Internal Controls - f90 Parte1

The document outlines the organization's updated policies and procedures related to information security, ensuring they are approved by top management and communicated effectively. It emphasizes the importance of regular reviews to adapt to changes in business strategy, regulations, and security risks. Additionally, it includes guidelines for various aspects of security management, including personnel training, incident management, and compliance with legal requirements.

Control register (page 1 of the export). Columns are shown as exported; cell text is cut off at the column width, and the Cost (OPEX), Cost (CAPEX) and Resource Utilization columns are empty for every row.

Name | Description | Documentation Status | GRC Contact | Control Operator | Related Policy
Information S | …of the organization and its topic-specific policies are up to date, approved by top management, communicated effectively, and reviewed periodically to reflect changes in business strategy, regulations, information security risks, and the threat environment. | 4 | Group-Admin | Group-Admin | Information Se
Information S | Ensure that the functions | 4 | Group-Admin | Group-Admin | Information Se
Management R | To ensure that management | 4 | Group-Admin | Group-Admin | Information Se
Authority Con | Ensure timely contact | 4 | Group-Admin | Group-Admin | Information Se
Engagement wi | Ensure timely contact | 4 | Group-Admin | Group-Admin | Information Se
Threat Intel | Ensure the collection, | 4 | Group-Admin | Group-Admin | Hardening Pol
Information S | Ensure the collection, | 4 | Group-Admin | Group-Admin | Secure Devel
Asset Invent | Ensure a complete inventory | 4 | Group-Admin | Group-Admin | Política de ge
Information a | Ensure that all persons | 4 | Group-Admin | Group-Admin | Política de ge
Information C | Ensure that information | 4 | Group-Admin | Group-Admin | Documents an
Information T | To ensure that the transfer | 4 | Group-Admin | Group-Admin | Communication
Access and Id | To ensure management | 4 | Group-Admin | Group-Admin | Política de ge
Supplier Secu | Ensure that suppliers | 4 | Group-Admin | Group-Admin | Supplier Man
Cloud Servic | To ensure that the acquisition | 4 | Group-Admin | Group-Admin | Cloud Service
Incident Man | To ensure that the organiza | 4 | Group-Admin | Group-Admin | Incident Man
ICT Continuit | To ensure that the ICT ser | 4 | Group-Admin | Group-Admin | Business Cont
Information S | To ensure the maintenance o | 4 | Group-Admin | Group-Admin | Business Cont
Legal Complia | To ensure continuous alignm | 4 | Group-Admin | Group-Admin | Compliance M
Intellectual | To ensure that the organiza | 4 | Group-Admin | Group-Admin | Information Se
Records Prot | To ensure the authenticity, | 4 | Group-Admin | Group-Admin | Documents an
PII Privacy C | To ensure that the organiza | 4 | Group-Admin | Group-Admin | Privacy Policy
Compliance R | To ensure regular review of | 4 | Group-Admin | Group-Admin | Compliance M
Documented E P | Ensure that all information | 4 | Group-Admin | Group-Admin | Information Se
Personnel Scr | To ensure thorough and ongo | 4 | Group-Admin | Group-Admin | Human Resourc
Employment | Ensure all employees, contr | 4 | Group-Admin | Group-Admin | Human Resourc
Information S | To ensure all personnel rec | 4 | Group-Admin | Group-Admin | Política de ge
Disciplinary | To ensure adherence to the | 4 | Group-Admin | Group-Admin | Information Se
Post-Terminat | To ensure that information | 4 | Group-Admin | Group-Admin | Human Resourc
Confidentiali | Ensure that all employees, | 4 | Group-Admin | Group-Admin | Human Resourc
Remote Work | To ensure that all aspects | 4 | Group-Admin | Group-Admin | IT Security Po
Security Even | Ensure timely and accurate | 4 | Group-Admin | Group-Admin | Incident Man
Physical Secu | To ensure that the physical | 4 | Group-Admin | Group-Admin | Physical Secur
Physical Entry | To ensure secure areas are | 4 | Group-Admin | Group-Admin | Physical Secur
Secure Facil | Ensure effective physical s | 4 | Group-Admin | Group-Admin | Physical Secur
Physical Secu | Ensure continuous monitori | 4 | Group-Admin | Group-Admin | Physical Secur
Secure Area A | To ensure that access to an | 4 | Group-Admin | Group-Admin | Physical Secur
Clear Desk a | To ensure adherence to the | 4 | Group-Admin | Group-Admin | IT Security Po
Equipment Sec | Ensure secure siting and p | 4 | Group-Admin | Group-Admin | Physical Secur
Off-Premises | To ensure that all devices | 4 | Group-Admin | Group-Admin | Physical Secur
Storage Medi | Ensure the secure managemen | 4 | Group-Admin | Group-Admin | Physical Secur
Utility Protec | To ensure that information | 4 | Group-Admin | Group-Admin | Business Cont
Cabling Secur | To ensure the security of c | 4 | Group-Admin | Group-Admin | Physical Secur
Equipment Ma | To ensure all organizationa | 4 | Group-Admin | Group-Admin | IT Security Po
Secure Equipm | Ensure all equipment contai | 4 | Group-Admin | Group-Admin | IT Security Po
Endpoint Devi | To ensure that all user end | 4 | Group-Admin | Group-Admin | IT Security Po
Privileged A | Ensure that the allocation, | 4 | Group-Admin | Group-Admin | Política de ge
Sensitive In | To ensure that access to se | 4 | Group-Admin | Group-Admin | Política de ge
Source Code | To ensure that read and wri | 4 | Group-Admin | Group-Admin | Política de ge
Secure Authen | To ensure that secure authe | 4 | Group-Admin | Group-Admin | Política de ge
Capacity Man | To ensure effective monitor | 4 | Group-Admin | Group-Admin | Cloud Service
Malware Prot | To ensure that malware pro | 4 | Group-Admin | Group-Admin | IT Security Po
Vulnerability | To ensure that all technica | 4 | Group-Admin | Group-Admin | Hardening Pol
Configuratio | To ensure that the configu | 4 | Group-Admin | Group-Admin | Change and C
Information De | Ensure the secure and comp | 4 | Group-Admin | Group-Admin | Cloud Service
Data Masking | Ensure that sensitive data, | 4 | Group-Admin | Group-Admin | Hardening Po
Data Leakage | Ensure the implementation | 4 | Group-Admin | Group-Admin | Hardening Po
Information B | To ensure that backups of | 4 | Group-Admin | Group-Admin | Política de re
Redundancy fo | To ensure that information | 4 | Group-Admin | Group-Admin | Business Cont
Logging Man | To ensure comprehensive log | 4 | Group-Admin | Group-Admin | Logging and M
Anomalous Act | To ensure continuous monit | 4 | Group-Admin | Group-Admin | Logging and M
Clock Synchro | Ensure all information pro | 4 | Group-Admin | Group-Admin | IT Security Po
Privileged Ut | To ensure the restricted an | 4 | Group-Admin | Group-Admin | Política de ge
Software Inst | To ensure that all software | 4 | Group-Admin | Group-Admin | Change and C
Network Secu | Ensure the security of inf | 4 | Group-Admin | Group-Admin | Hardening Pol
Network Servi | Ensure the security mechan | 4 | Group-Admin | Group-Admin | Hardening Pol
Network Segr | Ensure that network domains | 4 | Group-Admin | Group-Admin | Hardening Pol
Web Filtering | Ensure that access to exter | 4 | Group-Admin | Group-Admin | IT Security Po
Cryptography | To ensure effective use of | 4 | Group-Admin | Group-Admin | Hardening Pol
Secure Devel | Ensure that all software a | 4 | Group-Admin | Group-Admin | Secure Devel
Application S | Ensure that all applicatio | 4 | Group-Admin | Group-Admin | Secure Devel
Secure Syste | Ensure that all informatio | 4 | Group-Admin | Group-Admin | Secure Devel
Secure Codin | To ensure that secure codin | 4 | Group-Admin | Group-Admin | Secure Devel
Secure Devel | To ensure that all new inf | 4 | Group-Admin | Group-Admin | Secure Devel
Outsourced D | To ensure that outsourced | 4 | Group-Admin | Group-Admin | Supplier Man
Environment T S | To ensure that development | 4 | Group-Admin | Group-Admin | Secure Devel
Change Manag | Ensure that all changes to | 4 | Group-Admin | Group-Admin | Change and C
Test Informa | Ensure that test informatio | 4 | Group-Admin | Group-Admin | Secure Devel
Audit Testing | To ensure that audit testin | 4 | Group-Admin | Group-Admin | Hardening Pol
Segregation o | To ensure that duties and r | 4 | Group-Admin | Group-Admin | Política de ge
Cybersecurit | To ensure that cybersecurit | 4 | Group-Admin | Group-Admin | Risk Managem
ICS/OT Secur | To ensure robust security | 4 | Group-Admin | Group-Admin | ICS/OT Securit
Unauthorized | To ensure that all assets | 4 | Group-Admin | Group-Admin | Política de ge
Active Networ | Ensure all assets connected | 4 | Group-Admin | Group-Admin | Política de ge
DHCP Invento | Ensure that DHCP logging is | 4 | Group-Admin | Group-Admin | Política de ge
Passive Asset | To ensure all assets connec | 4 | Group-Admin | Group-Admin | Política de ge
Automated So | Ensure comprehensive and a | 4 | Group-Admin | Group-Admin | Política de ge
Script Allowli | Ensure that only authorized | 4 | Group-Admin | Group-Admin | IT Security Po
Secure Asset | Ensure secure management a | 4 | Group-Admin | Group-Admin | Hardening Pol
Trusted DNS S | Ensure all enterprise asset | 4 | Group-Admin | Group-Admin | Hardening Pol
Audit Owner (Audit EvidencAudit MethodolAudit SuccessAudit Date (OMaintenance O
Output: reflect
A report organization
verifying the al needs,
current and are
status and approved by
alignment of top
the managemen
Information t.
Security Evidence of
Policy and effective
topic- communicati
specific on and
policies. acknowledg
A ment of
compliance these
checklist for policies by
each policy, relevant
indicating personnel.
approval, Regular
communicati reviews and
on, and updates of
acknowledg policies
ment status. following
Summary of changes in
findings business
from the strategy,
review of regulatory
managemen environment
t audits and , and
their impact information
on policy security
Group-AdminGroup-Admin updates. landscape. 22-Jan
es are communicati
current and on and
relevant. training
regarding
Output: these roles
A report and
detailing the responsibiliti
allocation es.
and A record of
definition of adherence
information to the
security information
roles and security
responsibiliti policy, with
es. appropriate
A disciplinary
compliance actions
assessment taken where
report based necessary.
on training Managemen
records and t reviews
disciplinary reflect
actions. active and
A review effective
report on oversight in
the the
effectivenes allocation of
s of information
managemen security
t’s oversight roles and
on role responsibiliti
Group-AdminGroup-Admin allocations. es. 22-Jan
ty, .
accessibility, Comprehens
and ive Staff
effectivenes Guidelines
s of the and
reporting Briefings: All
channels. staff have
Staff received
Guidelines appropriate
and Briefing guidelines
Compliance and
Report: briefings on
Documentati their
on showing information
compliance security
with the roles and
provision of responsibiliti
guidelines es.
and Adequate
briefings to Resource
staff. Allocation:
Resource Sufficient
Allocation resources
Evaluation and
Report: planning
Assessment time are
of resources allocated for
and time implementin
allocation g security-
for security related
processes processes
Group-AdminGroup-Admin and controls. and controls. 22-Jan
and in response
upcoming to
regulatory information
expectations security
. incidents are
made in
Output: accordance
A report with the
listing all established
reviewed policy.
incidents Regular and
and the effective
correspondi communicati
ng actions on with
taken. special
Documentati interest
on verifying groups is
communicati maintained.
ons with The
authorities organization
and special demonstrate
interest s awareness
groups. and
An understandi
assessment ng of current
report on and
the upcoming
adherence information
to the policy security
for regulations
contacting as
Group-AdminGroup-Admin authorities. applicable. 22-Jan
improve
information Active and
security relevant
practices. participation
in identified
Output: special
A report interest
detailing the groups and
organization' forums.
s Regular and
engagement effective
with each internal
group or disseminatio
forum. n of
An information
assessment and best
report on practices
the acquired
effectivenes from these
s of groups.
information Demonstrabl
disseminatio e impact of
n within the the
organization information
. acquired on
Recommend the
ations for organization'
improving s
engagement information
and security
information posture and
Group-AdminGroup-Admin utilization. practices. 22-Jan
identified
threats.

Output: Threat
A report intelligence
summarizing sources and
the methods
evaluation comprehensi
of threat vely cover
intelligence strategic,
sources and tactical, and
methods. operational
A aspects.
spreadsheet Threat
or document intelligence
assessing reports are
the quality relevant,
of threat insightful,
intelligence contextual,
reports. and
An actionable.
assessment Effective
report on integration
the of threat
integration intelligence
of threat into the
intelligence organization'
into risk s risk
managemen managemen
t and t and
security security
Group-AdminGroup-Admin processes. processes. 22-Jan
security in information
project security
managemen risks are
t for each considered
reviewed and treated
project. as part of
A project
compliance managemen
matrix t.
indicating Clear
how each definition
project and
aligns with allocation of
the information
organization security
’s roles and
information responsibiliti
security es in all
policies and projects.
procedures. Compliance
Recommend with
ations for organization
improvemen al
t in cases information
where security
projects fall policies,
short of the regulations,
required and best
information practices in
security project
integration managemen
Group-AdminGroup-Admin standards. t processes. 22-Jan
policy. status.
Ownership is
Output: correctly
A assigned
comprehensi and
ve report documented
detailing for all listed
findings assets, with
from the additional
inventory details
and asset accurately
return recorded.
review. Asset return
A forms are
spreadsheet complete
or database and comply
capturing with policy
the requirement
alignment of s.
ownership Asset
records with tracking logs
the asset confirm
inventory timely and
and proper
returned return of
assets. assets, with
Summary of all additional
discrepancie asset details
s or gaps appropriatel
identified y
during the documented
Group-AdminGroup-Admin analysis. . 22-Jan
including
the
verification
of additional
asset
details.
A
spreadsheet All users
or database comply with
capturing the
the acceptable
alignment of use
ownership standards as
records with per the
the Acceptable
enhanced Use Policy.
asset Effective
inventory monitoring
and mechanisms
returned are in place
assets. to detect
Summary of and report
discrepancie non-
s or gaps compliant
identified activities.
during the Incidents of
analysis, policy
especially in violations
regards to are minimal
the newly and
added asset appropriatel
Group-AdminGroup-Admin details. y addressed. 22-Jan
A report information
detailing the classification
classification and labeling
and labeling policies.
review of Documentati
each on of
sampled classification
document, decisions
record, and and labeling
digital file. practices is
A summary complete
of and
compliance demonstrate
or non- s adherence
compliance to the
with the policies.
classification Any
and labeling identified
policies for misclassifica
each tions,
examined mislabeling,
item. or process
Recommend gaps are
ations for addressed
any promptly to
reclassificati maintain the
on, integrity of
relabeling, the
or process information
improvemen classification
ts where and labeling
Group-AdminGroup-Admin necessary. system. 22-Jan
compliance. organization'
s encryption,
Output: authenticati
A report on, and
detailing the classification
compliance standards.
status of Third-party
each transfer
information agreements
transfer are in full
method. compliance
An with the
assessment organization'
report of s security
third-party policies.
transfer No incidents
agreements. of
A information
compliance transfer
matrix breaches or
aligning policy non-
transfer logs compliance
with are found.
company Adequate
policies. remedial
A summary actions are
of any in place for
incidents any
and identified
remedial non-
actions compliance
Group-AdminGroup-Admin taken. issues. 22-Jan
roles or y.
employment Authenticati
status. on
information
Output: is allocated,
A managed,
comprehensi and
ve report protected
detailing securely,
compliance with user
and compliance
adherence to
to policies guidelines.
across all Access
areas. rights are
Summaries provisioned,
of identity reviewed,
managemen and
t, modified in
authenticati accordance
on with
information organization
practices, al needs and
and access security
rights requirement
governance. s, with
Analysis of special
logs and attention to
records for changes in
irregularities roles or
or non- employment
Group-AdminGroup-Admin compliance. status. 22-Jan
ess to
issues. All suppliers
have clearly
Output: documented
Compiled security
list of requirement
suppliers s in their
with contracts/ag
associated reements.
security Suppliers
requirement demonstrate
s from compliance
contracts. with the
Comparison organization'
spreadsheet s security
of supplier standards.
compliance Effective
vs. monitoring
organization' and
s security managemen
standards. t of supplier-
Summary related
report of security
incidents incidents.
and non- Prompt and
compliance appropriate
issues. action taken
Evaluation in response
report on to non-
the supplier compliance
monitoring or security
Group-AdminGroup-Admin process. issues. 22-Jan
service and Cloud
its service
compliance acquisition
status with and exit
selection processes
criteria and comply with
usage the
scope. organization'
A s policies
compliance and
assessment procedures.
report for Effective
cloud managemen
service t of
acquisition information
and exit security
processes. risks
An associated
evaluation with cloud
report of services.
cloud Proper
service handling
managemen and
t activities. response to
An analysis security
report of incidents in
incident cloud
managemen services as
t logs per the
related to incident
cloud managemen
Group-AdminGroup-Admin services. t policy. 22-Jan
and contractual
resolution. timeframes.
Documentati Post-incident
on of analyses
communicati lead to
on and continuous
notification improvemen
actions ts in the
taken during incident
incidents. managemen
Analysis of t process.
post- Incident
incident response
reviews and personnel
implemente receive
d adequate
improvemen and up-to-
ts. date training
Records of and
training and professional
professional developmen
developmen t.
t activities Evidence
for incident collection
response and
personnel. handling
Audit trail of procedures
evidence are legally
collection compliant
and and adhere
handling to internal
Group-AdminGroup-Admin procedures. standards. 22-Jan
compliance plans are
report on comprehensi
the ICT ve, up-to-
continuity date, and in
plans, alignment
including with the BIA
assessments outcomes.
of RTOs, Regular
RPOs, and testing or
strategies. drills of the
Test and ICT
drill continuity
evaluation plans
report demonstrate
demonstrati their
ng the effectivenes
effectivenes s and
s of the ICT readiness.
continuity The
plans. organization
An al structure
organization adequately
al structure supports
review and is
report competent
focusing on in managing
ICT ICT service
continuity disruptions
managemen in line with
t roles and the business
responsibiliti continuity
Group-AdminGroup-Admin es. objectives. 22-Jan
s of currentPlans
security adequately
measures address
and identifyinformation
any security
potential requirement
gaps. s during
disruptions.
Output: The
A detailed implemente
report on d security
the controls and
evaluation compensatin
of the BCP g controls
and ICT are effective
Continuity and comply
Plans. with
A industry
compliance best
matrix practices.
comparing Response
current actions
controls with taken during
industry disruptions
best align with
practices. the planned
A gap procedures
analysis and
report from effectively
recent maintain
disruption information
Group-AdminGroup-Admin responses. security. 22-Jan
cryptograph All legal,
y. statutory,
regulatory,
Output: and
A report contractual
detailing the requirement
status of s are
compliance identified,
with each documented
legal, , and
statutory, regularly
regulatory, updated.
and Compliance
contractual actions,
requirement policies, and
. training are
A effectively
compliance aligned with
matrix these
aligning requirement
obligations s.
with specific Any specific
actions and legal advice
policies. or
A summary consultation
of legal s are
consultation adequately
s and addressing
advice, the relevant
highlighting legal
any areas of complexities
Group-AdminGroup-Admin concern. . 22-Jan
Output: intellectual
A verified property
spreadsheet assets are
of all properly
intellectual documented
property , licensed,
assets with and used in
correspondi compliance
ng licenses with
and relevant
ownership laws and
proofs. internal
A report on policies.
the There are no
compliance instances of
status of unauthorize
each asset d use,
with regards duplication,
to or transfer
intellectual of
property intellectual
laws and property
policies. assets.
A summary Staff are
of staff adequately
training and trained and
contractual contractuall
commitment y bound to
s concerning uphold
intellectual intellectual
property property
Group-AdminGroup-Admin rights. rights. 22-Jan
managemen retention
t guidelines. schedule is
A strictly
spreadsheet followed for
or document all record
comparing types.
each No
sampled unauthorize
record d access or
against its manipulatio
retention n of records
schedule is detected.
and Electronic
handling storage
requirement systems are
s. adequate to
An analysis ensure
report on record
the security availability
and and integrity
adequacy of over time.
electronic Effective
storage managemen
systems. t of
A review cryptographi
report on c keys and
the programs for
managemen the duration
t of of the
cryptographi records’
c keys and retention
Group-AdminGroup-Admin programs. period. 22-Jan
complaint All systems
records to and
evaluate processes
how privacy comply with
breaches the
are organization'
managed s Privacy
and Policy.
resolved. PII handling
procedures
Output: are
A report effectively
detailing the implemente
compliance d and align
of each with
system and regulatory
process with requirement
the Privacy s.
Policy. Privacy
A summary incidents
of the and
effectivenes complaints
s of PII are
handling managed
procedures. promptly
An analysis and
of incident effectively,
and with
complaint measures in
handling place to
related to prevent
Group-AdminGroup-Admin PII. recurrence. 22-Jan
findings of of the
the information
compliance security
review. policy and
A list of any specific
current non- policies are
compliances regularly
and reviewed
recommend and
ations for complied
corrective with.
actions. Effective
An corrective
evaluation actions are
report on implemente
the d in
effectivenes response to
s of identified
previously non-
implemente compliances
d corrective .
actions. Continuous
Recommend improvemen
ations for t in the
improvemen compliance
ts in the review
compliance process with
review effective
process or utilization of
policy automatic
adjustments tools, where
Group-AdminGroup-Admin , if needed. applicable. 22-Jan
adhered to
the
documented
procedures.

Output:
A
comprehensi
ve report
comparing All
the actual operational
operational activities
practices conform to
against the the
documented documented
procedures. operating
A log of procedures.
updates and Documented
changes to procedures
the are regularly
operating reviewed,
procedures, updated,
along with and
authorizatio authorized.
n records. Responses
An analysis to errors and
report of system
error failures are
handling in line with
and system the
failure documented
Group-AdminGroup-Admin incidents. procedures. 22-Jan
and criteria
for periodic
re-
verification
of personnel
suitability. All
personnel
Output: have
A report undergone
detailing the the required
compliance level of
status of screening
each before and
personnel’s during their
background employment
verification. .
A Screening
compliance processes
matrix are in line
comparing with legal,
screening ethical, and
requirement business
s against requirement
actual s.
checks Continuous
performed. suitability of
An analysis personnel is
of supplier periodically
contracts reassessed,
regarding especially
screening for those in
Group-AdminGroup-Admin clauses. critical roles. 22-Jan
Output: comprehensi
A report ve
summarizing information
the review security
of responsibiliti
employment es and legal
contracts obligations.
and Actual
confidentiali practices of
ty handling
agreements. information
A security and
compliance legal
matrix responsibiliti
comparing es are in full
stated compliance
responsibiliti with the
es in terms stated
agreements in the
with actual agreements.
practices. Disciplinary
A summary actions for
of non-
disciplinary compliance
actions are
taken, consistently
correlated applied in
with the accordance
respective with the
breaches of terms of
employment employment
Group-AdminGroup-Admin terms. . 22-Jan
relevant All
procedures. personnel
Assess the have
effectivenes completed
s of training the required
by analyzing information
the results security
of post- training.
training Training
assessments materials
or quizzes. adequately
cover the
Output: organization'
A report s
detailing the information
completion security
status of policy,
training for specific
all policies, and
personnel. procedures.
A review Post-training
summary of assessments
the training indicate
materials for effective
completenes knowledge
s and transfer and
relevance. understandi
An analysis ng of
report of information
post-training security
assessment responsibiliti
Group-AdminGroup-Admin results. es. 22-Jan
disciplinary
Output: process for
A report each
summarizing reported
each violation
violation and aligns with
the the
correspondi Information
ng Security
disciplinary Policy.
action. Actions
A taken in
comparison response to
matrix violations
showing the are
alignment appropriate
between based on
each case's the nature
specifics and and severity
the of the
response as breach, as
per the well as the
policy. training and
A summary intent of the
of violator.
discrepancie Consistent
s, if any, application
between the of the
policy and disciplinary
its process
implementat across all
Group-AdminGroup-Admin ion. cases. 22-Jan
responsibiliti include
es were required
communicat clauses on
ed and post-
understood employment
by the information
departing security
employees. responsibiliti
es.
Output: Documented
A report evidence
detailing the shows that
review of departing
termination/ employees
change of were made
employment aware of
agreements. their
A ongoing
compliance information
matrix security
comparing responsibiliti
agreement es.
clauses The
against compliance
policy matrix
standards. demonstrate
Summary of s full
findings alignment of
from exit agreement
interview clauses with
document policy
Group-AdminGroup-Admin reviews. standards. 22-Jan
Output:
A
spreadsheet Every
listing all individual on
individuals the list has a
with a signed
column agreement
indicating that is
whether current and
they have a compliant
correspondi with the
ng signed organization'
agreement. s standards.
A report All
summarizing agreements
any reflect the
discrepancie latest
s between template in
individual terms of
agreements clauses and
and the legal
current enforceabilit
template. y.
Documentati Evidence of
on of the regular
last review review and
and update updating of
of the the
confidentiali confidentiali
ty ty
agreement agreement
Group-AdminGroup-Admin template. template. 22-Jan
spreadsheet Security
detailing the Policy
security standards.
configuratio Remote
n of each workers
remote have
device. completed
Documentati necessary
on on training and
training are aware of
completion secure
and working
awareness practices.
levels Adequate
among physical
remote security
workers. measures
An are in place
assessment at remote
of physical work
security locations.
measures at Effective
remote backup and
locations. emergency
An analysis procedures
of backup are
and established
emergency and followed
procedures in remote
in place for working
remote environment
Group-AdminGroup-Admin work. s. 22-Jan
with the All
actual information
reporting security
practice. events are
reported in
Output: accordance
A detailed with the
report defined
summarizing timelines in
the findings the Incident
from the Managemen
security t Policy.
events Complete
records. alignment
A between
comparison reported
matrix of security
reported events and
events communicati
versus on logs or
communicati emails.
on logs to Incident
identify any Managemen
discrepancie t Policy and
s. procedures
An are
assessment effectively
report of the guiding and
Incident aligning with
Managemen the actual
t Policy and reporting
Group-AdminGroup-Admin procedures. practices. 22-Jan
unauthorize All physical
d access security
attempts or perimeters
security are in good
breaches. condition
and provide
Output: adequate
A detailed protection.
report on All
the state surveillance
and and access
effectivenes control
s of each systems are
security functioning
perimeter. as intended,
A log with no
analysis unauthorize
report d access or
highlighting breaches
any security identified.
incidents or Regular
unusual maintenanc
activities. e and
A testing of
maintenanc physical
e and security
testing systems are
compliance being
report for conducted in
physical compliance
security with the
Group-AdminGroup-Admin systems. policy. 22-Jan
analysis logs.
highlighting All physical
any access
discrepancie control
s or systems are
unauthorize operational
d access and properly
incidents. maintained.
A summary Visitor
of physical managemen
access t is
control consistent
systems' with policy
status and requirement
maintenanc s, with all
e checks. visitors
A report on authorized
visitor log and logged
analysis, appropriatel
indicating y.
compliance Inspection
with visitor procedures
managemen for personal
t belongings
procedures. at entry and
An exit points
evaluation comply with
report on legal
personal requirement
belongings s and are
inspection effectively
Group-AdminGroup-Admin procedures. enforced. 22-Jan
tests to
identify any
gaps or
areas for
improvemen The physical
t. security plan
comprehensi
Output: vely
A report on addresses
the all identified
effectivenes risks and
s of the complies
physical with internal
security standards.
plan. No
A log unauthorize
analysis d access or
report security
highlighting breaches
any security are evident
incidents. in the logs
A summary and footage.
of findings Recent
from the audits and
review of tests show
recent continuous
security improvemen
audits and t and
tests. alignment
Audit with
Success emerging
Group-AdminGroup-Admin Criteria: threats. 22-Jan
and No evidence
retention of
periods. unauthorize
d access or
Output: suspicious
A report behavior in
detailing the the review
surveillance period.
system and Compliance
alarm with
coverage. relevant
Summary of standards
findings for system
from the testing and
analysis of maintenanc
access logs e.
and video Full
footage. adherence
Compliance to local laws
report with and
local laws regulations
and regarding
regulations. surveillance
Records of and data
system protection.
testing and All physical
maintenanc access to
e. sensitive
Physical areas
access log accounted
audit for and
Group-AdminGroup-Admin results. authorized. 22-Jan
to-know basis.

Output:
A report summarizing findings from access log and surveillance footage analysis.
A compliance assessment report regarding the use of recording and endpoint devices.
An evaluation of the visibility and accessibility of emergency procedures in secure areas.

Audit Success Criteria:
d or unsupervised activities are occurring within secure areas. Recording and endpoint devices are used in compliance with organizational policies. Emergency procedures are appropriately posted and accessible in all secure areas. Information about secure areas is only disclosed on a need-to-know basis.

Group-Admin | Group-Admin | 22-Jan
Output:
A report with photographs of the workspaces assessed.
A spreadsheet or document detailing each printer's configuration and compliance status.
A report on system configurations regarding automatic logout and screen lock features.
A summary of training and communication effectiveness regarding the policy.

Audit Success Criteria:
endpoint devices). All printers comply with the authentication requirement of the clear screen policy. System configurations adhere to the automatic logout and screen lock requirements. Effective dissemination and understanding of the clear desk and clear screen policy across the organization.

Group-Admin | Group-Admin | 22-Jan
An assessment report on the adequacy of physical and environmental protection measures.
A summary of environmental condition monitoring results and any identified risks.
An analysis of access control effectiveness.
Compliance report regarding data handling and equipment protection guidelines.

Audit Success Criteria:
Only authorized personnel have access to sensitive equipment areas. Environmental conditions are consistently monitored and maintained within safe parameters for equipment operation. Compliance with policies and procedures for handling sensitive data and protecting equipment from information leakage and other risks.

Group-Admin | Group-Admin | 22-Jan
Output:
A report detailing the authorization status of each off-premises device.
Documentation verifying the chain of custody for each device.
Evidence of functional location tracking and remote wipe capabilities.
Compliance report for physical and environmental protection measures.
An audit trail of all equipment and media removed from premises.

Audit Success Criteria:
t System. Complete and accurate chain of custody records for all off-premises devices. All devices have functional location tracking and remote wipe capabilities. Full adherence to physical and environmental protection guidelines. Accurate and comprehensive logs of all equipment and media taken off-premises.

Group-Admin | Group-Admin | 22-Jan
compliance of storage media management with the policy.
A spreadsheet summarizing acquisitions, disposals, transportations, and usage of storage media.
Documentation evidencing cryptographic measures and environmental protections.
Audit findings on the periodic data transfer practices for storage media.

Audit Success Criteria:
documented and authorized. Usage and removal of storage media are properly logged and aligned with the audit trail requirements. Cryptographic measures and environmental protections are adequately implemented. Regular data transfers to new storage media are conducted to prevent data degradation.

Group-Admin | Group-Admin | 22-Jan
manufacturer specifications.
A compliance checklist against the regular maintenance and inspection of utility support equipment.
A review report on network segregation and security measures for utility support systems.
An evaluation report of emergency response plans and redundancy measures.

Audit Success Criteria:
equipment are conducted and documented. Effective network segregation is in place for utility support systems. Emergency response plans are comprehensive, up-to-date, and effective in handling utility disruptions. Redundant and diverse utility feeds are implemented where necessary for critical utilities.

Group-Admin | Group-Admin | 22-Jan
use of fiber-optic cables where necessary.
Ensure that cables are labeled at each end with source and destination details for physical identification and inspection.

Output:
Documentation detailing the status of each cable and its security measures.
Records of inspections and sweeps.
Confirmation of cable labeling and segregation.

Audit Success Criteria:
effectively segregated. Additional security measures for sensitive systems are implemented as required. Periodical inspections and sweeps are documented and effective. Controlled access is maintained for patch panels and cable rooms. Fiber-optic cables are used where necessary. Cables are labeled for easy identification.

Group-Admin | Group-Admin | 22-Jan
authorization and qualifications of maintenance personnel.
A report on the security measures for off-premises maintenance.
Compliance reports with insurance-imposed maintenance requirements.
Inspection reports for post-maintenance equipment checks.
Records of secure disposal or re-use of equipment.

Audit Success Criteria:
premises maintenance, including confidentiality agreements. Compliance with all maintenance requirements imposed by insurance is achieved. Equipment inspection post-maintenance confirms no tampering and proper functionality. Secure disposal or re-use of equipment is conducted as per organizational standards.

Group-Admin | Group-Admin | 22-Jan
from the equipment as per policy.

Output:
A comprehensive report detailing each equipment's sanitization and label removal process.
A checklist verifying the completion of data destruction or overwriting for each item.
Photographic evidence or certificates of destruction, if applicable.

Audit Success Criteria:
disposal or reuse has undergone appropriate data sanitization. Physical destruction of storage media is conducted where necessary, with adequate documentation. All organizational labels and markings are removed from the equipment. Compliance with secure disposal and reuse policy is fully documented and verifiable.

Group-Admin | Group-Admin | 22-Jan
A compiled inventory and configuration report for the sampled devices.
A compliance matrix showing each device's adherence to the policy's requirements.
A summary of security updates and patch management status for these devices.
Documentation of user acknowledgments or compliance attestations.

Audit Success Criteria:
All user endpoint devices in the sample are registered and comply with physical protection, software, encryption, and security update requirements as per policy. Users have acknowledged and adhere to the endpoint device security policy.

Group-Admin | Group-Admin | 22-Jan
each privileged account with the Access Control Matrix.
A spreadsheet detailing and verifying each privileged access change request and its compliance with the policy.
A report on the assessment of the authorization process and management of privileged access rights.

Audit Success Criteria:
Access Control Matrix. All change requests for privileged access have followed the established procedure and policy. The authorization process for privileged access rights is robust and compliant with organizational standards. Effective measures are in place for the awareness, management, and expiry of privileged access rights.

Group-Admin | Group-Admin | 22-Jan
referencing each user account with the Access Matrix to validate proper access levels.
A detailed review of each change request, confirming adherence to the access modification procedures.
Anomalies or irregularities report highlighting any unauthorized access or deviations from expected access patterns.

Audit Success Criteria:
All user accounts and their respective access levels conform to the specifications in the Access Matrix. All change requests related to access permissions are properly documented and executed following established procedures. No evidence of unauthorized access or improper modification of access levels.

Group-Admin | Group-Admin | 22-Jan
access patterns, focusing on write access to source code.

Output:
A report detailing compliance with the Access Control Matrix.
A spreadsheet or database cross-referencing each access instance against the Access Control Matrix.
Compiled documentation and analysis of change requests.

Audit Success Criteria:
All instances of access to source code, development tools, and software libraries align with the permissions defined in the Access Control Matrix. All change requests related to source code access have been executed following established procedures and with appropriate authorizations.

Group-Admin | Group-Admin | 22-Jan
of system authentication settings.
A report detailing the comparison of current authentication settings against policy requirements.
An analysis spreadsheet of access logs, focusing on authentication success and failure patterns.
A summary of reviewed change requests with an assessment of adherence to the policy.

Audit Success Criteria:
systems effectively protect against unauthorized access and minimize security risks. Change requests related to authentication settings adhere to the policy and maintain or enhance the security posture. Measures to protect against brute force attacks and unauthorized access are effectively in place and functioning as intended.

Group-Admin | Group-Admin | 22-Jan
and

Output:
A compiled report detailing findings from the Capacity Management Plan and utilization reports.
A comparative analysis of historical vs. projected resource usage.
Summary of stress-test results and their implications.
Overview of management discussions and decisions on capacity management.

Audit Success Criteria:
aligned with the organization's capacity requirements. Historical trends and future projections of resource usage are realistic and actively managed. Stress-tests confirm system readiness for peak demands. Management demonstrates proactive engagement and decision-making in capacity management matters.

Group-Admin | Group-Admin | 22-Jan
user awareness training related to malware protection.
An assessment report on the authorization and justification of disabled malware protection measures.
An evaluation report on the procedures for external file and software acquisition and their compliance with malware protection standards.

Audit Success Criteria:
malware protection training. Any instances of disabled malware protection measures are fully compliant with the organizational policy, including proper authorization and justification. Procedures for obtaining files and software from external sources are robust and effectively mitigate risks of malware introduction.

Group-Admin | Group-Admin | 22-Jan
Output:
A comprehensive spreadsheet or report detailing the findings from the vulnerability scans and assessments.
Documentation verifying the successful application of updates and patches.
A report on the status of third-party libraries and source codes, highlighting any potential vulnerabilities.

Audit Success Criteria:
information systems are regularly scanned for vulnerabilities, and identified vulnerabilities are promptly addressed. Updates and patches are effectively applied to mitigate identified vulnerabilities. Third-party libraries and source codes are regularly reviewed and updated to ensure they do not introduce vulnerabilities into the system.

Group-Admin | Group-Admin | 22-Jan
detailing the comparison between each asset's configuration and the standard templates.
A spreadsheet or similar document listing each configuration change, its compliance with the standard process, and approval status.
An evaluation report on the currentness and comprehensiveness of the standard configuration templates.

Audit Success Criteria:
and network configurations align with the established standard templates. All configuration changes are properly documented, approved, and comply with the change management process. The standard configuration templates are up-to-date and effectively address current security requirements and technological changes.

Group-Admin | Group-Admin | 22-Jan
s.

Output:
A report detailing the deletion methods used and their compliance with policies and regulations.
A log or spreadsheet verifying each deletion activity and its adherence to the policy.
A summary of third-party compliance with the information deletion requirement.

Audit Success Criteria:
All sensitive information is deleted in accordance with the organization's data retention policy and relevant laws. Proper documentation and evidence of deletion are maintained for all deletion activities. Third-party service providers (if used) comply with the organization's requirements for secure information deletion.

Group-Admin | Group-Admin | 22-Jan
databases containing sensitive data and their respective data protection techniques.
A compliance assessment report evaluating the implementation of data masking, pseudonymization, or anonymization techniques.
A change log analysis report highlighting any recent modifications and their compliance status.

Audit Success Criteria:
and databases containing sensitive data employ adequate data masking, pseudonymization, or anonymization techniques as per policy requirements. Recent changes or updates to data protection techniques are in compliance with organizational policies and do not compromise the integrity of data protection.

Group-Admin | Group-Admin | 22-Jan
system, network, and device.
Analysis report of DLP tool effectiveness and incident handling.
Assessment report on user access controls and compliance with data transfer restrictions.
Training and awareness program effectiveness report.
Backup policy compliance report, with a focus on encryption and access control measures.

Audit Success Criteria:
response and remediation actions. Strict adherence to user access controls and data transfer policies is maintained. Training and awareness programs are effective in educating employees about data leakage risks and prevention. Backups of sensitive information are adequately protected with robust encryption and access controls.

Group-Admin | Group-Admin | 22-Jan
restoration.

Output:
A comprehensive report summarizing the findings from the backup schedule, logs, and testing exercises.
A spreadsheet or checklist comparing scheduled backups with actual backup logs.
A summary of backup testing exercises, indicating successes and areas for improvement.

Audit Success Criteria:
All backups are conducted in accordance with the set schedule and backup policy. Backup logs confirm the completion of scheduled backups without significant failures. Backup testing exercises demonstrate the reliability and effectiveness of the backups in data restoration scenarios.

Group-Admin | Group-Admin | 22-Jan
detailing the redundancy implementations for each critical information processing facility.
A summary of findings from the analysis of the redundancy architecture and its effectiveness.
A report on the outcomes of redundancy system tests.
A review of incident reports concerning the activation of redundant systems.

Audit Success Criteria:
availability requirements. Redundancy implementations are verified to be effective and maintain equivalent security levels to primary systems. Failover and redundancy mechanisms are tested and proven functional. Incident responses involving the activation of redundant systems are timely and effective in ensuring continued operations.

Group-Admin | Group-Admin | 22-Jan
adherence to retention schedules.

Output:
A report summarizing the logging configurations and practices of each audited system.
A compliance matrix comparing current practices against policy requirements.
Analysis reports of log reviews, highlighting any discrepancies or concerns.

Audit Success Criteria:
All audited systems are logging events as per policy requirements, capturing necessary details. Log data is securely stored, protected from unauthorized access or manipulation, and retained according to the defined policies. Regular log reviews are conducted, with anomalies investigated and appropriately actioned.

Group-Admin | Group-Admin | 22-Jan
's inventory to ensure complete coverage.

Output:
Report detailing the configurations of monitoring tools.
Analysis report of the monitoring logs.
Documentation review report regarding the established baseline and response to alerts.
Compliance matrix indicating coverage of all systems and applications.

Audit Success Criteria:
and applications are being effectively monitored for anomalies. Established baseline of normal behavior is consistently applied, and deviations are accurately detected and alerted. Response procedures to alerts are effective and timely. No significant gaps in monitoring coverage of networks, systems, and applications.

Group-Admin | Group-Admin | 22-Jan
for reliability and manage any variance observed.

Output:
A comprehensive report detailing the time settings and synchronization status of each system.
An analysis document comparing actual settings against policy requirements and best practices.
A summary of discrepancies or issues found during the audit.

Audit Success Criteria:
All systems are synchronized to the approved standard reference time. Time synchronization configurations comply with organizational policies and best practices. Discrepancies in time settings, especially in cloud and hybrid environments, are identified and addressed.

Group-Admin | Group-Admin | 22-Jan
privileged utility programs and their authorization status.
Spreadsheet or database entries correlating user activities with authorized access lists.
Compiled documentation of authorization levels, access rights, and ad hoc authorizations.
Analysis report on segregation measures and their effectiveness.

Audit Success Criteria:
programs are authorized, necessary, and used only by authorized personnel. Authorization levels and access rights are properly defined, documented, and adhered to. Ad hoc use of utility programs is adequately controlled and documented. Effective segregation of utility programs is implemented and maintained.

Group-Admin | Group-Admin | 22-Jan
testing in a controlled environment.

Output:
A comprehensive list of all software installations and updates with corresponding change records.
A report detailing the approval status for each software installation or update.
A summary of testing procedures and results for each software installation or update.

Audit Success Criteria:
for in the IT Asset Inventory and have corresponding, approved change records. Each software installation or update has been subjected to thorough testing as per the organization's standards. The organization's process for software installation and updates is consistently followed, minimizing security risks.

Group-Admin | Group-Admin | 22-Jan
Output:
Compiled network diagrams and configuration files.
Report on the review of network security procedures and controls.
Analysis of network security monitoring logs.
Evaluation report of virtualized network controls.
Spreadsheet or report correlating change requests with executed changes.

Audit Success Criteria:
organizational policies. Network security monitoring indicates no unauthorized access and proper handling of security incidents. Controls for virtualized networks are robust and comply with security standards. All change requests and executed changes are in accordance with the organization's change management procedures.

Group-Admin | Group-Admin | 22-Jan
service.
A compliance matrix showing the alignment of each service with its respective security requirements.
Documentation or records of monitoring activities and third-party attestations.
A summary of findings on the review of network usage rules and policies.
An analysis report of network service usage logs.

Audit Success Criteria:
compliance with the established procedures. Third-party attestations are valid, current, and in line with organizational security standards. Network and network service usage rules are comprehensive, up-to-date, and effectively enforced. Network service usage logs align with established authentication and authorization procedures.

Group-Admin | Group-Admin | 22-Jan
architecture diagrams with annotations on domain segregations.
Configurations report of gateways showing access control settings.
Analysis report of wireless network settings, focusing on segregation and security measures.
Compliance report detailing the review of access control logs and communication records.

Audit Success Criteria:
sensitivity, and criticality. Gateways are correctly configured to control access between network domains. Wireless networks for guests are segregated from internal networks with appropriate security measures. All inter-domain communications comply with the established access control policies and procedures.

Group-Admin | Group-Admin | 22-Jan
appropriate training on web filtering and secure online resource usage.

Output:
A report detailing the configuration settings of web filtering tools.
A spreadsheet comparing blocked websites/categories with user access logs.
A summary of training records and materials related to web filtering and online resource usage.

Audit Success Criteria:
Web filtering tools are configured in compliance with the organizational policy. No unauthorized access to blocked websites or categories is detected. All personnel have received and completed training on web filtering and secure use of online resources.

Group-Admin | Group-Admin | 22-Jan
ensure they address liability, reliability, and response times.

Output:
A report on the compliance of the cryptographic systems and practices with the organization's policy.
A detailed analysis of key management processes and activities.
An evaluation of external supplier agreements.

Audit Success Criteria:
Cryptographic practices and key management procedures are fully compliant with the organization's policy. All cryptographic keys are managed securely and effectively, with proper logs and records maintained. Agreements with external suppliers meet organizational and regulatory requirements.

Group-Admin | Group-Admin | 22-Jan
t practices.

Output:
A detailed report of SDLC adherence for each project.
A comparison table matching secure coding practices with organizational guidelines.
A summary of third-party component usage and compliance.
A compliance report on developer training and capabilities.

Audit Success Criteria:
All projects strictly follow the established SDLC steps and guidelines. Secure coding practices are in line with organizational guidelines. Third-party components are used in compliance with security assessments and updates. Developers are adequately trained and demonstrate capability in secure development practices.

Group-Admin | Group-Admin | 22-Jan
applications meet the desired security standards.

Output:
A report detailing the security requirements documentation for each application.
A comparison matrix of identified vs. implemented security measures for each application.
A summary of security testing outcomes and any outstanding vulnerabilities or issues.

Audit Success Criteria:
have documented security requirements aligned with the organization's application security policy. Security testing and code reviews have been conducted for all applications, with documented resolution of identified vulnerabilities. No critical security vulnerabilities remain unaddressed in the reviewed applications.

Group-Admin | Group-Admin | 22-Jan
threats and technological advances.

Output:
A report detailing the application of secure system engineering principles in each reviewed project.
A comparison matrix correlating project documentation with established security engineering guidelines.
Summaries of any discrepancies or areas of non-compliance.

Audit Success Criteria:
demonstrate adherence to established secure system engineering principles. Security principles are consistently applied across all layers of system architecture. Documentation reflects ongoing updates and reviews of security engineering principles, aligning with current security challenges and technologies.

Group-Admin | Group-Admin | 22-Jan
detailing the adherence to secure coding practices in each project.
A compliance matrix comparing actual practices against the organization's secure coding standards.
A summary of training completion for developers.
An assessment report on third-party and open-source software component usage.

Audit Success Criteria:
s secure coding standards. Developers involved in software development are adequately trained in secure coding practices. Third-party and open-source components are used and managed in compliance with the organization's policies. No critical vulnerabilities are found during the security testing of the software.

Group-Admin | Group-Admin | 22-Jan
Output:
A report detailing the findings of the security testing documentation review.
A compliance matrix aligning the actual security testing activities with the organization's secure development policy.
An assessment report on the effectiveness of the WAF and third-party component management.

Audit Success Criteria:
security functions, secure coding, and secure configurations. Effective management and security assessment of third-party components are evident. The existence and effectiveness of WAF implementations and distinct environments for development, testing, and production are confirmed.

Group-Admin | Group-Admin | 22-Jan
t processes comply with the contractual requirements.

Output:
A comprehensive report detailing the compliance status of each outsourced development project.
A checklist verifying the presence and adequacy of contracts, testing reports, intellectual property documentation, threat models, and audit logs.

Audit Success Criteria:
s. Acceptance testing and assurance reports demonstrate compliance with security and privacy standards. Intellectual property rights, threat models, and escrow agreements are properly managed and documented. Supplier development processes have been audited and found compliant with the organization's standards.

Group-Admin | Group-Admin | 22-Jan
into the development and testing system environments and if equivalent controls are in place.

Output:
A report detailing the segregation and security measures of each environment.
A spreadsheet analyzing access controls and compliance with the segregation policy.
A change management review report.

Audit Success Criteria:
t, testing, and production environments. Access controls and change management procedures are in compliance with the segregation policy. No unauthorized access or changes in the production environment. Sensitive information in development and testing environments is adequately protected.

Group-Admin | Group-Admin | 22-Jan
per the changes made.

Output:
A detailed report outlining the compliance of each change record with the change management procedures.
A summary of discrepancies or non-compliance issues, if any.
An updated list of all changes, categorizing them into minor, major, and emergency changes.

Audit Success Criteria:
information processing facilities and information systems are fully documented, authorized, and comply with the established change management procedures. Operating documentation and ICT continuity plans are updated in accordance with the changes made. There are no instances of non-compliance or unauthorized changes.

Group-Admin | Group-Admin | 22-Jan
summarizing the access control measures in test environments.
A spreadsheet or document listing all authorizations for copying operational information.
A detailed log review report.
An assessment report of data protection measures.
A security analysis report of the storage and usage of test information.

Audit Success Criteria:
deletion of operational information in test environments. Effective data protection measures (removal or masking) are implemented when sensitive information is used for testing. Test information is securely stored and strictly used for testing purposes, with no evidence of tampering or unauthorized use.

Group-Admin | Group-Admin | 22-Jan
audits are met.
Review logs to ensure that auditor access is properly monitored and recorded.

Output:
A report detailing the adherence of each audit test to the agreed terms.
Verification documentation for the security status of devices used in audits.
A comprehensive log review report.

Audit Success Criteria:
All audit tests are conducted within the agreed scope and access limitations. Devices used for audit purposes meet established security requirements. Auditor access to systems and data is appropriately monitored and logged.

Group-Admin | Group-Admin | 22-Jan
for changes.

Output:
Compiled screenshots or system reports of current account roles and access levels.
A spreadsheet or report verifying each account against the Access Control Matrix.
A detailed analysis report of change requests, highlighting compliance or deviations from the policy.

Audit Success Criteria:
All accounts and their roles must comply with the segregation of duties as outlined in the Access Control Matrix. All change requests must follow the established process and have proper authorization and justification, ensuring no conflicts of interest or policy breaches.

Group-Admin | Group-Admin | 22-Jan
are properly approved and documented.

Output:
A report detailing the findings of the Risk Assessment documentation review.
A summary of compliance with periodic review requirements based on Risk Management Committee records.
An audit trail of approvals and documentation for changes and reviews.

Audit Success Criteria:
are conducted in accordance with the specified stages and scenarios. The cybersecurity risk management methodology and procedures are reviewed and updated at planned intervals or upon changes in relevant laws and regulations. All changes and reviews are approved and properly documented.

Group-Admin | Group-Admin | 22-Jan
Output:
Compiled network architecture diagrams.
Configuration files and settings documentation.
Monitoring system logs.
Lists and logs of external storage media and mobile device usage.
System review, hardening, and configuration documentation.
Vulnerability and patch management reports.

Audit Success Criteria:
implemented and operational. External storage media and mobile device usage are strictly controlled and monitored. Systems are regularly reviewed, securely configured, and hardened against vulnerabilities. Vulnerability and patch management processes are comprehensive, up-to-date, and effective.

Group-Admin | Group-Admin | 22-Jan
d asset activity.
Determine the status (active/inactive) and risk level of each identified unauthorized asset.

Output:
A report listing all unauthorized assets identified during the scan.
A log analysis report highlighting unauthorized asset activities.
A risk assessment report for each unauthorized asset.

Audit Success Criteria:
All unauthorized assets are accurately identified and reported. Each unauthorized asset is assessed for risk and appropriate action is taken (e.g., removal from the network, denial of remote access, or quarantine). Documentation of actions taken for each unauthorized asset is maintained.

Group-Admin | Group-Admin | 22-Jan
Cross-check identified assets with the enterprise's asset inventory to identify any unregistered or rogue devices.

Output:
Daily Active Discovery Tool reports.
Comparison spreadsheet matching discovered assets against the official asset inventory.
Log analysis report confirming the tool's operational frequency and accuracy.

Audit Success Criteria:
The Active Discovery Tool identifies all known assets and potential rogue devices daily. The tool's operation aligns with the configured schedule without any missed executions. Discrepancies between the tool's findings and the asset inventory are investigated and resolved.

Group-Admin | Group-Admin | 22-Jan
inventory to verify updates.
Review the frequency and comprehensiveness of asset inventory updates.

Output:
Compiled list of assets identified from DHCP logs.
Comparison report between DHCP identified assets and enterprise asset inventory.
Documentation of asset inventory update records.

Audit Success Criteria:
enterprise asset inventory is updated at least weekly, incorporating new and changed assets identified in DHCP logs. The updated asset inventory accurately reflects the current state of enterprise assets as determined from DHCP logs. Asset inventory update processes are consistently followed and documented.

Group-Admin | Group-Admin | 22-Jan
new or changed assets are accurately reflected.
Review the change logs or update records to confirm that the asset inventory is updated following each scan.

Output:
Latest asset inventory report.
Configuration settings or logs from the passive asset discovery tool.
Change logs or update records of the asset inventory.

Audit Success Criteria:
The passive asset discovery tool is configured and functioning to scan the network at least weekly. All assets identified in the scans are accurately reflected in the updated asset inventory. Asset inventory updates are consistently logged and align with the scans conducted by the tool.

Group-Admin | Group-Admin | 22-Jan
the software inventory is regularly updated and reflects any changes in installed software.

Output:
Comprehensive report of all installed software.
Verification report confirming the presence and functioning of the inventory tool on all systems.
Analysis document detailing the review of change logs or update histories.

Audit Success Criteria:
The automated software inventory tool is active and functional on all systems. All installed software is accurately documented and reflected in the inventory reports. Regular updates and changes in software installations are consistently tracked and reflected in the inventory tool's logs or histories.

Group-Admin | Group-Admin | 22-Jan
have been properly authorized and documented.
Output: List of all IT systems reviewed. Spreadsheet or report detailing each script execution against the allowlist. System configuration snapshots demonstrating script blocking controls. Compiled change management records related to the script allowlist.
with valid digital signatures and correct version control. No evidence of unauthorized script executions on the systems. System configurations effectively block unauthorized scripts. All changes to the script allowlist have been properly authorized, documented, and aligned with the IT Security Policy.
Group-Admin | Group-Admin | 22-Jan
usage of insecure protocols (Telnet and HTTP). Compare current network and device configurations against documented standards to verify compliance.
Output: Compiled inventory and version control logs. Network traffic log analysis report. Compliance report comparing current configurations with standards.
infrastructure-as-code. Secure network protocols (SSH and HTTPS) are exclusively used for accessing administrative interfaces. No evidence of insecure protocol (Telnet and HTTP) usage unless justified as operationally essential. Complete alignment of asset and software management practices with documented standards and policies.
Group-Admin | Group-Admin | 22-Jan
were properly authorized and documented.
Output: A report detailing DNS configurations for each sampled asset. A compliance matrix comparing current DNS settings against the enterprise standard. A summary of change management records related to DNS configuration changes.
All audited assets use the designated trusted DNS servers as per the enterprise standards. Any deviations from the standard DNS configurations are properly justified and documented. DNS configuration changes have followed the established change management process.
Group-Admin | Group-Admin | 22-Jan
Maintenance Date (Optional, you can insert a date in the format DD-MM; bear in mind the delimiter is a "-". Accepts multiple values separated by "|". For example "22-01|15-10".)
