IMC_02 – Dictionary of Cyber-resilience Improvement Indicators (CII)
May 2019
imc_02_dictionary-indicators.pdf, version 1.1
This publication is owned by INCIBE (Instituto Nacional de Ciberseguridad) and is licensed under a Creative Commons Attribution-NonCommercial 3.0 Spain license. It is therefore permitted to copy, distribute and publicly communicate this work under the following conditions:
Acknowledgement. The content of this report may be reproduced in whole or in part by third parties, citing its origin and making express reference to INCIBE or INCIBE-CERT and its website: https://www.incibe.es/. Such acknowledgement may in no case suggest that INCIBE endorses the third party or the use it makes of the work.
Non-Commercial Use. The original material and derivative works may be distributed, copied and exhibited as long as they are not used for commercial purposes.
When reusing or distributing the work, you must make clear the terms of its license. Some of these conditions may not apply if you obtain permission from INCIBE-CERT as the copyright holder. Full text of the license: https://creativecommons.org/licenses/by-nc-sa/3.0/es/.
DICTIONARY OF CYBER-RESILIENCE IMPROVEMENT INDICATORS (CII)
INDEX
1. Object of the document
2. Indicators
  2.1. Anticipate
    2.1.1. Cybersecurity Policy (CP)
    2.1.2. Risk Management (RM)
    2.1.3. Cybersecurity Training (CT)
  2.2. Resist
    2.2.1. Vulnerability Management (VM)
    2.2.2. Continuous Supervision (CS)
  2.3. Recover
    2.3.1. Incident Management (IM)
    2.3.2. Service Continuity Management (SCM)
  2.4. Evolve
    2.4.1. Configuration and Change Management (CCM)
    2.4.2. Communication (CM)
3. Acronyms
4. References
TABLE INDEX
Table 1: Metric A-PC-OE2-02: Identify cyber resilience requirements for the essential service chosen.
Table 2: Metric A-PC-OE4-01: Collaborate with public entities in the cyber resilience field.
Table 3: Metric A-PC-OE4-02: Collaborate with other private entities in cyber resilience matters.
Table 4: Metric A-GR-OE1-03: Establish, implement and maintain a formal and documented Business Impact Analysis (BIA) process on the activities and processes that support the essential service.
Table 5: Metric A-GR-OE1-04: Estimate the Maximum Tolerable Downtime (MTD) or time that an essential service may be down before unacceptable effects occur.
Table 6: Metric A-GR-OE1-05: Identify the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the essential service.
Table 7: Metric A-GR-OE2-02: Identify risks and risk tolerance levels.
Table 8: Metric A-FO-OE2-01: Carry out training activities in cyber resilience.
Table 9: Metric A-FO-OE3-01: Carry out awareness activities in cyber resilience.
Table 10: Metric T-GV-OE1-03: Establish a vulnerability identification process.
Table 11: Metric T-GV-OE1-04: Establish and maintain a process of classification, categorization and prioritization of vulnerabilities.
Table 12: Metric T-GV-OE1-05: Establish a vulnerability analysis process.
Table 13: Metric T-GV-OE1-06: Establish and maintain an updated vulnerability repository.
Table 14: Metric T-GV-OE2-02: Initiate actions to manage exposure to identified vulnerabilities.
Table 15: Metric T-GV-OE2-04: Observe exposure to identified vulnerabilities.
Table 16: Metric T-GV-OE2-05: Estimate the average time from the identification of a vulnerability to the notification to the responsible party.
Table 17: Metric T-GV-OE2-06: Estimate the average time from when a security patch is announced until it is applied to the targeted vulnerability.
Table 18: Metric T-GV-OE2-07: Estimate the average time to remediate identified vulnerabilities that cannot be remediated through updates or patches.
Table 19: Metric T-SC-OE1-01: Permanently supervise essential services.
Table 20: Metric T-SC-OE1-02: Monitor the existence of unauthorized software and hardware in systems that support essential services.
Table 21: Metric T-SC-OE1-03: Supervise communications networks to detect unauthorized connections.
Table 22: Metric T-SC-OE1-04: Estimate the time between the identification of a cyber incident and its escalation to those responsible for resolving it.
Table 23: Metric R-GI-OE1-01: Establish a process to detect, report and notify events.
Table 24: Metric R-GI-OE1-02: Establish a process to estimate the time between an event occurrence and its detection.
Table 25: Metric R-GI-OE2-01: Procedure for classifying and assessing cyber incidents.
Table 26: Metric R-GI-OE2-02: Document and convey the criteria for identifying and recognizing cyber incidents.
Table 27: Metric R-GI-OE2-03: Analyze cyber incidents to determine an appropriate response.
Table 28: Metric R-GI-OE3-01: Establish a process of escalation to those responsible for responding to and recovering from cyber incidents.
Table 29: Metric R-GI-OE3-06: Establish a process for estimating the response and recovery capacity of cyber incidents.
Table 30: Metric R-GI-OE4-03: Establish a process for estimating the average time of a cyber incident's impact on the essential service.
Table 31: Metric R-GI-OE5-03: Coordination with other agencies in the response to cyber incidents.
Table 32: Metric R-CS-OE1-01: Develop a Continuity Plan to ensure the provision of essential service.
Table 33: Metric R-CS-OE1-06: Define RTO in the Continuity Plan.
Table 34: Metric R-CS-OE2-04: Test the Continuity Plan.
Table 35: Metric R-CS-OE3-03: The average time elapsed from the interruption of essential service until its recovery to an acceptable level.
Table 36: Metric R-CS-OE3-04: The average time elapsed since the interruption of the essential service and its recovery to the usual level of service.
Table 37: Metric R-CS-OE1-02: Identify and prioritize external dependencies related to the provision of the essential service.
Table 38: Metric R-CS-OE2-01: Identify and manage risks associated with external dependencies.
Table 39: Metric R-CS-OE3-04: Establish specific cyber resilience agreements with those third parties involved in the provision of the essential service.
Table 40: Metric R-CS-OE4-01: Supervise and manage the operation of external dependencies.
Table 41: Metric R-CS-OE5-01: Identify and prioritize public service dependencies.
Table 42: Metric R-CS-OE5-02: Identify and prioritize the dependencies of basic utilities and telecommunications suppliers.
Table 43: Metric E-CC-OE1-01: Manage the configuration of information and technology assets.
Table 44: Metric E-CM-OE1-02: Establish communication mechanisms outside the organization on cyber resilience issues.
Table 45: Metric E-CM-OE2-02: Ensure the availability of internal or external communication channels required by the essential service.
Table 46: Metric E-CM-OE3-02: Communicate the continuity strategy to the entire organization.
1. OBJECT OF THE DOCUMENT
This dictionary describes the Cyber resilience Improvement Indicators (CII) for organizations and companies in industrial sectors and industrial critical infrastructures, covering both the IT (Information Technology) and OT (Operational Technology) fields.
These indicators can be used to define maturity surveys, for each company, sector or group of companies, that determine the levels of resilience (for the goals anticipate, resist, recover and evolve) corresponding to the provision of its essential services.
All indicators are rated according to the criteria of the assessment methodology described in the document IMC_01 – Methodology for Assessing Cyber resilience Improvement Indicators (CII).
2. INDICATORS
This section describes each of the cyber resilience improvement indicators in its own table.
The indicators are identified with a code (X-XX-OEN-NN) consisting of:
- X: the letter that corresponds to the goal according to the methodology. As the table index shows, the letters used in this dictionary are A (Anticipate), T (Resist), R (Recover) and E (Evolve).
- XX: the two letters that indicate the functional domain according to the methodology (PC, GR, FO, GV, SC, GI, CS, CC and CM in this dictionary; the codes follow the Spanish names of the domains).
- OEN: the letters OE (specific objective, from the Spanish "Objetivo Específico") followed by a number that identifies each of the specific objectives.
- NN: the number that identifies each metric.
For the definition of "essential service"[1], Ley 8/2011 (Spanish Act 8/2011) of 28 April, establishing measures for the protection of critical infrastructures, is taken as the reference.
Each table includes the following fields: identification, characterization, collection and analysis.
The identification field contains the following subfields:
- the indicator code, as described above;
- the goal to which it belongs;
- the functional domain in which it is assessed;
- the indicator's objective;
- the indicator's description;
- the question asked; and
- the correlation subfield, listing the guidelines, standards and rules on which each indicator is based.
The characterization field establishes and describes the scale of levels on which the organization identifies its compliance status for each indicator: L0, L1, L2, L3, L4 or L5.
The collection field details the method of collecting the information for the indicator and the person responsible for doing so.
Finally, the table includes the analysis field, with two subfields:
- Objective measure: the optimum level that the organization must reach.
- Indicator, with two elements: positive values and corrective measures. The first gives the justification on which the organization can be considered to be at a high level; the second lists the measures the organization should take to raise its level on the scale for that indicator.
[1] A service that is necessary for the maintenance of basic social functions, health, safety, social and economic welfare of citizens, or the effective functioning of State Institutions and Public Administrations.
2.1. Anticipate
The tables below describe the nine (9) metrics corresponding to the goal Anticipate,
grouped by the corresponding functional domains as defined in the methodology.
2.1.1. Cybersecurity Policy (CP)
FIELD INFORMATION
IDENTIFICATION
Code: A-PC-OE2-02
Goal: ANTICIPATE
Functional Domain: CYBERSECURITY POLICY
Indicator's Objective: Identify cyber resilience requirements for the essential service chosen.
Description: Cyber resilience requirements are established for the essential service identified as having the highest impact. The point is to know to what extent cyber resilience is conceived as something different and specific within cybersecurity. To measure cyber resilience, at least one essential critical service must be identified.
This indicator measures the organization's degree of commitment to defining the specific objectives of cyber resilience (for the essential service identified as having the greatest impact) and the requirements needed to meet them. Where several essential services have been identified, a survey can be conducted for each of them. Separate surveys can also be conducted for the OT and IT fields.
If the essential service belongs to the OT field, the cyber resilience requirements should include, for example, protecting remote access from the Internet to the elements that support the essential service, such as PLCs, HMIs, RTUs, etc.
Question: Have cyber resilience requirements been established for an essential service (choosing the one whose interruption or alteration causes the greatest impact)?
Correlation:
ISO/IEC 27001:2017 [A.5.1.1], [A.14.1.1]
NIST SP 800-53 R4 [PM-7], [SA-2], [SA-13]
ENS [org.1]
Guía contenidos mínimos PSO (3.1, 3.3)
NIS Directive (recitals 2, 24)
CHARACTERIZATION
Scale:
L0 - No cyber resilience requirements have been established.
L1 - Identification of cyber resilience requirements has been initiated.
L2 - Cyber resilience requirements have been established but have not yet been documented.
L3 - Cyber resilience requirements have been documented and are kept up to date.
L4 - Cyber resilience requirements are managed, updated and verified.
L5 - Improvement actions are applied to the definition of cyber resilience requirements.
COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO
ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization has identified and documented the cyber resilience requirements for the identified essential service, and that these requirements are accurate and up to date. These requirements should make it possible to manage risks, vulnerabilities, incidents, service continuity, and configurations and changes, reducing the impact of interruption or alteration of the identified essential services.
Indicator, corrective measures: Identify, document and review the cyber resilience requirements of the identified essential service. Update the documentation associated with the cybersecurity policy.
Table 1: Metric A-PC-OE2-02: Identify cyber resilience requirements for the essential service chosen.
FIELD INFORMATION
IDENTIFICATION
Code: A-PC-OE4-01
Goal: ANTICIPATE
Functional Domain: CYBERSECURITY POLICY
Indicator's Objective: Collaborate with public entities in the cyber resilience field.
Description: Establish a formal agreement of mutual assistance, cooperation or information exchange with public entities in the cyber resilience field, for example with an incident response center or CERT.
A formal agreement is understood as one embodied in a document approved by the Board of Directors.
Question: Has any formal agreement on mutual assistance, cooperation or information exchange with public entities in the cyber resilience field been established?
Correlation:
ISO/IEC 27001:2017 [A.5.1.1], [A.6.1.3]
NIST SP 800-53 R4 [PM-7], [AT-5], [PM-15]
ENS [org.1]
Guía contenidos mínimos PSO (2.2.4)
NIS Directive (recitals 24, 35, 47, 59, 62, 67; article 8, point 7)
CHARACTERIZATION
Scale:
L0 - No agreement has been established with public entities.
L1 - The establishment of an agreement with public entities has been initiated.
L2 - An agreement has been established, but it is not formal (it has not been documented or approved by the Board of Directors).
L3 - An agreement has been documented and approved by the Board of Directors, and it is kept up to date.
L4 - Formally established agreements are managed, updated and verified.
L5 - Improvement actions are applied to the formally established agreements with public entities.
COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO
ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization has established mutual aid, collaboration or cyber resilience information exchange agreements with public entities, ensuring the collaboration or support of external entities, if necessary, in the event of a cyberattack that may leave essential services unavailable. This exchange of information improves anticipation in incident and vulnerability management and in essential service continuity.
Indicator, corrective measures: Establish, formalize and review agreements with public entities to ensure mutual cooperation in the event of a cyberattack.
Table 2: Metric A-PC-OE4-01: Collaborate with public entities in the cyber resilience field.
FIELD INFORMATION
IDENTIFICATION
Code: A-PC-OE4-02
Goal: ANTICIPATE
Functional Domain: CYBERSECURITY POLICY
Indicator's Objective: Collaborate with other private entities in cyber resilience matters.
Description: Establish formal agreements for mutual assistance, cooperation or information exchange with private entities in the field of cyber resilience, such as cybersecurity consultancy companies, suppliers and other companies in the sector.
A formal agreement is understood as one embodied in a document approved by the Board of Directors.
Question: Has any formal agreement on mutual assistance, cooperation or information exchange with other private entities in the field of cyber resilience been established?
Correlation:
ISO/IEC 27001:2017 [A.5.1.1], [A.6.1.4]
NIST SP 800-53 R4 [PM-7], [AT-5], [PM-15]
ENS [org.1]
NIS Directive (recital 35; article 13)
CHARACTERIZATION
Scale:
L0 - No agreement has been established with private entities.
L1 - The establishment of an agreement with private entities has been initiated.
L2 - Some agreement has been established, but it is not formal (it has not been documented or approved by the Board of Directors).
L3 - Some agreement has been documented and approved by the Board of Directors, and it is kept up to date.
L4 - Formally established agreements are managed, updated and verified.
L5 - Improvement actions are applied to the formally established agreements with private entities.
COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO
ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization has regularly established and updated mutual aid, collaboration or cyber resilience information exchange agreements with private entities, ensuring the collaboration or support of external entities, if necessary, in the event of a cyberattack that may leave essential services unavailable. This exchange of information improves anticipation in incident and vulnerability management and in essential service continuity.
Indicator, corrective measures: Establish, formalize and review agreements with private entities to ensure mutual cooperation in the event of a cyberattack.
Table 3: Metric A-PC-OE4-02: Collaborate with other private entities in cyber resilience matters.
2.1.2. Risk Management (RM)
FIELD INFORMATION
IDENTIFICATION
Code: A-GR-OE1-03
Goal: ANTICIPATE
Functional Domain: RISK MANAGEMENT
Indicator's Objective: Establish, implement and maintain a formal and documented Business Impact Analysis (BIA) process on the activities and processes that support the essential service.
Description: Identify the impact of a disruption or alteration of essential service provision on its processes and activities, assessing which of them are most critical.
The point is to know whether a Business Impact Analysis (BIA) is carried out that analyzes the consequences of an interruption of provision or an alteration of the essential service, in order to identify the critical processes and activities that support this service and to prioritize their recovery.
It should be ensured that risk treatment is prioritized according to its criticality for the organization or for society (people affected and economic, environmental, public and social impact).
Question: Has the impact of a disruption or alteration of the essential service on the processes and activities that support it been identified? And which of these processes and activities are most critical in terms of this impact?
Correlation:
ISO/IEC 31000:2018
NIST SP 800-53 R4 [RA-2], [RA-3], [PM-9], [PM-11], [SA-14]
ENS [op.pl.1]
Guía contenidos mínimos PSO (4.1, 4.4)
Guía contenidos mínimos PPE (4.2, 4.3)
NIS Directive (article 15, points 2 and 3)
CHARACTERIZATION
Scale:
L0 - The analysis of the impact of an interruption of provision or alteration of the essential service has not been initiated.
L1 - The analysis of the impact of an interruption of provision or alteration of the essential service has been initiated.
L2 - The impact of an interruption or alteration of essential service provision on its processes and activities has been established, assessing which of them are more critical, but it has not yet been documented.
L3 - The analysis of the impact of an interruption of provision or alteration of the essential service has been documented and is kept up to date.
L4 - The analysis of the impact of an interruption of provision or alteration of the essential service is managed, updated and verified.
L5 - Improvement actions are applied to the analysis of the impact of an interruption of provision or alteration of the essential service.
COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO
ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization has identified and prioritized the possible impacts on the processes and activities that support the essential service in the event of an interruption or alteration, based on a Business Impact Analysis (BIA).
Indicator, corrective measures: Identify the possible impact that an interruption would cause on the different processes and activities that support the essential services. Categorize these impacts to prioritize their treatment.
Table 4: Metric A-GR-OE1-03: Establish, implement and maintain a formal and documented Business Impact Analysis (BIA) process on the activities and processes that support the essential service.
FIELD INFORMATION
IDENTIFICATION
Code: A-GR-OE1-04
Goal: ANTICIPATE
Functional Domain: RISK MANAGEMENT
Indicator's Objective: Estimate the Maximum Tolerable Downtime (MTD) or time that an essential service may be down before unacceptable effects occur.
Description: Estimate the maximum duration of an interruption or alteration of essential service provision that is considered tolerable. Internal procedures, guidelines and reference standards, or qualitative factors based on intuition, can be used as the calculation criteria.
Question: Has the maximum acceptable length of time for an interruption or alteration of the essential service been estimated? Please indicate in the comment box who established that time (CEO, CIO, CISO, IT manager or other) and what criteria were used to determine it.
Correlation:
ISO/IEC 31000:2018
NIST SP 800-53 R4 [RA-2], [RA-3], [PM-9], [PM-11], [SA-14]
ENS [op.pl.1]
Guía contenidos mínimos PPE (4.2)
NIS Directive (recitals 27, 33)
CHARACTERIZATION
Scale:
L0 - The maximum tolerable duration of an interruption or alteration of essential service provision has not been estimated.
L1 - The estimation of the maximum tolerable duration of an interruption or alteration of essential service provision has been initiated.
L2 - It has been determined how to estimate the maximum tolerable duration of an interruption or alteration of essential service provision, but this has not yet been documented.
L3 - The procedure to estimate the maximum tolerable duration of an interruption or alteration of essential service provision has been documented and is kept up to date.
L4 - The procedure to estimate the maximum tolerable duration of an interruption or alteration of essential service provision is managed, updated and verified.
L5 - Improvement measures are applied to the procedure to estimate the maximum tolerable duration of an interruption or alteration of essential service provision.
COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO
ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization has estimated the maximum tolerable period of interruption for the essential service. This estimate is based on objective criteria and is reviewed periodically.
Indicator, corrective measures: Establish the criteria to estimate the maximum tolerable period of interruption for each process and activity of the essential service for which the survey is being conducted. Document, review and manage the maximum tolerable interruption time for this essential service.
Table 5: Metric A-GR-OE1-04: Estimate the Maximum Tolerable Downtime (MTD) or time that an essential service may be down before unacceptable effects occur.
FIELD INFORMATION
IDENTIFICATION
Code: A-GR-OE1-05
Goal: ANTICIPATE
Functional Domain: RISK MANAGEMENT
Indicator's Objective: Identify the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the essential service.
Description: In the event of an interruption or alteration of the essential service, and in order to manage its recovery, the RTO and RPO values must be established, disaggregated for the processes and activities that support the essential service.
The RTO is the target time set as the maximum acceptable for service recovery, even at a degraded level of functionality, following a disaster affecting service provision; that is, the time within which recovery must be achieved without major consequences for the essential service. If recovery is not achieved within that time, the consequences can be very serious.
The RPO refers to the volume of data at risk of loss that the organization considers tolerable. It sets the target for the maximum possible loss of data entered from the last backup performed until the collapse of the essential service; in practice it is usually expressed as a time window, i.e. the maximum age of the last usable backup. If the data loss exceeds that volume, the consequences can be very serious.
Internal procedures, guidelines and reference standards, or qualitative factors based on intuition, may be followed as criteria for determining these values.
Question: Have the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the essential service (in the event of its interruption or alteration) been identified? Please indicate in the comment box what criteria were used to determine the RTO and RPO values.
Correlation:
ISO/IEC 31000:2018
NIST SP 800-53 R4 [RA-2], [RA-3], [PM-9], [PM-11], [SA-14]
ENS [op.pl.1]
Guía contenidos mínimos PPE (4.2)
NIS Directive (recital 69)
CHARACTERIZATION
Scale:
L0 - RTO and RPO have not been identified for risk management in the provision of the essential service.
L1 - Identification of RTO and RPO for risk management in the provision of the essential service has been initiated.
L2 - RTO and RPO have been established for risk management in the provision of the essential service but have not yet been documented.
L3 - The RTO and RPO for risk management in the provision of the essential service have been documented and are kept up to date.
L4 - RTO and RPO for risk management in the provision of the essential service are managed, updated and verified.
L5 - Improvement actions are applied to the definition of RTO and RPO for risk management in the provision of the essential service.
COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO
ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization has identified the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the essential service for which the survey is being conducted. This estimate is based on objective criteria.
Indicator, corrective measures: Establish the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the essential service for which the survey is being conducted. Document, review and update the RTO and RPO of that essential service.
Table 6: Metric A-GR-OE1-05: Identify the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the essential service.
20 DICTIONARY OF CYBER-RESILIENCE IMPROVEMENT INDICATORS (CII)
FIELD INFORMATION
IDENTIFICATION
Code A-GR-OE2-02
Goal ANTICIPATE
Functional Domain RISK MANAGEMENT
Indicator’s Objective Identify risks and risk tolerance levels.
Description
Define risk tolerance thresholds that trigger the execution of the different risk treatment actions: avoid, mitigate, transfer or accept. The aim is to assess whether the risk management carried out by the organization triggers these treatment actions when a risk exceeds the acceptable limits established by the organization.
If the essential service belongs to the OT scope, this means defining thresholds for the risks affecting assets related to the OT infrastructure, for example default configurations, lack of encryption and other risks inherent to SCADA systems.
Question
Have risk tolerance thresholds that would trigger the treatment of risk in any of its variants (avoid, mitigate, transfer or accept) been established?
Correlation
ISO/IEC 31000:2018
NIST SP 800-53 R4 [RA-2], [RA-3], [PM-9], [PM-11], [SA-14]
ENS [op. pl. 1]
Guía contenidos mínimos PSO (4.1, 4.4)
NIS (Directives 49, 57)
CHARACTERIZATION
Scale
L0 - No risk tolerance thresholds have been identified.
L1 - Identification of risk tolerance thresholds has been initiated.
L2 - Risk tolerance thresholds have been established but not documented.
L3 - Risk tolerance thresholds and associated treatment actions have been documented. This information is kept up to date.
L4 - Risk tolerance thresholds and associated treatment actions are managed, updated and verified.
L5 - Improvement actions are applied in the definition of risk tolerance thresholds and their associated treatment.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that the organization has defined risk tolerance thresholds for the essential service which trigger the execution of risk treatment actions (avoid, mitigate, transfer or accept) to prevent the risk from exceeding these thresholds.
Corrective measures
- Identify and establish risk tolerance thresholds for the essential service for which we are conducting the survey.
- Document, manage and update risk tolerance thresholds for the essential service for which we are conducting the survey.
Table 7: Metric A-GR-OE2-02: Identify risks and risk tolerance levels.
2.1.3. Cybersecurity Training (CT)
FIELD INFORMATION
IDENTIFICATION
Code A-FO-OE2-01
Goal ANTICIPATE
Functional Domain CYBERSECURITY TRAINING
Indicator’s Objective Carry out training activities in cyber resilience.
Description
Define and implement a cyber resilience training plan for staff involved in the essential service. It deals with knowing whether the development of knowledge and skills is promoted among users directly or indirectly involved in the provision of the essential service, to support their functions in achieving and maintaining cyber resilience.
The training plan may include any cyber resilience education initiative aimed at these users, including their participation in cyber-exercises.
Question
Has a cyber resilience training plan for staff involved in the essential service been defined and implemented?
Correlation
ISO/IEC 27001:2017 [A. 7.2.2]
NIST SP 800-53 R4 [AT-1], [AT-3], [PM-13], [PM-14]
ENS [MP. Per. 4]
Guía contenidos mínimos PSO (2.2.2)
NIS (Directives 36, 38)
CHARACTERIZATION
Scale
L0 - No cyber resilience training plan is in place.
L1 - Definition of a training plan has begun.
L2 - A training plan has been established but not documented.
L3 - A training plan and associated activities have been documented. This plan is kept up to date.
L4 - The training plan and associated activities are managed and verified.
L5 - Improvement actions are implemented in the training plan and associated activities.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that the organization carries out training activities or cyber-exercises aimed at educating its staff in cyber resilience. The training plan should be addressed to the organization's employees and, where relevant, to third-party contractors and users.
Corrective measures
- Plan, assign resources, inform staff and carry out training activities in cyber resilience or cyber-exercises aimed at educating the organization's staff in this area.
- Update these plans periodically.
Table 8: Metric A-FO-OE2-01: Carry out training activities in cyber resilience.
FIELD INFORMATION
IDENTIFICATION
Code A-FO-OE3-01
Goal ANTICIPATE
Functional Domain CYBERSECURITY TRAINING
Indicator’s Objective Carry out awareness activities in cyber resilience.
Description
Define and implement a cyber resilience awareness-raising plan. It deals with knowing whether a culture of cyber resilience that reaches all staff is promoted within the organization. This plan incorporates any cyber resilience awareness-raising initiative.
Question
Has a cyber resilience awareness plan been defined and implemented for all staff involved in the essential service?
Correlation
ISO/IEC 27001:2017 [A. 7.2.2]
NIST SP 800-53 R4 [AT-1], [PM-16], [AT-2], [PM-15], [PM-16]
ENS [MP. Per. 3]
Guía contenidos mínimos PSO (2.2.2)
NIS (Directives 36, 38)
CHARACTERIZATION
Scale
L0 - No cyber resilience awareness plan is in place.
L1 - The definition of an awareness plan has been initiated.
L2 - An awareness plan has been established but not documented.
L3 - An awareness plan and associated activities have been documented. This plan is kept up to date.
L4 - The awareness plan and associated awareness activities are managed and verified.
L5 - Improvement actions are implemented in the awareness plan and associated awareness activities.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that the organization carries out awareness-raising activities aimed at sensitizing the organization's staff to cyber resilience.
Corrective measures
- Plan, assign resources, inform staff and carry out awareness-raising activities in cyber resilience aimed at sensitizing the organization's staff to this matter.
- Update these plans regularly.
Table 9: Metric A-FO-OE3-01: Carry out awareness activities in cyber resilience.
2.2. Resist
The tables below describe the thirteen (13) metrics corresponding to the goal Resist, grouped by the corresponding functional domains as defined in the methodology.
2.2.1. Vulnerability Management (VM)
FIELD INFORMATION
IDENTIFICATION
Code T-GV-OE1-03
Goal RESIST
Functional Domain VULNERABILITY MANAGEMENT
Indicator’s Objective Establish a vulnerability identification process.
Description
Proactively discover, by consulting the available sources of information (manufacturers, CERTs, etc.), the vulnerabilities that affect the provision of the essential service. It deals with knowing whether the organization has, and regularly checks, up-to-date sources of vulnerability information (manufacturers, CERTs, distribution lists, newsgroups, automatic tools, etc.) appropriate to the software and hardware products that support the provision of the essential service.
If the essential service belongs to an OT environment, it deals with investigating those vulnerabilities that may affect its OT infrastructure components (PLC, RTU, HMI, SCADA, controllers, etc.).
Question
Are vulnerabilities that affect the provision of the essential service discovered proactively by checking the available sources of information (manufacturers, CERTs, etc.)?
Correlation
ISO/IEC 27001:2017 [A. 12.6.1]
NIST SP 800-53 R4 [CA-8], [RA-5], [SA-11], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2] [Op. exp. 3]
CHARACTERIZATION
Scale
L0 - No source of vulnerability information has been identified.
L1 - Identification of sources of vulnerability information has been initiated and they are reviewed on a timely basis.
L2 - A list of vulnerability sources has been established and is constantly reviewed, but it is not documented yet.
L3 - A list of sources of vulnerability information has been documented, is kept up to date and is constantly reviewed.
L4 - Vulnerability information sources are managed, updated and verified by reviewing the information they contain.
L5 - Improvement actions are applied in the definition of the list of vulnerability sources and in the review of their information.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that the organization performs an active review of the vulnerabilities that affect the essential service, establishing and checking sources of vulnerability information such as manufacturers, CERTs, distribution lists, newsgroups or automatic tools.
Corrective measures
- Identify and establish a list of vulnerability information sources.
- Document and review the list of vulnerability information sources.
Table 10: Metric T-GV-OE1-03: Establish a vulnerability identification process.
FIELD INFORMATION
IDENTIFICATION
Code T-GV-OE1-04
Goal RESIST
Functional Domain VULNERABILITY MANAGEMENT
Indicator’s Objective Establish and maintain a process of classification, categorization and prioritization of vulnerabilities.
Description
Classify, categorize and prioritize the remediation of the vulnerabilities that affect the provision of the essential service, so that a level of criticality is assigned to each vulnerability. For example, a vulnerability can be prioritized using the Common Vulnerability Scoring System (CVSS).
Question
Are vulnerabilities that affect the provision of the essential service classified, categorized and prioritized for their remediation?
Correlation
ISO/IEC 27001:2017 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SC-38], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2]
NIS (Directive 33)
CHARACTERIZATION
Scale
L0 - No categorization and prioritization of vulnerability remediation has been established.
L1 - The definition of categories and priorities for vulnerabilities has been initiated.
L2 - Vulnerability remediation categorization and prioritization has been established, but not documented.
L3 - A vulnerability remediation categorization and prioritization has been documented. It is kept up to date.
L4 - Vulnerability remediation categories and priorities are managed, updated and verified.
L5 - Improvement actions are applied in the categorization and prioritization of vulnerability remediation.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that the organization categorizes and prioritizes the remediation of vulnerabilities that affect the essential service for which the survey is being conducted. The level of criticality should be based on objective criteria, for example a matrix of criticality levels based on the score obtained through CVSS (or another system that has been chosen).
Corrective measures
Establish a mechanism to categorize and prioritize the remediation of vulnerabilities affecting essential services. For example, the following actions can be established based on priorities:
- Take no action.
- Fix immediately (typically for software or firmware updates or manufacturer changes).
- Develop and implement a vulnerability remediation strategy (when it involves actions that require more effort than, for example, a manufacturer update).
- Conduct additional research or analysis.
- Refer the vulnerability to the risk management process for formal risk consideration.
Table 11: Metric T-GV-OE1-04: Establish and maintain a process of classification, categorization and prioritization of vulnerabilities.
FIELD INFORMATION
IDENTIFICATION
Code T-GV-OE1-05
Goal RESIST
Functional Domain VULNERABILITY MANAGEMENT
Indicator’s Objective Establish a vulnerability analysis process.
Description
It deals with knowing whether the analysis of the vulnerabilities that can affect the essential service is carried out with appropriate tools and techniques to obtain an assessment of their impact, relevance and scope in the organization.
Question
Are the vulnerabilities that affect the provision of the essential service analyzed in order to assess their impact and relevance for the organization?
Correlation
ISO/IEC 27001:2013 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SC-38], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2]
Guía contenidos mínimos PSO (1.5)
NIS (Directive 33)
CHARACTERIZATION
Scale
L0 - Vulnerability analysis is not performed to assess their impact.
L1 - Vulnerability analysis has been initiated to assess their impact.
L2 - A procedure to assess the impact of vulnerabilities has been established but is not documented.
L3 - A vulnerability analysis procedure to assess their impact on the organization has been documented and is kept up to date.
L4 - Vulnerability analysis to assess their impact is managed, updated and verified.
L5 - Vulnerability analysis improvement actions are applied.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that the organization includes in its processes the analysis of vulnerabilities with appropriate tools and techniques that facilitate the assessment of their impact. As a result of this analysis, it will be determined whether the vulnerabilities are not relevant, whether they need to be addressed through a simple solution or whether they require the application of a formal resolution strategy.
Corrective measures
Establish a vulnerability analysis procedure, which may include the following activities:
- Understand the threat and the exposure to it.
- Review the vulnerability information to check whether it existed previously and determine what actions were taken to remediate or eliminate it.
- Identify and understand the underlying causes of exposure to the vulnerability.
- Prioritize and categorize vulnerabilities in order to take appropriate measures for their remediation.
- Refer the vulnerability to the risk management process when it requires a more in-depth analysis of the impact of the potential threat.
Table 12: Metric T-GV-OE1-05: Establish a vulnerability analysis process.
FIELD INFORMATION
IDENTIFICATION
Code T-GV-OE1-06
Goal RESIST
Functional Domain VULNERABILITY MANAGEMENT
Indicator’s Objective Establish and maintain an updated vulnerability repository.
Description
Maintain an updated repository of those vulnerabilities that affect the provision of the essential service. This repository must contain updated information on the life cycle of the vulnerabilities, with specific information on each of them, including the measures required to tackle them.
Question
Is there an updated repository of those vulnerabilities that affect the provision of the essential service?
Correlation
ISO/IEC 27001:2013 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SC-38], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2]
CHARACTERIZATION
Scale
L0 - A vulnerability repository with vulnerability information is not maintained.
L1 - The development of a vulnerability repository with vulnerability information and remediation has been initiated.
L2 - A vulnerability repository has been established with information about vulnerabilities and their remediation, but it is not documented.
L3 - The use of a vulnerability repository with information about vulnerabilities and their remediation has been documented.
L4 - A vulnerability repository with information about vulnerabilities and their remediation is managed, updated and verified.
L5 - Improvement actions are applied to the vulnerability repository with information about the vulnerabilities and their remediation.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that the organization maintains an updated repository of all known vulnerabilities, storing information about them and their remediation.
Corrective measures
Establish a repository of vulnerabilities with information on their life cycle. This repository must contain basic information such as:
- Unique identifier for internal reference of the vulnerability within the organization.
- Description of the vulnerability.
- Date of entry into the repository.
- Source references for the vulnerability.
- Importance of the vulnerability for the organization (critical, moderate, etc.).
- People or teams assigned to analyze and solve it.
- Registry of the remediation actions taken to reduce or eliminate the vulnerability.
Table 13: Metric T-GV-OE1-06: Establish and maintain an updated vulnerability repository.
FIELD INFORMATION
IDENTIFICATION
Code T-GV-OE2-02
Goal RESIST
Functional Domain VULNERABILITY MANAGEMENT
Indicator’s Objective Initiate actions to manage exposure to identified vulnerabilities.
Description
Take action to manage exposure to known vulnerabilities that affect the provision of the essential service. It deals with knowing whether strategies to remediate vulnerabilities are defined and implemented, particularly in the case of those that the organization considers to be of the highest priority or critical.
In addition, it deals with assessing whether these strategies are regularly reviewed in order to ensure their effective implementation and the achievement of their specific objectives.
Question
Are actions taken to manage exposure to known vulnerabilities affecting the provision of the essential service?
Correlation
ISO/IEC 27001:2013 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2], [Op. exp. 3]
Guía contenidos mínimos PSO (5)
Guía contenidos mínimos PPE (4.2, 5)
NIS (Directives 44, 46)
CHARACTERIZATION
Scale
L0 - No action is taken to manage exposure to vulnerabilities.
L1 - Actions have been initiated to manage exposure to known vulnerabilities.
L2 - A strategy has been established to manage exposure to known vulnerabilities, but it has not been documented yet.
L3 - A strategy for managing exposure to known vulnerabilities has been documented.
L4 - The effectiveness of activities to remedy known vulnerabilities is reviewed.
L5 - Improvement actions are applied to the strategy to remedy known vulnerabilities.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that the organization has developed and implemented a remediation strategy for those vulnerabilities whose exposure must be reduced or eliminated.
Corrective measures
Develop and implement an appropriate resolution strategy for those vulnerabilities that the organization has determined should be eliminated or reduced. This strategy may include actions to:
- Minimize the organization's exposure to the vulnerability (reduce the likelihood that the vulnerability will be exploited).
- Eliminate the organization's exposure to the vulnerability (eliminate the threat, the threat actor or the reason).
Table 14: Metric T-GV-OE2-02: Initiate actions to manage exposure to identified vulnerabilities.
FIELD INFORMATION
IDENTIFICATION
Code T-GV-OE2-04
Goal RESIST
Functional Domain VULNERABILITY MANAGEMENT
Indicator’s Objective Observe exposure to identified vulnerabilities.
Description
Monitor the status of unremediated vulnerabilities affecting the provision of the essential service. It deals with knowing whether a periodic follow-up is carried out and whether those vulnerabilities that have not been remediated are reported.
Question
Is the status of unremediated vulnerabilities affecting the provision of the essential service monitored?
Correlation
ISO/IEC 27001:2013 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2], [Op. exp. 3]
Guía contenidos mínimos SO (1.4)
Guía contenidos mínimos PPE (1.4, 2.4)
NIS (Directive 69)
CHARACTERIZATION
Scale
L0 - The status of unremediated vulnerabilities is not monitored.
L1 - Monitoring of unremediated vulnerabilities has started.
L2 - A procedure for monitoring unremediated vulnerabilities has been established but is not documented.
L3 - The procedure for monitoring unremediated vulnerabilities has been documented and is kept up to date.
L4 - Monitoring of unremediated vulnerabilities is managed, updated and verified.
L5 - Improvement actions are applied to the monitoring of unremediated vulnerabilities.
COLLECTION
Method of Collection
Manual. A personal or telephone interview is recommended in order to be able to interpret the results in greater detail.
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that unremediated vulnerabilities are monitored and reported regularly.
Corrective measures
- Monitor unremediated vulnerabilities and report them to those responsible.
- Document and update a procedure for unremediated vulnerabilities.
Table 15: Metric T-GV-OE2-04: Observe exposure to identified vulnerabilities.
FIELD INFORMATION
IDENTIFICATION
Code T-GV-OE2-05
Goal RESIST
Functional Domain VULNERABILITY MANAGEMENT
Indicator’s Objective Estimate the average time from the identification of a vulnerability to the notification to the responsible party.
Description
Estimate the average time from when a vulnerability affecting the provision of the essential service is discovered (through logs, alerts, etc.) until those responsible for its resolution are notified. For example, indicate whether alerts are generated and stored by a system that sends automatic notifications.
Please quantify (in hours) this time in the comments field and indicate how this value has been obtained.
Question
Is the average time between the discovery of a vulnerability affecting the provision of the essential service and the notification of those responsible for its remediation estimated?
Correlation
ISO/IEC 27001:2017 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2], [Op. exp. 3]
NIS (Directive 33)
CHARACTERIZATION
Scale
L0 - There is no estimate of the average time elapsed from when a vulnerability is known until it is communicated to the responsible parties.
L1 - The definition of the procedure for estimating the average time elapsed from when a vulnerability is known to when it is communicated to those responsible has been initiated.
L2 - A procedure has been established for estimating the average time elapsed from when a vulnerability is known until it is communicated to those responsible, but it has not been documented.
L3 - A procedure for estimating the average time elapsed from when a vulnerability is known until it is communicated to those responsible has been documented and is kept up to date.
L4 - The procedure to estimate the average time elapsed from when a vulnerability is known until it is communicated to those responsible is managed, updated and verified.
L5 - Improvement actions are applied in the procedure to estimate the average time elapsed from when a vulnerability is known until it is communicated to those responsible.
COLLECTION
Method of Collection
Manual. A personal or telephone interview is recommended in order to be able to interpret the results in greater detail.
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that there is an improved process for estimating the number of hours between the date on which a vulnerability affecting the provision of the essential service becomes known and the date of its communication to those responsible.
Corrective measures
- Review and improve the implementation of the procedure to estimate the average vulnerability notification time.
- Document and update the vulnerability notification time.
Table 16: Metric T-GV-OE2-05: Estimate the average time from the identification of a vulnerability to the notification to the responsible party.
FIELD INFORMATION
IDENTIFICATION
Code T-GV-OE2-06
Goal RESIST
Functional Domain VULNERABILITY MANAGEMENT
Indicator’s Objective Estimate the average time from when a security patch is announced until it is applied to the targeted vulnerability.
Description
This is the average time, in hours, between the date of availability of a patch or security update affecting an essential service and the date of its installation. For example, indicate whether there is a person responsible for reviewing the patch release date and application date, whether an automated system is used, etc.
Please quantify (in hours) this time in the comments field and indicate how this value has been obtained.
Question
Is the average time between the announcement of a security patch and its application to the system supporting the essential service estimated?
Correlation
ISO/IEC 27001:2017 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2], [Op. exp. 3]
CHARACTERIZATION
Scale
L0 - The average time from the announcement of a patch or security update until it is applied to the system that supports the essential service is not estimated.
L1 - The definition of the procedure for estimating the average time from the announcement of a patch or security update until it is applied to the system supporting the essential service has been initiated.
L2 - A procedure to estimate the average time from the announcement of a patch or security update until it is applied to the system has been established, but it has not been documented.
L3 - A procedure for estimating the average time from when a patch or security update is announced to when it is applied to the system has been documented and is kept up to date.
L4 - The procedure for estimating the average time from the announcement of a patch or security update until it is applied to the system is managed, updated and verified.
L5 - Improvement actions are applied to the procedure for managing the average time from the announcement of a patch or security update until it is applied to the system.
COLLECTION
Method of Collection
Manual. A personal or telephone interview is recommended in order to be able to interpret the results in greater detail.
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that there is an improved process to reduce the number of hours between the date of availability of a patch or security update that affects an essential service and the date of its installation.
Corrective measures
Review and improve the implementation of the patch and update management procedure.
Table 17: Metric T-GV-OE2-06: Estimate the average time from when a security patch is announced until it is applied to the targeted vulnerability.
FIELD INFORMATION
IDENTIFICATION
Code T-GV-OE2-07
Goal RESIST
Functional Domain VULNERABILITY MANAGEMENT
Indicator’s Objective Estimate the average time to remediate identified vulnerabilities that cannot be remediated through updates or patches.
Description
Estimate the average time spent on remediating known or identified vulnerabilities that affect the provision of the essential service when remediation by means of an update or patch is not possible. In this case, different measures will have to be applied, for example isolation of the system, protection of its perimeter or simply its elimination.
Please quantify (in hours) this time in the comments field and indicate how this value was obtained.
Question
Is the average time spent on tackling known or identified vulnerabilities affecting the provision of the essential service estimated when an upgrade or patch solution is not possible?
Correlation
ISO/IEC 27001:2017 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2], [Op. exp. 3]
NIS (Directive 33)
CHARACTERIZATION
Scale
L0 - The average time to remediate identified vulnerabilities when remediation by a patch or update is not possible is not estimated.
L1 - The definition of the procedure to estimate the average time to remediate identified vulnerabilities when remediation by means of an update or patch is not possible has been initiated.
L2 - The procedure to estimate the average time to remediate identified vulnerabilities when an update or patch remediation is not possible has been established but has not been documented.
L3 - The procedure to estimate the average time to remediate identified vulnerabilities when remediation through an update or patch is not possible is documented and updated.
L4 - The procedure for estimating the average time to remediate identified vulnerabilities when a patch or update remediation is not possible is managed, updated and verified.
L5 - Improvement actions are applied to the procedure for estimating the average time to remediate identified vulnerabilities when remediation by means of an update or patch is not possible.
COLLECTION
Method of Collection
Manual. A personal or telephone interview is recommended in order to be able to interpret the results in greater detail.
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that there is an improved process to estimate the number of hours between the date of detection of a vulnerability that affects the essential service, when remediation by means of an update or patch is not possible, and the date on which it is remediated.
Corrective measures
Establish a documented procedure describing actions for improvements in the management of vulnerabilities that affect the provision of the essential service, for those in which remediation by means of an update or patch is not possible:
- Do not take any action.
- Notify the responsible person immediately.
- Develop and implement a remediation strategy that minimally affects the provision of the essential service.
Table 18: Metric T-GV-OE2-07: Estimate the average time to remediate identified vulnerabilities that cannot be remediated through updates or patches.
2.2.2. Continuous Supervision (CS)
FIELD INFORMATION
IDENTIFICATION
Code T-SC-OE1-01
Goal RESIST
Functional Domain CONTINUOUS SUPERVISION
Indicator’s Objective Permanently supervise essential services.
Description
It deals with knowing whether continuous (24x7) supervision is carried out,
or whether there is a strategy of continuous monitoring of the provision of
the essential service, in order to detect potential cyber incidents.
Question
Is the provision of the essential service permanently (24x7)
supervised to detect potential cyber incidents?
Correlation
ISO/IEC 27001:2017 [A. 12.1.3]
NIST SP 800-53 R4 [RA-5], [CA-7], [PM-6], [SI-4]
ENS [Op. Mon]
Guía contenidos mínimos PSO (2.2.3)
Guía contenidos mínimos PPE (4.2.2)
CHARACTERIZATION
Scale
L0 - 24x7 monitoring of essential service provision is not
performed.
L1 - 24x7 monitoring of essential service provision has been
initiated.
L2 - A 24x7 monitoring procedure of the provision of the
essential service has been established but not documented yet.
L3 - A 24x7 monitoring procedure for the provision of the
essential service has been documented and is kept up to date.
L4 - The procedure for 24x7 monitoring of essential service
provision is managed, updated and verified.
L5 - Improvement actions are implemented in the procedure for
24x7 monitoring of the essential service provision.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO or Director of physical security
ANALYSIS
Objective measure L5
Indicator
Positive
values
Values close to L5 indicate that the
organization monitors (24x7) the essential
service to detect potential cyberattacks.
Corrective
measures
Establish a continuous monitoring procedure
on the assets and processes that support
essential services (communications networks,
systems, access, physical environment,
personnel, etc.) to detect potential
cyberattacks.
Table 19: Metric T-SC-OE1-01: Permanently supervise essential services.
FIELD INFORMATION
IDENTIFICATION
Code T-SC-OE1-02
Goal RESIST
Functional Domain CONTINUOUS SUPERVISION
Indicator’s Objective
Supervise the existence of unauthorized software and hardware
in systems that support essential services.
Description
Supervise the system supporting the essential service looking
for unauthorized software or hardware. Indicate if there is, for
example, a tool that periodically scans the system that supports
the essential service.
Question
Is the system supporting the essential service supervised for
unauthorized software or hardware?
Correlation
ISO/IEC 27001:2017 [A. 12.1.3], [A. 14.2.7]
NIST SP 800-53 R4 [RA-5], [CA-7], [PM-6], [SI-4]
ENS [Op. Mon]
CHARACTERIZATION
Scale
L0 - System monitoring to detect unauthorized software or
hardware is not performed.
L1 - System monitoring to detect unauthorized software or
hardware has been initiated.
L2 - A system monitoring procedure to detect unauthorized
software or hardware has been established but has not been
documented.
L3 - The system monitoring procedure to detect unauthorized
software or hardware has been documented and is kept up to
date.
L4 - The procedure for monitoring the system to detect
unauthorized software or hardware is managed, updated, and
verified.
L5 - Improvement actions are applied to the procedure for
monitoring the system to detect unauthorized software or
hardware.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive
values
Values close to L5 indicate that the
organization monitors systems that support
essential services looking for unauthorized
software or hardware.
Corrective
measures
Document, update, verify, and improve a
continuous monitoring procedure on systems
supporting essential services looking for
unauthorized software or hardware.
Table 20: Metric T-SC-OE1-02: Monitor the existence of unauthorized software and
hardware in systems that support essential services.
FIELD INFORMATION
IDENTIFICATION
Code T-SC-OE1-03
Goal RESIST
Functional Domain CONTINUOUS SUPERVISION
Indicator’s Objective
Supervise communications networks to detect unauthorized
connections.
Description
Supervise communications networks that support the essential
service to detect unauthorized connections. For example,
through an intrusion detection system or a firewall.
Question
Are communications networks that support the essential service
monitored to detect unauthorized connections?
Correlation
ISO/IEC 27001:2017 [A. 12.1.3], [A. 14.2.7]
NIST SP 800-53 R4 [RA-5], [CA-7], [PM-6], [SI-4]
ENS [Op. Mon]
Guía contenidos mínimos PPE (4.2.2)
CHARACTERIZATION
Scale
L0 - Communication networks are not monitored to detect
unauthorized connections.
L1 - Monitoring of communications networks to detect
unauthorized connections has been initiated.
L2 - A communications network monitoring procedure to detect
unauthorized connections has been established, but it has not
been documented.
L3 - A communications network monitoring procedure to detect
unauthorized connections has been documented and is kept up
to date.
L4 - The procedure for monitoring communications networks to
detect unauthorized connections is managed, updated and
verified.
L5 - Improvement actions are applied to the procedure for
monitoring communications networks to detect unauthorized
connections.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive
values
Values close to L5 indicate that the
organization monitors communications
networks to detect unauthorized connections.
Corrective
measures
Document, update, verify and improve a
procedure for continuous monitoring of
communications networks.
Table 21: Metric T-SC-OE1-03: Supervise communications networks to detect
unauthorized connections.
FIELD INFORMATION
IDENTIFICATION
Code T-SC-OE1-04
Goal RESIST
Functional Domain CONTINUOUS SUPERVISION
Indicator’s Objective
Estimate the time between the identification of a cyber incident and
its escalation to those responsible for handling it.
Description
Estimate the average time between the occurrence of a cyber
incident (affecting an essential service) and the notification of those
responsible for handling it.
Please quantify (in hours) this time in the comments field and
indicate how this value has been obtained. You can obtain an
estimate of this time as a result, for example, of the continuity plan
tests.
Question
Is there an estimation of the average time between the occurrence
of a cyber incident and the notification of those responsible for
handling it?
Correlation
ISO/IEC 27001:2017 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2], [Op. exp. 3]
NIS (Directive 27)
CHARACTERIZATION
Scale
L0 - The average time between the occurrence of a cyber incident
and the notification of those responsible for handling it has not
been identified.
L1 - The establishment of a procedure for the identification of the
average time from the time a cyber incident occurs until it is
notified to those responsible for handling it has been initiated.
L2 - A procedure to estimate or measure the time from when a
cyber incident occurs until it is notified to those responsible for
handling it has been established, but has not been documented.
L3 - The procedure for estimating or measuring the average time
from when a cyber incident occurs until it is notified to those
responsible for handling it has been documented.
L4 - The procedure for estimating or measuring the average time
from when a cyber incident occurs until it is notified to those
responsible for handling it is managed, updated and verified.
L5 - Improvement actions are applied to the definition of the
procedure to estimate the average time from when a cyber
incident occurs until it is notified to those responsible for handling
it.
COLLECTION
Method of Collection
Manual
A personal or telephone interview is recommended in order to be
able to interpret the results in greater detail.
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive
values
Values close to L5 indicate that there is an
improved process for estimating the number of
hours between the date of occurrence of an
attack on the provision of an essential service
and the date of its communication to those
responsible.
Corrective
measures
Identify, document and keep up to date a
procedure to estimate the average time from
when a cyber incident occurs until it is notified
to those responsible.
Implement improvement actions to reduce this
average time.
Table 22: Metric T-SC-OE1-04: Estimate the time between the identification of a cyber
incident and its escalation to those responsible for resolving it.
2.3. Recover
The tables below describe the twenty (20) metrics corresponding to the goal Recover,
grouped by the corresponding functional domains as defined in the methodology.
2.3.1. Incident Management (IM)
FIELD INFORMATION
IDENTIFICATION
Code R-GI-OE1-01
Goal RECOVER
Functional Domain INCIDENT MANAGEMENT
Indicator’s Objective Establish a process to detect, report and notify events.
Description
There should be a procedure for event detection and notification
to the incident management team.
It deals with knowing whether events, that is, unexpected or unwanted
situations (for example, unauthorized access attempts, high
response times, or an increase in the volume of files) in the
infrastructures that support the essential service, are identified,
and whether those responsible for responding to them are
notified so that they can proceed to their immediate or subsequent
analysis. For example, indicate if there are tools or services with
mechanisms for automatic detection of events in real time.
Question Are events detected and reported to the incident management team?
Correlation
ISO/IEC 27001:2017 [A. 16.1.2], [A. 16.1.3], [A. 16.1.4]
NIST SP 800-53 R4 [AR-4], [IR-4], [GO-5], [IR-6], [PE-6]
ENS [Op. exp. 7]
Guía contenidos mínimos PPE (2.3)
NIS (Directive 4, 69)
CHARACTERIZATION
Scale
L0 - Event detection and notification are not performed.
L1 - Event detection and notification has been initiated.
L2 - An event detection and notification procedure has been
established, but not documented.
L3 - An event detection and notification procedure has been
documented and is kept up to date.
L4 - The procedure for event detection and notification is
managed, updated and verified.
L5 - Improvement actions are applied to the procedure for event
detection and notification.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive
values
Values close to L5 indicate that the
organization has an updated procedure for
capturing and analyzing events, so that it can
determine whether the event will become (or
has become) a cyber incident that requires
the action of the organization and notify those
who are responsible to proceed to its
analysis.
Corrective
measures
Establish an event reporting procedure to
detect events and provide reports to incident
management staff and stakeholders.
In the Awareness Plan, emphasize to users the need to
communicate to those responsible, as soon as possible, any
anomaly or security event detected, teaching them to recognize
anomalous situations that may initiate an incident (malfunction,
slow processes, abnormal behavior, etc.).
Table 23: Metric R-GI-OE1-01: Establish a process to detect, report and notify events.
FIELD INFORMATION
IDENTIFICATION
Code R-GI-OE1-02
Goal RECOVER
Functional Domain INCIDENT MANAGEMENT
Indicator’s Objective
Establish a process to estimate the time between an event
occurrence and its detection.
Description
Estimate the average time elapsed between the moment an event
occurs (e.g., unauthorized access attempts, high response times,
increase in file volume) and the moment it is detected. This time
can be measured, for example, from the date of the first alert in the
log of the affected system until its detection by a user or
technician. Do not confuse this indicator with the time required to
report an incident.
Please quantify (in hours) this time, in the field dedicated to
comments, and indicate how this value has been obtained.
Question
Is there an estimate of the average time elapsed between the
moment an event occurs and the moment it is detected?
Correlation
ISO/IEC 27001:2017 [A. 16.1.2], [A. 16.1.3], [A. 16.1.4]
NIST SP 800-53 R4 [AR-4], [AU-13], [IR-4], [GO-5], [PE-6], [RA-6]
ENS [Op. exp. 7]
NIS (Directive 27)
CHARACTERIZATION
Scale
L0 - The average time between the moment events occur and
when they are detected is not estimated.
L1 - The measurement of the mean time between the moment
events occur and when they are detected has been started.
L2 - A procedure to estimate the mean time between the moment
events occur and when they are detected has been established
but has not been documented.
L3 - A procedure to estimate the average time between when
events occur and when they are detected has been documented
and updated.
L4 - The procedure for estimating the average time between
when events occur and when they are detected is managed,
updated and verified.
L5 - Improvement actions are applied to the procedure for
estimating the average time between the moment events occur
and when they are detected.
COLLECTION
Method of Collection
Manual
A personal or telephone interview is recommended in order to be
able to interpret the results in greater detail.
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive
values
Values close to L5 indicate that there is an
improved process for estimating the number
of hours between the moment of occurrence
of events that affect the provision of the
essential service and the moment of their
detection. Surveillance and control should be
increased, especially if these detection
activities depend on third parties.
Corrective
measures
Establish and improve the process to
measure the time between the occurrence of
events and their detection.
Send periodic communications to users
emphasizing the need to communicate as
soon as possible any anomaly or security
event detected, teaching them to recognize
anomalous situations that may initiate an
incident (malfunction, slowness of processes,
abnormal behavior, etc.).
Provide communication channels to users for
incident detection reporting.
Table 24: Metric R-GI-OE1-02: Establish a process to estimate the time between an event
occurrence and its detection.
FIELD INFORMATION
IDENTIFICATION
Code R-GI-OE2-01
Goal RECOVER
Functional Domain INCIDENT MANAGEMENT
Indicator’s Objective Procedure for classifying and assessing cyber incidents.
Description
Have a procedure to classify and assess cyber incidents,
based on a predefined categorization. This makes it possible to
support the organization's regulatory compliance. For example,
provide cyber incident metrics such as detection date, notification
date, resolution date and closing date.
Question
Is there a procedure for the classification and assessment of
cyber incidents, based on a predefined characterization?
Correlation
ISO/IEC 27001:2017 [A. 16.1.2], [A. 16.1.3], [A. 16.1.4]
NIST SP 800-53 R4 [IR-4]
ENS [Op. exp. 7]
Guía contenidos mínimos PPE (4.2.2)
NIS (Directive 2)
CHARACTERIZATION
Scale
L0 - There is no procedure to classify and evaluate cyber
incidents according to a categorization.
L1 - The establishment of a procedure to classify and evaluate
cyber incidents based on a defined categorization has been
initiated.
L2 - A procedure to classify and evaluate cyber incidents based
on a cyber incident categorization has been established but has
not been documented.
L3 - A procedure for classifying and evaluating cyber incidents
based on a cyber incident categorization has been documented
and is kept up to date.
L4 - The procedure for classifying and assessing cyber incidents
based on their categorization is managed, updated and verified.
L5 - Improvement actions are applied to the procedure for the
classification and assessment of cyber incidents based on their
categorization.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive
values
Values close to L5 indicate that the
organization classifies and values cyber
incidents according to an established
process, using a defined incident
categorization, to obtain metrics to support
regulatory compliance.
Corrective
measures
Establish a procedure for the classification
and assessment of cyber incidents using a
predefined categorization, as proposed by
the ICT Security Guide CCN-STIC 817.
Table 25: Metric R-GI-OE2-01: Procedure for classifying and assessing cyber incidents.
FIELD INFORMATION
IDENTIFICATION
Code R-GI-OE2-02
Goal RECOVER
Functional Domain INCIDENT MANAGEMENT
Indicator’s Objective
Document and convey the criteria for identifying and recognizing
cyber incidents.
Description
It deals with whether the criteria that enable the organization's
staff to identify and recognize a cyber incident in order to report
it have been documented and conveyed.
Question
Have the criteria to identify and recognize the cyber incidents
been established? Are they accessible and known by all the staff?
Correlation
ISO/IEC 27001:2017 [A. 16.1.2], [A. 16.1.3], [A. 16.1.4]
NIST SP 800-53 R4 [IR-4]
ENS [Op. exp. 7]
Guía contenidos mínimos PPE (4.2.2)
NIS (Directive 2)
CHARACTERIZATION
Scale
L0 - Criteria for identification and recognition of cyber incidents
have not been established.
L1 - Definition of criteria for identification and recognition of cyber
incidents has been initiated.
L2 - The criteria for the identification and recognition of cyber
incidents have been established, but are not documented or
conveyed to all members of the organization.
L3 - The criteria for identification and recognition of cyber
incidents have been documented, are conveyed to all
members of the organization and are kept up to date.
L4 - The criteria for identification and recognition of cyber
incidents are managed, updated and verified.
L5 - Improvement actions are applied in the definition of the
criteria for the identification and recognition of cyber incidents.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive
values
Values close to L5 indicate that the
organization has defined and documented the
criteria for identification and recognition of
cyber incidents and this information is
available to all staff who may need it.
Corrective
measures
Define and document the criteria for
identification and recognition of cyber
incidents and make this information available
to all staff.
Table 26: Metric R-GI-OE2-02: Document and convey the criteria for identifying and
recognizing cyber incidents.
FIELD INFORMATION
IDENTIFICATION
Code R-GI-OE2-03
Goal RECOVER
Functional Domain INCIDENT MANAGEMENT
Indicator’s Objective Analyze cyber incidents to determine an appropriate response.
Description
It is a question of knowing whether an incident analysis procedure is
followed to identify the actions necessary for its resolution in the
shortest possible time. For example, by answering the following
questions: What has happened? Who is affected
(users/customers/suppliers)? What should I say about it? Who
should I notify? Does it have legal or contractual consequences?
Do we have control over the affected services and systems?
Question
Are cyber incidents analyzed to determine the most appropriate
response in the shortest possible time?
Correlation
ISO/IEC 27001:2017 [A. 16.1.2], [A. 16.1.3], [A. 16.1.4]
NIST SP 800-53 R4 [AR-4], [IR-4], [GO-5], [IR-6], [PE-6]
ENS [Op. exp. 7]
Guía contenidos mínimos PSO (2.2.3, 4.1, 4.4)
Guía contenidos mínimos PPE (1.1, 4.2, 4.4)
NIS (Directive 27, 28, 34)
CHARACTERIZATION
Scale
L0 - An analysis of cyber incidents to determine the most
appropriate response is not carried out.
L1 - An analysis of cyber incidents to determine the most
appropriate response has been initiated.
L2 - A cyber incident analysis procedure to determine the most
appropriate response has been established, but is not
documented.
L3 - A cyber incident analysis procedure to determine the most
appropriate response has been documented and is updated.
L4 - The cyber incident analysis procedure to determine the most
appropriate response is managed, updated and verified.
L5 - Improvement actions are applied to the cyber incident
analysis procedure to determine the most appropriate response.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive
values
Values close to L5 indicate that the
organization has a standardized cyber
incident analysis procedure to provide a
response in the shortest possible time.
Corrective
measures
Establish a cyber incident analysis procedure
to correctly define the type of incident and
provide the most appropriate response in the
shortest possible time. It should also help to
determine whether the incident has legal
consequences and to whom it should be
communicated.
Table 27: Metric R-GI-OE2-03: Analyze cyber incidents to determine an appropriate
response.
FIELD INFORMATION
IDENTIFICATION
Code R-GI-OE3-01
Goal RECOVER
Functional Domain INCIDENT MANAGEMENT
Indicator’s Objective
Establish a process of escalation with those responsible for
responding to and recovering from cyber incidents.
Description
Establish an organizational structure for responding to cyber
incidents, as well as a formal protocol for escalating them to those
responsible. For example, indicate if there is documentation that
specifies who should be notified.
Question
Is there a structure for responding to cyber incidents that allows
them to be escalated to those responsible for their resolution?
Correlation
ISO/IEC 27001:2017 [A. 16.1.5]
NIST SP 800-53 R4 [IR-4], [GO-9], [SE-2]
ENS [Op. exp. 7]
Guía contenidos mínimos PSO (1.5)
NIS (article 4, point 1)
CHARACTERIZATION
Scale
L0 - There is no cyber incident response structure.
L1 - The definition of a cyber incident response structure has
been initiated.
L2 - A cyber incident response structure has been established,
but not documented.
L3 - A cyber incident response structure has been documented
and is kept up to date.
L4 - The cyber incident response structure is managed, updated
and verified.
L5 - Improvement actions are applied in the design of the
response structure to cyber incidents.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive
values
Values close to L5 indicate that there is a
complete and clear escalation structure that
facilitates greater coordination, internal and
external, to respond to cyber incidents.
Corrective
measures
Establish an escalation protocol to ensure
that incidents are addressed as quickly as
possible by those responsible; otherwise the
organization's diligent response will be
impeded, thereby increasing the impact of the
cyber incident.
Table 28: Metric R-GI-OE3-01: Establish a process of escalation to those responsible for
responding to and recovering from cyber incidents.
FIELD INFORMATION
IDENTIFICATION
Code R-GI-OE3-06
Goal RECOVER
Functional Domain INCIDENT MANAGEMENT
Indicator’s Objective
Establish a process for estimating the response and recovery
capacity of cyber incidents.
Description
Estimate the capacity to respond to a cyber incident through the
average time taken to respond to it. This is the average of the
number of hours between the moment of occurrence of cyber
incidents that affect an essential service and the moment they
are resolved. Do not confuse this with the average time to notify the
existence of the cyber incident, which corresponds to a stage
prior to resolution.
Please quantify (in hours) this time, in the field dedicated to
comments, and indicate how this value has been obtained.
If you have never suffered a cyber incident, you can consider, for
example, the values obtained in business continuity tests
performed.
References such as the CCN-STIC 817 ICT Security Guide
provide more information on this subject.
Question
Is there an estimate of the average response time to a cyber
incident?
Correlation
ISO/IEC 27001:2017 [A. 16.1.5]
NIST SP 800-53 R4 [IR-4], [GO-9], [SE-2]
ENS [Op. exp. 7]
Guía contenidos mínimos PPE (4.2)
NIS (Directives 27, 33)
CHARACTERIZATION
Scale
L0 - The average response time to a cyber incident is not
estimated.
L1 - The procedure for estimating the average response time to
a cyber incident has been established.
L2 - A procedure to measure the average response time to a
cyber incident has been established, but it has not been
documented.
L3 - The procedure for estimating the average response time to
a cyber incident has been documented and is updated.
L4 - The procedure for estimating the average response time to
a cyber incident is managed, updated and verified.
L5 - Improvement actions are applied in the procedure for the
definition and estimation of the average response time to a cyber
incident.
COLLECTION
Method of Collection
Manual
A personal or telephone interview is recommended in order to be
able to interpret the results in greater detail.
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive
values
Values close to L5 indicate that the number of
hours between the occurrence of a cyber
incident and its resolution has been
estimated.
Corrective
measures
Establish a procedure to estimate the
average response time to a cyber incident.
Document, update and verify the procedure
for estimating the average resolution time.
Table 29: Metric R-GI-OE3-06: Establish a process for estimating the response and
recovery capacity of cyber incidents.
FIELD INFORMATION
IDENTIFICATION
Code R-GI-OE4-03
Goal RECOVER
Functional Domain INCIDENT MANAGEMENT
Indicator’s Objective
Establish a process for estimating the average time of a cyber
incident's impact on the essential service.
Description
Establish a process for estimating the average time of impact of
a cyber incident that affects the provision of the essential service.
This average is calculated from the number of hours between the
occurrence of the cyber incident and the time the provision of the
affected essential service is recovered.
Please quantify (in hours) this time in the comments field and
indicate how this value has been obtained.
If you have never suffered a cyber incident, you can consider, for
example, the average time obtained in business continuity tests
performed.
Question
Is the average time of impact of a cyber incident that affects the
provision of the essential service estimated?
Correlation
ISO/IEC 27001:2017 [A. 16.1.5]
NIST SP 800-53 R4 [IR-4], [GO-9], [SE-2]
ENS [Op. exp. 7]
Guía contenidos mínimos PPE (4.2)
NIS (Directives 27, 33)
CHARACTERIZATION
Scale
L0 - The average time of impact of a cyber incident on the
provision of the essential service is not estimated.
L1 - Estimation of the average time of impact of a cyber incident
on the provision of the essential service has been initiated.
L2 - A procedure has been established to estimate the time of
impact of a cyber incident on the provision of the essential service
but it has not been documented.
L3 - A procedure for estimating the average time of impact of a
cyber incident on the provision of the essential service has been
documented and is kept up to date.
L4 - A procedure for estimating the average time of impact of a
cyber incident on the provision of the essential service is
managed, updated and verified.
L5 - Improvement actions are applied to the procedure to
estimate the average time of impact of a cyber incident on the
provision of the essential service.
COLLECTION
Method of Collection
Manual
A personal or telephone interview is recommended in order to
interpret the results in greater detail.
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive
values
Values close to L5 indicate that there is a
procedure to estimate the time of impact of
cyber incidents on the provision of the
essential service.
Corrective
measures
Establish a procedure to measure the
average time of impact of a cyber incident.
Use, for example, guides such as the CCN-
STIC 817 ICT Security Guide.
Document, review and verify the procedure to
assess the average time of impact of a cyber
incident.
Table 30: Metric R-GI-OE4-03: Establish a process for estimating the average time of a
cyber incident's impact on the essential service.
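As an added example that is not part of the INCIBE dictionary, the following Python computes the four average-time metrics this document defines from per-incident timestamps: time to detection (R-GI-OE1-02), time to notify those responsible (T-SC-OE1-04), average response time (R-GI-OE3-06) and average time of impact (R-GI-OE4-03), using the detection, notification, resolution and recovery dates that R-GI-OE2-01 asks to be kept per incident. The record layout, the `source` field (incident or continuity test, since the document allows continuity-test values) and the sample incidents are constructed assumptions, not the document's own; open incidents and inconsistent timestamps are excluded and listed rather than silently averaged.

```python
"""Constructed example: average-time metrics from incident records.
The record fields and sample data are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class IncidentRecord:
    incident_id: str
    occurred: datetime                            # first trace, e.g. first alert in the system log
    detected: Optional[datetime] = None           # seen by a user or technician
    notified: Optional[datetime] = None           # those responsible for handling it were informed
    resolved: Optional[datetime] = None           # incident resolved by the response team
    service_recovered: Optional[datetime] = None  # essential service back in provision
    source: str = "incident"                      # "incident" or "continuity_test" (assumed labels)


@dataclass
class MetricResult:
    mean_hours: Optional[float]                   # None when no record could be used
    used: List[str] = field(default_factory=list)     # incident ids that entered the average
    skipped: List[str] = field(default_factory=list)  # open or inconsistent records, reported to the CISO


# Metric code -> (start timestamp, end timestamp), as the document describes each metric.
METRICS: Dict[str, Tuple[str, str]] = {
    "R-GI-OE1-02": ("occurred", "detected"),           # time to detection
    "T-SC-OE1-04": ("occurred", "notified"),           # time to notify those responsible
    "R-GI-OE3-06": ("occurred", "resolved"),           # average response time
    "R-GI-OE4-03": ("occurred", "service_recovered"),  # average time of impact on the service
}


def average_hours(records: List[IncidentRecord], start_attr: str, end_attr: str) -> MetricResult:
    """Mean number of hours between two timestamps across the records.

    A record whose end timestamp is missing (still open) or earlier than its
    start (a data-entry error) is skipped and listed, so the reported value is
    never computed over a partial or inconsistent set without saying so.
    """
    result = MetricResult(mean_hours=None)
    total_hours = 0.0
    for rec in records:
        start = getattr(rec, start_attr)
        end = getattr(rec, end_attr)
        if end is None or end < start:
            result.skipped.append(rec.incident_id)
            continue
        total_hours += (end - start).total_seconds() / 3600.0
        result.used.append(rec.incident_id)
    if result.used:
        result.mean_hours = total_hours / len(result.used)
    return result


def compute_metrics(records: List[IncidentRecord]) -> Dict[str, MetricResult]:
    """Evaluate every metric in METRICS over the same set of records."""
    return {code: average_hours(records, s, e) for code, (s, e) in METRICS.items()}


# Constructed sample: two closed incidents (one taken from a continuity test) and one still open.
SAMPLE_RECORDS = [
    IncidentRecord("INC-001", datetime(2019, 5, 6, 8, 0), detected=datetime(2019, 5, 6, 9, 30),
                   notified=datetime(2019, 5, 6, 10, 0), resolved=datetime(2019, 5, 6, 14, 0),
                   service_recovered=datetime(2019, 5, 6, 12, 0)),
    IncidentRecord("INC-002", datetime(2019, 5, 10, 22, 0), detected=datetime(2019, 5, 11, 1, 0),
                   notified=datetime(2019, 5, 11, 1, 30), resolved=datetime(2019, 5, 11, 10, 0),
                   service_recovered=datetime(2019, 5, 11, 4, 0), source="continuity_test"),
    IncidentRecord("INC-003", datetime(2019, 5, 20, 9, 0), detected=datetime(2019, 5, 20, 9, 15)),
]


if __name__ == "__main__":
    # The "how this value was obtained" note the document asks for: which records and sources.
    sources = sorted({r.source for r in SAMPLE_RECORDS})
    print(f"sources: {', '.join(sources)}")
    for code, res in compute_metrics(SAMPLE_RECORDS).items():
        value = "n/a" if res.mean_hours is None else f"{res.mean_hours:.2f} h"
        print(f"{code}: {value}  used={res.used} skipped={res.skipped}")
```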
FIELD INFORMATION
IDENTIFICATION
Code R-GI-OE5-03
Goal RECOVER
Functional Domain INCIDENT MANAGEMENT
Indicator’s Objective
Coordination with other agencies in the response to cyber
incidents.
Description
It deals with finding out whether there are formal channels of
communication with the State Security Forces and Corps and
whether they are used to report serious incidents that have
occurred in the organization.
If the essential service is supported by an Industrial Control
System (ICS), special attention should be paid to incidents related
to the physical security of SCADA elements geographically
distributed outside the organization's headquarters (industrial
plants, outdoors, etc.).
Question
Are serious cyber incidents, occurring in the organization,
communicated to the State Security Forces and Corps?
Correlation
ISO/IEC 27001:2017 [A. 16.1.6], [A. 16.1.7]
NIST SP 800-53 R4 [IR-4], [GO-9]
ENS [Op. exp. 7]
Guía contenidos mínimos PSO (2.2.1, 2.2.4)
Guía contenidos mínimos PPE (2.1, 2.3, 4.2.1)
CHARACTERIZATION
Scale
L0 - There is no procedure for communicating cyber incidents to
the State Security Forces and Corps.
L1 - The procedure for communicating cyber incidents to the
State Security Forces and Corps has been initiated.
L2 - A procedure has been established to communicate cyber
incidents to the State Security Forces and Corps, but it has not
been documented.
L3 - A procedure for communicating cyber incidents to the State
Security Forces and Corps has been documented and is kept up
to date.
L4 - The procedure for reporting cyber incidents to the State
Security Forces and Corps is managed, updated and verified.
L5 - Improvement actions are applied to the procedure for the
communication of cyber incidents to the State Security Forces
and Corps.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure
All serious cyber incidents are communicated to the State
Security Forces and Corps.
Indicator
Positive values: Values close to L5 indicate that the organization communicates all serious cyber incidents to the state security forces (FCSE).
Corrective measures: Promote coordination and communication with the State Security Forces and Corps in the response to cyber incidents. Document, review and update the communication procedure with the State Security Forces and Corps.
Table 31: Metric R-GI-OE5-03: Coordination with other agencies in the response to cyber
incidents.
2.3.2. Service Continuity Management (SCM)
FIELD INFORMATION
IDENTIFICATION
Code R-CS-OE1-01
Goal RECOVER
Functional Domain SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective
Develop a Continuity Plan to ensure the provision of essential
service.
Description
It deals with knowing if the provision of the essential service is
supported by a Continuity Plan that is periodically updated and if
it is also updated when new risks or changes in the organizational
or operational environment are known.
Question
Has a Continuity Plan been defined to guarantee the permanent
provision of the essential service?
Correlation
ISO/IEC 27001:2017 [A. 17.1.1], [A. 17.1.2]
NIST SP 800-53 R4 [CP-1], [CP-2], [CP-13], [PM-11]
ENS [Op. cont. 2]
Guía contenidos mínimos PPE (2.3)
NIS (Directive 69)
CHARACTERIZATION
Scale
L0 - There is no Continuity Plan to ensure the provision of the
essential service.
L1 - The development of a Continuity Plan to ensure the provision
of essential service has been initiated.
L2 - Continuity Plan actions have been established for the
provision of essential service, but are not documented yet.
L3 - The essential service Continuity Plan has been documented
and is kept up to date.
L4 - The essential service Continuity Plan is managed, updated
and reviewed.
L5 - Improvement actions are implemented in the essential
service Continuity Plan.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values: Values close to L5 indicate that the organization develops the essential service Continuity Plan, that is, it considers the protection, dependencies or replacements of the critical assets that intervene in the provision of that service (people, information, technology and facilities).
Corrective measures: Develop, update and verify the actions of the Continuity Plan of the essential service for which we are conducting the survey.
Table 32: Metric R-CS-OE1-01: Develop a Continuity Plan to ensure the provision of
essential service.
FIELD INFORMATION
IDENTIFICATION
Code R-CS-OE1-06
Goal RECOVER
Functional Domain SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective Define RTO in the Continuity Plan.
Description
It deals with knowing if the Continuity Plan provides the RTO for
the provision of the essential service.
The RTO is the maximum acceptable time objective for recovering
the service, even at a degraded level of functionality, after a
disaster that affects its provision; that is, the time within which
recovery must take place so that there are no serious
consequences for the organization or for a specific business
process (if recovery is not achieved within that time, the
consequences can be very serious).
Ensure that the recovery time objective (RTO) is not only
documented but is actually used to guarantee service continuity.
In addition, verify that the RTO conforms to the continuity
requirements of the essential service.
Question
Do the continuity plans document the Recovery Time Objectives
(RTO) of the essential service?
Correlation
ISO/IEC 27001:2017 [A. 17.1.1], [A. 17.1.2]
NIST SP 800-53 R4 [CP-1], [CP-2], [CP-13], [PM-11]
ENS [Op. cont. 1]
Guía contenidos mínimos PPE (4.2)
NIS (Directive 69)
CHARACTERIZATION
Scale
L0 - The RTO has not been defined nor identified as necessary
for the continuity of essential service provision.
L1 - The need to establish the RTO for the provision of the
essential service has been identified and its definition has been
initiated.
L2 - A procedure for the RTO in the continuity of the provision of
the essential service has been established, but is not
documented.
L3 - A procedure for the RTO has been documented and is kept
up to date in all continuity plans for the provision of essential
service.
L4 - The procedure for the RTO defined in the continuity plans
for the provision of the essential service is managed, updated
and reviewed.
L5 - Improvement actions are implemented in the procedure for
the definition of the RTO documented in the continuity plans for
the provision of the essential service.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values: Values close to L5 indicate that the organization documents the Recovery Time Objectives (RTO) of the essential service in its continuity plan.
Corrective measures: Identify the RTO for essential service continuity.
Table 33: Metric R-CS-OE1-06: Define RTO in the Continuity Plan.
FIELD INFORMATION
IDENTIFICATION
Code R-CS-OE2-04
Goal RECOVER
Functional Domain SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective Test the Continuity Plan.
Description
Test the Continuity Plan for the provision of essential service. It
deals with knowing whether test protocols are available for the
essential service continuity plan and whether it is regularly
verified in order to:
- Determine the feasibility, completeness and accuracy of the Continuity Plan with respect to the essential service.
- Collect information on the degree of preparedness of the organization.
If the essential service is based on an Industrial Control System
(ICS), which does not allow a complete shutdown for the
execution of continuity plan tests, partial or phased shutdowns
may be considered; tests on a replica; or even simulation.
Question
Has the Continuity Plan been tested for the provision of the
essential service?
Correlation
ISO/IEC 27001:2017 [A. 17.1.3]
NIST SP 800-53 R4 [CP-3], [CP-4]
ENS [Op. cont. 3]
Guía contenidos mínimos PPE (2.3)
NIS (Directive 69)
CHARACTERIZATION
Scale
L0 - No continuity plans are tested for any essential service.
L1 - The definition of the Continuity Plan tests for the essential
service has been initiated.
L2 - Periodic continuity tests have been established for the
essential service, but are not documented.
L3 - All essential service continuity test plans are documented
and kept up to date.
L4 - Essential service continuity test plans are managed, updated
and reviewed.
L5 - Actions to improve the continuity plans are implemented as
a result of their testing.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values: Values close to L5 indicate that the organization tests the essential service Continuity Plan for which we are conducting the survey.
Corrective measures: Establish a test procedure for the essential service Continuity Plan identified.
Table 34: Metric R-CS-OE2-04: Test the Continuity Plan.
FIELD INFORMATION
IDENTIFICATION
Code R-CS-OE3-03
Goal RECOVER
Functional Domain SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective
The average time elapsed from the interruption of essential
service until its recovery to an acceptable level.
Description
Estimate the average time elapsed between when an outage
occurs in the provision of the essential service and the moment
when the essential service becomes available again with a
minimum acceptable level of functionality.
Please quantify (in hours) this time in the comments field and
indicate how this value was obtained. For example, it can be
obtained by adding the time invested in the backup of data from
external and internal dependencies and the time needed for the
services to be operational again.
Question
Is the average time between the moment in which there is an
interruption in the provision of the essential service and the
instant in which it becomes available again with a minimum
acceptable level of functionality estimated?
Correlation
ISO/IEC 27001:2017 [A. 17.1.1], [A. 17.1.2]
NIST SP 800-53 R4 [CP-1], [CP-2], [CP-13], [PM-11]
ENS [Op. cont. 1]
Guía contenidos mínimos PPE (4.2)
NIS (Directives 27, 33)
CHARACTERIZATION
Scale
L0 - The average time between the occurrence of an outage and
the return of the essential service with a minimum level of
functionality is not measured.
L1 - The definition of the procedure for measuring the average
time between the occurrences of outages and the return of the
essential service with a minimum level of functionality has been
initiated.
L2 - The procedure for measuring the average time between
when an outage occurs and the essential service becomes
available again with a minimum level of functionality has been
established but is not documented.
L3 - The procedure for measuring the average time between
when an outage occurs and the essential service becomes
available again with a minimum level of functionality has been
documented and is kept up to date.
L4 - The procedure for measuring the average time between the
occurrence of an outage and the return of the essential service
with a minimum level of functionality is managed, updated and
verified.
L5 - Improvement actions are applied to the procedure for the
reduction of the average time between the occurrence of an
interruption and the essential service becoming available again
with a minimum level of functionality.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values: Values close to L5 indicate that a procedure is available, updated and improved to estimate the number of hours between an interruption in the provision of the service and when it is again available with a minimum level of functionality.
Corrective measures: Establish the necessary mechanisms (technological, logistic and physical) to make the essential service available again in the shortest possible time after the interruption event.
Table 35: Metric R-CS-OE3-03: The average time elapsed from the interruption of
essential service until its recovery to an acceptable level.
FIELD INFORMATION
IDENTIFICATION
Code R-CS-OE3-04
Goal RECOVER
Functional Domain SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective
The average time elapsed between the interruption of the
essential service and its recovery to the usual level of service.
Description
Estimate the average time elapsed between the moment in which
an interruption occurs in the provision of the essential service and
the instant in which it recovers its habitual functionality.
Please quantify (in hours) this time in the comments field and
indicate how this value was obtained.
Question
Is the average time between the moment when the essential
service is interrupted and the moment when it recovers its normal
functionality estimated?
Correlation
ISO/IEC 27001:2017 [A. 17.1.1], [A. 17.1.2]
NIST SP 800-53 R4 [CP-1], [CP-2], [CP-13], [PM-11]
ENS [Op. cont. 1]
Guía contenidos mínimos PPE (4.2)
NIS (Directives 27, 33)
CHARACTERIZATION
Scale
L0 - The average time between the occurrence of an interruption
and the restoration of the essential service to its normal operation
is not measured.
L1 - The definition of the procedure for measuring the average
time between the occurrence of an interruption and the
restoration of the essential service to its normal operation has
been initiated.
L2 - A procedure to measure the average time between the
occurrence of an interruption and the restoration of essential
service to its normal operation has been established but is not
documented.
L3 - The procedure for estimating the average time between the
occurrence of an interruption and the restoration of essential
service to its normal operation has been documented. It is kept
up to date.
L4 - The procedure for estimating the average time between the
occurrence of an interruption and the restoration of essential
service to its normal operation is managed, updated and verified.
L5 - Improvement actions are applied to the procedure for the
reduction of the average time between the occurrence of an
interruption and the restoration of the essential service to its
normal operation.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values: Values close to L5 indicate that an updated and optimized procedure is available to estimate the number of hours between the interruption in the provision of the essential service and the restoration of the essential service to its normal operating level.
Corrective measures: Establish the necessary mechanisms (technological, logistical and physical) to make the essential service available again in the shortest possible time after the interruption event.
Table 36: Metric R-CS-OE3-04: The average time elapsed between the interruption of the
essential service and its recovery to the usual level of service.
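Metrics R-CS-OE1-06, R-CS-OE3-03 and R-CS-OE3-04 ask the organization to document an RTO and to estimate, in hours, the average time from an interruption to minimum functionality and to normal service. The script below is an added worked example, not part of the INCIBE dictionary: it parses a constructed incident register (the timestamps are invented for illustration), computes both averages from the same records, and checks each outage and the average against a hypothetical RTO so that an L4 "verified" procedure has something concrete to verify. Records whose timestamps are out of order are rejected rather than silently skewing the average.

```python
"""Estimate the R-CS-OE3-03 / R-CS-OE3-04 averages and check them against the RTO.

Added example; the register format and the 4-hour RTO are assumptions, not
values from the INCIBE document.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed incident register (invented data): one outage per line, ISO 8601
# timestamps, columns: outage_start, minimum_functionality_restored, normal_restored
CONSTRUCTED_REGISTER = """\
# start,minimum_restored,normal_restored
2019-03-02T08:00,2019-03-02T10:30,2019-03-02T14:00
2019-04-10T22:00,2019-04-11T01:00,2019-04-11T06:00
2019-05-21T13:15,2019-05-21T14:15,2019-05-21T16:15
2019-06-05T03:00,2019-06-05T09:00,2019-06-05T15:00
"""

ASSUMED_RTO_HOURS = 4.0  # hypothetical RTO documented in the Continuity Plan


@dataclass(frozen=True)
class Outage:
    start: datetime             # moment the essential service was interrupted
    minimum_restored: datetime  # minimum acceptable functionality available again
    normal_restored: datetime   # usual level of service restored


def parse_register(text: str) -> list:
    """Parse the register, rejecting malformed or non-chronological records."""
    outages = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 timestamps, got {len(fields)}")
        start, minimum, normal = (datetime.fromisoformat(f) for f in fields)
        # A record restored before it started would silently lower the average.
        if not (start <= minimum <= normal):
            raise ValueError(f"line {lineno}: timestamps must be non-decreasing")
        outages.append(Outage(start, minimum, normal))
    if not outages:
        raise ValueError("register contains no outages; nothing to average")
    return outages


def hours_between(a: datetime, b: datetime) -> float:
    return (b - a).total_seconds() / 3600.0


def mean_time_to_minimum(outages: list) -> float:
    """R-CS-OE3-03: average hours from interruption to minimum functionality."""
    return mean(hours_between(o.start, o.minimum_restored) for o in outages)


def mean_time_to_normal(outages: list) -> float:
    """R-CS-OE3-04: average hours from interruption to the usual service level."""
    return mean(hours_between(o.start, o.normal_restored) for o in outages)


def rto_report(outages: list, rto_hours: float) -> dict:
    """Compare every recovery to minimum functionality against the documented RTO."""
    to_minimum = [hours_between(o.start, o.minimum_restored) for o in outages]
    breaches = [o for o, h in zip(outages, to_minimum) if h > rto_hours]
    return {
        "outages": len(outages),
        "mean_hours_to_minimum": mean(to_minimum),
        "worst_hours_to_minimum": max(to_minimum),
        "rto_hours": rto_hours,
        "rto_breaches": len(breaches),
        "rto_met_on_average": mean(to_minimum) <= rto_hours,
    }


if __name__ == "__main__":
    register = parse_register(CONSTRUCTED_REGISTER)
    print(f"R-CS-OE3-03 mean hours to minimum functionality: {mean_time_to_minimum(register):.2f}")
    print(f"R-CS-OE3-04 mean hours to normal service:        {mean_time_to_normal(register):.2f}")
    for key, value in rto_report(register, ASSUMED_RTO_HOURS).items():
        print(f"{key}: {value}")
```

Recording the value obtained together with the register it came from is what the "indicate how this value was obtained" instruction in the description asks for; keeping the per-outage worst case next to the average also shows when a mean inside the RTO still hides individual breaches.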
FIELD INFORMATION
IDENTIFICATION
Code R-CS-OE1-02
Goal RECOVER
Functional Domain SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective
Identify and prioritize external dependencies related to the
provision of the essential service.
Description
Identify and prioritize external dependencies (third-party
dependencies) to ensure that the organization directs its cyber
resilience efforts primarily to those that contribute most, and
more directly, to the provision of the essential service.
Question
Are external dependencies related to the provision of the
essential service identified and prioritized?
Correlation
ISO/IEC 27001:2017 [A. 15.1.1], [A. 15.1.2], [A. 15.1.3]
NIST SP 800-53 R4 [PL-8]
ENS [Op. ext. 1]
Guía contenidos mínimos PSO (3.4, 4.3)
Guía contenidos mínimos PPE (3.2, 3.3)
CHARACTERIZATION
Scale
L0 - External dependencies related to the provision of the
essential service are not identified nor prioritized.
L1 - Identification and prioritization of external dependencies
related to the provision of the essential service has been
initiated.
L2 - External dependencies related to the provision of the
essential service are identified and prioritized, but not
documented.
L3 - A procedure for identifying and prioritizing external
dependencies related to the provision of essential service has
been documented and is kept up to date.
L4 - The procedure for identifying and prioritizing external
dependencies involved in the provision of the essential service
is managed, updated and reviewed.
L5 - Improvement actions are implemented in the procedure to
identify and prioritize external dependencies related to the
provision of the essential service.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values: Values close to L5 indicate that the organization has a prioritized list of all external dependencies that affect the essential service and that this list is updated.
Corrective measures: Establish criteria for identifying and prioritizing external dependencies. Maintain the criteria and priorities documented, updated and reviewed periodically.
Table 37: Metric R-CS-OE1-02: Identify and prioritize external dependencies related to the
provision of the essential service.
FIELD INFORMATION
IDENTIFICATION
Code R-CS-OE2-01
Goal RECOVER
Functional Domain SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective
Identify and manage risks associated with external
dependencies.
Description
Identify and properly manage the risks associated with external
dependencies that contribute, directly or indirectly, to the
provision of the essential service. Prioritize and update identified
risks.
Question
Are the risks associated with external dependencies related to
the provision of the essential service properly identified and
managed?
Correlation
ISO/IEC 27001:2017 [A. 15.1.1], [A. 15.1.2], [A. 15.1.3]
NIST SP 800-53 R4 [SA-21], [SC-38]
ENS [Op. ext. 1]
Guía contenidos mínimos PSO (3.4, 4.3)
Guía contenidos mínimos PPE (3.2, 3.3)
CHARACTERIZATION
Scale
L0 - No management of risks associated with external
dependencies is done.
L1 - Management of risks associated with external dependencies
has been initiated.
L2 - Management of risks associated with external dependencies
has been established but is not documented.
L3 - Management of risks associated with external dependencies
has been documented and is kept up to date.
L4 - Risks associated with external dependencies are managed,
updated and verified.
L5 - Actions are implemented to improve the management of
risks associated with external dependencies.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values: Values close to L5 indicate that the organization has identified the risks associated with external dependencies and that this list has been prioritized and updated.
Corrective measures: Identify and assess risks due to external dependencies so that they can be managed effectively and thus maintain the resilience of the essential service provided by the organization.
Table 38: Metric R-CS-OE2-01: Identify and manage risks associated with external
dependencies.
FIELD INFORMATION
IDENTIFICATION
Code R-CS-OE3-04
Goal RECOVER
Functional Domain SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective
Establish specific cyber resilience agreements with those third
parties involved in the provision of the essential service.
Description
It deals with knowing whether, for each external dependency (for
each third party that contributes directly or indirectly to the
provision of the essential service), the organization has
established and documented a detailed set of requirements that
it has to comply with in order to support and improve the
organization’s operations recovery capability.
In addition, it deals with knowing whether these requirements
have been included as part of the clauses that make up the
outsourced service provision agreements, or Service Level
Agreements (SLAs), reached with these entities. For example:
the maximum time of non-availability of server infrastructure or
penalties in the event of non-compliance.
Question
Are cyber resilience requirements included in agreements with
third parties that contribute, directly or indirectly, to the provision
of the essential service?
Correlation
ISO/IEC 27001:2017 [A. 15.1.1], [A. 15.1.2], [A. 15.1.3]
NIST SP 800-53 R4 [SA-12], [SA-13]
ENS [Op. ext. 1]
Guía contenidos mínimos PPE (2.3, 3.2)
NIS (48, 50, 52, 54, 69)
CHARACTERIZATION
Scale
L0 - Cyber resilience requirements are not included in service
level agreements with providers (external dependencies).
L1 - The inclusion of cyber resilience requirements in
agreements with external dependencies has been initiated.
L2 - Cyber resilience requirements have been established for
relations with external dependencies but are not documented.
L3 - Cyber resilience requirements in agreements with external
dependencies have been documented and are kept up to date.
L4 - Cyber resilience requirements in agreements with external
dependencies are managed, updated and verified.
L5 - Actions to improve cyber resilience requirements in
agreements with external dependencies are implemented.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values: Values close to L5 indicate that the organization verifies and updates cyber resilience requirements in all agreements with external entities with which services supporting the essential service are contracted.
Corrective measures: Define, update and review cyber resilience requirements in Service Level Agreements (SLAs) with external entities, so that they:
- Are enforceable by the organization.
- Include detailed and complete specifications of what must be met by the external entity.
- Include the required performance standards.
- Are updated as appropriate and periodically to reflect necessary changes during the life of the relationship.
Table 39: Metric R-CS-OE3-04: Establish specific cyber resilience agreements with those
third parties involved in the provision of the essential service.
FIELD INFORMATION
IDENTIFICATION
Code R-CS-OE4-01
Goal RECOVER
Functional Domain SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective Supervise and manage the operation of external dependencies.
Description
Supervise and manage the operation of external dependencies
that support the provision of essential service in accordance with
the cyber resilience requirements agreed with the organization. It
deals with knowing whether there is regular supervision of the
operations of third parties that contribute, directly or indirectly, to
the provision of the essential service, to verify compliance with
the cyber resilience requirements agreed between the parties.
In addition, this will make it possible to ascertain whether any
operational problems that may be encountered during the
provision of outsourced services are resolved.
Question
For those third parties that participate, directly or indirectly, in the
provision of the essential service, are their operations supervised
and managed in accordance with the cyber resilience
requirements agreed with the organization?
Correlation
ISO/IEC 27001:2017 [A. 15.2.1]
NIST SP 800-53 R4 [AR-4], [SA-3], [SA-9], [SA-12], [SA-13]
ENS [Op. ext. 2]
Guía contenidos mínimos PPE (2.3, 3.2)
NIS (48, 50, 52, 54, 69)
CHARACTERIZATION
Scale
L0 - There is no supervision and management of the operation
of external dependencies.
L1 - Supervision and management of the operation of external
dependencies has been initiated.
L2 - A procedure has been established for the supervision and
management of the operation of external dependencies, but is
not documented.
L3 - The procedure for the supervision and management of the
operation of external dependencies has been documented and
is kept up to date.
L4 - The procedure for the supervision and management of the
operation of external dependencies is monitored and verified.
L5 - Improvement actions are applied to the procedure for
supervising and managing the operation of external
dependencies.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values: Values close to L5 indicate that the organization periodically monitors the operation of the external dependencies that support the essential service to verify that they meet the established cyber resilience requirements.
Corrective measures: Establish a procedure, which will be updated and improved, to periodically monitor the operation of external dependencies to the essential service and analyze deviations from the cyber resilience requirements established, in order to understand the potential impact on the organization.
Table 40: Metric R-CS-OE4-01: Supervise and manage the operation of external
dependencies.
FIELD INFORMATION
IDENTIFICATION
Code R-CS-OE5-01
Goal RECOVER
Functional Domain SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective Identify and prioritize public service dependencies.
Description
Identify and prioritize the external dependencies related to public
services (emergency services, law enforcement agencies, etc.)
that contribute, directly or indirectly, to the provision of the
essential service.
Question
Are external dependencies, linked to public services (emergency
services, law enforcement agencies, etc.) that contribute, directly
or indirectly, to the provision of the essential service, identified
and prioritized?
Correlation
ISO/IEC 27001:2017 [A. 15.2.2]
NIST SP 800-53 R4 [SA-3], [SA-12]
ENS [Op. ext. 2]
Guía contenidos mínimos PSO (3.4, 4.3)
Guía contenidos mínimos PPE (3.2, 3.3)
CHARACTERIZATION
Scale
L0 - Public service dependencies are not identified nor
prioritized.
L1 - Identification of public service dependencies has begun.
L2 - Public service dependencies have been identified and
prioritized, but are not documented.
L3 - A procedure has been documented with the public service
dependencies, they are prioritized, and this list is kept up to date.
L4 - The procedure for identifying and prioritizing public service
dependencies is managed, updated and verified.
L5 - Improvement actions are applied to the procedure to identify
and prioritize public service dependencies.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values: Values close to L5 indicate that the organization has a procedure in which public service dependencies that support critical services (emergency services, law enforcement, etc.) have been identified, prioritized and documented, and that this list is kept up to date.
Corrective measures: Conduct an in-depth check of public services that may be vital to the continuity of essential services in the event of a disruption. Document, review and update the dependencies found in the periodical review.
Table 41: Metric R-CS-OE5-01: Identify and prioritize public service dependencies.
FIELD INFORMATION
IDENTIFICATION
Code R-CS-OE5-02
Goal RECOVER
Functional Domain SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective
Identify and prioritize the dependencies of basic utilities and
telecommunications suppliers.
Description
Identify and prioritize external dependencies, related to basic
utilities and telecommunication suppliers (telecommunication
operators, basic utilities, etc.), that contribute, directly or
indirectly, to the provision of the essential service.
Question
Are external dependencies, related to suppliers of basic utilities
and telecommunications (telecommunication operators, energy
supply, water, etc.), that contribute, directly or indirectly, to the
provision of the essential service, identified and prioritized?
Correlation
ISO/IEC 27001:2017 [A. 15.2.2]
NIST SP 800-53 R4 [SA-3], [SA-12]
ENS [Op. ext. 2]
Guía contenidos mínimos PSO (3.4, 4.3)
Guía contenidos mínimos PPE (3.2, 3.3)
CHARACTERIZATION
Scale
L0 - Dependencies of suppliers of basic utilities and
telecommunications are not identified nor prioritized.
L1 - Identification and prioritization of basic utilities and
telecommunications supplier dependencies has been initiated.
L2 - Dependencies of suppliers of basic utilities and
telecommunications have been identified and prioritized, but are
not documented.
L3 - The identification, prioritization and updating of utilities and
telecommunications suppliers dependencies has been
documented in a procedure.
L4 - A procedure to identify and prioritize the utilities and
telecommunications supplier dependencies is managed,
updated and verified.
L5 - Improvement actions are implemented on a procedure for
the identification and prioritization of utilities and
telecommunications supplier dependencies.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values: Values close to L5 indicate that the organization has developed, maintains and updates a procedure to identify, prioritize and document dependencies of basic utilities and telecommunication providers supporting essential services (telecommunication operators, energy, etc.). This list is kept up to date.
Corrective measures: Undertake a thorough review of the providers of basic utilities and telecommunications that may be vital to the continuity of essential services and incorporate them as cyber resilience requirements in continuity plans.
Table 42: Metric R-CS-OE5-02: Identify and prioritize the dependencies of basic utilities
and telecommunications suppliers.
2.4. Evolve
The tables below describe the four (4) metrics corresponding to the goal Evolve, grouped
by the corresponding functional domains as defined in the methodology.
2.4.1. Configuration and Change Management (CCM)
FIELD INFORMATION
IDENTIFICATION
Code E-CC-OE1-01
Goal EVOLVE
Functional Domain CONFIGURATION AND CHANGE MANAGEMENT
Indicator’s Objective Manage the configuration of information and technology assets.
Description
Establish a procedure for managing the configuration of computer
or technological components and equipment associated with the
system that makes it possible to provide the essential service in
such a way as to facilitate its acceptable re-establishment after a
cyber incident with serious consequences. In addition, the
management of changes in those components and equipment
must be guaranteed in order to prevent potential negative impacts
on the provision of the essential service due to those changes.
Question
Is there a configuration management procedure for the
equipment associated with the system that makes it possible to
provide the essential service?
Correlation
ISO/IEC 27001:2017 [A. 12.1.2]
NIST SP 800-53 R4 [CM-1], [CM-2], [CM-3], [CM-6], [CM-9], [SA-5], [SA-10]
ENS [Op. exp. 2]
Guía contenidos mínimos PPE (4.2.3)
CHARACTERIZATION
Scale
L0 - There is no procedure for managing the configuration of
computer and technological equipment.
L1 - The establishment of a procedure for configuration
management of IT and technological equipment has been
initiated.
L2 - The procedure for managing the configuration of IT
equipment has been established but is not documented.
L3 - The procedure for managing the configuration of computer
and technological equipment has been documented and is kept
up to date.
L4 - The procedure for managing the configuration of IT and
technological equipment is managed, updated and revised.
L5 - Actions are implemented to improve the procedure for
managing the configuration of IT and technological equipment.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values: Values close to L5 indicate that the organization carries out configuration management of computer and technological equipment supporting essential services. This provides a level of control to avoid altering the support it gives to essential services. The procedure must ensure that the service is restored in an acceptable manner following a cyber incident with serious consequences.
Corrective measures: Establish a procedure for configuration management of the technological assets that support the essential service.
Table 43: Metric E-CC-OE1-01: Manage the configuration of information and technology
assets.
2.4.2. Communication (CM)
FIELD INFORMATION
IDENTIFICATION
Code E-CM-OE1-02
Goal EVOLVE
Functional Domain COMMUNICATION
Indicator’s Objective
Establish communication mechanisms outside the organization,
on cyber resilience issues.
Description
Define and establish external communication mechanisms in the area of cyber resilience with, among others: customers, suppliers, media, State Security Forces and Corps, emergency services, etc. It must be evaluated whether these mechanisms are effective and whether they are used regularly.
Question
Have effective outside communication mechanisms for cyber resilience been defined and established? For example, with clients, suppliers, media, State Security Forces and Corps, emergency services...
Correlation
NIST SP 800-53 R4 [IR-7], [SA-9]
Guía contenidos mínimos PSO (2.2.1, 2.2.4)
Guía contenidos mínimos PPE (2.1, 2.3, 4.2.1)
CHARACTERIZATION
Scale
L0 - No communication is established with external entities regarding cyber resilience.
L1 - Communication with external entities on cyber resilience has been initiated.
L2 - Communication mechanisms have been established with external entities on cyber resilience but have not been documented.
L3 - Communication mechanisms with external entities on cyber resilience have been documented in a procedure and are kept up to date.
L4 - The procedure for communication with external entities on cyber resilience is managed, updated and verified.
L5 - Actions are implemented to improve the procedure for communication with external entities on cyber resilience.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that the organization establishes procedures, updates them and improves them in order to manage outside communication mechanisms formally and regularly with, among others: customers, suppliers, media, State Security Forces and Corps, emergency services, etc.
Corrective measures
Establish effective mechanisms for external communication through authorized channels.
Create good practices for communicating cyber incidents.
Table 44: Metric E-CM-OE1-02: Establish communication mechanisms outside the organization on cyber resilience issues.
FIELD INFORMATION
IDENTIFICATION
Code E-CM-OE2-02
Goal EVOLVE
Functional Domain COMMUNICATION
Indicator’s Objective
Ensure the availability of internal or external communication channels required by the essential service.
Description
The objective is to ensure that, in the event of an interruption, mechanisms exist and function to establish the appropriate communications with the actors needed to recover the provision of the essential service. This includes verifying, for example, that the incident can be communicated to the appropriate party for its resolution.
In any case, alternative communication channels must be available in case the usual ones fail. They must offer the same guarantees of protection for the communication as the usual channel, and a maximum time for them to enter into operation must be guaranteed.
Question
Has the availability of the internal or external communication channels required by the essential service been verified?
Correlation
NIST SP 800-53 R4 CP-2 (2) [2], CP-8, SC-1
ENS [MP. com. 9]
Guía contenidos mínimos PSO (2.2.1, 2.2.4)
Guía contenidos mínimos PPE (2.1, 4.2.1)
CHARACTERIZATION
Scale
L0 - The availability of the internal or external communication channels required by the essential service is not verified.
L1 - Tests have been initiated for the availability of the internal or external communication channels required by the essential service.
L2 - A procedure has been established to verify the availability of internal or external communication channels required by the essential service but is not documented.
L3 - A procedure for verifying the availability of internal or external communication channels required by the essential service has been documented and is kept up to date.
L4 - The procedure for verifying the availability of internal or external communication channels required by the essential service is managed, updated and verified.
L5 - Improvement actions are applied to the procedure to verify the availability of internal or external communication channels required by the essential service.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that the organization has a procedure to verify the availability of the internal or external communication channels required by the essential service. For example, it is verified that the cyber incident can be communicated to the appropriate party in case of interruption of the normal operation of the essential services.
Corrective measures
Establish a procedure to verify that the cyber incident can be communicated to the appropriate party in the event of interruption of the normal operation of the essential service for which we are conducting the survey.
Table 45: Metric E-CM-OE2-02: Ensure the availability of internal or external communication channels required by the essential service.
FIELD INFORMATION
IDENTIFICATION
Code E-CM-OE3-02
Goal EVOLVE
Functional Domain COMMUNICATION
Indicator’s Objective Communicate the continuity strategy to the entire organization.
Description
It deals with knowing whether the delegations of authority and assignments of responsibility (both internal and external) that may have been established within the framework of the cyber resilience program have been made with the required publicity and transparency, so that all staff involved in the program know their particular role and recognize to whom authority is assigned at any given time.
Question
Does the essential service continuity plan include the allocation of the respective delegations of authority and communicate these responsibilities to all those involved (both internal and external)?
Correlation
ISO/IEC 27001:2017 [A. 17.1.3]
NIST SP 800-53 R4 [CP-2 (a) (3)], [CP-3]
ENS [Op. cont. 2]
Guía contenidos mínimos PSO (2.2.1)
Guía contenidos mínimos PPE (4.2, 4.2.2)
CHARACTERIZATION
Scale
L0 - Responsibilities are not assigned and communicated to staff involved in continuity plans.
L1 - Assignment and communication of responsibilities to staff involved in continuity plans has been initiated.
L2 - A procedure has been established to assign and communicate responsibilities to staff involved in continuity plans, but is not documented.
L3 - The procedure for assigning and communicating responsibilities to the staff involved in the continuity plans has been documented and is kept up to date.
L4 - The procedure for assigning and communicating responsibilities to staff involved in continuity plans is managed, updated and verified.
L5 - Improvement actions are implemented in the procedure for assigning and communicating responsibilities to staff involved in continuity plans.
COLLECTION
Method of Collection Manual
Responsible CSO or CISO
ANALYSIS
Objective measure L5
Indicator
Positive values
Values close to L5 indicate that the organization guarantees the assignment and communication of responsibilities and authorities within the Continuity Plan to all the staff involved, both internal staff and those of the suppliers concerned, with the aim of making them aware of their functions and responsibilities.
Corrective measures
Establish, verify and improve a procedure for the assignment and communication of responsibilities and authorities within the Continuity Plan to all staff involved.
Table 46: Metric E-CM-OE3-02: Communicate the continuity strategy to the entire organization.
3. ACRONYMS
BIA: Business Impact Analysis.
CISO: Chief Information Security Officer.
CSO: Chief Security Officer.
CVSS: Common Vulnerability Scoring System.
ENS: Esquema Nacional de Seguridad (Spanish National Security Scheme).
ISO: International Organization for Standardization.
MTD: Maximum Tolerable Downtime.
NIST: National Institute of Standards and Technology.
PPE: Planes de Protección Específicos (Specific Protection Plans).
PSO: Planes de Seguridad de Operador (Operator Security Plans).
RPO: Recovery Point Objective.
RTO: Recovery Time Objective.
4. REFERENCES
Guía de buenas prácticas - Plan de protección específico (PPE)
http://www.cnpic.es/Biblioteca/Noticias/GUIA_BUENAS_PRACTICAS_PPE.pdf
NIST. Special Publication 800-53 Rev. 4
https://nvd.nist.gov/800-53
AENOR (2017). UNE-EN ISO 27001:2017 Tecnología de la información. Técnicas de seguridad. Sistemas de Gestión de la Seguridad de la Información.
https://www.iso.org/isoiec-27001-information-security.html
https://www.une.org/encuentra-tu-norma/busca-tu-norma/norma?c=N0058428
ISO (2018). ISO/IEC 27005:2018 Information technology – Security techniques – Information security risk management.
https://www.aenor.com/normas-y-libros/buscador-de-normas/ISO?c=075281
AENOR (2018). UNE ISO 31000:2018 Gestión del riesgo. Directrices.
https://www.iso.org/iso-31000-risk-management.html
https://www.une.org/encuentra-tu-norma/busca-tu-norma/norma/?c=N0059900
ISO (2015). ISO/TS 22317:2015 Societal security – Business continuity management systems – Guidelines for business impact analysis (BIA).
https://www.aenor.com/normas-y-libros/buscador-de-normas/iso?c=050054
Spain. BOE. Código de Derecho de la Ciberseguridad
https://www.boe.es/legislacion/codigos/codigo.php?id=173&modo=1&nota=0&tab=2
Includes (among others):
Spain (2017). National Security Strategy.
Law 8/2011, of 28 April, establishing measures for the protection of critical infrastructures.
Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the field of Electronic Administration.
Resolution of 8 September 2015, of the Secretary of State for Security, approving the new minimum contents of the Operator Security Plans and the Specific Protection Plans.
Royal Decree-Law 12/2018, of 7 September, on the security of networks and information systems.
EU (2016). Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to ensure a high common level of security of networks and information systems within the Union.
https://eur-lex.europa.eu/legal-content/ES/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.SPA&toc=OJ:L:2016:194:TOC
Spain (2019). Guía Nacional de Notificación y Gestión de Ciberincidentes
http://www.interior.gob.es/documents/10180/9814700/Gu%C3%ADa+Nacional+de+notificaci%C3%B3n+y+gesti%C3%B3n+de+ciberincidentes/f01d9ed6-2e14-4fb0-b585-9b0df20f2906