
NIST Cybersecurity Framework - Identify
ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Identify

Worksheet columns: Process Sub-Area | Ref. Risk | Control Type | Control Classification | Control Frequency | Control Objectives | NIST Controls | Ref. to COBIT 5 | Additional Ref. COBIT 5 | Ref. Framework/Standards | Testing Step | Ref. Workpaper | Pass/Fail | Comments. (Ref. Risk, Control Type, Control Classification, Control Frequency, Ref. Workpaper, Pass/Fail and Comments are blank in this copy.)

Process Sub-Area: Asset Management
Control Objective: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.

NIST Control: Physical devices and systems within the organization are inventoried.
Ref. to COBIT 5: BAI09.01; BAI09.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.1.1; A.8.1.2
Testing Step:
1. Obtain a copy of physical devices and systems inventory. Review the inventory considering the following:
   a. Scope of physical devices and systems is based on the organization's risk appetite (e.g., systems that contain sensitive information, allow access to the network, or are critical to business objectives)
   b. Completeness of inventory (e.g., location, asset number, owner)
   c. Inventory collection process ensures new devices are collected accurately and in a timely manner (e.g., automated software to detect and/or store the inventory)
   d. Frequency of inventory reviews

NIST Control: Software platforms and applications within the organization are inventoried.
Ref. to COBIT 5: BAI09.01; BAI09.02; BAI09.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.1.1; A.8.1.2
Testing Step:
1. Obtain a copy of software inventory. Review the inventory considering the following:
   a. Scope of software inventory is based on the organization's risk appetite (e.g., software that processes, stores or accesses sensitive information or is critical to business objectives)
   b. Completeness of inventory (e.g., version, system, vendor, owner)
   c. Inventory collection process ensures new software is collected accurately and in a timely manner (e.g., automated software to detect and/or store the inventory)
   d. Frequency of inventory reviews

NIST Control: Organizational communication and data flows are mapped.
Ref. to COBIT 5: DSS05.02
Additional Ref. COBIT 5: APO01.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.13.2.1
Testing Step:
1. Ensure the organization maintains accurate and current copies of data flow diagram(s) (DFD), logical network diagram(s) (LND), and/or other diagrams to show organizational communication and data flow.

NIST Control: External information systems are cataloged.
Ref. to COBIT 5: APO02.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.2.6
Testing Step:
1. If the organization relies on information systems hosted by third parties, obtain a copy of the external systems inventory. Review the third-party inventory considering the following:
   a. Scope of external systems is based on the organization's risk appetite (e.g., systems that store, process or access sensitive information or are critical to business objectives).
   b. Completeness of inventory (e.g., location, third party, owner, etc.)
   c. Inventory collection process ensures new systems are collected accurately and in a timely manner (e.g., automated software to detect and/or store the inventory)
   d. Frequency of inventory reviews

NIST Control: Resources (e.g., hardware, devices, data and software) are prioritized based on their classification, criticality and business value.
Ref. to COBIT 5: APO03.03; APO03.04; BAI09.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.1
Testing Step:
1. Obtain a copy of the organization's data classification program (classification may also be identified in the risk assessment or business impact analysis).
2. Review the program to determine if key resources (e.g., hardware, devices, data, software) are classified and prioritized based on criticality and business value.

NIST Control: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
Ref. to COBIT 5: APO01.02; DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1
Testing Step:
1. Review cybersecurity policies, information security policies, job descriptions, agreements, RACI charts, service level agreements (SLAs) and/or contracts to determine if they include cybersecurity roles and responsibilities.

Process Sub-Area: Business Environment
Control Objective: The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

NIST Control: The organization's role in the supply chain is identified and communicated.
Ref. to COBIT 5: APO08.04; APO08.05; APO10.03; APO10.04; APO10.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.15.1.3; A.15.2.1; A.15.2.2
Testing Step:
1. Obtain documentation or evidence (e.g., cybersecurity strategy, business continuity plan, information system acquisition procedures, business impact analysis, acquisition/procurement process, key supplier reviews, supplier relationship management, supplier due diligence reports) to determine whether the organization has clearly defined and understands its role in the supply chain.

NIST Control: The organization's place in critical infrastructure and its industry sector is identified and communicated.
Ref. to COBIT 5: APO02.06; APO03.01
Testing Step:
1. Obtain documentation or evidence (e.g., mission statement, business continuity policy, strategic plan) that the organization has clearly defined and understands its role in its industry sector and its role within national critical infrastructure, as defined by the Department of Homeland Security (https://www.dhs.gov/what-critical-infrastructure).

Copyright 2016 ISACA Page 1 of 15

NIST Control: Priorities for organizational mission, objectives and activities are established and communicated.
Ref. to COBIT 5: APO02.01; APO02.06; APO03.01
Testing Step:
1. Determine if the organization has a strategic plan defining enterprise goals. Ensure enterprise goals are aligned with stakeholder interests.
2. Determine if the organization's mission statement and objectives are clearly published in a way employees can easily see or access them.
3. Determine if an IT strategic plan is documented, defines goals and is mapped to enterprise goals.
4. Determine if employees are educated on the organization's mission and objectives.

NIST Control: Dependencies and critical functions for delivery of critical services are established.
Ref. to COBIT 5: BAI04.02; BAI09.01; BAI09.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.2.2; A.11.2.3; A.12.1.3
Testing Step:
1. Obtain the organization's business continuity plan, disaster recovery plan, business impact analysis and risk assessments and review for the following:
   a. Information systems and software supporting critical business functions are identified and prioritized based on maximum allowable downtime.
   b. Third parties who support critical business functions and information systems/software are identified and prioritized.

NIST Control: Resilience requirements to support delivery of critical services are established.
Ref. to COBIT 5: DSS04.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.1.4; A.17.1.1; A.17.1.2; A.17.2.1
Testing Step:
1. Determine if the organization's business continuity and disaster recovery plans (including business impact analysis) support resilience of critical services.
2. Determine if appropriate due diligence (e.g., business continuity plans (BCP), service level agreements (SLA), Service Organization Control (SOC) reports) information is in place and reviewed to ensure resilience requirements of the organization can be met by critical third-party services.

Process Sub-Area: Governance
Control Objective: The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

NIST Control: Organizational information security policy is established.
Ref. to COBIT 5: APO01.03; EDM01.01; EDM01.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.5.1.1
Testing Step:
1. Obtain a copy of the information security policy.
2. Determine if the policy is complete and has been approved by a governance structure within the organization.
3. Determine if the policy is communicated to employees.

NIST Control: Information security roles and responsibilities are coordinated and aligned with internal roles and external partners.
Ref. to COBIT 5: APO01.02; DSS06.03
Additional Ref. COBIT 5: APO13.12
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.7.2.1
Testing Step:
1. Determine if information security roles and responsibilities are defined. Roles and responsibilities may be defined in policies, job descriptions, agreements, RACI charts, hierarchy charts and/or contracts.
2. Determine if there is sufficient independence within the information security roles in order to provide adequate separation of duties for critical functions.
3. Review contracts, nondisclosure agreements (NDAs) and service level agreements (SLAs) with critical vendors to determine if cybersecurity controls and incident notification are addressed appropriately.

NIST Control: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
Ref. to COBIT 5: MEA03.01; MEA03.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.18.1
Testing Step:
1. Obtain a list of all relevant legal and regulatory requirements for the organization.
2. Determine if the cybersecurity program is mapped to legal and regulatory requirements.
3. Review any recent regulatory cybersecurity exams or audits. If any exceptions were noted in audits, determine how the organization responded to exceptions.
4. Determine if critical third-party contracts are reviewed by legal counsel prior to execution.
5. Determine if there is a formalized process in place to monitor and review changes in cybersecurity laws and regulations.
NIST Control: Governance and risk management processes address cybersecurity risk.
Ref. to COBIT 5: DSS04.02
Additional Ref. COBIT 5: EDM01.01; EDM01.02; EDM01.03; EDM03.01; EDM03.03
Testing Step:
1. Determine the adequacy of executive or board oversight and understanding of cybersecurity. Consider the following:
   a. Risk Management
   b. Governance Structures
   c. Security Oversight
   d. Training
   e. Accountability
   f. Reporting

Process Sub-Area: Risk Assessment
Control Objective: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

NIST Control: Asset vulnerabilities are identified and documented.
Ref. to COBIT 5: APO12.01; APO12.02; APO12.03; APO12.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.6.1; A.18.2.3
Testing Step:
1. Determine if vulnerability testing is conducted and analyzed on critical organizational assets (e.g., assets important to business objectives and the organization's risk strategy).

NIST Control: Threat and vulnerability information is received from information sharing forums and sources.
Ref. to COBIT 5: APO12.01; BAI08.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.4
Testing Step:
1. Determine if the organization is a member of or subscribes to a threat and vulnerability information sharing organization (e.g., United States Computer Emergency Readiness Team [US-CERT]).
2. Determine if the organization has a formal process in place for disseminating threat and vulnerability information to individuals with the expertise to review the information and the authority to mitigate risk posed to the organization.

NIST Control: Threats, both internal and external, are identified and documented.
Ref. to COBIT 5: APO12.01; APO12.02; APO12.03; APO12.04
Testing Step:
1. Review risk assessments to determine if internal and external threats are identified and documented.
2. Determine if the organization has developed processes to actively monitor and report potential threats.

NIST Control: Potential business impacts and likelihoods are identified.
Ref. to COBIT 5: APO12.02; BAI04.02
Additional Ref. COBIT 5: DSS04.02
Testing Step:
1. Review risk assessments and business impact analysis to determine if likelihood and potential impacts are identified and analyzed for threats.

NIST Control: Threats, vulnerabilities, likelihoods and impacts are used to determine risk.
Ref. to COBIT 5: APO12.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.6.1
Testing Step:
1. Determine if the risk assessment process identifies reasonably foreseeable internal and external threats and vulnerabilities, the likelihood and potential damage of those threats, and the sufficiency of controls to mitigate the risk associated with those threats.

NIST Control: Risk responses are identified and prioritized.
Ref. to COBIT 5: APO12.05; APO13.02
Testing Step:
1. Obtain the organization's risk management plan and/or other documentation showing the organization's response to risk levels identified in the risk assessment. Determine if the risk management plan is designed to accept or reduce risk level in accordance with the organization's risk appetite.
2. Obtain copies of management responses to recent cybersecurity-related audits and assessments to determine if exceptions noted in audits or assessments are identified and prioritized.

Process Sub-Area: Risk Management Strategy
Control Objective: The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

NIST Control: Risk management processes are established, managed and agreed to by organizational stakeholders.
Ref. to COBIT 5: APO12.04; APO12.05; APO13.02; BAI02.03; BAI04.02
Testing Step:
1. Evaluate the framework or process used for risk management. Consider the following:
   a. Is the process formally documented?
   b. Is the process regularly updated?
   c. Is the process repeatable and measurable?
   d. Does the process have an owner?
   e. Are stakeholders involved or informed of the process?

NIST Control: Organizational risk tolerance is determined and clearly expressed.
Ref. to COBIT 5: APO12.03; APO12.06
Additional Ref. COBIT 5: EDM03.01
Testing Step:
1. Determine if the organization has defined and approved a cyberrisk appetite statement.

NIST Control: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis.
Ref. to COBIT 5: APO04.03
Testing Step:
1. Obtain a copy of the organization's risk management strategy and risk appetite statement to determine if these align with its role in critical infrastructure (as defined by national infrastructure protection plan [NIPP] and sector-specific plans).

NIST Cybersecurity Framework - Protect
ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Protect

Process Sub-Area: Access Control
Control Objective: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

NIST Control: Identities and credentials are managed for authorized devices and users.
Ref. to COBIT 5: DSS05.04; DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.9.2.1; A.9.2.2; A.9.2.4; A.9.3.1; A.9.4.2; A.9.4.3
Testing Step:
1. Determine whether access to network devices (e.g., servers, workstations, mobile devices, firewalls) is restricted by:
   a. Unique user logon IDs
   b. Complex passwords
   c. Multifactor authentication
   d. Automatic timeout if left unattended
   e. Automatic lockout after repeated failed access attempts
   f. Changing default administrative account names and passwords
2. Determine whether password parameters comply with organization policy and/or applicable industry requirements. Consider the following:
   a. Length, complexity, change requirements, history
   b. Are passwords suppressed from all output?
   c. Are password files encrypted and restricted?
3. Review termination procedures to ensure credentials are revoked or changed when an employee leaves.
   a. Spot-check accounts to ensure user access is revoked following termination and accounts are deleted according to policy.

NIST Control: Physical access to assets is managed and protected.
Ref. to COBIT 5: DSS01.04; DSS05.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.1.1; A.11.1.2; A.11.1.4; A.11.1.6; A.11.2.3
Testing Step:
1. Determine whether physical access to key assets (e.g., server rooms, network closets, zones) is physically restricted:
   a. Locked doors
   b. Surveillance
   c. Fences or walls
   d. Logs
   e. Visitor escorts
2. Determine whether policies and procedures allow only authorized personnel access to sensitive areas.
3. Review termination procedures to ensure physical access is removed once an employee leaves.

NIST Control: Remote access is managed.
Ref. to COBIT 5: APO13.01; DSS01.04; DSS05.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.2.2; A.13.1.1; A.13.2.1
Testing Step:
1. Determine whether policies and procedures related to remote users' access capabilities are formalized. Consider the following:
   a. Remote users (e.g., employees, contractors, third parties) with access to critical systems are approved and documented.
   b. Remote connections are only opened as required.
   c. Remote connections are logged and monitored.
   d. Remote connections are encrypted.
   e. Strong authentication is in place (e.g., multifactor, strong password parameters).
   f. The ability to wipe data remotely on mobile devices when data are missing or stolen is enabled.
   g. Institution security controls (e.g., antivirus, patch management) are required on remote devices connecting to the network.

NIST Control: Access permissions are managed, incorporating the principles of least privilege and separation of duties.
Ref. to COBIT 5: DSS05.04; DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.2; A.9.1.2; A.9.2.3; A.9.4.1; A.9.4.4
Testing Step:
1. Review access rights and permissions for the network and any critical applications.
2. Determine if user access profiles are consistent with their job functions (based on least privilege). Compare a sample of users' access authority with their assigned duties and responsibilities.
3. Determine if access is granted for mission critical functions and information system support functions in order to reduce the risk of malevolent activity without collusion (e.g., critical processes require two people to perform the function).
4. Determine if users with local administrative privilege on workstations require this level of access.
5. Review how the organization restricts and/or monitors access to sensitive data by users with elevated network privilege.
6. Determine if role-based access controls are implemented (e.g., roles vs. users are assigned access rights).
7. Determine if there are regular reviews of access.

NIST Control: Network integrity is protected, incorporating network segregation where appropriate.
Ref. to COBIT 5: DSS05.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.13.1.1; A.13.1.3; A.13.2.1
Testing Step:
1. Review network diagrams and data flow diagrams.
2. Determine if high-value/critical systems are separated from high-risk systems (e.g., VLAN, DMZ, hard backups, air-gapping) where possible.
3. Determine if the organization has a formal process to approve data flows and/or connections between networks and/or systems.


NIST Cybersecurity Framework - Protect ISACA IS Audit/Assurance Program

IS Audit/Assurance Progam
Cybersecurity: Based on the NIST Cybersecurity Framework - Protect

Process Ref. Control Control Control NIST Ref. to Additional Ref. Ref. Framework/ Ref. Pass/
Control Objectives Controls Testing Step Comments
Sub-Area Risk Type Classification Frequency COBIT 5 COBIT 5 Standards Workpaper Fail

1. Review acceptable use policy and/or training materials to ensure content is


adequate.
2. Review user training reports and/or documentation to ensure users are
All users are informed and APO07.03; ISO/IEC
trained in accordance with applicable policy, guidance, and/or requirement
trained. BAI05.07 27001:2013 A.7.2.2
(e.g., annual cybersecurity training of all employees).
3. Determine whether training materials are updated based on changes in
cyberthreat environment.

1. Determine if the organization has a process to identify privileged users.


2. Determine if privileged users' roles are well defined and if privileged users
ISO/IEC
Privileged users understand are trained based on their responsibilities. APO07.02;
APO07.03 27001:2013
roles and responsibilities. 3. Review training material and/or user agreements to ensure users with DSS06.03
A.6.1.1; A.7.2.2
elevated privileges are taught security roles and responsibilities associated
with elevated privileges.

1. Review applicable third-party contracts, customer agreements, and


Third-party stakeholders (e.g., partner agreements to ensure security roles and responsibilities are clearly
APO07.03; ISO/IEC
suppliers, customers, partners) defined.
APO10.04; 27001:2013
understand roles and 2. Review the organization's vendor management program to ensure third
APO10.05 A.6.1.1; A.7.2.2
Awareness Training

responsibilities. parties are complying with cybersecurity responsibilities defined in contracts


The organization’s personnel and and agreements.
partners are provided cybersecurity
awareness education and are adequately
trained to perform their information
security-related duties and 1. Review training and continuing education programs for senior executives.
responsibilities consistent with related Consider the following:
policies, procedures, and agreements. a. Cybersecurity knowledge and skill levels needed to perform their duties
are defined.
ISO/IEC
Senior executives understand b. Specific role-based training is assigned based on cybersecurity roles and
APO07.03 EDM01.03 27001:2013
roles and responsibilities. responsibilities.
A.6.1.1; A.7.2.2
c. A method is in place to measure senior executives' cybersecurity
knowledge and understanding against organization requirements.
d. Training and education materials are updated to reflect changes in the
threat environment.

1. Review training and continuing education programs for physical and


information security personnel. Consider the following:
a. Knowledge and skill levels needed to perform physical and information
security duties are defined.
b. Specific role-based training is assigned based on physical and information
Physical and information ISO/IEC
security roles and responsibilities.
security personnel understand APO07.03 DSS06.03 27001:2013
c. A method is in place to measure physical and information security
roles and responsibilities. A.6.1.1; A.7.2.2
personnel's cybersecurity knowledge and understanding against organization
requirements.
d. Training and education materials are updated to reflect changes in the
threat environment.

1. Determine if confidential or sensitive data is identified on the


organization's network (e.g., data classification, risk assessment).
2. Determine if confidential data is secured (e.g., strong encryption as defined APO01.06;
by industry best practices) at rest. BAI02.01; ISO/IEC
Data-at-rest is protected.
3. Determine if mobile devices (e.g., laptops, tablets, removable media) that BAI06.01; 27001:2013 A.8.2.3
are used to store confidential data are encrypted. DSS06.06
4. Review contracts with third parties storing confidential data to ensure
appropriate security controls are in place for sensitive data at rest.

1. Determine if sensitive information is secured (e.g., strong encryption as


defined by industry best practices) when transmitted across publicly-
accessible networks.
ISO/IEC
2. Determine if adequate policies are in place regarding transmission of
27001:2013
confidential or sensitive information via email. APO01.06;
Data-in-transit is protected. A.8.2.3; A.13.1.1;
3. Review training materials and/or acceptable use policy to determine DSS06.06
A.13.2.1; A.13.2.3;
whether employees are instructed on organization policy regarding data
A.14.1.2; A.14.1.3
transmission.
4. Review contracts with third parties transmitting confidential data to ensure
appropriate security controls are in place for transmission of sensitive data.

Copyright 2016 ISACA Page 5 of 15


rity

Information and records (data) are


NIST Cybersecurity Framework - Protect ISACA IS Audit/Assurance Program

IS Audit/Assurance Progam
Cybersecurity: Based on the NIST Cybersecurity Framework - Protect

Process Ref. Control Control Control NIST Ref. to Additional Ref. Ref. Framework/ Ref. Pass/
Control Objectives Controls Testing Step Comments
Sub-Area Risk Type Classification Frequency COBIT 5 COBIT 5 Standards Workpaper Fail

1. Review asset inventory policies and procedures. Consider the following: ISO/IEC
Assets are formally managed a. Formalized processes in place 27001:2013
throughout removal, transfers b. Accuracy of asset tracking BAI09.03 DSS05.06 A.8.2.3; A.8.3.1;
and disposition. c. Secure removal or destruction of confidential information from A.8.3.2; A.8.3.3;
decommissioned assets A.11.2.7

BAI02.01;
1. Review sample of capacity management monitoring reports used to
BAI03.05;
Data Security

Information and records (data) are monitor critical resources such as network bandwidth, CPU, disk utilization,
BAI04.01; ISO/IEC
managed consistent with the Adequate capacity to ensure etc.
APO13.01 BAI04.02; 27001:2013
organization’s risk strategy to protect the availability is maintained. 2. Determine if resources have adequate capacity (e.g., disk space, CPU).
BAI04.03; A.12.3.1
confidentiality, integrity, and availability 3. Determine if the risk of distributed denial-of-service (DDoS) has been
BAI04.04;
of information. addressed and is in line with the organization's risk appetite.
BAI04.05

ISO/IEC
27001:2013
A.6.1.2; A.7.1.1;
1. Review risk assessments, information security meeting minutes and
A.7.1.2; A.7.3.1;
information security strategies to determine if the risk of data loss prevention
A.8.2.2; A.8.2.3;
Protections against data leaks or exfiltration of confidential data is being considered.
APO01.06 DSS05.06 A.9.1.1; A.9.1.2;
are implemented. 2. Ensure controls or tools (e.g., data loss prevention) are in place to detect or
A.9.2.3; A.9.4.1;
block potential unauthorized or unintentional transmission or removal of
A.9.4.4; A.9.4.5;
confidential data (e.g., email, FTP, USB devices, Telnet)
A.13.1.3; A.13.2.1;
A.13.2.3; A.13.2.4;
A.14.1.2; A.14.1.3

1. Determine if the organization employs integrity verification tools (e.g.,


Integrity checking mechanisms parity checks, cyclical redundancy checks, cryptographic hashes) to detect ISO/IEC
are used to verify software, unauthorized changes to software (e.g., middleware, applications and 27001:2013
APO01.06
firmware and information operating systems with key internal components such as kernels, drivers), A.12.2.1; A.12.5.1;
integrity. firmware (e.g., Basic Input Output System [BIOS]), and information (e.g., A.14.1.2; A.14.1.3
metadata such as security attributes associated with information).

The development and testing 1. If the organization maintains a software development or testing
ISO/IEC
environment(s) are separate environment, review network diagrams, database connections and applicable
BAI07.04 27001:2013
from the production firewall/router configurations to determine sufficiency of separation between
A.12.1.4
environment. these environments and the production network.

1. Determine if the organization has created or adopted baseline


A baseline configuration of ISO/IEC
configurations (e.g., Center for Internet Security [CIS] benchmarks, Security BAI10.01;
information 27001:2013
Technical Implementation Guides [STIG]) for systems (e.g., servers, desktops, BAI10.02;
technology/industrial control A.12.1.2; A.12.5.1;
routers). BAI10.03;
systems is created and A.12.6.2; A.14.2.2;
2. Sample systems against the organization's baseline configurations to BAI10.05
maintained. A.14.2.3; A.14.2.4
ensure standards are followed and enforced.

1. Obtain and review a copy of the organization's system development life ISO/IEC
A system development life cycle
cycle. BAI07.04; 27001:2013
(SDLC) to manage systems is APO13.01
2. Obtain samples of rollout documentation and rollout schedule to ensure BAI07.06 A.6.1.5; A.14.1.1;
implemented.
compliance with policy. A.14.2.1; A.14.2.5

1. Determine if configuration change control processes for information


systems are in place. Consider the following: ISO/IEC
a. Proposed changes are documented and approved. 27001:2013
Configuration change control BAI06.01;
b. Changes are prohibited until designated approvals are received. A.12.1.2; A.12.5.1;
processes are in place. BAI01.06
c. Changes are tested and validated before implementation. A.12.6.;, A.14.2.2;
d. Changes are documented and reported upon completion. A.14.2.3; A.14.2.4

ISO/IEC
Backups of information are 1. Determine if a formal backup and recovery plan exists.
27001:2013
conducted, maintained and 2. Review backup procedures. Ensure periodic backup testing is performed to APO13.01 DSS04.07
A.12.3.1; A.17.1.2;
tested periodically. verify data are accessible and readable.
A.17.1.3; A.18.1.3

Copyright 2016 ISACA Page 6 of 15


NIST Cybersecurity Framework - Protect ISACA IS Audit/Assurance Program

IS Audit/Assurance Progam
Cybersecurity: Based on the NIST Cybersecurity Framework - Protect

Process Ref. Control Control Control NIST Ref. to Additional Ref. Ref. Framework/ Ref. Pass/
Control Objectives Controls Testing Step Comments
Sub-Area Risk Type Classification Frequency COBIT 5 COBIT 5 Standards Workpaper Fail

1. Review physical security operating environment policies, procedures and


plans. Ensure the following are addressed:
a. Emergency shutoff
Policy and regulations regarding ISO/IEC
b. Emergency lighting
the physical operating DSS01.04; 27001:2013
c. Emergency power
environment for organizational DSS05.05 A.11.1.4; A.11.2.1;
d. Fire protection
assets are met. A.11.2.2; A.11.2.3
e. Temperature and humidity control
f. Water damage protection
g. Location of information system components (to minimize damage)

Process Sub-Area: Information Protection Processes and Procedures
Control Objective: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

Control: Data is destroyed according to policy.
Testing Steps:
1. Review media sanitization (data destruction) policies.
2. Ensure sanitization techniques and procedures are commensurate with the security category or classification of the information or asset and in accordance with applicable federal and organizational standards and policies.
3. Spot-check trash cans, dumpsters, shred bins and/or shredders to ensure compliance with policy.
4. Obtain proof (e.g., destruction certificates) that media sanitization is occurring according to policy.
NIST Ref. to COBIT 5: BAI09.03
Additional Ref. COBIT 5: DSS05.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.3; A.8.3.1; A.8.3.2; A.11.2.7

Control: Protection processes are continuously improved.
Testing Steps:
1. Review the organization's policies and procedures related to continually improving protection processes. Consider the following:
a. Ongoing audits, assessments and vulnerability scanning are conducted, reviewed and responded to.
b. Plans, processes and policies are updated based on lessons learned from tests (e.g., business continuity, disaster recovery, incident response).
c. Designated position and/or committee responsible for continuous evaluation of the organization's information security needs and posture
d. Threat information gathering and responses to changes in the threat environment
NIST Ref. to COBIT 5: APO11.06; DSS04.05

Control: Effectiveness of protection technologies is shared with appropriate parties.
Testing Steps:
1. Determine if the organization participates in information sharing and analysis groups.
2. Determine if the organization facilitates information sharing by enabling authorized users to share authorized information with sharing partners.
NIST Ref. to COBIT 5: BAI08.01; MEA02.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.6

Control: Response plans (incident response and business continuity) and recovery plans (incident recovery and disaster recovery) are in place and managed.
Testing Steps:
1. Review incident response and business continuity plans to determine if the institution has documented how it will respond to a cyberincident.
2. Evaluate plans to determine how frequently they are updated and approved.
NIST Ref. to COBIT 5: DSS04.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.1; A.17.1.1; A.17.1.2

Control: Response and recovery plans are tested.
Testing Steps:
1. Determine whether business continuity and incident response tests are performed according to policy and any applicable guidance.
NIST Ref. to COBIT 5: DSS04.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.17.1.3

Control: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).
Testing Steps:
1. Review hiring procedures to determine whether background checks/screenings are performed for all employees.
2. Review hiring procedures for positions with access to sensitive information to determine if they are commensurate with a higher level of risk.
3. Review termination procedures to determine whether accounts/access are disabled in a timely manner.
NIST Ref. to COBIT 5: APO07.01; APO07.02; APO07.03; APO07.04; APO07.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.7.1.1; A.7.3.1; A.8.1.4

Control: A vulnerability management plan is developed and implemented.
Testing Steps:
1. Obtain the organization's vulnerability management plan and ensure it includes the following:
a. Frequency of vulnerability scanning
b. Method for measuring the impact of vulnerabilities identified (e.g., Common Vulnerability Scoring System [CVSS])
c. Incorporation of vulnerabilities identified in other security control assessments (e.g., external audits, penetration tests)
d. Procedures for developing remediation of identified vulnerabilities
2. Obtain a copy of the organization's risk assessment to ensure vulnerabilities identified during the vulnerability management process are included.
NIST Ref. to COBIT 5: APO04.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.6.1; A.18.2.2

Copyright 2016 ISACA Page 7 of 15


NIST Cybersecurity Framework - Protect ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Protect

Columns: Process Sub-Area | Control Objectives | Controls | Control Risk | Control Type | Control Classification | Control Frequency | Control Testing Step | NIST Ref. to COBIT 5 | Additional Ref. COBIT 5 | Ref. Framework/Standards | Ref. Workpaper | Pass/Fail | Comments

Process Sub-Area: Maintenance
Control Objective: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

Control: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools.
Testing Steps:
1. Review controlled maintenance processes. Consider the following:
a. Maintenance activities are approved, scheduled and documented (e.g., date and time, name of individual(s) performing maintenance, description of maintenance performed, systems removed/replaced).
b. Maintenance staff or vendors are approved, authorized and supervised (if required).
c. Maintenance tools and media are approved and inspected for improper or unauthorized modifications prior to use.
NIST Ref. to COBIT 5: BAI09.03
Additional Ref. COBIT 5: DSS03.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.1.2; A.11.2.4; A.11.2.5

Control: Remote maintenance of organizational assets is approved, logged and performed in a manner that prevents unauthorized access.
Testing Steps:
1. Determine whether remote maintenance on servers, workstations and other systems is performed. Consider the following:
a. Who is allowed to connect to systems (e.g., internal employees, third parties)
b. What software/version or service is used to connect
c. Whether end users have to take some action prior to allowing remote control of their workstation and/or whether access is logged and monitored
d. Adequacy of authentication requirements (e.g., multifactor authentication)
NIST Ref. to COBIT 5: DSS05.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.2.4; A.15.1.1; A.15.2.1

Process Sub-Area: Protective Technology
Control Objective: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Control: Audit/log records are determined, documented, implemented and reviewed in accordance with policy.
Testing Steps:
1. Determine if audit logs (e.g., security, activity) are maintained and reviewed in a timely manner. Verify the adequacy of the logs to monitor and evaluate IT activities and security events. Consider the following:
a. Audit records contain appropriate content (e.g., type of event, when the event occurred, where the event occurred, source of the event, outcome of the event, identity of any individuals or subjects associated with the event).
b. Log files are sized such that logs are not deleted prior to review and/or being backed up.
c. Audit logs and tools are protected from unauthorized access, modification and deletion.
2. Determine if logs for the following parts of the network are monitored and reviewed:
a. Network perimeter (e.g., intrusion detection systems [IDS], firewalls)
b. Microsoft systems (e.g., Windows event logs)
c. Non-Microsoft systems (e.g., syslog files for Unix/Linux servers, routers, switches)
NIST Ref. to COBIT 5: APO11.04
Additional Ref. COBIT 5: DSS05.07
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.4.1; A.12.4.2; A.12.4.3; A.12.4.4; A.12.7.1

Control: Removable media is protected and its use restricted according to policy.
Testing Steps:
1. Obtain a copy of the removable media policy. Review controls defined in the policy. Controls may include:
a. User training
b. Encryption of removable media
c. Restricted access to removable media (e.g., USB restrictions)
d. Sanitization procedures for decommissioned media
2. Perform spot-checks on systems with removable media restrictions to ensure restrictions are working as expected and comply with the organization's policy.
NIST Ref. to COBIT 5: DSS05.02; APO13.01
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.2; A.8.2.3; A.8.3.1; A.8.3.3; A.11.2.9

Control: Access to systems and assets is controlled, incorporating the principle of least functionality.
Testing Steps:
1. Review information systems to determine if unnecessary and/or non-secure functions, ports, protocols and services are disabled.
2. Determine whether, where feasible, the organization limits component functionality to a single function per device (e.g., dedicated email server).
3. Determine if the organization reviews functions and services provided by information systems or individual components of information systems to determine which functions and services are candidates for elimination.
NIST Ref. to COBIT 5: DSS05.02
Additional Ref. COBIT 5: DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.9.1.2

Control: Communications and control networks are protected.
Testing Steps:
1. Evaluate controls related to communications to ensure the network is secure. Consider:
a. Network perimeter defenses are in place (e.g., border router, firewall).
b. Physical security controls are used to prevent unauthorized access to telecommunication systems, etc.
c. Logical network access controls (e.g., VLAN) and technical controls (e.g., encrypting traffic) are in place to protect and/or segregate communications networks (e.g., wireless, WAN, LAN, VoIP).
NIST Ref. to COBIT 5: DSS05.02; APO13.01
Additional Ref. COBIT 5: DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.13.1.1; A.13.2.1



NIST Cybersecurity Framework - Detect ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Detect

Process Sub-Area: Anomalies and Events
Control Objective: Anomalous activity is detected in a timely manner and the potential impact of events is understood.

Control: A baseline of network operations and expected data flows for users and systems is established and managed.
Testing Steps:
1. Obtain a copy of the organization's logical network diagram (LND), data flow diagrams, and other network and communications diagrams.
2. Review the diagrams for the following:
a. Frequency of updates to diagrams
b. Accuracy and completeness of diagrams
c. Scope of diagrams is adequate to identify both domains of different risk and control levels (i.e., high-risk, publicly accessible portions of a network vs. high-value, restricted-access portions of the network) and the control points (e.g., firewalls, routers, intrusion detection/prevention systems) between them.
3. Determine if tools (e.g., security event and information management systems [SIEMs]) are used to establish typical (baseline) traffic so abnormal traffic can be detected.
NIST Ref. to COBIT 5: DSS03.01

Control: Detected events are analyzed to understand attack targets and methods.
Testing Steps:
1. Obtain a copy of policies and procedures regarding system and network monitoring.
a. Determine if policies and procedures require monitoring for anomalous activity at identified control points.
2. Obtain a copy of detected events (e.g., alerts from IDS) and the organization's response to them. Review the events and responses to ensure thorough analysis of detected events is performed.
NIST Ref. to COBIT 5: DSS05.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.1; A.16.1.4

Control: Event data are aggregated and correlated from multiple sources and sensors.
Testing Steps:
1. Obtain a listing of event aggregation and monitoring systems in use at the organization (e.g., SIEMs, event log correlation systems).
2. Obtain a list of sources that provide data to each event aggregation and monitoring system (e.g., firewalls, routers, servers).
3. Compare the sources to identified control points between domains of different risk and control levels and determine if they provide adequate monitoring coverage of the organization's environment.
NIST Ref. to COBIT 5: APO12.01

Control: Impact of events is determined.
Testing Steps:
1. Obtain a copy of detected events and the organization's responses to them.
2. Review the events, tickets and responses in order to ensure the organization is documenting the impact of anomalous activity using metrics that are applicable to the organization (e.g., compliance impact, operational impact, accurate reporting impact).
NIST Ref. to COBIT 5: APO12.06

Control: Incident alert thresholds are established.
Testing Steps:
1. Obtain a copy of alert messages, meeting minutes, reports and other documentation where detected events were escalated.
2. Review the documentation and determine the following:
a. Detected events are reported in a timely manner to someone with the knowledge and expertise to resolve or escalate the event.
b. Escalated events are reported to individuals or groups with the appropriate authority to make decisions about the organization's response.
c. Thresholds are defined such that an event triggers the appropriate response (e.g., business continuity response, disaster recovery response, incident response, legal response).
NIST Ref. to COBIT 5: APO12.06

Process Sub-Area: Security Continuous Monitoring
Control Objective: The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

Control: The network is monitored to detect potential cybersecurity events.
Testing Steps:
1. Obtain a list of the monitoring controls implemented by the organization at the following levels:
a. Network (e.g., firewall, router, switch)
b. Operating system (e.g., server platforms, workstation platforms, appliances)
c. Application (e.g., account management, file and database access)
2. Determine if monitoring at each level includes detection of cybersecurity events (e.g., denial-of-service [DoS] attacks, unauthorized account access, unauthorized file/system access, privilege escalation attacks, SQL injection attacks).
NIST Ref. to COBIT 5: DSS05.07

Control: The physical environment is monitored to detect potential cybersecurity events.
Testing Steps:
1. Obtain an inventory of critical facilities (e.g., data centers, network closets, operations centers, critical control centers).
2. Determine if physical security monitoring controls are implemented and appropriate to detect potential cybersecurity events (e.g., sign in/out logs, motion detectors, security cameras, security lighting, security guards, door/window locks, automatic system lock when idle, restricted physical access to servers, workstations, network devices, network ports).
NIST Ref. to COBIT 5: DSS05.05

Control: Personnel activity is monitored to detect potential cybersecurity events.
Testing Steps:
1. Obtain a list of the monitoring controls implemented by the organization at the application/user account level (e.g., account management, user access roles, user activity monitoring, file and database access).
2. Determine if monitoring includes detection and alerting of cybersecurity events (e.g., unauthorized account access, unauthorized file/system access, access out of hours, access to sensitive data, unusual access, unauthorized physical access, privilege escalation attacks).
NIST Ref. to COBIT 5: DSS05.04; DSS05.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.4.1

Control: Malicious code is detected.
Testing Steps:
1. Obtain a copy of processes and procedures used to detect malicious code on the network and servers/workstations (e.g., anti-malware software on servers and workstations, phishing filters on email systems, intrusion prevention/detection systems on the network [IDS/IPS], endpoint security products on workstations and/or servers).
2. Determine if malicious code controls are:
a. Installed on all applicable systems and network control points
b. Updated on a regular basis
c. Configured to perform real-time scanning or periodic scans at regular intervals
3. Spot-check workstations and other user endpoint devices to verify the following:
a. Malicious code controls are installed.
b. Malicious code controls are updated.
c. Malicious code controls are capable of detecting test code (e.g., the EICAR test virus).
NIST Ref. to COBIT 5: DSS05.01
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.2.1

Control: Unauthorized mobile code is detected.
Testing Steps:
1. Obtain documented processes and procedures used to detect unauthorized mobile code (e.g., Java, JavaScript, ActiveX, Flash, VBScript) that is run on the organization's servers, workstations and devices.
2. Determine if detective mobile code controls block unauthorized mobile code when detected (e.g., quarantine, execution blocking, download blocking).
*Examples of mobile code controls include:
a. Detecting and blocking mobile code attachments in emails (e.g., .exe files, .js files)
b. Detecting and blocking mobile code portions of websites
c. Removing the ability to run mobile code on systems that do not require this functionality (e.g., uninstalling Java from workstations without a need for it)
d. Configuring systems to generate alerts and block execution when mobile code that is not signed with an approved code-signing certificate attempts to execute
NIST Ref. to COBIT 5: DSS05.03; DSS05.07
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.5.1

Control: External service provider activity is monitored to detect potential cybersecurity events.
Testing Steps:
1. Obtain and review contracts executed with external service providers.
2. Determine if external service provider contracts require the service providers to:
a. Notify the organization as soon as possible of any known or suspected cybersecurity event.
b. Notify the organization as soon as possible of termination of any employee who possesses credentials to access the organization's systems or facilities.
c. Implement security controls equivalent to or exceeding the level of security required of the organization.
3. Obtain a copy of the organization's logical network diagram (LND) to determine how external service provider networks are connected to the organization's network and whether monitoring controls (e.g., firewalls, routers, intrusion detection/prevention systems) are implemented at these connection points.
4. Obtain and analyze a copy of system configurations for monitoring controls used to detect cybersecurity events originating on external service providers' networks.
NIST Ref. to COBIT 5: APO10.04; APO10.05
Additional Ref. COBIT 5: APO07.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.14.2.7; A.15.2.1


Control: Monitoring for unauthorized personnel, connections, devices and software is performed.
Testing Steps:
1. Obtain a copy of processes and procedures designed to detect unauthorized access to the organization's facilities and systems (e.g., sign-in/out logs, video surveillance, break-in alarms, network port blocking, USB device restrictions on workstations and user devices, monitoring of excessive failed logins indicating a password-guessing attack).
2. Spot-check unauthorized access controls by accessing facilities and systems with permission to test, but not standard authorization. Request that the organization provide the alert notifications generated by the simulated unauthorized access.
NIST Ref. to COBIT 5: DSS05.05

Control: Vulnerability scans are performed.
Testing Steps:
1. Obtain a copy of the organization's schedule for performing internal and external vulnerability scans and the results of the most recent internal and external vulnerability scans.
2. Review the schedule and results for the following:
a. Frequency
b. Successful completion
c. Documented resolution or mitigation of identified vulnerabilities
d. Scope of testing includes all critical systems
3. Determine whether vulnerability scan results were reported to individuals or teams with appropriate authority to ensure resolution.
NIST Ref. to COBIT 5: BAI03.10
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.6.1

Process Sub-Area: Detection Processes
Control Objective: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Control: Roles and responsibilities for detection are well defined to ensure accountability.
Testing Steps:
1. Obtain a copy of processes and procedures for monitoring physical and electronic anomalous events.
2. Determine if the organization's processes and procedures assign key responsibilities to specific individuals or positions.
NIST Ref. to COBIT 5: DSS05.01
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1

Control: Detection activities comply with all applicable requirements.
Testing Steps:
1. Obtain a copy of laws and regulations (e.g., federal, state, local), industry standards, internal security requirements and risk appetite applicable to the organization.
2. Determine if the organization is performing audits/testing to ensure its detection activities comply with these requirements.
NIST Ref. to COBIT 5: MEA03.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.18.1.4

Control: Detection processes are tested.
Testing Steps:
1. Obtain a copy of the organization's schedule of incident response tests, the results of recent incident response tests, and documented processes and procedures requiring tests of anomalous activity controls (e.g., periodic tests of intrusion detection/prevention systems, endpoint anti-malware software).
2. Review the documentation for the following:
a. Completeness in testing implemented anomalous activity detection controls
b. Frequency of testing
c. Documented resolution or mitigation of negative testing results
NIST Ref. to COBIT 5: APO13.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.14.2.8

Control: Event detection information is communicated to appropriate parties.
Testing Steps:
1. Obtain a copy of meeting minutes where physical and electronic anomalous activity is reported (e.g., information security committee meetings, board/management meetings, risk management meetings).
2. Obtain a copy of documented responses to recent physical and electronic anomalous activity incidents.
3. Compare meeting minutes to documented incidents and determine if detected events are consistently reported and appropriately handled.
NIST Ref. to COBIT 5: APO12.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.2

Control: Detection processes are continuously improved.
Testing Steps:
1. Obtain a copy of documented responses to recent physical and electronic anomalous activity incidents. Determine if responses include the following:
a. Lessons learned and analysis of failed or missing controls
b. Action items to detect/prevent similar incidents in the future
NIST Ref. to COBIT 5: APO11.06; DSS04.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.6



NIST Cybersecurity Framework - Respond ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Respond

Process Sub-Area: Response Planning
Control Objective: Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

Control: Response plan is executed during or after an event.
Testing Steps:
1. Determine if the organization has approved incident response and business continuity plans.
2. Obtain copies of reports from recent incidents to validate the plans are executed.
NIST Ref. to COBIT 5: DSS02.04; DSS02.05; DSS02.06; DSS02.07
Additional Ref. COBIT 5: BAI01.10
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.5

Process Sub-Area: Communications
Control Objective: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

Control: Personnel know their roles and order of operations when a response is needed.
Testing Steps:
1. Review the incident response plan to determine if roles and responsibilities are defined for employees.
2. Interview employees to determine if employees know their roles and responsibilities as defined by the plan.
3. Review any incident response tests or training provided to employees to determine if they support educating employees on their roles and responsibilities.
NIST Ref. to COBIT 5: DSS02.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.16.1.1

Control: Events are reported consistent with established criteria.
Testing Steps:
1. Review the incident response plan to determine if reporting structure and communication channels are clearly defined.
2. Determine if employees are trained to report suspected security incidents.
3. Obtain copies of reports from recent incidents to validate reporting is consistent and follows the plan.
NIST Ref. to COBIT 5: DSS02.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.3; A.16.1.2

Control: Information is shared consistent with response plans.
Testing Steps:
1. Review the incident response plan to determine if information sharing is clearly defined as it relates to the following (if applicable):
a. Customers
b. Law enforcement
c. Regulators
d. Media
e. Information sharing organizations
2. Obtain copies of reports from recent incidents to validate sharing is consistent and follows the plan.
NIST Ref. to COBIT 5: DSS02.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.2

Control: Coordination with stakeholders occurs consistent with response plans.
Testing Steps:
1. Review the incident response plan to determine if a process is in place to communicate with internal and external stakeholders during and/or following an incident.
2. Obtain copies of reports from recent incidents to validate reporting is consistent and follows the plan.
NIST Ref. to COBIT 5: DSS02.05; DSS02.07

Control: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
Testing Steps:
1. Review the incident response plan to determine if a process is in place to communicate with external stakeholders (e.g., end users, suppliers, third parties, customers) following an incident.
NIST Ref. to COBIT 5: BAI08.01

Process Sub-Area: Analysis
Control Objective: Analysis is conducted to ensure adequate response and support recovery activities.

Control: Notifications from detection systems are investigated.
Testing Steps:
1. Obtain evidence of event notifications (e.g., detection alerts, reports) from information systems (e.g., account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools, physical access, temperature and humidity, anomalous activity, use of mobile code).
2. Determine who receives alerts or reports from detection systems and what actions are taken once reports are received.
3. Review the incident response plan to determine if actions taken follow the plan.
NIST Ref. to COBIT 5: DSS02.07
Additional Ref. COBIT 5: DSS02.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.4.1; A.12.4.3; A.16.1.5

Control: The impact of the incident is understood.
Testing Steps:
1. Review the incident response plan to determine if there is a process to formally analyze and classify incidents based on their potential impact.
2. Review the resumes and education of incident response team members responsible for determining incident impact to determine if they have the knowledge and experience to adequately understand potential impact.
NIST Ref. to COBIT 5: DSS02.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.6

Control: Forensics are performed.
Testing Steps:
1. Review the incident response plan as it relates to forensics. Consider the following:
a. There is a process in place to ensure forensics will be performed when needed.
b. Determine if security investigations and forensic analysis are performed by qualified staff or third parties.
c. Review forensics procedures to ensure they include controls, such as chain of custody, to support potential legal action.
NIST Ref. to COBIT 5: DSS02.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.7


Control: Incidents are categorized consistent with response plans.
Testing Steps:
1. Review the incident response plan to determine if it is designed to prioritize incidents, enabling a rapid response for significant incidents or vulnerabilities.
2. Obtain copies of reports from recent incidents to validate reporting is consistent and follows the plan.
NIST Ref. to COBIT 5: DSS02.01; DSS02.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.4

Process Sub-Area: Mitigation
Control Objective: Activities are performed to prevent expansion of an event, mitigate its effects and eradicate the incident.

Control: Incidents are contained.
Testing Steps:
1. Review the incident response plan to determine if appropriate steps are in place to contain an incident. Consider the following:
a. Steps to contain and control the incident to prevent further harm
b. Procedures to notify potentially impacted third parties
c. Strategies to control different types of incidents (e.g., distributed denial-of-service [DDoS], malware, etc.)
NIST Ref. to COBIT 5: DSS02.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.5

Control: Incidents are mitigated.
Testing Steps:
1. Review the incident response plan to determine if appropriate steps are in place to mitigate the impact of an incident. Consider the following:
a. Steps to mitigate the incident to prevent further harm
b. Procedures to notify potentially impacted third parties
c. Strategies to mitigate the impact of different types of incidents (e.g., distributed denial-of-service [DDoS], malware, etc.)
2. Review any documented incidents to determine whether mitigation efforts were implemented and effective.
NIST Ref. to COBIT 5: DSS02.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.2.1; A.16.1.5

Control: Newly identified vulnerabilities are mitigated or documented as accepted risk.
Testing Steps:
1. Determine if the organization's continuous monitoring programs (e.g., risk assessments, vulnerability scanning) facilitate ongoing awareness of threats, vulnerabilities and information security to support organizational risk management decisions. Consider the following:
a. Is the process continuous (at a frequency sufficient to support organizational risk-based decisions)?
b. Results generate appropriate risk response (e.g., mitigation strategy, acceptance) based on the organization's risk appetite.
NIST Ref. to COBIT 5: DSS03.01; EDM03.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.6.1

Process Sub-Area: Improvements
Control Objective: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

Control: Response plans incorporate lessons learned.
Testing Steps:
1. Review the organization's incident handling reports and incident testing documentation for action items and lessons learned.
2. Evaluate the incident response plan to determine if results (e.g., action items, lessons learned) from real-world incidents and incident testing have been used to update incident response procedures, training and testing.
NIST Ref. to COBIT 5: BAI01.13
Additional Ref. COBIT 5: DSS02.07
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.6

Control: Response strategies are updated.
Testing Steps:
1. Review the organization's incident response and business continuity strategies and plans. Consider the following:
a. There is a mechanism in place to regularly review, improve, approve and communicate the plans.
b. The organization's response capability is informed by actual incidents, tests and current threats.
NIST Ref. to COBIT 5: DSS02.07



NIST Cybersecurity Framework - Recover ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Recover

Process Sub-Area: Recovery Planning
Control Objective: Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

Control: Recovery plan is executed during or after an event.
Testing Steps:
1. Obtain a copy of the organization's recovery plans and procedures (e.g., business continuity plan, incident response plan, disaster recovery plan, cybersecurity incident plan) and the documented results of recent cybersecurity events or event tests.
2. Evaluate documentation for the following:
a. Frequency of testing
b. Coverage of critical pieces of the organization's recovery plans and procedures
c. Documentation of incidents (e.g., power outages, communication failures, system outages, attempted and successful malicious or careless unauthorized access or disruption)
NIST Ref. to COBIT 5: DSS02.05; DSS03.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.5

Process Sub-Area: Improvements
Control Objective: Recovery planning and processes are improved by incorporating lessons learned into future activities.

Control: Recovery plans incorporate lessons learned.
Testing Steps:
1. Obtain a copy of results of recent cybersecurity events or event tests.
2. Evaluate documentation for the following:
a. Documented lessons learned and analysis of failed or missing controls
b. Action items designed to improve recovery plans and procedures based on the lessons learned and analysis
NIST Ref. to COBIT 5: BAI05.07
Additional Ref. COBIT 5: DSS04.05; DSS04.08

Control: Recovery strategies are updated.
Testing Steps:
1. Obtain a copy of the organization's recovery plans and procedures (e.g., business continuity plan, incident response plan, disaster recovery plan, cybersecurity incident plan) and the documented results of recent cybersecurity events or event tests.
2. Determine if recovery plans and procedures are reviewed, updated and approved on a regular basis or as changes are made to systems and controls.
3. Review recovery plans and procedures to determine if action items resulting from lessons learned during cybersecurity events and event tests have been implemented.
NIST Ref. to COBIT 5: BAI07.08
Additional Ref. COBIT 5: DSS04.05; DSS04.08

Process Sub-Area: Communications
Control Objective: Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs and vendors.

Control: Public relations are managed.
Testing Steps:
1. Obtain a copy of the organization's recovery plans and procedures (e.g., business continuity plan, incident response plan, disaster recovery plan, cybersecurity incident plan).
2. Determine if the plans and procedures include the following:
a. Designation of points of contact within the organization to communicate with customers, partners, media, regulators and law enforcement
b. Training for employees regarding where to refer questions about cybersecurity incidents
c. Order of succession of key positions responsible for managing the organization's reputation risk during cybersecurity incidents
d. Timely and responsible notification of customers, partners, regulators and law enforcement of a cybersecurity incident
NIST Ref. to COBIT 5: EDM03.02
Additional Ref. COBIT 5: DSS04.03

Control: Reputation after an event is repaired.
Testing Steps:
1. Obtain documented results of recent cybersecurity events. Determine whether the following are included:
a. Informing customers, partners, media, regulators and law enforcement, as applicable, of ongoing efforts to correct identified issues and final resolution
b. Specific efforts or plans to address reputation repair
NIST Ref. to COBIT 5: MEA03.02


Control: Recovery activities are communicated to internal stakeholders and executive and management teams.
Testing Steps:
1. Obtain a copy of meeting minutes where cybersecurity events are reported (e.g., Information Security Committee meetings, Board/management meetings, risk management meetings, Compliance Committee meetings).
2. Obtain a copy of documented results of recent cybersecurity events.
3. Compare meeting minutes to documented cybersecurity events and determine if recovery activities notified applicable stakeholders and management members (e.g., Board members, stockholders, C-level executives, risk management managers, affected department managers).
NIST Ref. to COBIT 5: DSS04.06; EDM05.03
