opexxx

##Governance
#Evaluate, Direct and Monitor
EDM01  Ensured Governance Framework Setting and Maintenance
EDM02  Ensured Benefits Delivery
EDM03  Ensured Risk Optimization
EDM04  Ensured Resource Optimization
EDM05  Ensured Stakeholder Engagement
##Management
#Align, Plan and Organize
APO01  Managed I&T Management Framework

opexxx

Response Planning
RS.RP-1: Response plan is executed during or after an incident
Communications 
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness 
Analysis
RS.AN-1: Notifications from detection systems are investigated 

opexxx

Recovery Planning
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
Improvements
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated
Communications
RC.CO-1: Public relations are managed
RC.CO-2: Reputation after an event is repaired
RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams

opexxx

Anomalies and Events
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are collected and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established
Continous Monitoring
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events

opexxx

Identity Management
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.AC-6: Identities are proofed and bound to credentials, and asserted in interactions when appropriate
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
Awareness and Training
PR.AT-1: All users are informed and trained 

opexxx

Asset Management
ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Business Environment
ID.BE-1: The organization’s role in the supply chain is identified and communicated
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated

opexxx

Code of practice for information security controls based on ISO/IEC 27002 for cloud services		
Note: Only those controls that are listed in the ISO/IEC 27017 standard that apply to Cloud Service Customers (CSCs) are shown here.		
		
 AREA/SECTION	SUB-SECTION	ISO/IEC 27017 CSC REQUIREMENTS
		
A.5 Information security policies		
A.5.1 Management direction for information security	
A.5.1.1 Policies for information security	Is there an information security policy for cloud computing?
Does the policy consider the specific risks associated with using cloud services?
		

opexxx

Ques Num	SIG Question Text	Domain
C.1	Are responsibilities for asset protection and for carrying out specific information security processes clearly identified and communicated to the relevant parties?	Organizational Security
C.1.7	Do the processes include residual risk acceptance responsibilities?	Organizational Security
C.2	Does the organization's executive leadership ensure information security policy is established and aligned with organizational strategy, and communicated to the entire organization?	Organizational Security
C.2.1	Does the organization's executive leadership communicate the mandate of information security awareness, compliance and effectiveness to the entire organization?	Organizational Security
C.2.2	Does the organization's board of directors or ownership ensure information security programs are funded sufficiently to meet the organization's objectives?	Organizational Security
C.2.3	Does the organization's board of directors or ownership require management to regularly demonstrate that th

opexxx

CID	Criteria	Points of Focus
CC1.1	COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.	
		Sets the Tone at the Top—The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
		Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners.
		Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
		Addresses Deviations in a Timely Manner—Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.
		Considers Contracto

opexxx

FID	FUNCTION	CID	CATEGORY	CATEGORY_DESCRIPTION	SID	SUBCATEGORY
ID	IDENTIFY (ID)	ID.AM	Asset Management (ID.AM)	Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.	ID.AM-1	ID.AM-1: Physical devices and systems within the organization are inventoried
					ID.AM-2	ID.AM-2: Software platforms and applications within the organization are inventoried
					ID.AM-3	ID.AM-3: Organizational communication and data flows are mapped
					ID.AM-4	ID.AM-4: External information systems are catalogued
					ID.AM-5	ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value 
					ID.AM-6	ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are