether workarounds were used for incident resolution.
  3. Perform recovery actions, if required.
  4. Document incident resolution and assess if the resolution can be used … knowledge source.
DSS02.06 Close service requests and incidents
  Good practice: Verify satisfactory incident resolution and/or request fulfilment, and close.
  Assessment step: Assess by applying appropriate audit techniques (interview, observation, …) whether the management practice is effectively implemented:
  1. Verify with the affected users (if agreed on) that the service request has been satisfactorily fulfilled or the incident has been satisfactorily resolved.
  2. Close service requests and incidents.
DSS02.07 Track status and produce reports
  Good practice: Regularly track, analyse and report incident and request fulfilment trends to provide information for continual improvement.
  Assessment step: Assess by applying appropriate audit techniques (interview, observation, …) whether the management practice is effectively implemented:
  1. Monitor and track incident escalations and resolutions and request ha… to progress towards resolution or completion.
  2. Identify information stakeholders and their needs for data or reports. … frequency and medium.
  3. Analyse incidents and service requests by category and type to estab… identify patterns of recurring issues, SLA breaches or inefficiencies. Use … input to continual improvement planning.
  4. Produce and distribute timely reports or provide controlled access to …
B3.6d Agree on the process work products [9] (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.
Process DSS02 Manage Incidents and Service Requests inputs and outputs. The most relevant and not assessed as Information items (in scope in section A-3.5) of these work products are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.
Criteria: All listed work products should demonstrably exist and be used.
Process Practice | Work Products | Assessment Step
[Process or Practice Name] | List work products not included in the information items section. | Apply appropriate audit techniques to determine the existence and usage of each work product.
B3.7d Agree on the process capability level to be achieved by the process.
This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes for which no reference practices, work products or outcomes are approved cannot use this assessment method; therefore the concept capability level does not apply.

[9] For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.
DSS04 Manage Continuity

B3.1e Understand the process context:
Organisational functions and IT should be resilient with regard to cybersecurity.

B3.2e Understand the process purpose:
Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption.

B3.3e Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process in COBIT 5: Enabling Processes, page 79. Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step the translation is made between the theoretical RACI chart entry and the real enterprise.
The stakeholders of the process are already defined in the RACI chart as a result of step A-3.3. In addition to those stakeholders, this process relies also on the following (functions), which therefore will need to be involved during the assurance engagement:
DSS04 Manage Continuity stakeholders:
B3.4e Understand the process goals and related metrics [10] and define expected process values (criteria), and assess whether the process goals are achieved, i.e., assess the effectiveness of the process.
The process DSS04 Manage Continuity has 5 defined process goals.
The following activities can be performed to assess whether the goals are achieved:
Process Goal | Related Metrics | Criteria/Expected Value | Assessment Step

[10] For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.
Process goal: Business-critical information is available to the business in line with minimum required service levels.
Related metrics: Pe…; Pe…; Pe…
Criteria/expected value: Agree on the expected values for the process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics for the goal are reviewed and an assessment is made whether the defined criteria are achieved.

Process goal: Sufficient resilience is in place for critical services.
Related metrics: Number of critical business systems not covered by the plan
Criteria/expected value: Agree on the expected values for the process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics for the goal are reviewed and an assessment is made whether the defined criteria are achieved.

Process goal: Service continuity tests have verified the effectiveness of the plan.
Related metrics: N…; Fr…
Criteria/expected value: Agree on the expected values for the process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics for the goal are reviewed and an assessment is made whether the defined criteria are achieved.

Process goal: An up-to-date continuity plan reflects current business requirements.
Related metrics: Pe…; Pe…
Criteria/expected value: Agree on the expected values for the process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics for the goal are reviewed and an assessment is made whether the defined criteria are achieved.

Process goal: Internal and external parties have been trained in the continuity plan.
Related metrics: Pe…; Pe…
Criteria/expected value: Agree on the expected values for the process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step the related metrics for the goal are reviewed and an assessment is made whether the defined criteria are achieved.
B3.5e Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)
Agree on the process practices that should be in place (process design).
Assess the process design, i.e., assess to what extent:
- Expected process practices are applied.
- Accountability and responsibility are assigned and assumed.
COBIT 5 processes are described in COBIT 5: Enabling Processes. Each process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:
- A sound process design
- The reference against which the process will be assessed in phase B with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.
Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference process: DSS04 Manage Continuity
Criteria: Control activities to manage continuity are properly implemented.

Reference Process Practices | Good Practice | Assessment Step
DSS04.01 Define the business continuity policy, objectives and scope
  Good practice: Define business continuity policy and scope aligned with enterprise and stakeholder objectives.
  Assessment step: The continuity and resilience objectives and scope have been adequately … implemented. Obtain and review the cybersecurity resilience or business continuity … stated by the enterprise. Obtain and review the cybersecurity resilience scope as stated by the enterprise. Determine whether the enterprise's cybersecurity resilience scope and … aligned with good practice and that there are no significant gaps. Confirm that the cybersecurity resilience scope and objectives cover … recommendations on resilience, particularly if part of the enterprise's … related to a critical infrastructure.
DSS04.02 Maintain a continuity strategy
  Good practice: Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption.
  Assessment step: Cybersecurity resilience strategy: Obtain and review the cybersecurity resilience or business continuity … Determine whether the resilience or business continuity strategic op… cover cybersecurity needs and requirements.
DSS04.03 Develop and implement a business continuity response
  Good practice: Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities.
  Assessment step: Continuity and recovery planning and response: Verify that all strategic objectives and provisions have been fully implemented … continuity resilience plans and related solutions. Obtain and review samples of cybersecurity-related resilience or co… related solutions.
DSS04.04 Exercise, test and review the BCP
  Good practice: Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated.
  Assessment step: Cybersecurity testing and exercising: Obtain and review the enterprise's cybersecurity testing and exercis… Obtain and review the enterprise's cybersecurity test and exercise p… Determine whether the testing and exercising regime is sufficiently … cover the needs and requirements of cybersecurity. Determine whether the testing and exercise regime is adequate in t… enterprise's cybersecurity process capability levels (maturity levels). Obtain and review samples of test and exercise documentation and …
DSS04.05 Review, maintain and improve the continuity plan
  Good practice: Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements.
  Assessment step: Review the continuity plan and capability on a regular basis against … made and current business operational and strategic objectives. Consider whether a revised business impact assessment may be required … on the nature of the change. Recommend and communicate changes in policy, plans, procedures … and roles and responsibilities for management approval and proces… management process. Review the continuity plan on a regular basis to consider the impact … changes to: enterprise, business processes, outsourcing arrangements … infrastructure, operating systems and application systems.
DSS04.06 Conduct continuity plan training
  Good practice: Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption.
  Assessment step: Cybersecurity resilience training: Obtain and review any relevant training and education materials used … enterprise. Determine whether training contents, frequency and operational suc… adequate.
DSS04.07 Manage backup arrangements
  Good practice: Maintain availability of business-critical information.
  Assessment step: Back up systems, applications, data and documentation according to … schedule, considering:
  o Frequency (monthly, weekly, daily, etc.)
  o Mode of backup (e.g., disk mirroring for real-time backups … for long-term retention)
  o Type of backup (e.g., full vs. incremental)
  o Type of media
  o Automated online backups
  o Data types (e.g., voice, optical)
  o Creation of logs
  o Critical end-user computing data (e.g., spreadsheets)
  o Physical and logical location of data sources
  o Security and access rights
  o Encryption
  Ensure that systems, applications, data and documentation maintained … by third parties are adequately backed up or otherwise secured. Co… return of backups from third parties. Consider escrow or deposit arrangements. Define requirements for on-site and off-site storage of backup data t… business requirements. Consider the accessibility required to back u… Roll out BCP awareness and training. Periodically test and refresh archived and backup data.
DSS04.08 Conduct post-resumption review
Description: Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption.
Good practice: Post-resumption reviews
Assessment steps:
- Verify that for all invocations of resilience plans and measures, post-resumption reviews have been performed by the enterprise.
- Obtain and review samples of post-resumption review documents.
B3.6e Agree on the process work products[11] (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.

Process DSS04 Manage Continuity inputs and outputs. The most relevant of these work products, not assessed as information items in scope (in section A3.5), are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.

Criteria: All listed work products should demonstrably exist and be used.

Process Practice | Work Products | Assessment Step
<Process or Practice Name> | List work products not included in the information items section. | Apply appropriate audit techniques to determine the existence and usage of each work product.

[11] For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.
B3.7e Agree on the process capability level to be achieved by the process.
This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes for which no reference practices, work products or outcomes are approved cannot use this assessment method; therefore the concept capability level does not apply.

DSS05 Manage Security Services
B3.1f Understand the Process context:
Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.

B3.2f Understand the Process purpose:
Minimise the business impact of operational information security vulnerabilities and incidents.

B3.3f Understand all process stakeholders and their roles. This is equivalent to understanding the real RACI chart of the process.
Leverage the COBIT 5 RACI charts for the processes in scope to identify any additional stakeholders that will need to be involved in the assessment. In this assurance step the translation is made between the theoretical RACI chart entry and the real enterprise.
The stakeholders of the process are already defined in the RACI chart as a result of step A3.3. In addition to those stakeholders, this process relies also on the following function(s), which therefore will need to be involved during the assurance engagement:
DSS05 Manage Security Services stakeholders:

B3.4f Understand the Process goals and related metrics[13] and define expected Process values (criteria), and assess whether the Process goals are achieved, i.e., assess the effectiveness of the process.
The Process DSS05 Manage Security Services has 5 defined process goals. The following activities can be performed to assess whether the goals are achieved:

Process Goal | Related Metrics | Criteria/Expected Value | Assessment Step
Networks and communications security meet business needs. | Number of vulnerabilities discovered; Number of firewall breaches | Agree on the expected values for the Process goal metrics (i.e., the values against which the assessment will take place). | In this step the related metrics for the goal are reviewed and an assessment is made of whether the defined criteria are achieved.

[13] For COBIT 5 processes, a set of goals and metrics are identified in COBIT 5: Enabling Processes.
Information processed on, stored on and transmitted by endpoint devices is protected. | Pe…; N…; N… (metric names truncated in the source) | Agree on the expected values for the Process goal metrics (i.e., the values against which the assessment will take place). | In this step the related metrics for the goal are reviewed and an assessment is made of whether the defined criteria are achieved.
All users are uniquely identifiable and have access rights in accordance with their business role. | Av…; N… (metric names truncated in the source) | Agree on the expected values for the Process goal metrics (i.e., the values against which the assessment will take place). | In this step the related metrics for the goal are reviewed and an assessment is made of whether the defined criteria are achieved.
Physical measures have been implemented to protect information from unauthorised access, damage and interference when being processed, stored or transmitted. | Pe…; Av…; N… (metric names truncated in the source) | Agree on the expected values for the Process goal metrics (i.e., the values against which the assessment will take place). | In this step the related metrics for the goal are reviewed and an assessment is made of whether the defined criteria are achieved.
Electronic information is properly secured when stored, transmitted or destroyed. | Number of incidents relating to unauthorised access to information | Agree on the expected values for the Process goal metrics (i.e., the values against which the assessment will take place). | In this step the related metrics for the goal are reviewed and an assessment is made of whether the defined criteria are achieved.
B3.5f Agree on suitable criteria to evaluate all processes in scope of the assurance engagement: Define and agree on the reference process, i.e., determine which base practices a process should at least include. (This usually is just a confirmation of the COBIT 5 processes already identified, unless there is reason for using a different reference process.)
Agree on the process practices that should be in place (process design).
Assess the process design, i.e., assess to what extent:
- Expected process practices are applied.
- Accountability and responsibility are assigned and assumed.

COBIT 5 Processes are described in COBIT 5: Enabling Processes. Each Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:
- A sound process design
- The reference against which the process will be assessed in this phase, with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.
Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

Reference Process: DSS05 Manage Security Services
Criteria: Control activities to manage security services are properly implemented.

Reference Process Practices | Good Practice | Assessment Step
DSS05.01 Protect against malware
Description: Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
Good practice: All relevant cybersecurity services have been implemented and are performed in a controlled and adequate manner. The enterprise's IT environment is adequately protected against malware.
Assessment steps:
- Obtain and review the methods, tools and processes that the enterprise uses to protect against malware.
- Verify that malware protection tools and solutions are up to date and maintained.
- Verify that any previous malware infections were analysed and used for organisational improvement.
- Verify that the enterprise uses local (owned and operated) as well as external malware protection mechanisms to achieve independent protection.
- Verify that the enterprise is performing the following practices:
  o Malware protection is integrated with central software distribution and management, and local deployment is enforced
  o Malware advisories are read, implemented and verified
  o Incidental (user, mail) traffic is filtered against malware
  o Experts and end users are trained and informed about malware on a regular basis
Cybersecurity testing
Good practice: Cyber security arrangements are tested at regular intervals and using adequate methods and techniques.
Assessment steps:
- Obtain and review the testing arrangements and objectives as stated by the enterprise.
- Verify that external penetration testing (black and white box) is performed at regular intervals.
- Verify that internal penetration testing (black and white box) is performed at regular intervals, including simulated collusion and sleeper attacks.
- Determine whether the enterprise is using (or planning on using) soft testing techniques, including impersonation, social engineering etc.
- Verify that in testing, the enterprise adheres to European laws and regulations that may represent constraints on test scope and methods. Consult appropriate legal advice where appropriate.
DSS05.02 Manage network and connectivity security
Description: Use security measures and related management procedures to protect information over all methods of connectivity.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, …) whether the management practice is effectively implemented:
1. Based on risk assessments and business requirements, establish and maintain a policy for security of connectivity.
2. Allow only authorised devices to have access to corporate information and the enterprise network. Configure these devices to force password entry.
3. Implement network filtering mechanisms, such as firewalls and intrusion detection software, with appropriate policies to control inbound and outbound traffic.
4. Encrypt information in transit according to its classification.
5. Apply approved security protocols to network connectivity.
6. Configure network equipment in a secure manner.
7. Establish trusted mechanisms to support the secure transmission and receipt of information.
8. Carry out periodic penetration testing to determine adequacy of network protection.
9. Carry out periodic testing of system security to determine adequacy of system protection.
DSS05.03 Manage endpoint security
Description: Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted.
Good practice: Sensitive information outputs and related devices are protected against attacks and breaches. Information processed on, stored on and transmitted by endpoint devices is protected.
Assessment steps:
- Verify that the enterprise has a complete inventory of connected endpoint devices, including BYOD.
- Obtain and review methods, techniques, tools and solutions that the enterprise uses to control and manage end point devices.
- Verify that end point vendor, software and app service advisories are received, internalised and implemented on a regular basis.
- Verify that adequate protection exists against:
  o Proximity attacks, e.g. NFC, Bluetooth, WLAN
  o Lower level, operating system attacks (SIM, text-based service commands …)
  o Physical duplication of media
  o Physical tampering or modification
  o Theft or destruction
  o Known app or mobile opsys issues and remediation latency
  o Low level mass attacks, e.g. hardware-based disabling of whole classes of devices
- Determine whether the enterprise performs end point hardening to the required level of protection and in line with cybersecurity needs and requirements.
- Determine whether the enterprise utilises specialised hardened endpoints for exposed use cases or high-risk users.
- Determine whether the enterprise has implemented end-to-end encryption (data at rest, data in flow) for end point devices.
- Determine whether the enterprise has identified sensitive outputs in its information classification.
- Obtain and review the enterprise's protective arrangements for sensitive output devices, including:
  o Protection of printed output against casual photography
  o Perimeter countermeasures against Van Eck attack vector (screen output and similar emanations)
  o Network-attached printer vulnerabilities (operating system and print protocol), including redirect attacks
  o Control, wiping and purging of autonomous output device cache memory (sensitive document images, temp files) in printer queue
  o Inventory, control and containment of popular virtual output devices (e.g., PDF generators) with known issues and side channel risk
DSS05.04 Manage user identity and logical access
Description: Ensure that all users have information access rights in accordance with their business requirements and co-ordinate with business units that manage their own access rights within business processes.
Assessment steps:
- Obtain and review the identity and logical access arrangements for critical information assets.
- Verify that cybersecurity requirements, parameters and criteria are integrated into the overall identity and access management process.
- Verify that the principles of "least privilege" and "need to know" have been implemented and are enforced.
- Determine whether the enterprise extends its identity and logical access management regime to third parties with access to critical information assets.
- Obtain and review social control and verification mechanisms that the enterprise has established (e.g. verifying identities, telephone behaviour etc.).
- Verify that logging and monitoring of logical access events and attempts are sufficiently comprehensive to meet the needs and requirements of cybersecurity.
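The following Python script is an added worked example of the data analysis an assurance professional can run over an IAM access export to test the DSS05.04 steps above (least privilege and need to know, unique identifiability of every account, and coverage of third-party accounts); it is not part of the ISACA programme. The role model, entitlement names, account rows and the 90-day dormancy threshold are all constructed assumptions for illustration.

```python
"""Reconcile an IAM access export against the business role model.

Added worked example for the DSS05.04 assessment steps; not part of the
ISACA programme. Roles, entitlements, accounts and thresholds are constructed.
"""
from collections import Counter

# Constructed: entitlements that each business role is allowed to hold
ROLE_MODEL = {
    "payments-clerk": {"pay-app:read", "pay-app:submit"},
    "payments-supervisor": {"pay-app:read", "pay-app:submit", "pay-app:approve"},
    "dba": {"pay-db:admin"},
    "vendor-support": {"pay-app:read"},
}


def _row(account, owner, party, role, entitlement, last_login):
    # owner: accountable person/organisation (None = nobody named)
    # last_login: days since last use (None = never used)
    return dict(account=account, owner=owner, party=party, role=role,
                entitlement=entitlement, last_login=last_login)


# Constructed: one row per (account, entitlement), as an IAM tool would export it
ACCESS_EXPORT = [
    _row("jdoe", "J. Doe", "internal", "payments-clerk", "pay-app:read", 2),
    _row("jdoe", "J. Doe", "internal", "payments-clerk", "pay-app:submit", 2),
    _row("jdoe", "J. Doe", "internal", "payments-clerk", "pay-app:approve", 2),   # beyond role
    _row("asmith", "A. Smith", "internal", "payments-supervisor", "pay-app:approve", 5),
    _row("ops-shared", None, "internal", "dba", "pay-db:admin", 1),               # shared, no owner
    _row("ext-acme1", "Acme Ltd", "third-party", "vendor-support", "pay-app:read", 120),
    _row("ext-acme1", "Acme Ltd", "third-party", "vendor-support", "pay-db:admin", 120),  # beyond role
]


def reconcile(export, role_model, dormant_days=90):
    """Return (account, finding_type, detail) tuples for the working papers."""
    findings = []
    by_account = {}
    for row in export:
        by_account.setdefault(row["account"], []).append(row)
    for account, rows in by_account.items():
        meta = rows[0]
        allowed = role_model.get(meta["role"], set())   # unknown role: nothing is allowed
        granted = {r["entitlement"] for r in rows}
        # Least privilege / need to know: any grant beyond the role model is excess
        for ent in sorted(granted - allowed):
            findings.append((account, "excess-entitlement", ent))
        # Unique identifiability: every account must map to an accountable owner
        if not meta["owner"]:
            findings.append((account, "no-accountable-owner", ""))
        # Dormancy: stale accounts are a finding; third-party ones are called out
        if meta["last_login"] is None or meta["last_login"] > dormant_days:
            kind = "dormant-third-party" if meta["party"] == "third-party" else "dormant"
            findings.append((account, kind, str(meta["last_login"])))
    return findings


def summarise(findings):
    """Count findings by type, usable as input to the account-related metrics."""
    return dict(Counter(kind for _, kind, _ in findings))
```

Run it against a real export by replacing ACCESS_EXPORT with the parsed tool output; the role model should be taken from the enterprise's own documented role definitions, never reconstructed from the grants being audited, otherwise the test only confirms the status quo.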
DSS05.05 Manage physical access to IT assets (continued)
Good practice: … logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. Building and facilities management systems and their IT interfaces are adequately protected against attacks and breaches. Physical IT assets are adequately protected against loss or hijacking. Physical measures have been implemented to protect information from unauthorised access, damage and interference when being processed, stored or transmitted.
DSS05.06 Manage sensitive documents and output devices
Description: Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, …) whether the management practice is effectively implemented:
1. Establish procedures to govern the receipt, use, removal and disposal of sensitive documents and output devices into, within and out of the enterprise.
2. Assign access privileges to sensitive documents and output devices based on the least-privilege principle, balancing risk and business requirements.
3. Establish an inventory of sensitive documents and output devices, and conduct regular reconciliations.
4. Establish appropriate physical safeguards over special forms and sensitive devices.
5. Destroy sensitive information and protect output devices (e.g., degaussing of electronic media, physical destruction of memory devices, making shredders or locked paper baskets available to destroy special forms and other confidential papers).
DSS05.07 Monitor the infrastructure for security-related events
Description: Using intrusion detection tools, monitor the infrastructure for unauthorised access and ensure that any events are integrated with general event monitoring and incident management.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, …) whether the management practice is effectively implemented:
1. Log security-related events reported by infrastructure security monitoring tools, identifying the level of information to be recorded based on a consideration of risk. Retain them for an appropriate period to assist in future investigations.
2. Define and communicate the nature and characteristics of potential security-related incidents so they can be easily recognised and their impacts understood to enable a commensurate response.
3. Regularly review the event logs for potential incidents.
4. Maintain a procedure for evidence collection in line with local forensic evidence rules and ensure that all staff are made aware of the requirements.
5. Ensure that security incident tickets are created in a timely manner when monitoring identifies potential security incidents.
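As an added worked example of activities 1, 2, 3 and 5 above (not part of the ISACA programme), the Python script below parses security events, applies one defined incident characteristic (repeated failed logins from a single source, escalated when a success follows) and turns each hit into a ticket that carries the raw lines as evidence. The log format, the sample lines, the five-failure threshold and the one-minute window are constructed assumptions; an enterprise would substitute the characteristics it has actually defined and communicated.

```python
"""Review security-event log lines against a defined incident pattern.

Added worked example for DSS05.07; not part of the ISACA programme.
Log format, sample lines, threshold and window are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five failures then a success from one source,
# and ordinary activity from another.
SAMPLE_LOG = """\
2014-09-01T08:00:01Z host1 sshd: Failed password for root from 203.0.113.7
2014-09-01T08:00:03Z host1 sshd: Failed password for root from 203.0.113.7
2014-09-01T08:00:05Z host1 sshd: Failed password for admin from 203.0.113.7
2014-09-01T08:00:08Z host1 sshd: Failed password for root from 203.0.113.7
2014-09-01T08:00:11Z host1 sshd: Failed password for root from 203.0.113.7
2014-09-01T08:00:14Z host1 sshd: Accepted password for root from 203.0.113.7
2014-09-01T08:05:00Z host2 sshd: Failed password for alice from 198.51.100.9
2014-09-01T09:30:00Z host2 sshd: Accepted publickey for alice from 198.51.100.9
"""

# Assumed syslog-like line layout
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(text):
    """Activity 1: decide what is recorded per event. Lines the parser cannot
    read are returned separately rather than silently dropped."""
    events, unparsed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["raw"] = line          # kept verbatim as evidence (activity 4)
        events.append(e)
    return events, unparsed


def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Activities 2 and 3: an incident is >= threshold failed logins from one
    source within window; a later success from that source raises severity.
    Activity 5: each hit becomes a ticket carrying the evidence lines."""
    tickets = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["outcome"] == "Failed"]
        for i, start in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - start["ts"] <= window]
            if len(burst) < threshold:
                continue
            last = burst[-1]["ts"]
            success = next((e for e in evs
                            if e["outcome"] == "Accepted" and e["ts"] > last), None)
            tickets.append({
                "source": src,
                "severity": "high" if success else "medium",
                "first_seen": burst[0]["ts"].isoformat(),
                "summary": f"{len(burst)} failed logins within {window}"
                           + (f", then success as {success['user']}" if success else ""),
                "evidence": [e["raw"] for e in burst] + ([success["raw"]] if success else []),
            })
            break   # one ticket per source per review run
    return tickets


def review(text):
    """Parse then detect; returns (tickets, unparsed_lines)."""
    events, unparsed = parse(text)
    return detect(events), unparsed
```

The unparsed list matters for the auditor as much as the tickets: a high count means the monitoring tool is recording less than activity 1 requires, and the review in activity 3 is silently incomplete.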
Contract Terms and Conditions, Jurisdiction
Good practice: Contract terms with the third party clearly state levels of cybersecurity to be delivered. Contract jurisdiction is known and controlled.
Assessment steps:
- Obtain and review the contract documents as well as any terms and conditions for third-party services (applications) relevant to cybersecurity.
- Determine whether the enterprise has adequately documented the levels of cybersecurity to be delivered, and that any exceptions are supported by a formal risk acceptance.
- Verify that contract and delivery jurisdictions provide an adequate level of certainty and reliability with regard to cybersecurity and potential litigation. Consult legal assistance where appropriate.
Forced Cloud Utilisation
Good practice: Where cloud use is compulsory or enforced by third parties, adequate protection mechanisms are in place to prevent attacks or breaches.
Assessment steps:
- Obtain and review the enterprise's list of cloud services and apps that are enforced by vendors or operating system distributors.
- Determine whether the enterprise has taken adequate steps to mitigate the risks and threats arising from forced cloud utilisation, both at the enterprise and at the user level.
Industrial Control Systems
Good practice: Industrial control systems and their IT interfaces are adequately protected against attacks and breaches.
Assessment steps:
- Obtain and review the enterprise's inventory of known and defined interfaces between standard IT and industrial control systems.
- Determine whether the enterprise has taken adequate steps to protect industrial control systems, for instance through:
  o Restricting access to ICS to read-only
  o Restricting data transmission between ICS and standard IT to flat files (ASCII, CSV etc.)
  o Defining a restricted dataset (field mapping) to be made available by ICS
  o Applying restrictive access and no privileges when remotely accessing ICS (full access to ICS limited to local LAN / proximity connections)
  o Restricting vendor (maintenance) remote access to ICS
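The Python script below is an added worked example (not part of the ISACA programme) of the second and third measures above: a one-way gateway step that takes a CSV export from the ICS side, admits only the agreed restricted dataset (a field mapping), refuses non-ASCII content, and writes a plain flat file for standard IT. The field names, the plausibility bounds and the sample export rows are constructed assumptions; the point an auditor can test is that columns outside the mapping never reach the IT side and that every rejected row is accounted for.

```python
"""Enforce a restricted field mapping on a CSV export leaving an ICS network.

Added worked example for the ICS assessment steps; not part of the ISACA
programme. Field names, limits and sample content are constructed.
"""
import csv
import io

# Constructed: the agreed restricted dataset. Only these ICS fields may cross
# into standard IT, each renamed and type-checked on the way out.
FIELD_MAP = {
    "tag_id": ("sensor", str),
    "value": ("reading", float),
    "ts": ("timestamp", str),
}
LIMITS = {"reading": (-50.0, 500.0)}   # constructed plausibility bounds

# Constructed sample: an ICS-side export carrying columns that must not leave
SAMPLE_EXPORT = (
    "tag_id,value,ts,setpoint,plc_password\n"
    "P-101,42.5,2014-09-01T08:00:00Z,40.0,hunter2\n"
    "P-102,9999,2014-09-01T08:00:00Z,40.0,hunter2\n"
    "P-103,abc,2014-09-01T08:00:00Z,40.0,hunter2\n"
)


def filter_export(text):
    """Return (accepted_rows, rejected, dropped_columns).

    accepted_rows carry only the mapped fields; rejected lists (line number,
    reason) for every row that failed type or range checks; dropped_columns
    names the source columns that were present but are outside the mapping."""
    if not text.isascii():               # flat ASCII only; no binary payloads
        raise ValueError("non-ASCII content refused")
    reader = csv.DictReader(io.StringIO(text))
    dropped_columns = sorted(set(reader.fieldnames or []) - set(FIELD_MAP))
    accepted, rejected = [], []
    for n, row in enumerate(reader, start=2):   # line 1 is the header
        out = {}
        try:
            for src, (dst, typ) in FIELD_MAP.items():
                out[dst] = typ(row[src])         # KeyError if a mapped field is missing
            for field, (lo, hi) in LIMITS.items():
                if not lo <= out[field] <= hi:
                    raise ValueError(f"{field}={out[field]} out of range")
        except (KeyError, ValueError) as exc:
            rejected.append((n, str(exc)))
            continue
        accepted.append(out)
    return accepted, rejected, dropped_columns


def to_flat_file(rows):
    """Serialise accepted rows as plain CSV with the mapped column names only."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[dst for dst, _ in FIELD_MAP.values()],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Because the mapping is a positive list, a new column added on the ICS side (a password, a setpoint, a free-text comment) is dropped by default rather than forwarded; the rejected list gives the reconciliation evidence for the transfer.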
Critical Applications in Production
Good practice: Productive critical applications are adequately protected against attacks and breaches.
Assessment steps:
- Obtain and review the list of applications classified as critical with regard to cybersecurity.
- Obtain and review the documented cybersecurity arrangements for critical applications as stated by the enterprise.
- Determine whether the enterprise has encapsulated and segregated critical applications, for instance through:
  o Separation from non-critical network topology
  o Separation from network segments with external network connectivity
  o Dedicated hardened server platform
  o Independent or non-standard operating systems with hardened security (e.g., specific Unix distributions)
  o Virtualised (sandboxed) runtime environment for the application, segregated from the shared facility
Critical Application Development
Good practice: Critical applications development is adequately designed to protect against attacks and breaches.
Assessment steps:
- Obtain and review the list of applications for which the enterprise undertakes (or contracts) development activities.
- Obtain and review the documented cybersecurity arrangements for critical application development as stated by the enterprise.
- Determine whether the enterprise has implemented appropriate controls over critical application development, for instance:
  o Secure development lifecycle
  o Peer-reviewed and non-proprietary coding
  o Built-in monitoring and "self-healing" processes
B3.6f Agree on the process work products[19] (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess to what extent the process work products are available.

Process DSS05 Manage Security Services inputs and outputs. The most relevant of these work products, not assessed as information items in scope (in section A3.5), are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.

Criteria: All listed work products should demonstrably exist and be used.

Process Practice | Work Products | Assessment Step
<Process or Practice Name> | List work products not included in the information items section. | Apply appropriate audit techniques to determine the existence and usage of each work product.

[19] For COBIT 5 processes, a set of inputs and outputs for the different management practices are identified in COBIT 5: Enabling Processes.

B3.7f Agree on the process capability level to be achieved by the process.
This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes for which no reference practices, work products or outcomes are approved cannot use this assessment method; therefore the concept capability level does not apply.
Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform: Organisational Structures

Ref. | Assurance Steps and Guidance

B4
Obtain understanding of each Organisational Structure in scope and set suitable assessment criteria: For each Organisational Structure in scope (as determined in step A3.3), additional information is collected and assessment criteria are defined. Assess the Organisational Structure.

Organisational Structure: Cybersecurity team

B4.1a Understand the Organisational Structure context. Identify and document all elements that can help to understand the context in which the Cybersecurity team organisational structure operates, including:
- The overall organisation
- Management/process framework
- History of the role/structure
- Contribution of the Organisational Structure to achievement of goals

B4.2a Understand all stakeholders of the Organisational Structure/function. Determine through documentation review (policies, management communications, etc.) the key stakeholders of the Cybersecurity team organisation:
- Incumbent of the role and/or members of the Organisational Structure
- Other key stakeholders affected by the decisions of the Organisational Structure/role

B4.3a Understand the goals of the Organisational Structure, the related metrics and agree on expected values. Understand how they contribute to the achievement of the enterprise goals and IT-related goals.

Organisational Structure Goal | Assessment Step
Determine through interviews with key stakeholders and documentation review the goals of the Cybersecurity team, i.e., the decisions for which they are accountable[14][15]. | This step only applies if specific goals are defined; the assurance professional will use appropriate audit techniques to: identify the decisions made by the Organisational Structure; assess whether decisions are appropriate and communicated; evaluate the decisions by assessing whether they have contributed to the achievement of IT-related and enterprise goals as anticipated, and whether decisions are duly executed on a timely basis.

B4.4a Agree on the expected good practices for the Organisational Structure against which it will be assessed. Assess the Organisational Structure design, i.e., assess the extent to which expected good practices are applied.

Good Practice | Criteria | Assessment Step
Operating principles | Operating principles are documented. Regular meetings take place as defined in operating principles. Meeting reports/minutes are available and are meaningful. | Verify whether operating principles are appropriately documented. Verify that regular meetings take place as defined in operating principles. Verify that meeting reports/minutes are available and meaningful.
Composition | The Organisational Structure's composition is balanced and complete, i.e., all required stakeholders are sufficiently represented. Cybersecurity resources are adequate. | Assess whether the Organisational Structure's composition is balanced and complete, i.e., all required stakeholders are sufficiently represented. Obtain and review a list of resources allocated to cybersecurity (people, technology, other). Determine whether the general and specific level of resource allocation is sufficient to meet the needs and requirements of cybersecurity. Assess the formal remit of resources within the cybersecurity function (RACI, span of control etc.) and its adequacy with regard to cybersecurity tasks.
Span of control | The span of control of the Organisational Structure is defined. The span of control is adequate, i.e., the Organisational Structure has the right to make all decisions it should. The span of control is in line with the overall enterprise governance arrangements. Cybersecurity is considered in business continuity and resilience. | Verify whether the span of control of the Organisational Structure is defined. Assess whether the span of control is adequate, i.e., the Organisational Structure has the right to make all decisions it should. Verify and assess whether the span of control is in line with the overall enterprise governance arrangements. Obtain and review the organisational interfaces between cybersecurity and business continuity management or resilience, including crisis management. Verify that the organisational relationship between them is fully defined and adequate in terms of cybersecurity needs and requirements. Determine whether the relationship between incident management and the cybersecurity function has clearly assigned responsibilities and no inconsistencies. Determine whether the relationship between crisis management and the cybersecurity function has clearly assigned responsibilities and no inconsistencies, particularly where escalation and crisis mode are concerned. Determine whether the relationship between resilience/business continuity and the cybersecurity function has clearly assigned responsibilities and no inconsistencies, particularly where recovery strategies and solutions are concerned. Obtain and review the organisational interfaces between cybersecurity and general information security. Obtain and review the organisational interfaces between cybersecurity and corporate security. Verify that the organisational interfaces and deliverables are defined and adequate in terms of cybersecurity needs and requirements.

[14] The RACI charts in COBIT 5: Enabling Processes can be leveraged as a starting point for the expected goals of a role or Organisational Structure.
[15] The Organisational Structure/role as described may not exist under the same name in the enterprise; in that case, the closest Organisational Structure assuming the same responsibilities and accountability should be considered.
Level of authority/decision rights | Decision rights of the Organisational Structure are defined and documented. Decision rights of the Organisational Structure are respected and complied with (also a culture/behaviour issue). The cybersecurity function is positioned at an appropriate organisational level. | Verify that decision rights of the Organisational Structure are defined and documented. Verify whether decision rights of the Organisational Structure are complied with and respected. Determine whether the cybersecurity function is appropriately positioned to perform its tasks and discharge its responsibilities.
Delegation of authority | Delegation of authority is implemented in a meaningful way. | Verify whether delegation of authority is implemented in a meaningful way.
Escalation procedures | Escalation procedures are defined and applied. | Verify the existence and application of escalation procedures.

B4.5a Understand the life cycle and agree on expected values. Assess the extent to which the Organisational Structure life cycle is managed.

Life-Cycle Element | Criteria | Assessment Step
Mandate | The Organisational Structure is formally established. The Organisational Structure has a clear, documented and well-understood mandate. There is a dedicated cybersecurity function with adequate resources and an appropriate remit. Cybersecurity is clearly delineated from other organisational functions. | Verify through interviews and observations that the Organisational Structure is formally established. Verify through interviews and observations that the Organisational Structure has a clear, documented and well understood mandate. Obtain and review organisational charts and other documentation for the cybersecurity function. Defined interfaces exist between cybersecurity and other organisational functions.
Monitoring | The performance of the Organisational Structure and its members should be regularly monitored and evaluated by competent and independent assessors. The regular evaluations should result in the required continuous improvements to the Organisational Structure, either in its composition, mandate or any other parameter. | Verify whether the performance of the Organisational Structure and its members is regularly monitored and evaluated by competent and independent assessors. Verify whether the regular evaluations have resulted in improvements to the Organisational Structure, in its composition, mandate or any other parameter.

B4.1 to B4.5 (cont.)
Repeat steps B4.1 through B4.5 for all remaining Organisational Structures in scope. Repeat the steps described above for the remaining Organisational Structures:
- Business executives
- Service manager
- Chief information officer (CIO)
- Business process owners
- Chief information security officer (CISO)
- Chief executive officer (CEO)
- Head IT operations
- Risk function
- Privacy officer
- Compliance
- Audit
Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform the Assessment: Culture, Ethics and Behaviour
Ref. | Assurance Step and Guidance | Issue Cross-reference
B-5 Obtain understanding of the Culture, Ethics and Behaviour in scope.
Assess Culture, Ethics and Behaviour.
Culture, Ethics and Behaviour: Integrity and Reliability
B-5.1a Understand the Culture, Ethics and Behaviour context.
What the overall corporate Culture is like
Understand the interconnection with other enablers in scope:
Identify roles and structures that could be affected by the Culture.
Identify processes that could be affected by Culture, Ethics and Behaviour, including any processes in scope of the review.
B-5.2a Understand the major stakeholders of the Culture, Ethics and Behaviour: Integrity and Reliability
Understand to whom the behaviour requirements will apply, i.e., understand who embodies the roles/structures expected to demonstrate the correct set of Behaviours. This is usually linked to the roles and Organisational Structures identified in scope.
B-5.3a Understand the goals for the Culture, Ethics and Behaviour, and the related metrics and agree on expected values.
Assess whether the Culture, Ethics and Behaviour goals (outcomes) are achieved, i.e., assess the effectiveness of the Culture, Ethics and Behaviour.
In the context of Integrity and Reliability the following Culture, Ethics and Behaviour are desired:
Culture and especially Behaviours are associated to individuals and the Organisational Structures of which they are a part; therefore, by using appropriate auditing techniques, the assurance professional will:
Identify individuals who must comply with the Behaviours under review.
Identify the Organisational Structures involved.
Assess whether desired Behaviours can be observed.
Assess whether undesirable Behaviours are absent.
For a representative sample of individuals, perform the following assessment steps.
Desired Behaviour (Culture, Ethics and Behaviour Goal) | Assessment Step
Organisational Culture: The process of deploying cybersecurity solutions is controlled and monitored in full compliance with the relevant policy and procedures.
Organisational Values and Beliefs: Values and beliefs within the organisation are realistic and appropriately reflect current cybersecurity facts and knowledge.
Obtain and review the organisation's stated set of values that have an impact on cybersecurity.
Conduct randomised (informal) interviews to gain an understanding of commonly held beliefs and assumptions regarding cybersecurity.
Identify and informally report any inconsistencies between formal values and actual beliefs or assumptions, particularly where these inconsistencies might be "weak signals" indicating systemic weaknesses in cybersecurity.
Cybersecurity Target Culture: The organisation has defined and implemented a target culture that is conducive to cybersecurity governance, management and compliance.
Obtain the organisation's statement (if any) and related materials on the desired cybersecurity culture.
Determine whether the organisation has adopted cybersecurity as a sufficiently important element of corporate culture.
Organisational Ethics/Code of Ethics: The organisation has established cybersecurity good practice as part of their code of ethics.
Verify that cybersecurity values and culture have been included as part of the general code of ethics, including clear and unambiguous guidance on cybercrime and other illegal acts.
Verify that any related issues (such as BYOD) have been fully incorporated into the general code of ethics and any subsidiary guidance on cybersecurity.
Ethical Enforcement: The organisation follows up on any and all instances of cybercrime or other illegal acts.
Enquire of management whether any and all illegal acts are prosecuted, and note any exceptions.
Verify that all European provisions on cybercrime, investigation and prosecution are adhered to. Consult appropriate legal assistance where needed.
Organisational Behavior Patterns/Desirable Behaviours: The organisation has clearly defined desirable behaviours with regard to cybersecurity.
Determine whether the organisation has formulated model desirable behaviours in terms of cybersecurity.
Determine whether the organisation has introduced, and is living by, guiding principles in cybersecurity.
B-5.4a Understand the life cycle stages of the Culture, Ethics and Behaviour, and agree on the relevant criteria.
Assess to what extent the Culture, Ethics and Behaviour life cycle is managed.
(This aspect is already covered by the assessment of the good practices, hence no additional separate assurance steps are defined here.)
B-5.5a Understand good practice when dealing with Culture, Ethics and Behaviour, and agree on relevant criteria.
Assess the Culture, Ethics and Behaviour design, i.e., assess to what extent expected good practices are applied.
Good Practice | Criteria | Assessment Step
Communication, enforcement and rules
Existence and quality of the communication
Apply appropriate auditing techniques
whether the good practice is adequately
assessment criteria are met.
Incentives and rewards
Existence and application of appropriate rewards and incentives
Awareness
Awareness of desired Behaviours
B-5.1 to B-5.5
Repeat steps B-5.1 through B-5.5 for all remaining Culture, Ethics and Behaviour in scope.
Repeat the steps described above for the remaining Culture, Ethics and Behaviour:
Personal and Professional Reliability
Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform the Assessment: Information Items
Ref. | Assurance Steps and Guidance | Issue Cross-reference
B-6 Obtain understanding of the Information Items in scope.
Assess Information Items.
Information Item: Formal Cybersecurity Policy
B-6.1a Understand the Information item context:
Where and when is it used?
For what purpose is it used?
Understand the connection with other enablers in scope, e.g.:
Used by which processes?
Which Organisational Structures are involved?
Which services/applications are involved?
B-6.2a Understand the major stakeholders of the Information item: Formal Cybersecurity Policy. Understand the stakeholders for the Information item, i.e., identify the:
Information producer
Information custodian
Information consumer
Stakeholders should be at the appropriate organisational level.
B-6.3a Understand the major quality criteria for the Information item, the related metrics and agree on expected values.
Assess whether the Information item quality criteria (outcomes) are achieved, i.e., assess the effectiveness of the Information item.
Leverage the COBIT 5 Information enabler model [16], focusing on the quality goals description, to select the most relevant Information quality criteria for the Information item at hand. Document expectations regarding information criteria. The COBIT 5 Information enabler model identifies 15 different quality criteria; although all of them are relevant, it is nonetheless possible and recommended to focus on a subset of the most important criteria for the Information item at hand.
Mark the quality dimensions with an 'X' that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.
The assurance professional will, by using appropriate auditing techniques, verify
in scope and assess whether the criteria are met.
Quality Dimension | Key Criteria | Description | Assessment Step
Accuracy
Objectivity
[16] COBIT 5 framework, Appendix G, p. 81-84
Believability
Reputation
Relevancy
Completeness
Currency
Amount of information
Concise representation
Consistent representation
Interpretability
Understandability
Manipulation
Availability
Restricted access
B-6.4a Understand the life cycle stages of the Information item, and agree on the relevant criteria.
Assess to what extent the Information item life cycle is managed.
The life cycle of any Information item is managed through several business and IT-related processes. The scope of this review already includes a review of (IT-related) processes so this aspect does not need to be duplicated here.
When the Information item is internal to IT, the process review will have covered the life cycle aspects sufficiently.
When the Information item also involves other stakeholders outside IT or other non-IT processes, some of the life cycle aspects need to be assessed.
Mark the life cycle stages with an 'X' that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.
Life Cycle Stage | Key Criteria | Description | Assessment Step
Plan
Design
Build/acquire
Use/operate
Evaluate/monitor
Update/dispose
B-6.5a Understand important attributes of the Information item and expected values.
Assess the Information item design, i.e., assess the extent to which expected good practices are applied.
Good practices for Information items are defined as a series of attributes for the Information item [17]. The assurance professional will, by using appropriate audit techniques, verify all attributes in scope and assess whether the attributes are adequately defined.
[17] COBIT 5 framework, appendix G, p. 81-84
Mark the attributes with an 'X' that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.
Attribute | Key Criteria | Description | Assessment Step
Physical
Empirical
Syntactic
Semantic
Pragmatic
Social
B-6.1 to B-6.5
Repeat steps B-6.1 through B-6.5 for all remaining Information items in scope.
Repeat the steps described above for the remaining Information items:
Code of Conduct
Third-party access policies
Virtual architecture documentation
Virtualisation policies
Cybersecurity technical standards
Technical guidelines and procedures at the IT service level, including services partially or fully provided by third parties
Technical guidelines and procedures at the IT application level
Technical guidelines and procedures at the IT platform level, including remotely controlled and administered platforms (rental virtual servers etc.)
Technical guidelines and procedures at the autonomous IT hardware level (including stand-alone servers and clusters, end user PC devices etc.)
Technical guidelines and procedures for critical or particularly exposed hardware items, notably mobile devices such as smartphones or tablets
Technical and administrative guidelines and procedures around BYOD
Technical and administrative guidelines and procedures for industrial control systems and IT interfaces
Technical and administrative guidelines and procedures for building and facilities management systems
Incident management, disaster recovery and service business continuity procedures for critical IT assets
Guidelines and procedures concerning the identification, documentation and safeguarding of informational evidence, e.g. logs
Virtualisation controls assessment results
Third-party access controls assessment results
Cybersecurity attributes in data and information classification
Evidence of cybersecurity inclusion in data and information classification
Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform the Assessment: Services, Infrastructures and Applications
Ref. | Assurance Steps and Guidance
B-7 Obtain understanding of the Services, Infrastructure and Applications in scope.
Assess Services, Infrastructure and Applications.
Services, Infrastructure and Applications: Cybersecurity training
B-7.1a Understand the Services, Infrastructure and Applications context. Understand the organisational and technological context of this service. Refer to steps A-1.1 and A-1.2 and re-use that information
the significance of this Service, Infrastructure and Application.
B-7.2a Understand the major stakeholders of the Services, Infrastructure and Applications: Cybersecurity training. Understand who will be the major stakeholders of the service, i.e., the sponsor, provider and users. Stakeholders will include a nu
organisational roles but could also link to Processes.
B-7.3a Understand the major goals for the Services, Infrastructure and Applications, the related metrics and agree on expected values. Assess whether the Services, Infrastructure and Applications goals (outcomes) are achieved, i.e., assess the effectiveness of the Services, Infrastructure and Applications.
Goal | Criteria | Assessment Step
Service description
The Service is clearly described.
Roles and responsibilities are clearly defined.
The Service is available to all potential stakeholders.
Verify that the Service exists and is clearly described.
Verify that roles and responsibilities are clearly defined.
Assess the quality of the Service description and of the Service
Verify the accessibility of the Service to all potential stakeholders.
Service level definition
Service levels are defined for:
Quality of the service deliverables
Ease to request the service
Timeliness
Verify that the following aspects are dealt with in the Service
Quality of the Service deliverables
Ease to request the service
Timeliness
Verify to what extent Service levels are achieved.
Contribution to related enablers, IT and enterprise goals
The Service contributes to the achievement of related enabler and IT-related and enterprise goals.
Assess to what extent the Service contributes to the achievement
enabler goals and to the overall IT-related and enterprise goals.
B-7.4a Understand good practice related to the Services, Infrastructure and Applications and expected values. Assess the Services, Infrastructure and Applications design, i.e., assess to what extent expected good practices are applied.
Leverage the description of Services, Infrastructure and Applications in the COBIT 5 framework [18] to identify good practices related
Infrastructure and Applications. In general, the following practices need to be implemented:
Buy/build decision needs to be taken.
Use of the Service needs to be clear.
Good Practice | Criteria | Assessment Step
Sourcing (buy/build)
A formal decision (based on a business case) needs to be taken regarding the sourcing of the Service.
Verify that a formal decision (based on a business case) was
the sourcing of the Service.
Verify the validity and quality of the business case.
Verify that the sourcing decision has been duly executed.
Use
The use of the Service needs to be clear:
When it needs to be used and by whom
The required compliance levels with the Service's output
Verify that the use of the Service is clear, i.e., it is known when
the service needs to be used.
Verify that actual use is in line with requirement above.
Verify that the actual Service output is adequately used.
Verify that Service levels are monitored and achieved.
B-7.1 to B-7.4
Repeat steps B-7.1 through B-7.4 for all remaining Services, Infrastructure and Applications in scope.
Repeat the steps described above for the remaining Services, Infrastructure and Applications:
Change management
Human resources
Help desk
Incident tracking system
[18] COBIT 5 framework, appendix G, p. 85-8
Phase B—Understand Enablers, Setting Suitable Assessment Criteria and Perform the Assessment: People, Skills and Competencies
Ref. | Assurance Steps and Guidance
B-8 Obtain understanding of the People, Skills and Competencies in scope. Assess People, Skills and Competencies.
People, Skill and Competency: Cybersecurity Personnel Skills
B-8.1a Understand the People, Skills and Competencies context. Understand the context of the Skill/Competency, i.e.:
Where and when is it used?
For what purpose is it used?
Understand the connection with other enablers in scope, e.g.:
In which roles and structures is the Skill/Competency used? (See also B-4.)
Which behaviours are associated with the Skill/Competency?
B-8.2a Understand the major stakeholders for the People, Skills and Competencies: Cybersecurity Personnel Skills. Identify to whom in the organisation the skill requirement applies.
B-8.3a Understand the major goals for the People, Skills and Competencies, the related metrics and agree on expected values. Assess whether the People, Skills and Competencies goals (outcomes) are achieved, i.e., assess the effectiveness of the People, Skills and Competencies.
For the People, Skills and Competencies: Cybersecurity Personnel Skills, the following goals and associated criteria can be adopted.
Goal | Criteria | Assessment Step
Experience
All cybersecurity personnel possess the necessary experience to meet the needs and requirements of cybersecurity.
Skills and experience requirements for new hires or side entries are aligned with the organisation's cybersecurity needs and requirements.
Determine whether the organisation has defined and documented
skills and experience requirements, for instance in job descriptions
offers.
Verify that these minimum requirements are in line with good
cybersecurity needs and requirements of the organisation.
Education
The enterprise enables, operates and encourages adequate training, education and awareness measures for all employees and relevant third parties. Specifically, employees or third parties with cybersecurity tasks and responsibilities are subject to compulsory training and awareness.
The organisation offers, and mandates, the appropriate level
training to cybersecurity practitioners as well as end users.
The organisation is fully aware and informed about independent
educational opportunities. The organisation encourages, and
appropriate level of education to cybersecurity practitioners a
Qualification
Knowledge
The enterprise enables, operates and encourages adequate awareness measures for all employees and relevant third parties. Specifically, employees or third parties with cybersecurity tasks and responsibilities are subject to compulsory awareness.
The organisation creates and maintains an adequate level of cybersecurity
awareness among all employees, and specifically high-risk users
Technical skills
All cybersecurity personnel are adequately skilled and supported in acquiring the requisite skills to perform their tasks.
Obtain and review sample professional skill sets for employees
cybersecurity tasks.
Obtain and review lists of individual training needs and training
Behavioural skills
All personnel with cybersecurity tasks and responsibilities meet the required standard of personal and professional integrity.
Determine whether the organisation performs appropriate background
when hiring cybersecurity personnel.
Verify that background checking is conformant with laws and
Consult legal assistance where appropriate.
Number of people with appropriate skill level
All personnel with cybersecurity tasks and responsibilities are personally and professionally reliable, and able to continue their job.
Determine whether the organisation performs repeated and f
background checks on employees with tasks and responsibilities
cybersecurity.
Verify that background checking is conformant with European
regulations. Consult legal assistance where appropriate. Verify that employees have given explicit consent to having their
checked.
B-8.4a Understand the life cycle stages of the People, Skills and Competencies, and agree the relevant criteria. Assess to what extent the People, Skills and Competencies life cycle is managed.
For the People, Skills and Competencies at hand, the life cycle phases and associated criteria can be expressed in function of the process APO07.
For the People, Skills and Competencies, the
assurance professional will perform the
assessment steps.
Life Cycle Element | Criteria | Assessment Step
Plan
Practice APO07.03, activity 1 (Define the required and currently available skills and competencies of internal and external resources to achieve enterprise, IT and process goals.) is implemented in relation to this skill.
Assess whether practice APO07.03 activity
implemented in relation to this skill.
Design
Practice APO07.03 activity 2 (Provide formal career planning and professional development to encourage competency development, opportunities for personal advancement and reduced dependence on key individuals.) is implemented in relation to this skill.
Practice APO07.03 activity 3 (Provide access to knowledge repositories to support the development of skills and competencies.) is implemented in relation to this skill.
Assess whether practice APO07.03 activity
implemented in relation to this skill.
Assess whether practice APO07.03 activity
implemented in relation to this skill.
Build
Practice APO07.03 activity 4 (Identify gaps between required and available skills and develop action plans to address them on an individual and collective basis, such as training [technical and behavioural skills], recruitment, redeployment and changed sourcing strategies.) is implemented in relation to this skill.
Assess whether practice APO07.03 activity
implemented in relation to this skill.
Operate
Practice APO07.03 activity 5 (Develop and deliver training programmes based on organisational and process requirements, including requirements for enterprise knowledge, internal control, ethical conduct and security.) is implemented in relation to this skill.
Assess whether practice APO07.03 activity
implemented in relation to this skill.
Evaluate
Practice APO07.03 activity 6 (Conduct regular reviews to assess the evolution of the skills and competencies of the internal and external resources. Review succession planning.) is implemented in relation to this skill.
Assess whether practice APO07.03 activity
implemented in relation to this skill.
Update/dispose
Practice APO07.03 activity 7 (Review training materials and programmes on a regular basis to ensure adequacy with respect to changing enterprise requirements and their impact on necessary knowledge, skills and abilities.) is implemented in relation to this skill.
Assess whether practice APO07.03 activity
implemented in relation to this skill.
B-8.5a Understand good practice related to the People, Skills and Competencies and expected values. Assess the People, Skills and Competencies design, i.e., assess to what extent expected good practices are applied.
Good Practice | Criteria | Assessment Step
Skill set and Competencies are defined.
Determine that an inventory of Skills and Competencies is maintained by organisational unit, job function and individual.
Evaluate the relevance and the contribution of the Skills and Competencies to the achievement of the goals of the Organisational Structure, and by consequence, IT-related goals and enterprise goals.
Evaluate the gap analysis between necessary portfolio of Skills and Competencies and current inventory of skills and capabilities.
Skill levels are defined.
Assess the flexibility and performance of meeting Skills development to address identified gaps between necessary and current Skill levels.
Phase C—Communicate the Results of the Assessment
Ref. | Assurance Step
C-1 Document exceptions and gaps.
C-1.1 Understand and document weaknesses and their impact on the achievement of process goals.
• Illustrate the impact of enabler
inefficiencies and misuse.
• Clarify vulnerabilities, threats a
perform effectively.
C-1.2 Understand and document weaknesses and their impact on enterprise goals.
• Illustrate what the weaknesses
architecture elements, capabil
actual cases in the same indus
• Document the impact of actua
financial reporting, hours lost i
customer and shareholder req
• Point out the consequence of n
agreements.
• Measure the actual impact of d
customers (e.g., number, effor
C-2 Communicate the work performed and findings.
C-2.1 Communicate the work performed.
Communicate regularly to the s
C-2.2 Communicate preliminary findings to the assurance engagement stakeholders defined in A-1.
• Document the impact (i.e., cus
effective enablers.
• Measure and document the im
measure affected by enabler w
• Measure the actual business b
• Use benchmarking and survey
• Use extensive graphics to illus
• Inform the person responsible
his/her correct understanding o
C-2.3 Deliver a report (aligned with the terms of reference, scope and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.
Appendix A. Other ISACA Sources
The Business Model for Information Security
COBIT 5
COBIT 5: Enabling Processes
COBIT 5 for Assurance
COBIT 5 for Information Security
COBIT 5 for Risk
Responding to Targeted Cyberattacks
Securing Mobile Devices Using COBIT 5
Transforming Cybersecurity Using COBIT 5