IMC_02 – Dictionary of Cyber-resilience Improvement Indicators (CII)

INCIBE-CERT


May 2019

imc_02_dictionary-indicators.pdf version 1.1

This publication is owned by INCIBE (Instituto Nacional de Ciberseguridad) and is licensed under a Creative Commons Attribution-Noncommercial 3.0 Spain license. For this reason it is permitted to copy, distribute and publicly communicate this work under the following conditions:

Acknowledgement. The content of this report may be reproduced in whole or in part by third parties, citing its origin and making express reference to both INCIBE or INCIBE-CERT and its website: https://www.incibe.es/. Such acknowledgement may in no case suggest that INCIBE supports such a third party or supports the use it makes of its work.

Non-Commercial Use. The original material and derivative works may be distributed, copied and exhibited as long as their use is not for commercial purposes.

When reusing or distributing the work, you must make clear the terms of the license of this work. Some of these conditions may not apply if you obtain permission from INCIBE-CERT as the copyright holder. Full text of the license: https://creativecommons.org/licenses/by-nc-sa/3.0/es/.


3 DICTIONARY OF CYBER-RESILIENCE IMPROVEMENT INDICATORS (CII)

INDEX

1. OBJECT OF THE DOCUMENT ....................................................................... 6

2. Indicators ............................................................................... 7

2.1. Anticipate .................................................................................................. 8

2.1.1. Cybersecurity Policy (CP) ...................................................................... 8

2.1.2. Risk Management (RM) ....................................................................... 14

2.1.3. Cybersecurity Training (CT) ................................................................. 22

2.2. Resist ...................................................................................................... 26

2.2.1. Vulnerability Management (VM) ........................................................... 26

2.2.2. Continuous Supervision (CS) ............................................................... 44

2.3. Recover ................................................................................................... 52

2.3.1. Incident Management (IM) ................................................................... 52

2.3.2. Service Continuity Management (SCM) ............................................... 70

2.4. Evolve ..................................................................................................... 92

2.4.1. Configuration and Change Management (CCM) .................................. 92

2.4.2. Communication (CM) ........................................................................... 94

3. Acronyms ........................................................................... 100

4. References ........................................................................... 101


TABLE INDEX

Table 1: Metric A-PC-OE2-02: Identify cyber resilience requirements for the essential service chosen. ..... 9
Table 2: Metric A-PC-OE4-01: Collaborate with public entities in the cyber resilience field. ..... 11
Table 3: Metric A-PC-OE4-02: Collaborate with other private entities in cyber resilience matters. ..... 13
Table 4: Metric A-GR-OE1-03: Establish, implement and maintain a formal and documented Business Impact Analysis (BIA) process on the activities and processes that support the essential service. ..... 15
Table 5: Metric A-GR-OE1-04: Estimate the Maximum Tolerable Downtime (MTD) or time that an essential service may be down before unacceptable effects occur. ..... 17
Table 6: Metric A-GR-OE1-05: Identify the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the essential service. ..... 19
Table 7: Metric A-GR-OE2-02: Identify risks and risk tolerance levels. ..... 21
Table 8: Metric A-FO-OE2-01: Carry out training activities in cyber resilience. ..... 23
Table 9: Metric A-FO-OE3-01: Carry out awareness activities in cyber resilience. ..... 25
Table 10: Metric T-GV-OE1-03: Establish a vulnerability identification process. ..... 27
Table 11: Metric T-GV-OE1-04: Establish and maintain a process of classification, categorization and prioritization of vulnerabilities. ..... 29
Table 12: Metric T-GV-OE1-05: Establish a vulnerability analysis process. ..... 31
Table 13: Metric T-GV-OE1-06: Establish and maintain an updated vulnerability repository. ..... 33
Table 14: Metric T-GV-OE2-02: Initiate actions to manage exposure to identified vulnerabilities. ..... 35
Table 15: Metric T-GV-OE2-04: Observe exposure to identified vulnerabilities. ..... 37
Table 16: Metric T-GV-OE2-05: Estimate the average time from the identification of a vulnerability to the notification to the responsible party. ..... 39
Table 17: Metric T-GV-OE2-06: Estimate the average time from when a security patch is announced until it is applied to the targeted vulnerability. ..... 41
Table 18: Metric T-GV-OE2-07: Estimate the average time to remediate identified vulnerabilities that cannot be remediated through updates or patches. ..... 43
Table 19: Metric T-SC-OE1-01: Permanently supervise essential services. ..... 45
Table 20: Metric T-SC-OE1-02: Monitor the existence of unauthorized software and hardware in systems that support essential services. ..... 47
Table 21: Metric T-SC-OE1-03: Supervise communications networks to detect unauthorized connections. ..... 49
Table 22: Metric T-SC-OE1-04: Estimate the time between the identification of a cyber incident and its escalation to those responsible for resolving it. ..... 51
Table 23: Metric R-GI-OE1-01: Establish a process to detect, report and notify events. ..... 53
Table 24: Metric R-GI-OE1-02: Establish a process to estimate the time between an event occurrence and its detection. ..... 55
Table 25: Metric R-GI-OE2-01: Procedure for classifying and assessing cyber incidents. ..... 57
Table 26: Metric R-GI-OE2-02: Document and convey the criteria for identifying and recognizing cyber incidents. ..... 59
Table 27: Metric R-GI-OE2-03: Analyze cyber incidents to determine an appropriate response. ..... 61
Table 28: Metric R-GI-OE3-01: Establish a process of escalation to those responsible for responding to and recovering from cyber incidents. ..... 63
Table 29: Metric R-GI-OE3-06: Establish a process for estimating the response and recovery capacity of cyber incidents. ..... 65
Table 30: Metric R-GI-OE4-03: Establish a process for estimating the average time of a cyber incident's impact on the essential service. ..... 67
Table 31: Metric R-GI-OE5-03: Coordination with other agencies in the response to cyber incidents. ..... 69
Table 32: Metric R-CS-OE1-01: Develop a Continuity Plan to ensure the provision of essential service. ..... 71


Table 33: Metric R-CS-OE1-06: Define RTO in the Continuity Plan. ..... 73
Table 34: Metric R-CS-OE2-04: Test the Continuity Plan. ..... 75
Table 35: Metric R-CS-OE3-03: The average time elapsed from the interruption of essential service until its recovery to an acceptable level. ..... 77
Table 36: Metric R-CS-OE3-04: The average time elapsed since the interruption of the essential service and its recovery to the usual level of service. ..... 79
Table 37: Metric R-CS-OE1-02: Identify and prioritize external dependencies related to the provision of the essential service. ..... 81
Table 38: Metric R-CS-OE2-01: Identify and manage risks associated with external dependencies. ..... 83
Table 39: Metric R-CS-OE3-04: Establish specific cyber resilience agreements with those third parties involved in the provision of the essential service. ..... 85
Table 40: Metric R-CS-OE4-01: Supervise and manage the operation of external dependencies. ..... 87
Table 41: Metric R-CS-OE5-01: Identify and prioritize public service dependencies. ..... 89
Table 42: Metric R-CS-OE5-02: Identify and prioritize the dependencies of basic utilities and telecommunications suppliers. ..... 91
Table 43: Metric E-CC-OE1-01: Manage the configuration of information and technology assets. ..... 93
Table 44: Metric E-CM-OE1-02: Establish communication mechanisms outside the organization on cyber resilience issues. ..... 95
Table 45: Metric E-CM-OE2-02: Ensure the availability of internal or external communication channels required by the essential service. ..... 97
Table 46: Metric E-CM-OE3-02: Communicate the continuity strategy to the entire organization. ..... 99


1. OBJECT OF THE DOCUMENT

This dictionary describes the Cyber resilience Improvement Indicators (CII) for organizations and companies of industrial sectors and industrial critical infrastructures with respect to the fields of IT (Information Technology) and OT (Operational Technology).

These indicators can be used to define maturity consultation surveys (for each company, sector or group of companies) which determine the levels of resilience (for the goals anticipate, resist, recover and evolve) corresponding to the provision of its essential services.

All indicators are valued according to the criteria indicated in the assessment methodology described in the document IMC_01 – Methodology for Assessing Cyber resilience Improvement Indicators (CII).


2. INDICATORS

This section describes each of the Cyber resilience improvement indicators in a separate table.

The indicators are identified with a code (X-XX-OEN-NN) consisting of:

X: the letter that corresponds to the goal according to the methodology.
XX: the two letters that indicate the functional domain according to the methodology.
OEN: the letters OE (specific objective, from the Spanish Objetivo Específico) followed by a number that identifies each of the specific objectives.
NN: the number that identifies each metric.
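As an added example (not code from the INCIBE document), the following Python parses codes of this form and checks each part against the goals and functional domains that appear in this document's table index. Note that the domain letters used in the codes (PC, GR, FO, GV, SC, GI, CS, CC, CM) are not the English abbreviations in the section headings (CP, RM, CT, ...), so the goal-to-domain mapping below is read off the table index, and the 46 sample codes are the ones that index lists.

```python
"""Parse and sanity-check IMC_02 indicator codes of the form X-XX-OEN-NN.

Added example, not code from the INCIBE document. The goal letters and the
goal-to-domain mapping are read off this document's table index; the 46 sample
codes are those listed there (Tables 1-46). Everything else is assumed.
"""
import re
from collections import Counter
from typing import NamedTuple

# X: goal letter (section 2 of the document).
GOALS = {"A": "Anticipate", "T": "Resist", "R": "Recover", "E": "Evolve"}

# XX: functional-domain letters as they appear in the codes, grouped under the
# goal whose metrics carry them in the table index. A domain is only valid under
# its own goal (e.g. GV belongs to Resist, so "A-GV-..." is rejected).
DOMAINS_BY_GOAL = {
    "A": {"PC": "Cybersecurity Policy", "GR": "Risk Management",
          "FO": "Cybersecurity Training"},
    "T": {"GV": "Vulnerability Management", "SC": "Continuous Supervision"},
    "R": {"GI": "Incident Management", "CS": "Service Continuity Management"},
    "E": {"CC": "Configuration and Change Management", "CM": "Communication"},
}

# OEN is "OE" plus the specific-objective number; NN is the two-digit metric number.
CODE_RE = re.compile(
    r"^(?P<goal>[A-Z])-(?P<domain>[A-Z]{2})-OE(?P<objective>\d+)-(?P<metric>\d{2})$"
)

# The 46 metric codes listed in the document's table index, in table order.
TABLE_INDEX_CODES = """
A-PC-OE2-02 A-PC-OE4-01 A-PC-OE4-02 A-GR-OE1-03 A-GR-OE1-04 A-GR-OE1-05
A-GR-OE2-02 A-FO-OE2-01 A-FO-OE3-01 T-GV-OE1-03 T-GV-OE1-04 T-GV-OE1-05
T-GV-OE1-06 T-GV-OE2-02 T-GV-OE2-04 T-GV-OE2-05 T-GV-OE2-06 T-GV-OE2-07
T-SC-OE1-01 T-SC-OE1-02 T-SC-OE1-03 T-SC-OE1-04 R-GI-OE1-01 R-GI-OE1-02
R-GI-OE2-01 R-GI-OE2-02 R-GI-OE2-03 R-GI-OE3-01 R-GI-OE3-06 R-GI-OE4-03
R-GI-OE5-03 R-CS-OE1-01 R-CS-OE1-06 R-CS-OE2-04 R-CS-OE3-03 R-CS-OE3-04
R-CS-OE1-02 R-CS-OE2-01 R-CS-OE3-04 R-CS-OE4-01 R-CS-OE5-01 R-CS-OE5-02
E-CC-OE1-01 E-CM-OE1-02 E-CM-OE2-02 E-CM-OE3-02
""".split()


class IndicatorCode(NamedTuple):
    goal: str
    domain: str
    objective: int
    metric: int


def parse_code(code: str) -> IndicatorCode:
    """Split a code into its four parts, rejecting anything the scheme does not allow."""
    m = CODE_RE.match(code.strip())
    if m is None:
        raise ValueError(f"{code!r} does not match X-XX-OEN-NN")
    goal, domain = m["goal"], m["domain"]
    if goal not in GOALS:
        raise ValueError(f"{code!r}: unknown goal letter {goal!r}")
    if domain not in DOMAINS_BY_GOAL[goal]:
        raise ValueError(f"{code!r}: {domain!r} is not a {GOALS[goal]} domain")
    return IndicatorCode(goal, domain, int(m["objective"]), int(m["metric"]))


def describe(code: str) -> str:
    """Human-readable expansion of a code using the document's goal and domain names."""
    c = parse_code(code)
    return (f"{GOALS[c.goal]} / {DOMAINS_BY_GOAL[c.goal][c.domain]} / "
            f"OE{c.objective} / metric {c.metric:02d}")


def tally(codes):
    """Count valid codes per goal; return (counts, problems) so bad codes are reported, not dropped."""
    counts, problems = Counter(), []
    for code in codes:
        try:
            counts[GOALS[parse_code(code).goal]] += 1
        except ValueError as exc:
            problems.append(str(exc))
    return dict(counts), problems


def duplicates(codes):
    """Codes that appear more than once (the table index itself lists R-CS-OE3-04 twice)."""
    return sorted(c for c, n in Counter(codes).items() if n > 1)


if __name__ == "__main__":
    # Two constructed invalid codes are appended to show how they are reported.
    counts, problems = tally(TABLE_INDEX_CODES + ["A-GV-OE1-03", "X-PC-OE1-01"])
    print(counts)      # {'Anticipate': 9, 'Resist': 13, 'Recover': 20, 'Evolve': 4}
    print(problems)
    print(duplicates(TABLE_INDEX_CODES))  # ['R-CS-OE3-04']
```

The per-goal tally reproduces the nine Anticipate metrics the next section announces, and the duplicate check surfaces the repeated R-CS-OE3-04 entry in the table index.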

For the definition of "essential service" (1), the reference taken is Ley 8/2011 (Spanish Act 8/2011), of April 28th, which establishes measures for the protection of critical infrastructures.

Each table includes the following fields: identification, characterization, collection and analysis.

The identification field contains the following subfields:
the indicator code, as described above;
the goal to which it belongs;
the functional domain in which it is assessed;
the indicator’s objective;
the indicator’s description;
the question issued; and
the correlation subfield, which includes the guidelines, standards and rules on which each indicator is based.

The characterization field establishes and describes the scale of levels on which the organization identifies its compliance status for each indicator: L0, L1, L2, L3, L4 or L5.

The collection field details the method of collecting the information for the indicator and the person responsible for carrying it out.

Finally, the table includes the analysis field, with two subfields:
Objective measure: where the optimum level that the organization must reach is established.
Indicator, with two elements: positive values and corrective measures. In the first, the justification for considering the organization to be at a high level is indicated. In the second, the measures to be taken by the organization to increase its level within the scale for that indicator.

(1) Service that is necessary for the maintenance of basic social functions, health, safety, social and economic welfare of citizens, or the effective functioning of State Institutions and Public Administrations.


2.1. Anticipate

The tables below describe the nine (9) metrics corresponding to the goal Anticipate, grouped by the corresponding functional domains as defined in the methodology.

2.1.1. Cybersecurity Policy (CP)

FIELD INFORMATION

IDENTIFICATION
Code: A-PC-OE2-02
Goal: ANTICIPATE
Functional Domain: CYBERSECURITY POLICY
Indicator’s Objective: Identify cyber resilience requirements for the essential service chosen.
Description: Cyber resilience requirements are established for the essential service identified as having the highest impact. The aim is to know to what extent cyber resilience is conceived as something different and specific within cybersecurity. To measure cyber resilience, it is necessary to identify at least one essential critical service.
This indicator measures the degree of commitment of the organization to the definition of the specific objectives of cyber resilience (for the essential service identified as having the greatest impact) and of the requirements to comply with them. If several essential services have been identified, a survey can be made for each of them. Separate surveys can also be made for the OT and IT fields.
If the essential service belongs to the OT field, the cyber resilience requirements should include, for example, protecting remote access from the Internet to elements that support the essential service, such as PLCs, HMIs, RTUs, etc.
Question: Have cyber resilience requirements been established for an essential service (choosing the one whose interruption or alteration causes the greatest impact)?
Correlation:
ISO/IEC 27001:2017 [A. 5.1.1], [A. 14.1.1]
NIST SP 800-53 R4 [PM-7], [SA-2], [SA-13]
ENS [org. 1]
Guía contenidos mínimos PSO (3.1, 3.3)
NIS (Directives 2, 24)


CHARACTERIZATION
Scale:
L0- No cyber resilience requirements have been established.
L1- Identification of cyber resilience requirements has been initiated.
L2- Cyber resilience requirements have been established but have not been documented yet.
L3- Cyber resilience requirements have been documented and are kept up to date.
L4- Cyber resilience requirements are managed, updated and verified.
L5- Improvement actions are applied in the definition of cyber resilience requirements.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization has identified and documented the cyber resilience requirements for the identified essential service, and that these requirements are accurate and up to date. These requirements should make it possible to manage risks, vulnerabilities, incidents, service continuity, and configurations and changes, reducing the impact of interruption or alteration of the identified essential services.
Indicator, corrective measures: Identify, document and review the cyber resilience requirements of the identified essential service. Update the documentation associated with the cybersecurity policy.

Table 1: Metric A-PC-OE2-02: Identify cyber resilience requirements for the essential service chosen.


FIELD INFORMATION

IDENTIFICATION
Code: A-PC-OE4-01
Goal: ANTICIPATE
Functional Domain: CYBERSECURITY POLICY
Indicator’s Objective: Collaborate with public entities in the cyber resilience field.
Description: Establish some formal agreement of mutual assistance, cooperation or exchange of information with public entities in the cyber resilience field, such as an incident response center or CERT.
A formal agreement is understood to be one that is embodied in a document approved by the Directive Board.
Question: Has any formal agreement on mutual assistance, cooperation or exchange of information with public entities in the cyber resilience field been established?
Correlation:
ISO/IEC 27001:2017 [A. 5.1.1], [A. 6.1.3]
NIST SP 800-53 R4 [PM-7], [AT-5], [PM-15]
ENS [org. 1]
Guía contenidos mínimos PSO (2.2.4)
NIS (Directives 24, 35, 47.59, 62, 67, article 8, point 7)

CHARACTERIZATION
Scale:
L0- No agreement has been established with public entities.
L1- The establishment of an agreement with public entities has been initiated.
L2- An agreement has been established, but it is not formal (it has not been documented or approved by the Directive Board).
L3- An agreement has been documented and approved by the Directive Board, and it is kept up to date.
L4- Formally established agreements are managed, updated or verified.
L5- Improvement actions are applied in formally established agreements with public entities.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO


ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization has established mutual aid, collaboration or information exchange agreements on cyber resilience with public entities, to ensure the collaboration or support of external entities, if necessary, in the event of a cyberattack that may result in the unavailability of essential services. This exchange of information improves anticipation in incident and vulnerability management and in essential service continuity.
Indicator, corrective measures: Establish, formalize and review agreements with public entities to ensure mutual cooperation in the event of a cyberattack.

Table 2: Metric A-PC-OE4-01: Collaborate with public entities in the cyber resilience field.


FIELD INFORMATION

IDENTIFICATION
Code: A-PC-OE4-02
Goal: ANTICIPATE
Functional Domain: CYBERSECURITY POLICY
Indicator’s Objective: Collaborate with other private entities in cyber resilience matters.
Description: Establish formal agreements for mutual assistance, cooperation or exchange of information with private entities in the field of cyber resilience, such as cybersecurity consultancy companies, suppliers, and other companies in the sector.
A formal agreement is understood to be one that is embodied in a document approved by the Directive Board.
Question: Has any formal agreement on mutual assistance, cooperation or exchange of information with other private entities in the field of cyber resilience been established?
Correlation:
ISO/IEC 27001:2017 [A. 5.1.1], [A. 6.1.4]
NIST SP 800-53 R4 [PM-7], [AT-5], [PM-15]
ENS [org. 1]
NIS (Directive 35, article 13)

CHARACTERIZATION
Scale:
L0- No agreement has been established with private entities.
L1- The establishment of an agreement with private entities has been initiated.
L2- Some agreement has been established, but it is not formal (it has not been documented or approved by the Directive Board).
L3- Some agreement has been documented and approved by the Directive Board, and it is kept up to date.
L4- Formally established agreements are managed, updated and verified.
L5- Improvement actions are applied in formally established agreements with private entities.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO


ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization has regularly established and updated mutual aid, collaboration or information exchange agreements on cyber resilience with private entities, to ensure the collaboration or support of external entities, if necessary, in the event of a cyberattack that may result in the unavailability of essential services. This exchange of information improves anticipation in incident and vulnerability management and in essential service continuity.
Indicator, corrective measures: Establish, formalize and revise agreements with private entities to ensure mutual cooperation in the event of a cyberattack.

Table 3: Metric A-PC-OE4-02: Collaborate with other private entities in cyber resilience matters.


2.1.2. Risk Management (RM)

FIELD INFORMATION

IDENTIFICATION
Code: A-GR-OE1-03
Goal: ANTICIPATE
Functional Domain: RISK MANAGEMENT
Indicator’s Objective: Establish, implement and maintain a formal and documented Business Impact Analysis (BIA) process on the activities and processes that support the essential service.
Description: Identify the impact of an interruption or alteration of the essential service provision on its processes and activities, assessing which of them are most critical.
The aim is to know whether a Business Impact Analysis (BIA) is carried out that analyzes the consequences of an interruption of the provision, or an alteration, of the essential service, in order to identify the critical processes and activities that support this service and to prioritize their recovery.
It should be ensured that priority is given to the treatment of risks in accordance with their criticality for the organization or for society (people affected and economic, environmental, public and social impact).
Question: Has the impact of an interruption or alteration of the essential service on the processes and activities that support it been identified? And which of these processes and activities are most critical in terms of this impact?
Correlation:
ISO/IEC 31000:2018
NIST SP 800-53 R4 [RA-2], [RA-3], [PM-9], [PM-11], [SA-14]
ENS [op. pl. 1]
Guía contenidos mínimos PSO (4.1, 4.4)
Guía contenidos mínimos PPE (4.2, 4.3)
NIS (Article 15-2, 3)

CHARACTERIZATION
Scale:
L0- The impact analysis of the interruption of the provision or alteration of the essential service has not been initiated.
L1- The impact analysis of the interruption of the provision or alteration of the essential service has been initiated.
L2- The impact of an interruption or alteration of the provision of the essential service on its processes and activities has been established, assessing which of them are more critical, but it has not been documented yet.


L3- The impact analysis of the interruption of the provision or alteration of the essential service has been documented, and it is kept up to date.
L4- The impact analysis of the interruption of the provision or alteration of the essential service is managed, updated and verified.
L5- Improvement actions are applied in the impact analysis of the interruption of the provision or alteration of the essential service.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization has identified and prioritized the possible impacts on the processes and activities that support the essential service in the event of an interruption or alteration, based on a Business Impact Analysis (BIA).
Indicator, corrective measures: Identify the possible impact that an interruption would cause in the different processes and activities that support the essential services. Categorize these impacts to prioritize their treatment.

Table 4: Metric A-GR-OE1-03: Establish, implement and maintain a formal and documented Business Impact Analysis (BIA) process on the activities and processes that support the essential service.


FIELD INFORMATION

IDENTIFICATION
Code: A-GR-OE1-04
Goal: ANTICIPATE
Functional Domain: RISK MANAGEMENT
Indicator’s Objective: Estimate the Maximum Tolerable Downtime (MTD), or the time that an essential service may be down before unacceptable effects occur.
Description: Estimate the maximum duration of an interruption or alteration of the provision of the essential service that is considered tolerable. Internal procedures, guidelines and reference standards, or qualitative factors based on intuition, can be used as calculation criteria.
Question: Has the maximum acceptable length of time for an interruption or alteration of the essential service been estimated? Please indicate in the comment box who has established that time (CEO, CIO, CISO, IT responsible or other) and what criteria have been used to determine it.
Correlation:
ISO/IEC 31000:2018
NIST SP 800-53 R4 [RA-2], [RA-3], [PM-9], [PM-11], [SA-14]
ENS [op. pl. 1]
Guía contenidos mínimos PPE (4.2)
NIS (Directives 27, 33)

CHARACTERIZATION
Scale:
L0- The maximum duration of an interruption or alteration in the provision of the essential service that is considered tolerable has not been estimated.
L1- The estimation of the maximum duration of an interruption or alteration in the provision of the essential service that is considered tolerable has been initiated.
L2- It has been determined how to estimate the maximum duration of an interruption or alteration of the provision of the essential service that is considered tolerable, but it has not been documented yet.
L3- The procedure to estimate the maximum duration of an interruption or alteration in the provision of the essential service that is considered tolerable has been documented and is kept up to date.
L4- The procedure to estimate the maximum length of time of an interruption or alteration of the provision of the essential service that is considered tolerable is managed, updated and verified.

L5- Improvement measures are applied in the procedure to estimate the maximum length of time of an interruption or alteration of the provision of the essential service that is considered tolerable.

COLLECTION

Method of Collection Manual

Responsible CSO or CISO

ANALYSIS

Objective measure L5

Indicator

Positive

values

Values close to L5 indicate that the

organization has estimated the maximum

tolerable period of an interruption for the

essential service. This estimate is based on

an objective criteria and is reviewed

periodically.

Corrective

measures

Establish the criteria to estimate the

maximum tolerable periods of interruption for

each process and activity of the essential

service for which we are conducting the

survey.

Document, review and manage the maximum

tolerable time of interruption for this essential

service.

Table 5: Metric A-GR-OE1-04: Estimate the Maximum Tolerable Downtime (MTD) or time

that an essential service may be down before unacceptable effects occur.

FIELD INFORMATION

IDENTIFICATION
Code: A-GR-OE1-05
Goal: ANTICIPATE
Functional Domain: RISK MANAGEMENT
Indicator’s Objective: Identify the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the essential service.

Description: In case of interruption or alteration of the essential service, and in order to manage its recovery, it is necessary to establish the RTO and RPO values, disaggregated for the processes and activities that support this essential service.

The RTO is the target time set as the maximum acceptable for service recovery, even with a degraded level of functionality, following a disaster affecting service provision; in other words, the time within which recovery avoids major consequences for the essential service. If recovery is not achieved in that time, the consequences can be very serious.

The RPO refers to the volume of data at risk of loss that the organization considers tolerable. It sets the maximum acceptable loss of data entered since the last backup performed until the collapse of the essential service. If the data loss exceeds that volume, the consequences can be very serious.

Internal procedures, guidelines and reference standards, or qualitative factors based on intuition, may be followed as criteria for determining these values.

Question: Have the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the essential service (in the event of interruption or alteration of the essential service) been identified? Please indicate in the comments box what criteria have been used to determine the RTO and RPO values.

Correlation:
ISO/IEC 31000:2018
NIST SP 800-53 R4 [RA-2], [RA-3], [PM-9], [PM-11], [SA-14]
ENS [op. pl. 1]
Guía contenidos mínimos PPE (4.2)
NIS (Directive 69)

CHARACTERIZATION

Scale:
L0 - RTO and RPO have not been identified for risk management in the provision of the essential service.
L1 - Identification of RTO and RPO for risk management in the provision of the essential service has been initiated.
L2 - RTO and RPO have been established for risk management in the provision of the essential service but have not been documented yet.
L3 - The RTO and RPO for risk management in the provision of the essential service have been documented and are kept up to date.
L4 - RTO and RPO for risk management in the provision of the essential service are managed, updated and verified.
L5 - Improvement actions are implemented in the definition of RTO and RPO for risk management in the provision of the essential service.

COLLECTION

Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS

Objective measure: L5

Indicator, positive values: Values close to L5 indicate that the organization has identified the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the essential service for which we are conducting the survey. This estimate is based on objective criteria.

Corrective measures: Establish the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the essential service for which we are conducting the survey. Document, review and update the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the essential service for which we are conducting the survey.

Table 6: Metric A-GR-OE1-05: Identify the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the essential service.
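As an added example (not part of the INCIBE dictionary), the following Python script ties together the values that metrics A-GR-OE1-04 (MTD) and A-GR-OE1-05 (RTO, RPO) ask the organization to estimate, per process of the essential service, and measures a drilled or real interruption against them. The data model, the consistency rules and all sample values are assumptions, not the page's.

```python
"""Added example, not part of the INCIBE dictionary: checks that tie together
the values requested by A-GR-OE1-04 (MTD) and A-GR-OE1-05 (RTO, RPO) per
process of the essential service, and measure a real or drilled interruption
against them.

Assumed (not from the page): the data model, the consistency rules
(RTO <= MTD, backup interval <= RPO, drill recovery <= RTO) and all sample
values."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessObjectives:
    """Recovery objectives of one process supporting the essential service."""
    name: str
    mtd: timedelta               # maximum tolerable downtime (A-GR-OE1-04)
    rto: timedelta               # recovery time objective (A-GR-OE1-05)
    rpo: timedelta               # recovery point objective (A-GR-OE1-05)
    backup_interval: timedelta   # how often a backup of the process data completes
    drill_recovery_times: Tuple[timedelta, ...] = ()  # measured in recovery drills


@dataclass(frozen=True)
class Finding:
    process: str
    rule: str
    detail: str


def check_objectives(p: ProcessObjectives) -> List[Finding]:
    """Static consistency of the plan: the RTO must fit inside the tolerable
    outage and the backup schedule must make the RPO achievable."""
    findings: List[Finding] = []
    if p.rto > p.mtd:
        findings.append(Finding(p.name, "RTO<=MTD", f"RTO {p.rto} exceeds MTD {p.mtd}"))
    if p.backup_interval > p.rpo:
        findings.append(Finding(p.name, "BACKUP<=RPO",
                                f"backup interval {p.backup_interval} exceeds RPO {p.rpo}"))
    for i, t in enumerate(p.drill_recovery_times, start=1):
        if t > p.rto:
            findings.append(Finding(p.name, "DRILL<=RTO", f"drill {i} took {t}, RTO is {p.rto}"))
    return findings


def data_loss_window(backup_completions: List[datetime], incident: datetime) -> Optional[timedelta]:
    """Data at risk in an incident: the time from the last backup completed
    before the incident until the incident itself (None if there is no such backup)."""
    before = [b for b in backup_completions if b <= incident]
    return incident - max(before) if before else None


def check_incident(p: ProcessObjectives, incident: datetime, restored: datetime,
                   backup_completions: List[datetime]) -> List[Finding]:
    """Measure one interruption (real or drilled) against RTO, MTD and RPO."""
    findings: List[Finding] = []
    downtime = restored - incident
    if downtime > p.rto:
        findings.append(Finding(p.name, "DOWNTIME<=RTO", f"downtime {downtime} exceeds RTO {p.rto}"))
    if downtime > p.mtd:
        findings.append(Finding(p.name, "DOWNTIME<=MTD", f"downtime {downtime} exceeds MTD {p.mtd}"))
    window = data_loss_window(backup_completions, incident)
    if window is None:
        findings.append(Finding(p.name, "BACKUP_EXISTS", "no backup completed before the incident"))
    elif window > p.rpo:
        findings.append(Finding(p.name, "LOSS<=RPO", f"data loss window {window} exceeds RPO {p.rpo}"))
    return findings


def check_service(processes: List[ProcessObjectives]) -> Dict[str, List[Finding]]:
    """Static checks for every process; an empty list means the plan is consistent."""
    return {p.name: check_objectives(p) for p in processes}


# Constructed sample: two processes of a fictitious essential service.
H = timedelta(hours=1)
SAMPLE_PROCESSES = [
    ProcessObjectives("order-intake", mtd=8 * H, rto=4 * H, rpo=1 * H,
                      backup_interval=timedelta(minutes=30),
                      drill_recovery_times=(3 * H, timedelta(hours=3, minutes=30))),
    ProcessObjectives("billing", mtd=24 * H, rto=36 * H, rpo=4 * H,
                      backup_interval=6 * H, drill_recovery_times=(20 * H, 40 * H)),
]
T0 = datetime(2019, 5, 6, 0, 0)                                     # constructed incident day
SAMPLE_BACKUPS = [T0 + k * timedelta(minutes=30) for k in range(4)]  # 00:00, 00:30, 01:00, 01:30
SAMPLE_INCIDENT = T0 + timedelta(hours=1, minutes=50)

if __name__ == "__main__":
    for name, findings in check_service(SAMPLE_PROCESSES).items():
        print(name, "OK" if not findings else [f.detail for f in findings])
    print("incident:", [f.detail for f in check_incident(
        SAMPLE_PROCESSES[0], SAMPLE_INCIDENT, SAMPLE_INCIDENT + 5 * H, SAMPLE_BACKUPS)])
```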

FIELD INFORMATION

IDENTIFICATION
Code: A-GR-OE2-02
Goal: ANTICIPATE
Functional Domain: RISK MANAGEMENT
Indicator’s Objective: Identify risks and risk tolerance levels.

Description: Define risk tolerance thresholds that trigger the execution of the different risk treatment actions: avoid, mitigate, transfer or accept. The aim is to assess whether the risk management carried out by the organization triggers the aforementioned risk treatment actions when the risk has exceeded the acceptable limits established by the organization.

If the essential service belongs to the OT scope, this means defining the thresholds for the risks on assets related to the OT infrastructures, for example default configurations, lack of encryption and other risks inherent to SCADA systems.

Question: Have risk tolerance thresholds that would trigger the treatment of risk in any of its variants (avoid, mitigate, transfer or accept) been established?

Correlation:
ISO/IEC 31000:2018
NIST SP 800-53 R4 [RA-2], [RA-3], [PM-9], [PM-11], [SA-14]
ENS [op. pl. 1]
Guía contenidos mínimos PSO (4.1, 4.4)
NIS (Directives 49, 57)

CHARACTERIZATION

Scale:
L0 - No risk tolerance thresholds have been identified.
L1 - Identification of risk tolerance thresholds has been initiated.
L2 - Risk tolerance thresholds have been established but not documented.
L3 - Risk tolerance thresholds and associated treatment actions have been documented. This information is kept up to date.
L4 - Risk tolerance thresholds and associated treatment actions are managed, updated and verified.
L5 - Improvement actions are applied in the definition of risk tolerance thresholds and their associated treatment.

COLLECTION

Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS

Objective measure: L5

Indicator, positive values: Values close to L5 indicate that the organization has defined risk tolerance thresholds for the essential service, which will trigger the execution of risk treatment actions (avoid, mitigate, transfer or accept) to prevent the risk from exceeding these thresholds.

Corrective measures: Identify and establish risk tolerance thresholds for the essential service for which we are conducting the survey. Document, manage and update risk tolerance thresholds for the essential service for which we are conducting the survey.

Table 7: Metric A-GR-OE2-02: Identify risks and risk tolerance levels.

2.1.3. Cybersecurity Training (CT)

FIELD INFORMATION

IDENTIFICATION
Code: A-FO-OE2-01
Goal: ANTICIPATE
Functional Domain: CYBERSECURITY TRAINING
Indicator’s Objective: Carry out training activities in cyber resilience.

Description: Define and implement a cyber resilience training plan for staff involved in the essential service. It deals with knowing whether the development of knowledge and skills is promoted among users directly or indirectly related to the provision of the essential service, to support their functions in achieving and maintaining cyber resilience.

The training plan may include any education initiative in cyber resilience aimed at these users, including their participation in cyber-exercises.

Question: Has a cyber resilience training plan for staff involved in the essential service been defined and implemented?

Correlation:
ISO/IEC 27001:2017 [A. 7.2.2]
NIST SP 800-53 R4 [AT-1], [AT-3], [PM-13], [PM-14]
ENS [MP. Per. 4]
Guía contenidos mínimos PSO (2.2.2)
NIS (Directives 36, 38)

CHARACTERIZATION

Scale:
L0 - No cyber resilience training plan is in place.
L1 - Definition of a training plan has begun.
L2 - A training plan has been established but not documented.
L3 - A training plan and associated activities have been documented. This plan is kept up to date.
L4 - The training plan and associated activities are managed and verified.
L5 - Improvement actions are implemented in the training plan and associated activities.

COLLECTION

Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS

Objective measure: L5

Indicator, positive values: Values close to L5 indicate that the organization carries out training activities or cyber-exercises aimed at educating the staff of the organization in cyber resilience. The training plan should be addressed to the organization's employees and, where relevant, to third-party contractors and users.

Corrective measures: Plan, assign resources, inform staff and carry out training activities in cyber resilience or cyber-exercises aimed at educating the staff of the organization in this area. Update these plans periodically.

Table 8: Metric A-FO-OE2-01: Carry out training activities in cyber resilience.

FIELD INFORMATION

IDENTIFICATION
Code: A-FO-OE3-01
Goal: ANTICIPATE
Functional Domain: CYBERSECURITY TRAINING
Indicator’s Objective: Carry out awareness activities in cyber resilience.

Description: Define and implement an awareness-raising plan in cyber resilience. It deals with knowing whether a culture of cyber resilience is promoted within the organization that reaches all staff. This plan incorporates any cyber resilience awareness-raising initiative.

Question: Has a cyber resilience awareness plan been defined and implemented for all staff involved in the essential service?

Correlation:
ISO/IEC 27001:2017 [A. 7.2.2]
NIST SP 800-53 R4 [AT-1], [PM-16], [AT-2], [PM-15], [PM-16]
ENS [MP. Per. 3]
Guía contenidos mínimos PSO (2.2.2)
NIS (Directives 36, 38)

CHARACTERIZATION

Scale:
L0 - No cyber resilience awareness plan is in place.
L1 - The definition of an awareness plan has been initiated.
L2 - An awareness plan has been established but not documented.
L3 - An awareness plan and associated activities have been documented. This plan is kept up to date.
L4 - The awareness plan and associated awareness activities are managed and verified.
L5 - Improvement actions are implemented in the awareness plan and associated awareness activities.

COLLECTION

Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS

Objective measure: L5

Indicator, positive values: Values close to L5 indicate that the organization carries out awareness-raising activities aimed at sensitizing the organization's staff on cyber resilience.

Corrective measures: Plan, assign resources, inform staff and carry out awareness-raising activities in cyber resilience aimed at sensitizing the staff of the organization on this matter. Update these plans regularly.

Table 9: Metric A-FO-OE3-01: Carry out awareness activities in cyber resilience.

2.2. Resist

The tables below describe the thirteen (13) metrics corresponding to the goal Resist, grouped by the corresponding functional domains as defined in the methodology.

2.2.1. Vulnerability Management (VM)

FIELD INFORMATION

IDENTIFICATION
Code: T-GV-OE1-03
Goal: RESIST
Functional Domain: VULNERABILITY MANAGEMENT
Indicator’s Objective: Establish a vulnerability identification process.

Description: Proactively discover, by consulting the available sources of information (manufacturers, CERT...), the vulnerabilities that affect the provision of the essential service. It deals with knowing whether the organization has, and regularly checks, up-to-date sources of vulnerability information (manufacturers, CERT, distribution lists, newsgroups, automatic tools...) appropriate to the software and hardware products that support the provision of the essential service.

If the essential service belongs to an OT environment, it deals with investigating those vulnerabilities that may affect the components of the OT infrastructure (PLC, RTU, HMI, SCADA, controller, etc.).

Question: Are vulnerabilities that affect the provision of the essential service discovered proactively by checking the available sources of information (manufacturers, CERT...)?

Correlation:
ISO/IEC 27001:2017 [A. 12.6.1]
NIST SP 800-53 R4 [CA-8], [RA-5], [SA-11], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2] [Op. exp. 3]

CHARACTERIZATION

Scale:
L0 - No source of vulnerability information has been identified.
L1 - Identification of sources of vulnerability information has been initiated and is reviewed on a timely basis.
L2 - A list of vulnerability sources has been established and is constantly reviewed, but is not documented yet.
L3 - A list of sources of vulnerability information has been documented, and is kept up to date and constantly reviewed.
L4 - Vulnerability information sources are managed, updated and verified by reviewing the information they contain.
L5 - Improvement actions are applied in the definition of the list of vulnerability sources and in the review of their information.

COLLECTION

Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS

Objective measure: L5

Indicator, positive values: Values close to L5 indicate that the organization performs an active review of the vulnerabilities that affect the essential service, establishing and checking sources of vulnerability information such as manufacturers, CERT, distribution lists, newsgroups or automatic tools.

Corrective measures: Identify and establish a list of vulnerability information sources. Document and review the list of vulnerability information sources.

Table 10: Metric T-GV-OE1-03: Establish a vulnerability identification process.

FIELD INFORMATION

IDENTIFICATION
Code: T-GV-OE1-04
Goal: RESIST
Functional Domain: VULNERABILITY MANAGEMENT
Indicator’s Objective: Establish and maintain a process of classification, categorization and prioritization of vulnerabilities.

Description: Classify, categorize and prioritize the remediation of the vulnerabilities that affect the provision of the essential service, so that a level of criticality is assigned to each vulnerability. For example, a vulnerability can be prioritized using the Common Vulnerability Scoring System (CVSS).

Question: Are vulnerabilities that affect the provision of the essential service classified, categorized and prioritized for their remediation?

Correlation:
ISO/IEC 27001:2017 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SC-38], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2]
NIS (Directive 33)

CHARACTERIZATION

Scale:
L0 - No categorization and prioritization of vulnerability remediation has been established.
L1 - The definition of categories and priorities for vulnerabilities has been initiated.
L2 - Vulnerability remediation categorization and prioritization has been established, but not documented.
L3 - A vulnerability remediation categorization and prioritization has been documented. It is kept up to date.
L4 - Vulnerability remediation categories and priorities are managed, updated and verified.
L5 - Improvement actions are applied in the categorization and prioritization of vulnerability remediation.

COLLECTION

Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS

Objective measure: L5

Indicator, positive values: Values close to L5 indicate that the organization categorizes and prioritizes the remediation of vulnerabilities that affect the essential service for which the survey is being conducted. The level of criticality should be based on objective criteria, for example a matrix of criticality levels based on the score obtained through CVSS (or another system that has been chosen).

Corrective measures: Establish a mechanism to categorize and prioritize the remediation of vulnerabilities affecting essential services. For example, the following actions can be established based on priorities:
- Take no action.
- Fix immediately (typically for software or firmware updates or manufacturer changes).
- Develop and implement a vulnerability remediation strategy (when it involves actions that require more effort than, for example, a manufacturer update).
- Conduct additional research or analysis.
- Refer the vulnerability to the risk management process for formal risk consideration.

Table 11: Metric T-GV-OE1-04: Establish and maintain a process of classification, categorization and prioritization of vulnerabilities.

FIELD INFORMATION

IDENTIFICATION
Code: T-GV-OE1-05
Goal: RESIST
Functional Domain: VULNERABILITY MANAGEMENT
Indicator’s Objective: Establish a vulnerability analysis process.

Description: It deals with knowing whether the analysis of the vulnerabilities that can affect the essential service is carried out with appropriate tools and techniques to obtain an assessment of their impact, relevance and scope in the organization.

Question: Are the vulnerabilities that affect the provision of the essential service analyzed in order to assess their impact and relevance for the organization?

Correlation:
ISO/IEC 27001:2013 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SC-38], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2]
Guía contenidos mínimos PSO (1.5)
NIS (Directive 33)

CHARACTERIZATION

Scale:
L0 - Vulnerability analysis is not performed to assess the impact of vulnerabilities.
L1 - Vulnerability analysis has been initiated to assess the impact of vulnerabilities.
L2 - A procedure to assess the impact of vulnerabilities has been established but is not documented.
L3 - A vulnerability analysis procedure has been documented to assess the impact of vulnerabilities on the organization, and it is kept up to date.
L4 - Vulnerability analysis to assess the impact of vulnerabilities is managed, updated and verified.
L5 - Vulnerability analysis improvement actions are applied.

COLLECTION

Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS

Objective measure: L5

Indicator, positive values: Values close to L5 indicate that the organization includes in its processes the analysis of vulnerabilities with appropriate tools and techniques that facilitate the assessment of their impact. As a result of this analysis, it is determined whether the vulnerabilities are not relevant, whether they need to be addressed through a simple solution or whether they require the application of a formal resolution strategy.

Corrective measures: Establish a vulnerability analysis procedure, which may include the following activities:
- Understand the threat and the exposure to it.
- Review the vulnerability information to check whether it existed previously and determine what actions were taken to remediate or eliminate it.
- Identify and understand the underlying causes of exposure to the vulnerability.
- Prioritize and categorize vulnerabilities in order to take appropriate measures for their remediation.
- Refer the vulnerability to the risk management process when it requires a more in-depth analysis of the impact of the potential threat.

Table 12: Metric T-GV-OE1-05: Establish a vulnerability analysis process.

FIELD INFORMATION

IDENTIFICATION
Code: T-GV-OE1-06
Goal: RESIST
Functional Domain: VULNERABILITY MANAGEMENT
Indicator’s Objective: Establish and maintain an updated vulnerability repository.

Description: Maintain an updated repository of those vulnerabilities that affect the provision of the essential service. This repository must contain updated information on the life cycle of the vulnerabilities, with specific information on each of them, including the measures required to tackle them.

Question: Is there an updated repository of those vulnerabilities that affect the provision of the essential service?

Correlation:
ISO/IEC 27001:2013 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SC-38], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2]

CHARACTERIZATION

Scale:
L0 - A vulnerability repository with vulnerability information is not maintained.
L1 - The development of a vulnerability repository with vulnerability information and remediation has been initiated.
L2 - A vulnerability repository has been established with information about vulnerabilities and their remediation, but it is not documented.
L3 - The use of a vulnerability repository with information about vulnerabilities and their remediation has been documented.
L4 - A vulnerability repository with information about vulnerabilities and their remediation is managed, updated and verified.
L5 - Improvement actions are applied to the vulnerability repository with information about the vulnerabilities and their remediation.

COLLECTION

Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS

Objective measure: L5

Indicator, positive values: Values close to L5 indicate that the organization maintains an updated repository of all known vulnerabilities, storing information about them and their remediation.

Corrective measures: Establish a repository of vulnerabilities with information on their life cycle. This repository must contain basic information such as:
- Unique identifier for internal reference of the vulnerability within the organization.
- Description of the vulnerability.
- Date of entry into the repository.
- Source references for the vulnerability.
- Importance of the vulnerability for the organization (critical, moderate, etc.).
- People or teams assigned to analyze and solve it.
- Registry of the remediation actions taken to reduce or eliminate the vulnerability.

Table 13: Metric T-GV-OE1-06: Establish and maintain an updated vulnerability repository.
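As an added example (not INCIBE's code), the Python module below implements a minimal repository with the basic fields listed in Table 13, registering each entry with a criticality derived from its CVSS score (the matrix suggested in Table 11) and with one of that table's example actions. The criticality levels, the level-to-action mapping, the identifier format and the sample entries are assumptions; only the CVSS v3.x severity bands are the published scale.

```python
"""Added example, not INCIBE's code: a minimal vulnerability repository with the
basic fields of Table 13, registering each entry with a criticality derived from
its CVSS score (the matrix suggested in Table 11) and one of that table's example
actions. Assumed, not from the page: the criticality levels, the level-to-action
mapping, the identifier format and the sample entries; the CVSS v3.x severity
bands are the published FIRST scale."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple

# CVSS v3.x qualitative severity rating scale, inclusive bounds.
SEVERITY_BANDS: Tuple[Tuple[str, float, float], ...] = (
    ("None", 0.0, 0.0), ("Low", 0.1, 3.9), ("Medium", 4.0, 6.9),
    ("High", 7.0, 8.9), ("Critical", 9.0, 10.0),
)
# The organization's own criticality levels, lowest to highest (assumed).
CRITICALITY_LEVELS = ("none", "low", "moderate", "high", "critical")
SEVERITY_TO_LEVEL = dict(zip([b[0] for b in SEVERITY_BANDS], CRITICALITY_LEVELS))


def cvss_severity(score: float) -> str:
    """Qualitative severity of a CVSS base score; out-of-range scores are rejected."""
    score = round(score, 1)  # CVSS base scores are reported to one decimal
    for name, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"CVSS base score out of range: {score}")


def criticality(score: float, supports_essential_service: bool) -> str:
    """Criticality matrix (assumed): the CVSS severity, raised one level when
    the affected asset supports the provision of the essential service."""
    level = CRITICALITY_LEVELS.index(SEVERITY_TO_LEVEL[cvss_severity(score)])
    if supports_essential_service and level > 0:
        level = min(level + 1, len(CRITICALITY_LEVELS) - 1)
    return CRITICALITY_LEVELS[level]


def recommended_action(level: str, fix_available: bool) -> str:
    """One of the example actions of Table 11 per criticality level (mapping assumed)."""
    if level == "critical":
        return ("Fix immediately" if fix_available
                else "Refer vulnerability to the risk management process")
    if level == "high":
        return ("Fix immediately" if fix_available
                else "Develop and implement a vulnerability remediation strategy")
    if level == "moderate":
        return "Conduct additional research or analysis"
    return "Take no action"


@dataclass
class VulnerabilityRecord:
    """Repository entry with the basic fields of Table 13."""
    identifier: str       # unique internal reference
    description: str
    entry_date: date
    sources: List[str]    # source references (advisory, CERT bulletin, ...)
    importance: str       # criticality level for the organization
    assignees: List[str]  # people or teams assigned to analyze and solve it
    cvss_score: float
    remediation_log: List[Tuple[date, str]] = field(default_factory=list)

    def is_closed(self) -> bool:
        return bool(self.remediation_log) and self.remediation_log[-1][1].startswith("Closed")


@dataclass
class VulnerabilityRepository:
    records: List[VulnerabilityRecord] = field(default_factory=list)

    def register(self, description: str, cvss_score: float, sources: List[str],
                 supports_essential_service: bool, fix_available: bool,
                 assignees: List[str], entry_date: date) -> VulnerabilityRecord:
        level = criticality(cvss_score, supports_essential_service)
        rec = VulnerabilityRecord(f"VUL-{len(self.records) + 1:04d}", description, entry_date,
                                  list(sources), level, list(assignees), cvss_score)
        rec.remediation_log.append((entry_date, "Planned: " + recommended_action(level, fix_available)))
        self.records.append(rec)
        return rec

    def record_action(self, identifier: str, when: date, action: str) -> None:
        # Append a remediation action to an entry's log; unknown ids are an error.
        rec = next((r for r in self.records if r.identifier == identifier), None)
        if rec is None:
            raise KeyError(identifier)
        rec.remediation_log.append((when, action))

    def pending(self) -> List[str]:
        """Open entries, most critical first: the input to the follow-up of T-GV-OE2-04."""
        open_recs = [r for r in self.records if not r.is_closed()]
        open_recs.sort(key=lambda r: CRITICALITY_LEVELS.index(r.importance), reverse=True)
        return [r.identifier for r in open_recs]


def build_sample_repository() -> VulnerabilityRepository:
    """Constructed sample entries; neither refers to a real advisory."""
    repo = VulnerabilityRepository()
    repo.register("Remote code execution in historian web console (constructed)", 9.8,
                  ["vendor advisory <placeholder>", "national CERT bulletin <placeholder>"],
                  supports_essential_service=True, fix_available=True,
                  assignees=["OT security team"], entry_date=date(2019, 5, 6))
    repo.register("Information disclosure in intranet wiki (constructed)", 5.3,
                  ["distribution list <placeholder>"], supports_essential_service=False,
                  fix_available=False, assignees=["IT operations"], entry_date=date(2019, 5, 7))
    return repo
```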

FIELD INFORMATION

IDENTIFICATION
Code: T-GV-OE2-02
Goal: RESIST
Functional Domain: VULNERABILITY MANAGEMENT
Indicator’s Objective: Initiate actions to manage exposure to identified vulnerabilities.

Description: Take action to manage exposure to known vulnerabilities that affect the provision of the essential service. It deals with knowing whether strategies to remediate vulnerabilities are defined and implemented, particularly in the case of those that the organization considers to be of the highest priority or critical.

In addition, it deals with assessing whether these strategies are regularly reviewed in order to ensure their effective implementation and the achievement of their specific objectives.

Question: Are actions taken to manage exposure to known vulnerabilities affecting the provision of the essential service?

Correlation:
ISO/IEC 27001:2013 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2], [Op. exp. 3]
Guía contenidos mínimos PSO (5)
Guía contenidos mínimos PPE (4.2, 5)
NIS (Directives 44, 46)

CHARACTERIZATION

Scale:
L0 - No action is taken to manage exposure to vulnerabilities.
L1 - Actions have been initiated to manage exposure to known vulnerabilities.
L2 - A strategy has been established to manage exposure to known vulnerabilities, but it has not been documented yet.
L3 - A strategy for managing exposure to known vulnerabilities has been documented.
L4 - The effectiveness of activities to remedy known vulnerabilities is reviewed.
L5 - Improvement actions are applied to the strategy to remedy known vulnerabilities.

COLLECTION

Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS

Objective measure: L5

Indicator, positive values: Values close to L5 indicate that the organization has developed and implemented a remediation strategy for those vulnerabilities whose exposure must be reduced or eliminated.

Corrective measures: Develop and implement an appropriate resolution strategy for those vulnerabilities that the organization has determined should be eliminated or reduced. This strategy may include actions to:
- Minimize the organization's exposure to the vulnerability (reduce the likelihood that the vulnerability will be exploited).
- Eliminate the organization's exposure to the vulnerability (eliminate the threat, the threat actor or the motive).

Table 14: Metric T-GV-OE2-02: Initiate actions to manage exposure to identified vulnerabilities.

FIELD INFORMATION

IDENTIFICATION
Code: T-GV-OE2-04
Goal: RESIST
Functional Domain: VULNERABILITY MANAGEMENT
Indicator’s Objective: Observe exposure to identified vulnerabilities.

Description: Monitor the status of unremediated vulnerabilities affecting the provision of the essential service. It deals with knowing whether a periodic follow-up is carried out and whether those vulnerabilities that have not been remediated are notified.

Question: Is the status of unremediated vulnerabilities affecting the provision of the essential service monitored?

Correlation:
ISO/IEC 27001:2013 [A. 12.6.1]
NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SI-2], [SI-3]
ENS [op. pl. 1] [MP. SW. 2], [Op. exp. 3]
Guía contenidos mínimos SO (1.4)
Guía contenidos mínimos PPE (1.4, 2.4)
NIS (Directive 69)

CHARACTERIZATION

Scale:
L0 - The status of unremediated vulnerabilities is not monitored.
L1 - Monitoring of unremediated vulnerabilities has started.
L2 - A procedure for monitoring unremediated vulnerabilities has been established but is not documented.
L3 - The procedure for monitoring unremediated vulnerabilities has been documented and is kept up to date.
L4 - Monitoring of unremediated vulnerabilities is managed, updated and verified.
L5 - Improvement actions are applied to the monitoring of unremediated vulnerabilities.

COLLECTION

Method of Collection: Manual. A personal or telephone interview is recommended in order to be able to interpret the results in greater detail.
Responsible: CSO or CISO

ANALYSIS

Objective measure: L5

Indicator, positive values: Values close to L5 indicate that unremediated vulnerabilities are monitored and reported regularly.

Corrective measures: Monitor unremediated vulnerabilities and report them to those responsible. Document and update a procedure for unremediated vulnerabilities.

Table 15: Metric T-GV-OE2-04: Observe exposure to identified vulnerabilities.

FIELD INFORMATION

IDENTIFICATION
Code: T-GV-OE2-05
Goal: RESIST
Functional Domain: VULNERABILITY MANAGEMENT
Indicator's Objective: Estimate the average time from the identification of a vulnerability to the notification of the responsible party.
Description: Estimate the average time from the moment a vulnerability affecting the provision of the essential service is discovered (through logs, alerts, etc.) until those responsible for its resolution are notified. For example, indicate whether alerts are generated and stored by a system that sends automatic notifications. Quantify this time in hours in the comments field and indicate how the value was obtained.
Question: Is the average time between the discovery of a vulnerability affecting the provision of the essential service and the notification of those responsible for its remediation estimated?
Correlation:
  ISO/IEC 27001:2017 [A.12.6.1]
  NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SI-2], [SI-3]
  ENS [op.pl.1], [mp.sw.2], [op.exp.3]
  NIS (Directive 33)

CHARACTERIZATION
Scale:
  L0 - The average time from when a vulnerability becomes known until it is communicated to those responsible is not estimated.
  L1 - The definition of a procedure for estimating the average time from when a vulnerability becomes known until it is communicated to those responsible has been initiated.
  L2 - A procedure for estimating the average time from when a vulnerability becomes known until it is communicated to those responsible has been established but not documented.
  L3 - A procedure for estimating the average time from when a vulnerability becomes known until it is communicated to those responsible has been documented and is kept up to date.
  L4 - The procedure for estimating the average time from when a vulnerability becomes known until it is communicated to those responsible is managed, updated and verified.
  L5 - Improvement actions are applied to the procedure for estimating the average time from when a vulnerability becomes known until it is communicated to those responsible.

COLLECTION
Method of Collection: Manual. A personal or telephone interview is recommended in order to interpret the results in greater detail.
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate an improved process for estimating the number of hours between the date a vulnerability affecting the provision of the essential service becomes known and the date it is communicated to those responsible.
Indicator, corrective measures: Review and improve the implementation of the procedure for estimating the average vulnerability notification time. Document and keep the vulnerability notification time up to date.

Table 16: Metric T-GV-OE2-05: Estimate the average time from the identification of a vulnerability to the notification of the responsible party.

FIELD INFORMATION

IDENTIFICATION
Code: T-GV-OE2-06
Goal: RESIST
Functional Domain: VULNERABILITY MANAGEMENT
Indicator's Objective: Estimate the average time from when a security patch is announced until it is applied to the targeted vulnerability.
Description: The average time, in hours, between the date a patch or security update affecting an essential service becomes available and the date it is installed. For example, indicate whether there is a person responsible for reviewing the patch release date and the application date, whether an automated system is used, etc. Quantify this time in hours in the comments field and indicate how the value was obtained.
Question: Is the average time between the announcement of a security patch and its application to the system supporting the essential service estimated?
Correlation:
  ISO/IEC 27001:2017 [A.12.6.1]
  NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SI-2], [SI-3]
  ENS [op.pl.1], [mp.sw.2], [op.exp.3]

CHARACTERIZATION
Scale:
  L0 - The average time from the announcement of a patch or security update until it is applied to the system supporting the essential service is not estimated.
  L1 - The definition of a procedure for estimating the average time from the announcement of a patch or security update until it is applied to the system supporting the essential service has been initiated.
  L2 - A procedure for estimating the average time from the announcement of a patch or security update until it is applied to the system has been established but not documented.
  L3 - A procedure for estimating the average time from the announcement of a patch or security update until it is applied to the system has been documented and is kept up to date.
  L4 - The procedure for estimating the average time from the announcement of a patch or security update until it is applied to the system is managed, updated and verified.
  L5 - Improvement actions are applied to the procedure for managing the average time from the announcement of a patch or security update until it is applied to the system.

COLLECTION
Method of Collection: Manual. A personal or telephone interview is recommended in order to interpret the results in greater detail.
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator, positive values: Values tending to L5 indicate an improved process for reducing the number of hours between the date a patch or security update affecting an essential service becomes available and the date of its installation.
Indicator, corrective measures: Review and improve the implementation of the patch and update management procedure.

Table 17: Metric T-GV-OE2-06: Estimate the average time from when a security patch is announced until it is applied to the targeted vulnerability.

FIELD INFORMATION

IDENTIFICATION
Code: T-GV-OE2-07
Goal: RESIST
Functional Domain: VULNERABILITY MANAGEMENT
Indicator's Objective: Estimate the average time to remediate identified vulnerabilities that cannot be remediated through updates or patches.
Description: Estimate the average time spent remediating known or identified vulnerabilities that affect the provision of the essential service when remediation by means of an update or patch is not possible. In that case other measures must be applied, for example isolating the system, protecting its perimeter or simply removing it. Quantify this time in hours in the comments field and indicate how the value was obtained.
Question: Is the average time spent on tackling known or identified vulnerabilities affecting the provision of the essential service estimated when an update or patch is not possible?
Correlation:
  ISO/IEC 27001:2017 [A.12.6.1]
  NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SI-2], [SI-3]
  ENS [op.pl.1], [mp.sw.2], [op.exp.3]
  NIS (Directive 33)

CHARACTERIZATION
Scale:
  L0 - The average time to remediate identified vulnerabilities when remediation by a patch or update is not possible is not estimated.
  L1 - The definition of a procedure for estimating the average time to remediate identified vulnerabilities when remediation by an update or patch is not possible has been initiated.
  L2 - A procedure for estimating the average time to remediate identified vulnerabilities when remediation by an update or patch is not possible has been established but not documented.
  L3 - A procedure for estimating the average time to remediate identified vulnerabilities when remediation by an update or patch is not possible has been documented and is kept up to date.
  L4 - The procedure for estimating the average time to remediate identified vulnerabilities when remediation by a patch or update is not possible is managed, updated and verified.
  L5 - Improvement actions are applied to the procedure for estimating the average time to remediate identified vulnerabilities when remediation by an update or patch is not possible.

COLLECTION
Method of Collection: Manual. A personal or telephone interview is recommended in order to interpret the results in greater detail.
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate an improved process for estimating the number of hours between the date of detection of a vulnerability that affects the essential service and cannot be remediated by an update or patch, and the date of its remediation.
Indicator, corrective measures: Establish a documented procedure describing the actions for improving the management of vulnerabilities that affect the provision of the essential service and cannot be remediated by an update or patch:
  - Take no action.
  - Notify the responsible person immediately.
  - Develop and implement a remediation strategy that minimally affects the provision of the essential service.

Table 18: Metric T-GV-OE2-07: Estimate the average time to remediate identified vulnerabilities that cannot be remediated through updates or patches.

2.2.2. Continuous Supervision (CS)

FIELD INFORMATION

IDENTIFICATION
Code: T-SC-OE1-01
Goal: RESIST
Functional Domain: CONTINUOUS SUPERVISION
Indicator's Objective: Permanently supervise essential services.
Description: This indicator establishes whether continuous (24x7) supervision is carried out, or whether there is a strategy of continuous monitoring of the provision of the essential service, in order to detect potential cyber incidents.
Question: Is the provision of the essential service permanently (24x7) supervised to detect potential cyber incidents?
Correlation:
  ISO/IEC 27001:2017 [A.12.1.3]
  NIST SP 800-53 R4 [RA-5], [CA-7], [PM-6], [SI-4]
  ENS [op.mon]
  Guía contenidos mínimos PSO (2.2.3)
  Guía contenidos mínimos PPE (4.2.2)

CHARACTERIZATION
Scale:
  L0 - 24x7 monitoring of the provision of the essential service is not performed.
  L1 - 24x7 monitoring of the provision of the essential service has been initiated.
  L2 - A 24x7 monitoring procedure for the provision of the essential service has been established but not yet documented.
  L3 - A 24x7 monitoring procedure for the provision of the essential service has been documented and is kept up to date.
  L4 - The procedure for 24x7 monitoring of the provision of the essential service is managed, updated and verified.
  L5 - Improvement actions are applied to the procedure for 24x7 monitoring of the provision of the essential service.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO or Director of physical security

ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization monitors the essential service 24x7 to detect potential cyberattacks.
Indicator, corrective measures: Establish a continuous monitoring procedure covering the assets and processes that support essential services (communications networks, systems, access, physical environment, personnel, etc.) to detect potential cyberattacks.

Table 19: Metric T-SC-OE1-01: Permanently supervise essential services.

FIELD INFORMATION

IDENTIFICATION
Code: T-SC-OE1-02
Goal: RESIST
Functional Domain: CONTINUOUS SUPERVISION
Indicator's Objective: Supervise the existence of unauthorized software and hardware in systems that support essential services.
Description: Supervise the system supporting the essential service, looking for unauthorized software or hardware. Indicate, for example, whether there is a tool that periodically scans the system that supports the essential service.
Question: Is the system supporting the essential service supervised for unauthorized software or hardware?
Correlation:
  ISO/IEC 27001:2017 [A.12.1.3], [A.14.2.7]
  NIST SP 800-53 R4 [RA-5], [CA-7], [PM-6], [SI-4]
  ENS [op.mon]

CHARACTERIZATION
Scale:
  L0 - System monitoring to detect unauthorized software or hardware is not performed.
  L1 - System monitoring to detect unauthorized software or hardware has been initiated.
  L2 - A system monitoring procedure to detect unauthorized software or hardware has been established but not documented.
  L3 - The system monitoring procedure to detect unauthorized software or hardware has been documented and is kept up to date.
  L4 - The procedure for monitoring the system to detect unauthorized software or hardware is managed, updated and verified.
  L5 - Improvement actions are applied to the procedure for monitoring the system to detect unauthorized software or hardware.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization monitors the systems that support essential services, looking for unauthorized software or hardware.
Indicator, corrective measures: Document, update, verify and improve a continuous monitoring procedure for systems supporting essential services, looking for unauthorized software or hardware.

Table 20: Metric T-SC-OE1-02: Monitor the existence of unauthorized software and hardware in systems that support essential services.
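The scan that the description of T-SC-OE1-02 alludes to can be as simple as a periodic comparison of what a host actually has installed and attached against the approved inventory for that host, with every deviation (something extra, something at the wrong version, something required that is absent, an unknown peripheral) recorded as a finding. The following is an added example and is not part of the INCIBE dictionary: the approved inventory, the `dpkg-query`-style package listing and the `lsusb`-style device listing are constructed samples, and the choice of exact package versions and USB vendor:product identifiers as the matching keys is an assumption.

```python
"""Added example (not part of the INCIBE dictionary): check one host against its
approved software and hardware inventory, in support of T-SC-OE1-02."""
import re
from dataclasses import dataclass, field

# Constructed approved inventory for one host that supports the essential service.
# Assumption: software is approved as exact package versions, hardware as USB ids.
APPROVED_SOFTWARE = {
    "openssh-server": {"1:9.2p1-2+deb12u3"},
    "nginx": {"1.22.1-9"},
    "postgresql-15": {"15.6-0+deb12u1"},
    "auditd": {"1:3.0.9-1"},            # required agent: its absence is a finding too
}
APPROVED_USB = {"1d6b:0002", "1d6b:0003", "046d:c31c"}   # root hubs and one keyboard

# Constructed scan output in the shape of `dpkg-query -W -f='${Package}\t${Version}\n'`.
SAMPLE_DPKG = """\
openssh-server\t1:9.2p1-2+deb12u3
nginx\t1.22.1-8
postgresql-15\t15.6-0+deb12u1
netcat-traditional\t1.10-47
"""

# Constructed device listing in the shape of `lsusb`.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 004: ID 0781:5567 SanDisk Corp. Cruzer Blade
"""


@dataclass
class Findings:
    unknown_software: list = field(default_factory=list)  # installed, not in inventory
    wrong_version: list = field(default_factory=list)     # in inventory, unapproved version
    missing_software: list = field(default_factory=list)  # in inventory, not installed
    unknown_hardware: list = field(default_factory=list)  # USB ids not in inventory


def parse_dpkg(text):
    """Map package name -> installed version from tab-separated dpkg-query lines."""
    packages = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split("\t", 1)
            packages[name] = version
    return packages


USB_ID = re.compile(r"\bID ([0-9a-f]{4}:[0-9a-f]{4})\b")


def parse_lsusb(text):
    """Set of vendor:product ids present in lsusb output."""
    return {m.group(1) for m in USB_ID.finditer(text)}


def check_host(dpkg_text, lsusb_text):
    """Compare the scan against the inventory; every deviation becomes a finding."""
    findings = Findings()
    installed = parse_dpkg(dpkg_text)
    for name, version in installed.items():
        if name not in APPROVED_SOFTWARE:
            findings.unknown_software.append((name, version))
        elif version not in APPROVED_SOFTWARE[name]:
            findings.wrong_version.append((name, version))
    findings.missing_software = sorted(set(APPROVED_SOFTWARE) - set(installed))
    findings.unknown_hardware = sorted(parse_lsusb(lsusb_text) - APPROVED_USB)
    return findings


if __name__ == "__main__":
    print(check_host(SAMPLE_DPKG, SAMPLE_LSUSB))
```

Run on a schedule, the output is the evidence an assessor would ask for at L3 and above: a dated record of what deviated from the inventory and when. The missing-software check matters as much as the unknown-software one, since removal of a monitoring agent is itself an unauthorized change.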

FIELD INFORMATION

IDENTIFICATION
Code: T-SC-OE1-03
Goal: RESIST
Functional Domain: CONTINUOUS SUPERVISION
Indicator's Objective: Supervise communications networks to detect unauthorized connections.
Description: Supervise the communications networks that support the essential service to detect unauthorized connections, for example through an intrusion detection system or a firewall.
Question: Are the communications networks that support the essential service monitored to detect unauthorized connections?
Correlation:
  ISO/IEC 27001:2017 [A.12.1.3], [A.14.2.7]
  NIST SP 800-53 R4 [RA-5], [CA-7], [PM-6], [SI-4]
  ENS [op.mon]
  Guía contenidos mínimos PPE (4.2.2)

CHARACTERIZATION
Scale:
  L0 - Communications networks are not monitored to detect unauthorized connections.
  L1 - Monitoring of communications networks to detect unauthorized connections has been initiated.
  L2 - A communications network monitoring procedure to detect unauthorized connections has been established but not documented.
  L3 - A communications network monitoring procedure to detect unauthorized connections has been documented and is kept up to date.
  L4 - The procedure for monitoring communications networks to detect unauthorized connections is managed, updated and verified.
  L5 - Improvement actions are applied to the procedure for monitoring communications networks to detect unauthorized connections.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization monitors communications networks to detect unauthorized connections.
Indicator, corrective measures: Document, update, verify and improve a procedure for continuous monitoring of communications networks.

Table 21: Metric T-SC-OE1-03: Supervise communications networks to detect unauthorized connections.
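For T-SC-OE1-03, the firewall or intrusion detection system named in the description can only flag a connection as unauthorized if the set of authorized flows is written down in a form it can be checked against; the check itself is then a matter of parsing what the device logged and matching each flow against that list. The following is an added example and is not part of the INCIBE dictionary: the allowlist and the log lines (written in the shape of the Linux netfilter LOG target) are constructed samples, and expressing an authorized flow as source network, destination network, protocol and destination port is an assumption about how the organization states its policy.

```python
"""Added example (not part of the INCIBE dictionary): match logged connections
against an allowlist of authorized flows, in support of T-SC-OE1-03."""
import ipaddress
import re

# Constructed allowlist of authorized flows towards the essential-service segment.
# Assumption: policy is stated as (source network, destination network, protocol, dst port).
ALLOWED_FLOWS = [
    ("10.10.0.0/24", "10.20.0.0/24", "TCP", 5432),   # application tier -> database
    ("10.30.0.0/24", "10.20.0.0/24", "TCP", 22),     # admin jump hosts -> ssh
    ("10.20.0.0/24", "10.40.0.10/32", "UDP", 514),   # servers -> syslog collector
]

# Constructed log lines in the shape of the netfilter LOG target as seen in syslog.
SAMPLE_LOG = """\
Mar  3 10:01:12 gw kernel: [ 1231.1] IN=eth1 OUT=eth2 SRC=10.10.0.15 DST=10.20.0.5 PROTO=TCP SPT=51522 DPT=5432
Mar  3 10:01:15 gw kernel: [ 1234.0] IN=eth1 OUT=eth2 SRC=10.10.0.15 DST=10.20.0.5 PROTO=TCP SPT=51523 DPT=22
Mar  3 10:02:40 gw kernel: [ 1319.7] IN=eth3 OUT=eth2 SRC=192.168.77.9 DST=10.20.0.7 PROTO=TCP SPT=40000 DPT=3389
Mar  3 10:02:41 gw kernel: [ 1320.2] IN=eth2 OUT=eth4 SRC=10.20.0.7 DST=10.40.0.10 PROTO=UDP SPT=39110 DPT=514
"""

FIELD = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Extract (src, dst, proto, dport) from one log line; None if the fields are absent."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return (ipaddress.ip_address(fields["SRC"]),
            ipaddress.ip_address(fields["DST"]),
            fields["PROTO"].upper(),
            int(fields["DPT"]))


def compile_allowlist(rules):
    """Turn the textual policy into network objects once, not per log line."""
    return [(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, port)
            for src, dst, proto, port in rules]


def is_authorized(flow, allowlist):
    """A flow is authorized if any rule matches on all four fields."""
    src, dst, proto, dport = flow
    return any(src in rule_src and dst in rule_dst and proto == rule_proto and dport == rule_port
               for rule_src, rule_dst, rule_proto, rule_port in allowlist)


def unauthorized_connections(log_text, rules):
    """All logged flows that no rule authorizes, as printable tuples."""
    allowlist = compile_allowlist(rules)
    hits = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is not None and not is_authorized(flow, allowlist):
            hits.append((str(flow[0]), str(flow[1]), flow[2], flow[3]))
    return hits


if __name__ == "__main__":
    for hit in unauthorized_connections(SAMPLE_LOG, ALLOWED_FLOWS):
        print("unauthorized:", hit)
```

In the sample, the second line is flagged even though both addresses belong to known segments: SSH into the database segment is only authorized from the jump hosts, so the source network is what fails. That is the kind of distinction an allowlist keyed on address ranges alone would miss.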

FIELD INFORMATION

IDENTIFICATION
Code: T-SC-OE1-04
Goal: RESIST
Functional Domain: CONTINUOUS SUPERVISION
Indicator's Objective: Estimate the time between the identification of a cyber incident and its escalation to those responsible for handling it.
Description: Estimate the average time between the occurrence of a cyber incident affecting an essential service and the notification of those responsible for handling it. Quantify this time in hours in the comments field and indicate how the value was obtained. An estimate of this time can be obtained, for example, from continuity plan tests.
Question: Is there an estimate of the average time between the occurrence of a cyber incident and the notification of those responsible for handling it?
Correlation:
  ISO/IEC 27001:2017 [A.12.6.1]
  NIST SP 800-53 R4 [RA-5], [SA-10], [SA-11], [SI-2], [SI-3]
  ENS [op.pl.1], [mp.sw.2], [op.exp.3]
  NIS (Directive 27)

CHARACTERIZATION
Scale:
  L0 - The average time between the occurrence of a cyber incident and the notification of those responsible for handling it is not estimated.
  L1 - The establishment of a procedure for estimating the average time from when a cyber incident occurs until it is notified to those responsible for handling it has been initiated.
  L2 - A procedure for estimating or measuring the average time from when a cyber incident occurs until it is notified to those responsible for handling it has been established but not documented.
  L3 - The procedure for estimating or measuring the average time from when a cyber incident occurs until it is notified to those responsible for handling it has been documented.
  L4 - The procedure for estimating or measuring the average time from when a cyber incident occurs until it is notified to those responsible for handling it is managed, updated and verified.
  L5 - Improvement actions are applied to the definition of the procedure for estimating the average time from when a cyber incident occurs until it is notified to those responsible for handling it.

COLLECTION
Method of Collection: Manual. A personal or telephone interview is recommended in order to interpret the results in greater detail.
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate an improved process for estimating the number of hours between the date a cyber incident affecting the provision of an essential service occurs and the date of its communication to those responsible.
Indicator, corrective measures: Identify, document and keep up to date a procedure for estimating the average time from when a cyber incident occurs until it is notified to those responsible. Implement improvement actions to reduce this average time.

Table 22: Metric T-SC-OE1-04: Estimate the time between the identification of a cyber incident and its escalation to those responsible for handling it.

2.3. Recover

The tables below describe the twenty (20) metrics corresponding to the goal Recover, grouped by the corresponding functional domains as defined in the methodology.

2.3.1. Incident Management (IM)

FIELD INFORMATION

IDENTIFICATION
Code: R-GI-OE1-01
Goal: RECOVER
Functional Domain: INCIDENT MANAGEMENT
Indicator's Objective: Establish a process to detect, report and notify events.
Description: There should be a procedure for detecting events and notifying them to the incident management team. This indicator establishes whether events, that is, unexpected or unwanted situations (for example, unauthorized access attempts, high response times or an increase in the volume of files) in the infrastructures that support the essential service are identified, and whether those responsible for the response are notified so that they can proceed to immediate or subsequent analysis. For example, indicate whether there are tools or services with mechanisms for automatic real-time detection of events.
Question: Are events detected and reported to the incident management team?
Correlation:
  ISO/IEC 27001:2017 [A.16.1.2], [A.16.1.3], [A.16.1.4]
  NIST SP 800-53 R4 [AR-4], [IR-4], [GO-5], [IR-6], [PE-6]
  ENS [op.exp.7]
  Guía contenidos mínimos PPE (2.3)
  NIS (Directive 4, 69)

CHARACTERIZATION
Scale:
  L0 - Event detection and notification are not performed.
  L1 - Event detection and notification have been initiated.
  L2 - An event detection and notification procedure has been established but not documented.
  L3 - An event detection and notification procedure has been documented and is kept up to date.
  L4 - The procedure for event detection and notification is managed, updated and verified.
  L5 - Improvement actions are applied to the procedure for event detection and notification.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization has an up-to-date procedure for capturing and analyzing events, so that it can determine whether an event will become (or has become) a cyber incident requiring action by the organization, and notify those responsible so that they can proceed to its analysis.
Indicator, corrective measures: Establish an event reporting procedure to detect events and provide reports to incident management staff and stakeholders. Emphasize in the Awareness Plan the need for users to communicate to those responsible, as soon as possible, any anomaly or security event detected, teaching them to recognize anomalous situations that may initiate an incident (malfunction, slow processes, abnormal behavior, etc.).

Table 23: Metric R-GI-OE1-01: Establish a process to detect, report and notify events.

FIELD INFORMATION

IDENTIFICATION
Code: R-GI-OE1-02
Goal: RECOVER
Functional Domain: INCIDENT MANAGEMENT
Indicator's Objective: Establish a process to estimate the time between an event occurrence and its detection.
Description: Estimate the average time elapsed between the moment an event occurs (e.g. unauthorized access attempts, high response times, an increase in file volume) and the moment it is detected. This time can be measured, for example, from the date of the first alert in the log of the affected system until detection by a user or technician. Do not confuse this indicator with the time required to report an incident. Quantify this time in hours in the comments field and indicate how the value was obtained.
Question: Is there an estimate of the average time elapsed between the moment an event occurs and the moment it is detected?
Correlation:
  ISO/IEC 27001:2017 [A.16.1.2], [A.16.1.3], [A.16.1.4]
  NIST SP 800-53 R4 [AR-4], [AU-13], [IR-4], [GO-5], [PE-6], [RA-6]
  ENS [op.exp.7]
  NIS (Directive 27)

CHARACTERIZATION
Scale:
  L0 - The average time between the moment an event occurs and the moment it is detected is not estimated.
  L1 - Measurement of the average time between the moment an event occurs and the moment it is detected has been started.
  L2 - A procedure for estimating the average time between the moment an event occurs and the moment it is detected has been established but not documented.
  L3 - A procedure for estimating the average time between the moment an event occurs and the moment it is detected has been documented and is kept up to date.
  L4 - The procedure for estimating the average time between the moment an event occurs and the moment it is detected is managed, updated and verified.
  L5 - Improvement actions are applied to the procedure for estimating the average time between the moment an event occurs and the moment it is detected.

COLLECTION
Method of Collection: Manual. A personal or telephone interview is recommended in order to interpret the results in greater detail.
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate an improved process for estimating the number of hours between the moment an event affecting the provision of the essential service occurs and the moment of its detection. Surveillance and control should be increased, especially where detection activities depend on third parties.
Indicator, corrective measures: Establish and improve the process for measuring the time between the occurrence of an event and its detection. Send periodic communications to users emphasizing the need to communicate as soon as possible any anomaly or security event detected, teaching them to recognize anomalous situations that may initiate an incident (malfunction, slow processes, abnormal behavior, etc.). Provide users with communication channels for reporting detected incidents.

Table 24: Metric R-GI-OE1-02: Establish a process to estimate the time between an event occurrence and its detection.
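Several indicators in this section ask for a figure in hours that is averaged over records: discovery to notification (T-GV-OE2-05), patch availability to installation (T-GV-OE2-06), discovery to remediation when no patch exists (T-GV-OE2-07), incident occurrence to escalation (T-SC-OE1-04) and event occurrence to detection (R-GI-OE1-02), while T-GV-OE2-04 asks for continued visibility of what is still open. The following is an added example and is not part of the INCIBE dictionary; it computes all of those figures from one set of records. The record fields and the vulnerability and incident entries are constructed, and two points the dictionary leaves implicit are made explicit in code: an item with no end timestamp yet is excluded from an average but reported as exposure, and detection time and notification time are measured separately, as the description of R-GI-OE1-02 requires.

```python
"""Added example (not part of the INCIBE dictionary): hour-based figures for
T-GV-OE2-04/05/06/07, T-SC-OE1-04 and R-GI-OE1-02 from constructed records."""
from datetime import datetime, timezone
from statistics import mean


def ts(value):
    """The constructed records carry ISO-8601 timestamps, interpreted as UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


# Constructed vulnerability records (field names are an assumption).
# None means that step has not happened yet.
VULNS = [
    {"id": "V-1", "discovered": "2019-03-01T08:00", "notified": "2019-03-01T10:00",
     "patch_available": "2019-02-25T00:00", "patched": "2019-03-04T10:00", "mitigated": None},
    {"id": "V-2", "discovered": "2019-03-02T09:00", "notified": "2019-03-02T15:00",
     "patch_available": "2019-03-03T00:00", "patched": "2019-03-05T00:00", "mitigated": None},
    # No vendor patch exists; closed by isolating the system (the T-GV-OE2-07 case).
    {"id": "V-3", "discovered": "2019-03-05T12:00", "notified": "2019-03-05T13:00",
     "patch_available": None, "patched": None, "mitigated": "2019-03-07T12:00"},
    # Still open: reported as exposure (T-GV-OE2-04), excluded from every average.
    {"id": "V-4", "discovered": "2019-03-10T00:00", "notified": None,
     "patch_available": "2019-03-10T00:00", "patched": None, "mitigated": None},
]

# Constructed cyber incident records (same conventions).
INCIDENTS = [
    {"id": "I-1", "occurred": "2019-03-01T02:00", "detected": "2019-03-01T02:30", "notified": "2019-03-01T03:00"},
    {"id": "I-2", "occurred": "2019-03-02T22:00", "detected": "2019-03-03T07:00", "notified": "2019-03-03T07:30"},
    {"id": "I-3", "occurred": "2019-03-04T10:00", "detected": "2019-03-04T10:30", "notified": None},
]


def hours_between(record, start, end):
    """Elapsed hours from record[start] to record[end]; None if either step is missing."""
    if not record.get(start) or not record.get(end):
        return None
    return (ts(record[end]) - ts(record[start])).total_seconds() / 3600


def mean_hours(records, start, end):
    """Average over the records where both timestamps exist; None if there are none."""
    deltas = [h for h in (hours_between(r, start, end) for r in records) if h is not None]
    return mean(deltas) if deltas else None


def open_exposure(records, now):
    """T-GV-OE2-04: hours each vulnerability that is neither patched nor mitigated has been known."""
    now_ts = ts(now)
    return [(r["id"], (now_ts - ts(r["discovered"])).total_seconds() / 3600)
            for r in records if not r["patched"] and not r["mitigated"]]


def indicator_values(vulns, incidents, now):
    """Figures in hours, keyed by the dictionary's indicator codes."""
    no_patch = [v for v in vulns if v["patch_available"] is None]
    return {
        "T-GV-OE2-04": open_exposure(vulns, now),
        "T-GV-OE2-05": mean_hours(vulns, "discovered", "notified"),
        "T-GV-OE2-06": mean_hours(vulns, "patch_available", "patched"),
        "T-GV-OE2-07": mean_hours(no_patch, "discovered", "mitigated"),
        "T-SC-OE1-04": mean_hours(incidents, "occurred", "notified"),
        "R-GI-OE1-02": mean_hours(incidents, "occurred", "detected"),
    }


if __name__ == "__main__":
    for code, value in indicator_values(VULNS, INCIDENTS, "2019-03-12T00:00").items():
        print(code, value)
```

Two design points carry over to a real implementation. First, T-GV-OE2-06 is measured from the patch availability date, not the discovery date, so a vulnerability discovered after its patch was already published (V-1 above) correctly shows a long patch window even though it was notified within two hours. Second, an average that silently drops open items is only honest alongside the exposure list, which is why the example returns both.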

FIELD INFORMATION

IDENTIFICATION
Code: R-GI-OE2-01
Goal: RECOVER
Functional Domain: INCIDENT MANAGEMENT
Indicator's Objective: Procedure for classifying and assessing cyber incidents.
Description: Have a procedure for classifying and assessing cyber incidents based on a predefined categorization. This makes it possible to support the organization's regulatory compliance, for example by providing cyber incident metrics such as detection date, notification date, resolution date and closing date.
Question: Is there a procedure for the classification and assessment of cyber incidents based on a predefined categorization?
Correlation:
  ISO/IEC 27001:2017 [A.16.1.2], [A.16.1.3], [A.16.1.4]
  NIST SP 800-53 R4 [IR-4]
  ENS [op.exp.7]
  Guía contenidos mínimos PPE (4.2.2)
  NIS (Directive 2)

CHARACTERIZATION
Scale:
  L0 - There is no procedure for classifying and assessing cyber incidents according to a categorization.
  L1 - The establishment of a procedure for classifying and assessing cyber incidents based on a defined categorization has been initiated.
  L2 - A procedure for classifying and assessing cyber incidents based on a cyber incident categorization has been established but not documented.
  L3 - A procedure for classifying and assessing cyber incidents based on a cyber incident categorization has been documented and is kept up to date.
  L4 - The procedure for classifying and assessing cyber incidents based on their categorization is managed, updated and verified.
  L5 - Improvement actions are applied to the procedure for classifying and assessing cyber incidents based on their categorization.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization classifies and assesses cyber incidents according to an established process, using a defined incident categorization, in order to obtain metrics that support regulatory compliance.
Indicator, corrective measures: Establish a procedure for the classification and assessment of cyber incidents using a predefined categorization, such as the one proposed by the ICT Security Guide CCN-STIC 817.

Table 25: Metric R-GI-OE2-01: Procedure for classifying and assessing cyber incidents.

FIELD INFORMATION

IDENTIFICATION
Code: R-GI-OE2-02
Goal: RECOVER
Functional Domain: INCIDENT MANAGEMENT
Indicator's Objective: Document and convey the criteria for identifying and recognizing cyber incidents.
Description: This indicator establishes whether the criteria that enable members of the organization's staff to identify and recognize a cyber incident, so that they can report it, have been documented and conveyed.
Question: Have the criteria for identifying and recognizing cyber incidents been established? Are they accessible to and known by all staff?
Correlation:
  ISO/IEC 27001:2017 [A.16.1.2], [A.16.1.3], [A.16.1.4]
  NIST SP 800-53 R4 [IR-4]
  ENS [op.exp.7]
  Guía contenidos mínimos PPE (4.2.2)
  NIS (Directive 2)

CHARACTERIZATION
Scale:
  L0 - Criteria for identifying and recognizing cyber incidents have not been established.
  L1 - The definition of criteria for identifying and recognizing cyber incidents has been initiated.
  L2 - Criteria for identifying and recognizing cyber incidents have been established, but they are neither documented nor conveyed to all members of the organization.
  L3 - Criteria for identifying and recognizing cyber incidents have been documented, are conveyed to all members of the organization and are kept up to date.
  L4 - The criteria for identifying and recognizing cyber incidents are managed, updated and verified.
  L5 - Improvement actions are applied to the definition of the criteria for identifying and recognizing cyber incidents.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator, positive values: Values close to L5 indicate that the organization has defined and documented the criteria for identifying and recognizing cyber incidents, and that this information is available to all staff who may need it.
Indicator, corrective measures: Define and document the criteria for identifying and recognizing cyber incidents, and make this information available to all staff.

Table 26: Metric R-GI-OE2-02: Document and convey the criteria for identifying and recognizing cyber incidents.


FIELD INFORMATION

IDENTIFICATION
Code: R-GI-OE2-03
Goal: RECOVER
Functional Domain: INCIDENT MANAGEMENT
Indicator’s Objective: Analyze cyber incidents to determine an appropriate response.
Description: It is a question of knowing whether an incident analysis procedure is followed to identify, in the shortest possible time, the actions necessary for its resolution; for example, by answering the following questions: What has happened? Who is affected (users/customers/suppliers)? What should I say about it? Who should I notify? Does it have legal or contractual consequences? Do we have control over the affected services and systems?
Question: Are cyber incidents analyzed to determine the most appropriate response in the shortest possible time?
Correlation:
ISO/IEC 27001:2017 [A. 16.1.2], [A. 16.1.3], [A. 16.1.4]
NIST SP 800-53 R4 [AR-4], [IR-4], [GO-5], [IR-6], [PE-6]
ENS [Op. exp. 7]
Guía contenidos mínimos PSO (2.2.3, 4.1, 4.4)
Guía contenidos mínimos PPE (1.1, 4.2, 4.4)
NIS (Directive 27, 28, 34)

CHARACTERIZATION
Scale:
L0 - An analysis of cyber incidents to determine the most appropriate response is not carried out.
L1 - An analysis of cyber incidents to determine the most appropriate response has been initiated.
L2 - A cyber incident analysis procedure to determine the most appropriate response has been established, but is not documented.
L3 - A cyber incident analysis procedure to determine the most appropriate response has been documented and is updated.
L4 - The cyber incident analysis procedure to determine the most appropriate response is managed, updated and verified.
L5 - Improvement actions are applied to the cyber incident analysis procedure to determine the most appropriate response.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator Positive values: Values close to L5 indicate that the organization has a standardized cyber incident analysis procedure to provide a response in the shortest possible time.
Corrective measures: Establish a cyber incident analysis procedure to correctly define the type of incident and provide the most appropriate response in the shortest possible time. It should also help to determine whether the incident has legal consequences and to whom it should be communicated.

Table 27: Metric R-GI-OE2-03: Analyze cyber incidents to determine an appropriate response.


FIELD INFORMATION

IDENTIFICATION
Code: R-GI-OE3-01
Goal: RECOVER
Functional Domain: INCIDENT MANAGEMENT
Indicator’s Objective: Establish a process of escalation with those responsible for responding to and recovering from cyber incidents.
Description: Establish an organizational structure for responding to cyber incidents, as well as a formal protocol for escalating them to those responsible. For example, indicate whether there is documentation that specifies who should be notified.
Question: Is there a structure for responding to cyber incidents that allows them to be escalated to those responsible for their resolution?
Correlation:
ISO/IEC 27001:2017 [A. 16.1.5]
NIST SP 800-53 R4 [IR-4], [GO-9], [SE-2]
ENS [Op. exp. 7]
Guía contenidos mínimos PSO (1.5)
NIS (article 4, point 1)

CHARACTERIZATION
Scale:
L0 - There is no cyber incident response structure.
L1 - The definition of a cyber incident response structure has been initiated.
L2 - A cyber incident response structure has been established, but not documented.
L3 - A cyber incident response structure has been documented and is kept up to date.
L4 - The cyber incident response structure is managed, updated and verified.
L5 - Improvement actions are applied in the design of the response structure to cyber incidents.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator Positive values: Values close to L5 indicate that there is a complete and clear escalation structure that facilitates greater internal and external coordination in responding to cyber incidents.
Corrective measures: Establish an escalation protocol to ensure that incidents are addressed as quickly as possible by those responsible; otherwise the organization's diligent response will be impeded, thereby increasing the impact of the cyber incident.

Table 28: Metric R-GI-OE3-01: Establish a process of escalation to those responsible for responding to and recovering from cyber incidents.


FIELD INFORMATION

IDENTIFICATION
Code: R-GI-OE3-06
Goal: RECOVER
Functional Domain: INCIDENT MANAGEMENT
Indicator’s Objective: Establish a process for estimating the response and recovery capacity of cyber incidents.
Description: Estimate the capacity to respond to a cyber incident through the average time taken to respond to it. This is the average number of hours between the moment a cyber incident that affects an essential service occurs and the moment it is resolved. Do not confuse this with the average time to notify the existence of the cyber incident, which corresponds to a stage prior to resolution.
Please quantify this time (in hours) in the comments field and indicate how this value has been obtained.
If you have never suffered a cyber incident, you can consider, for example, the values obtained in the business continuity tests performed.
References such as the CCN-STIC 817 ICT Security Guide provide more information on this subject.
Question: Is there an estimate of the average response time to a cyber incident?
Correlation:
ISO/IEC 27001:2017 [A. 16.1.5]
NIST SP 800-53 R4 [IR-4], [GO-9], [SE-2]
ENS [Op. exp. 7]
Guía contenidos mínimos PPE (4.2)
NIS (Directives 27, 33)

CHARACTERIZATION
Scale:
L0 - The average response time to a cyber incident is not estimated.
L1 - The procedure for estimating the average response time to a cyber incident has been established.
L2 - A procedure to measure the average response time to a cyber incident has been established, but it has not been documented.
L3 - The procedure for estimating the average response time to a cyber incident has been documented and is updated.
L4 - The procedure for estimating the average response time to a cyber incident is managed, updated and verified.
L5 - Improvement actions are applied in the procedure for the definition and estimation of the average response time to a cyber incident.

COLLECTION
Method of Collection: Manual. A personal or telephone interview is recommended in order to be able to interpret the results in greater detail.
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator Positive values: Values close to L5 indicate that the number of hours between the occurrence of a cyber incident and its resolution has been estimated.
Corrective measures: Establish a procedure to estimate the average response time to a cyber incident. Document, update and verify the procedure for estimating the average resolution time.

Table 29: Metric R-GI-OE3-06: Establish a process for estimating the response and recovery capacity of cyber incidents.


FIELD INFORMATION

IDENTIFICATION
Code: R-GI-OE4-03
Goal: RECOVER
Functional Domain: INCIDENT MANAGEMENT
Indicator’s Objective: Establish a process for estimating the average time of a cyber incident's impact on the essential service.
Description: Establish a process for estimating the average time of impact of a cyber incident that affects the provision of the essential service. This average is calculated from the number of hours between the occurrence of the cyber incident and the time the provision of the affected essential service is recovered.
Please quantify this time (in hours) in the comments field and indicate how this value has been obtained.
If you have never suffered a cyber incident, you can consider, for example, the average time obtained in the business continuity tests performed.
Question: Is the average time of impact of a cyber incident that affects the provision of the essential service estimated?
Correlation:
ISO/IEC 27001:2017 [A. 16.1.5]
NIST SP 800-53 R4 [IR-4], [GO-9], [SE-2]
ENS [Op. exp. 7]
Guía contenidos mínimos PPE (4.2)
NIS (Directives 27, 33)

CHARACTERIZATION
Scale:
L0 - The average time of impact of a cyber incident on the provision of the essential service is not estimated.
L1 - Estimation of the average time of impact of a cyber incident on the provision of the essential service has been initiated.
L2 - A procedure has been established to estimate the time of impact of a cyber incident on the provision of the essential service, but it has not been documented.
L3 - A procedure for estimating the average time of impact of a cyber incident on the provision of the essential service has been documented and is kept up to date.
L4 - A procedure for estimating the average time of impact of a cyber incident on the provision of the essential service is managed, updated and verified.
L5 - Improvement actions are applied to the procedure to estimate the average time of impact of a cyber incident on the provision of the essential service.

COLLECTION
Method of Collection: Manual. A personal or telephone interview is recommended in order to interpret the results in greater detail.
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator Positive values: Values close to L5 indicate that there is a procedure to estimate the time of impact of cyber incidents on the provision of the essential service.
Corrective measures: Establish a procedure to measure the average time of impact of a cyber incident. Use, for example, guides such as the CCN-STIC 817 ICT Security Guide. Document, review and verify the procedure to assess the average time of impact of a cyber incident.

Table 30: Metric R-GI-OE4-03: Establish a process for estimating the average time of a cyber incident's impact on the essential service.


FIELD INFORMATION

IDENTIFICATION
Code: R-GI-OE5-03
Goal: RECOVER
Functional Domain: INCIDENT MANAGEMENT
Indicator’s Objective: Coordination with other agencies in the response to cyber incidents.
Description: It deals with finding out whether there are formal channels of communication with the State Security Forces and Corps and whether they are used to report serious incidents that have occurred in the organization.
If the essential service is supported by an Industrial Control System (ICS), special attention should be paid to incidents related to the physical security of SCADA elements geographically distributed outside the organization's headquarters (industrial plants, outdoors, etc.).
Question: Are serious cyber incidents occurring in the organization communicated to the State Security Forces and Corps?
Correlation:
ISO/IEC 27001:2017 [A. 16.1.6], [A. 16.1.7]
NIST SP 800-53 R4 [IR-4], [GO-9]
ENS [Op. exp. 7]
Guía contenidos mínimos PSO (2.2.1, 2.2.4)
Guía contenidos mínimos PPE (2.1, 2.3, 4.2.1)

CHARACTERIZATION
Scale:
L0 - There is no procedure for communicating cyber incidents to the State Security Forces and Corps.
L1 - The procedure for communicating cyber incidents to the State Security Forces and Corps has been initiated.
L2 - A procedure has been established to communicate cyber incidents to the State Security Forces and Corps, but it has not been documented.
L3 - A procedure for communicating cyber incidents to the State Security Forces and Corps has been documented and is kept up to date.
L4 - The procedure for reporting cyber incidents to the State Security Forces and Corps is managed, updated and verified.
L5 - Improvement actions are applied to the procedure for the communication of cyber incidents to the State Security Forces and Corps.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: All serious cyber incidents are communicated to the State Security Forces and Corps.
Indicator Positive values: Values close to L5 indicate that the organization communicates all serious cyber incidents to the State Security Forces and Corps (FCSE).
Corrective measures: Promote coordination and communication with the State Security Forces and Corps in the response to cyber incidents. Document, review and update the communication procedure with the State Security Forces and Corps.

Table 31: Metric R-GI-OE5-03: Coordination with other agencies in the response to cyber incidents.


2.3.2. Service Continuity Management (SCM)

FIELD INFORMATION

IDENTIFICATION
Code: R-CS-OE1-01
Goal: RECOVER
Functional Domain: SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective: Develop a Continuity Plan to ensure the provision of the essential service.
Description: It deals with knowing whether the provision of the essential service is supported by a Continuity Plan that is periodically updated, and whether it is also updated when new risks or changes in the organizational or operational environment become known.
Question: Has a Continuity Plan been defined to guarantee the permanent provision of the essential service?
Correlation:
ISO/IEC 27001:2017 [A. 17.1.1], [A. 17.1.2]
NIST SP 800-53 R4 [CP-1], [CP-2], [CP-13], [PM-11]
ENS [Op. cont. 2]
Guía contenidos mínimos PPE (2.3)
NIS (Directive 69)

CHARACTERIZATION
Scale:
L0 - There is no Continuity Plan to ensure the provision of the essential service.
L1 - The development of a Continuity Plan to ensure the provision of the essential service has been initiated.
L2 - Continuity Plan actions have been established for the provision of the essential service, but are not documented yet.
L3 - The essential service Continuity Plan has been documented and is kept up to date.
L4 - The essential service Continuity Plan is managed, updated and reviewed.
L5 - Improvement actions are implemented in the essential service Continuity Plan.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator Positive values: Values close to L5 indicate that the organization develops the essential service Continuity Plan, that is, it considers the protection, dependencies or replacements of the critical assets that intervene in the provision of that service (people, information, technology and facilities).
Corrective measures: Develop, update and verify the actions of the Continuity Plan of the essential service for which we are conducting the survey.

Table 32: Metric R-CS-OE1-01: Develop a Continuity Plan to ensure the provision of the essential service.


FIELD INFORMATION

IDENTIFICATION
Code: R-CS-OE1-06
Goal: RECOVER
Functional Domain: SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective: Define the RTO in the Continuity Plan.
Description: It deals with knowing whether the Continuity Plan provides the RTO for the provision of the essential service.
The RTO is the maximum acceptable time objective for the recovery of the service, even with a degraded level of functionality, after a disaster that affects its provision; that is to say, the time within which recovery has no important consequences for the organization or for a specific business process. (If recovery is not achieved within that time, the consequences can be very serious.)
Ensure that the recovery time (RTO) is not only documented but is used to guarantee service continuity. It is also verified that the RTO conforms to the essential service continuity requirements.
Question: Do the continuity plans document the Recovery Time Objectives (RTO) of the essential service?
Correlation:
ISO/IEC 27001:2017 [A. 17.1.1], [A. 17.1.2]
NIST SP 800-53 R4 [CP-1], [CP-2], [CP-13], [PM-11]
ENS [Op. cont. 1]
Guía contenidos mínimos PPE (4.2)
NIS (Directive 69)

CHARACTERIZATION
Scale:
L0 - The RTO has not been defined nor identified as necessary for the continuity of essential service provision.
L1 - The need to establish the RTO for the provision of the essential service has been identified and its definition has been initiated.
L2 - A procedure for the RTO in the continuity of the provision of the essential service has been established, but is not documented.
L3 - A procedure for the RTO has been documented and is kept up to date in all continuity plans for the provision of the essential service.
L4 - The procedure for the RTO defined in the continuity plans for the provision of the essential service is managed, updated and reviewed.
L5 - Improvement actions are implemented in the procedure for the definition of the RTO documented in the continuity plans for the provision of the essential service.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator Positive values: Values close to L5 indicate that the organization documents the Recovery Time Objectives (RTO) of the essential service in its continuity plan.
Corrective measures: Identify the RTO for essential service continuity.

Table 33: Metric R-CS-OE1-06: Define the RTO in the Continuity Plan.


FIELD INFORMATION

IDENTIFICATION
Code: R-CS-OE2-04
Goal: RECOVER
Functional Domain: SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective: Test the Continuity Plan.
Description: Test the Continuity Plan for the provision of the essential service. It deals with knowing whether test protocols are available for the essential service continuity plan and whether it is regularly verified in order to:
- Determine the feasibility, completeness and accuracy of the Continuity Plan with respect to the essential service.
- Collect information on the degree of preparedness of the organization.
If the essential service is based on an Industrial Control System (ICS), which does not allow a complete shutdown for the execution of continuity plan tests, partial or phased shutdowns may be considered; tests on a replica; or even simulation.
Question: Has the Continuity Plan been tested for the provision of the essential service?
Correlation:
ISO/IEC 27001:2017 [A. 17.1.3]
NIST SP 800-53 R4 [CP-3], [CP-4]
ENS [Op. cont. 3]
Guía contenidos mínimos PPE (2.3)
NIS (Directive 69)

CHARACTERIZATION
Scale:
L0 - No continuity plans are tested for any essential service.
L1 - The definition of the Continuity Plan tests for the essential service has been initiated.
L2 - Periodic continuity tests have been established for the essential service, but are not documented.
L3 - All essential service continuity test plans are documented and kept up to date.
L4 - Essential service continuity test plans are managed, updated and reviewed.
L5 - Actions to improve the continuity plans are implemented as a result of their testing.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator Positive values: Values close to L5 indicate that the organization tests the essential service Continuity Plan for which we are conducting the survey.
Corrective measures: Establish a test procedure for the essential service Continuity Plan identified.

Table 34: Metric R-CS-OE2-04: Test the Continuity Plan.


FIELD INFORMATION

IDENTIFICATION
Code: R-CS-OE3-03
Goal: RECOVER
Functional Domain: SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective: The average time elapsed from the interruption of the essential service until its recovery to an acceptable level.
Description: Estimate the average time elapsed between the moment an outage occurs in the provision of the essential service and the moment the essential service becomes available again with a minimum acceptable level of functionality.
Please quantify this time (in hours) in the comments field and indicate how this value was obtained. For example, it can be obtained by adding the time invested in the backup of data from external and internal dependencies and the time needed for the services to be operational again.
Question: Is the average time between the moment an interruption in the provision of the essential service occurs and the instant it becomes available again with a minimum acceptable level of functionality estimated?
Correlation:
ISO/IEC 27001:2017 [A. 17.1.1], [A. 17.1.2]
NIST SP 800-53 R4 [CP-1], [CP-2], [CP-13], [PM-11]
ENS [Op. cont. 1]
Guía contenidos mínimos PPE (4.2)
NIS (Directives 27, 33)

CHARACTERIZATION
Scale:
L0 - The average time between the occurrence of an outage and the return of the essential service with a minimum level of functionality is not measured.
L1 - The definition of the procedure for measuring the average time between the occurrence of an outage and the return of the essential service with a minimum level of functionality has been initiated.
L2 - The procedure for measuring the average time between when an outage occurs and when the essential service becomes available again with a minimum level of functionality has been established but is not documented.
L3 - The procedure for measuring the average time between when an outage occurs and when the essential service becomes available again with a minimum level of functionality has been documented and is kept up to date.
L4 - The procedure for measuring the average time between the occurrence of an outage and the return of the essential service with a minimum level of functionality is managed, updated and verified.
L5 - Improvement actions are applied to the procedure for the reduction of the average time between the occurrence of an interruption and the essential service becoming available again with a minimum level of functionality.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator Positive values: Values close to L5 indicate that a procedure is available, updated and improved to estimate the number of hours between an interruption in the provision of the service and when it is again available with a minimum level of functionality.
Corrective measures: Establish the necessary mechanisms (technological, logistic and physical) to make the essential service available again in the shortest possible time after the interruption event.

Table 35: Metric R-CS-OE3-03: The average time elapsed from the interruption of the essential service until its recovery to an acceptable level.


FIELD INFORMATION

IDENTIFICATION
Code: R-CS-OE3-04
Goal: RECOVER
Functional Domain: SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective: The average time elapsed from the interruption of the essential service until its recovery to the usual level of service.
Description: Estimate the average time elapsed between the moment an interruption occurs in the provision of the essential service and the instant it recovers its habitual functionality.
Please quantify this time (in hours) in the comments field and indicate how this value was obtained.
Question: Is the average time between the moment the essential service is interrupted and the moment it recovers its normal functionality estimated?
Correlation:
ISO/IEC 27001:2017 [A. 17.1.1], [A. 17.1.2]
NIST SP 800-53 R4 [CP-1], [CP-2], [CP-13], [PM-11]
ENS [Op. cont. 1]
Guía contenidos mínimos PPE (4.2)
NIS (Directives 27, 33)

CHARACTERIZATION
Scale:
L0 - The average time between the occurrence of an interruption and the restoration of the essential service to its normal operation is not measured.
L1 - The definition of the procedure for measuring the average time between the occurrence of an interruption and the restoration of the essential service to its normal operation has been initiated.
L2 - A procedure to measure the average time between the occurrence of an interruption and the restoration of the essential service to its normal operation has been established but is not documented.
L3 - The procedure for estimating the average time between the occurrence of an interruption and the restoration of the essential service to its normal operation has been documented and is kept up to date.
L4 - The procedure for estimating the average time between the occurrence of an interruption and the restoration of the essential service to its normal operation is managed, updated and verified.
L5 - Improvement actions are applied to the procedure for the reduction of the average time between the occurrence of an interruption and the restoration of the essential service to its normal operation.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator Positive values: Values close to L5 indicate that an updated and optimized procedure is available to estimate the number of hours between the interruption in the provision of the essential service and the restoration of the essential service to its normal operating level.
Corrective measures: Establish the necessary mechanisms (technological, logistical and physical) to make the essential service available again in the shortest possible time after the interruption event.

Table 36: Metric R-CS-OE3-04: The average time elapsed from the interruption of the essential service until its recovery to the usual level of service.


FIELD INFORMATION

IDENTIFICATION
Code: R-CS-OE1-02
Goal: RECOVER
Functional Domain: SERVICE CONTINUITY MANAGEMENT
Indicator’s Objective: Identify and prioritize external dependencies related to the provision of the essential service.
Description: Identify and prioritize external dependencies (third-party dependencies) to ensure that the organization directs its cyber resilience efforts primarily to those that contribute most, and most directly, to the provision of the essential service.
Question: Are external dependencies related to the provision of the essential service identified and prioritized?
Correlation:
ISO/IEC 27001:2017 [A. 15.1.1], [A. 15.1.2], [A. 15.1.3]
NIST SP 800-53 R4 [PL-8]
ENS [Op. ext. 1]
Guía contenidos mínimos PSO (3.4, 4.3)
Guía contenidos mínimos PPE (3.2, 3.3)

CHARACTERIZATION
Scale:
L0 - External dependencies related to the provision of the essential service are neither identified nor prioritized.
L1 - Identification and prioritization of external dependencies related to the provision of the essential service has been initiated.
L2 - External dependencies related to the provision of the essential service are identified and prioritized, but not documented.
L3 - A procedure for identifying and prioritizing external dependencies related to the provision of the essential service has been documented and is kept up to date.
L4 - The procedure for identifying and prioritizing external dependencies involved in the provision of the essential service is managed, updated and reviewed.
L5 - Improvement actions are implemented in the procedure to identify and prioritize external dependencies related to the provision of the essential service.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Indicator Positive values: Values close to L5 indicate that the organization has a prioritized list of all external dependencies that affect the essential service and that this list is kept updated.
Corrective measures: Establish criteria for identifying and prioritizing external dependencies. Keep the criteria and priorities documented, updated and reviewed periodically.

Table 37: Metric R-CS-OE1-02: Identify and prioritize external dependencies related to the provision of the essential service.

FIELD INFORMATION

IDENTIFICATION
Code: R-CS-OE2-01
Goal: RECOVER
Functional Domain: SERVICE CONTINUITY MANAGEMENT
Indicator's Objective: Identify and manage risks associated with external dependencies.
Description: Identify and properly manage the risks associated with external dependencies that contribute, directly or indirectly, to the provision of the essential service. Prioritize and update the identified risks.
Question: Are the risks associated with external dependencies related to the provision of the essential service properly identified and managed?
Correlation:
ISO/IEC 27001:2017 [A.15.1.1], [A.15.1.2], [A.15.1.3]
NIST SP 800-53 R4 [SA-21], [SC-38]
ENS [Op. ext. 1]
Guía contenidos mínimos PSO (3.4, 4.3)
Guía contenidos mínimos PPE (3.2, 3.3)

CHARACTERIZATION
Scale:
L0 - Risks associated with external dependencies are not managed.
L1 - Management of risks associated with external dependencies has been initiated.
L2 - Management of risks associated with external dependencies has been established but is not documented.
L3 - Management of risks associated with external dependencies has been documented and is kept up to date.
L4 - Risks associated with external dependencies are managed, updated and verified.
L5 - Actions are implemented to improve the management of risks associated with external dependencies.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Positive indicator values: Values close to L5 indicate that the organization has identified the risks associated with external dependencies and that this list is prioritized and kept up to date.
Corrective measures: Identify and assess the risks arising from external dependencies so that they can be managed effectively and the resilience of the essential service provided by the organization is maintained.

Table 38: Metric R-CS-OE2-01: Identify and manage risks associated with external dependencies.

FIELD INFORMATION

IDENTIFICATION
Code: R-CS-OE3-04
Goal: RECOVER
Functional Domain: SERVICE CONTINUITY MANAGEMENT
Indicator's Objective: Establish specific cyber resilience agreements with the third parties involved in the provision of the essential service.
Description: This indicator assesses whether, for each external dependency (each third party that contributes directly or indirectly to the provision of the essential service), the organization has established and documented a detailed set of requirements that the third party must comply with in order to support and improve the organization's operations recovery capability. It also assesses whether these requirements have been included as clauses of the outsourced service provision agreements, or Service Level Agreements (SLAs), reached with these entities; for example, the maximum period of non-availability of server infrastructure, or penalties in the event of non-compliance.
Question: Are cyber resilience requirements included in agreements with third parties that contribute, directly or indirectly, to the provision of the essential service?
Correlation:
ISO/IEC 27001:2017 [A.15.1.1], [A.15.1.2], [A.15.1.3]
NIST SP 800-53 R4 [SA-12], [SA-13]
ENS [Op. ext. 1]
Guía contenidos mínimos PPE (2.3, 3.2)
NIS (48, 50, 52, 54, 69)

CHARACTERIZATION
Scale:
L0 - Cyber resilience requirements are not included in service level agreements with providers (external dependencies).
L1 - The inclusion of cyber resilience requirements in agreements with external dependencies has been initiated.
L2 - Cyber resilience requirements have been established for relations with external dependencies but are not documented.
L3 - Cyber resilience requirements in agreements with external dependencies have been documented and are kept up to date.
L4 - Cyber resilience requirements in agreements with external dependencies are managed, updated and verified.
L5 - Actions to improve cyber resilience requirements in agreements with external dependencies are implemented.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Positive indicator values: Values close to L5 indicate that the organization verifies and updates the cyber resilience requirements in all agreements with external entities from which services supporting the essential service are contracted.
Corrective measures: Define, update and review the cyber resilience requirements in Service Level Agreements (SLAs) with external entities, so that they:
- are enforceable by the organization;
- include detailed and complete specifications of what the external entity must meet;
- include the required performance standards;
- are updated periodically, and whenever appropriate, to reflect changes during the life of the relationship.

Table 39: Metric R-CS-OE3-04: Establish specific cyber resilience agreements with the third parties involved in the provision of the essential service.

FIELD INFORMATION

IDENTIFICATION
Code: R-CS-OE4-01
Goal: RECOVER
Functional Domain: SERVICE CONTINUITY MANAGEMENT
Indicator's Objective: Supervise and manage the operation of external dependencies.
Description: Supervise and manage the operation of the external dependencies that support the provision of the essential service, in accordance with the cyber resilience requirements agreed with the organization. This indicator assesses whether the operations of third parties that contribute, directly or indirectly, to the provision of the essential service are regularly supervised, in order to verify compliance with the cyber resilience requirements agreed between the parties. Such supervision also makes it possible to ascertain whether any operational problems encountered during the provision of outsourced services are resolved.
Question: For those third parties that participate, directly or indirectly, in the provision of the essential service, are their operations supervised and managed in accordance with the cyber resilience requirements agreed with the organization?
Correlation:
ISO/IEC 27001:2017 [A.15.2.1]
NIST SP 800-53 R4 [AR-4], [SA-3], [SA-9], [SA-12], [SA-13]
ENS [Op. ext. 2]
Guía contenidos mínimos PPE (2.3, 3.2)
NIS (48, 50, 52, 54, 69)

CHARACTERIZATION
Scale:
L0 - There is no supervision and management of the operation of external dependencies.
L1 - Supervision and management of the operation of external dependencies has been initiated.
L2 - A procedure has been established for the supervision and management of the operation of external dependencies, but it is not documented.
L3 - The procedure for the supervision and management of the operation of external dependencies has been documented and is kept up to date.
L4 - The procedure for the supervision and management of the operation of external dependencies is monitored and verified.
L5 - Improvement actions are applied to the procedure for supervising and managing the operation of external dependencies.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Positive indicator values: Values close to L5 indicate that the organization periodically monitors the operation of the external dependencies that support the essential service, to verify that they meet the established cyber resilience requirements.
Corrective measures: Establish a procedure, to be updated and improved over time, to periodically monitor the operation of the external dependencies of the essential service and to analyze deviations from the established cyber resilience requirements, in order to understand their potential impact on the organization.

Table 40: Metric R-CS-OE4-01: Supervise and manage the operation of external dependencies.

FIELD INFORMATION

IDENTIFICATION
Code: R-CS-OE5-01
Goal: RECOVER
Functional Domain: SERVICE CONTINUITY MANAGEMENT
Indicator's Objective: Identify and prioritize public service dependencies.
Description: Identify and prioritize the external dependencies related to public services (emergency services, law enforcement agencies, etc.) that contribute, directly or indirectly, to the provision of the essential service.
Question: Are the external dependencies linked to public services (emergency services, law enforcement agencies, etc.) that contribute, directly or indirectly, to the provision of the essential service identified and prioritized?
Correlation:
ISO/IEC 27001:2017 [A.15.2.2]
NIST SP 800-53 R4 [SA-3], [SA-12]
ENS [Op. ext. 2]
Guía contenidos mínimos PSO (3.4, 4.3)
Guía contenidos mínimos PPE (3.2, 3.3)

CHARACTERIZATION
Scale:
L0 - Public service dependencies are neither identified nor prioritized.
L1 - Identification of public service dependencies has begun.
L2 - Public service dependencies have been identified and prioritized, but are not documented.
L3 - A procedure documenting and prioritizing public service dependencies exists, and the resulting list is kept up to date.
L4 - The procedure for identifying and prioritizing public service dependencies is managed, updated and verified.
L5 - Improvement actions are applied to the procedure for identifying and prioritizing public service dependencies.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Positive indicator values: Values close to L5 indicate that the organization has a procedure under which the public service dependencies that support critical services (emergency services, law enforcement, etc.) have been identified, prioritized and documented, and that this list is kept up to date.
Corrective measures: Conduct an in-depth review of the public services that may be vital to the continuity of essential services in the event of a disruption. Document, review and update the dependencies found in each periodic review.

Table 41: Metric R-CS-OE5-01: Identify and prioritize public service dependencies.

FIELD INFORMATION

IDENTIFICATION
Code: R-CS-OE5-02
Goal: RECOVER
Functional Domain: SERVICE CONTINUITY MANAGEMENT
Indicator's Objective: Identify and prioritize the dependencies on basic utilities and telecommunications suppliers.
Description: Identify and prioritize the external dependencies related to basic utilities and telecommunications suppliers (telecommunications operators, basic utilities, etc.) that contribute, directly or indirectly, to the provision of the essential service.
Question: Are the external dependencies related to suppliers of basic utilities and telecommunications (telecommunications operators, energy supply, water, etc.) that contribute, directly or indirectly, to the provision of the essential service identified and prioritized?
Correlation:
ISO/IEC 27001:2017 [A.15.2.2]
NIST SP 800-53 R4 [SA-3], [SA-12]
ENS [Op. ext. 2]
Guía contenidos mínimos PSO (3.4, 4.3)
Guía contenidos mínimos PPE (3.2, 3.3)

CHARACTERIZATION
Scale:
L0 - Dependencies on suppliers of basic utilities and telecommunications are neither identified nor prioritized.
L1 - Identification and prioritization of dependencies on basic utilities and telecommunications suppliers has been initiated.
L2 - Dependencies on suppliers of basic utilities and telecommunications have been identified and prioritized, but are not documented.
L3 - The identification, prioritization and updating of dependencies on utilities and telecommunications suppliers has been documented in a procedure.
L4 - The procedure to identify and prioritize dependencies on utilities and telecommunications suppliers is managed, updated and verified.
L5 - Improvement actions are implemented in the procedure for the identification and prioritization of dependencies on utilities and telecommunications suppliers.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Positive indicator values: Values close to L5 indicate that the organization has developed, maintains and updates a procedure to identify, prioritize and document dependencies on the basic utilities and telecommunications providers supporting essential services (telecommunications operators, energy, etc.), and that this list is kept up to date.
Corrective measures: Undertake a thorough review of the providers of basic utilities and telecommunications that may be vital to the continuity of essential services, and incorporate them as cyber resilience requirements in the continuity plans.

Table 42: Metric R-CS-OE5-02: Identify and prioritize the dependencies on basic utilities and telecommunications suppliers.


2.4. Evolve

The tables below describe the four (4) metrics corresponding to the goal Evolve, grouped by the corresponding functional domains as defined in the methodology.

2.4.1. Configuration and Change Management (CCM)

FIELD INFORMATION

IDENTIFICATION
Code: E-CC-OE1-01
Goal: EVOLVE
Functional Domain: CONFIGURATION AND CHANGE MANAGEMENT
Indicator's Objective: Manage the configuration of information and technology assets.
Description: Establish a procedure for managing the configuration of the computer and technological components and equipment associated with the system that provides the essential service, in such a way as to facilitate its acceptable re-establishment after a cyber incident with serious consequences. In addition, the management of changes to those components and equipment must be guaranteed, in order to prevent potential negative impacts on the provision of the essential service caused by those changes.
Question: Is there a configuration management procedure for the equipment associated with the system that provides the essential service?
Correlation:
ISO/IEC 27001:2017 [A.12.1.2]
NIST SP 800-53 R4 [CM-1], [CM-2], [CM-3], [CM-6], [CM-9], [SA-5], [SA-10]
ENS [Op. exp. 2]
Guía contenidos mínimos PPE (4.2.3)

CHARACTERIZATION
Scale:
L0 - There is no procedure for managing the configuration of computer and technological equipment.
L1 - The establishment of a procedure for the configuration management of IT and technological equipment has been initiated.
L2 - The procedure for managing the configuration of IT equipment has been established but is not documented.
L3 - The procedure for managing the configuration of computer and technological equipment has been documented and is kept up to date.
L4 - The procedure for managing the configuration of IT and technological equipment is managed, updated and revised.
L5 - Actions are implemented to improve the procedure for managing the configuration of IT and technological equipment.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Positive indicator values: Values close to L5 indicate that the organization carries out configuration management of the computer and technological equipment supporting essential services. This provides a level of control that prevents changes from degrading the support this equipment gives to essential services. The procedure must ensure that the service is restored in an acceptable manner following a cyber incident with serious consequences.
Corrective measures: Establish a procedure for the configuration management of the technological assets that support the essential service.

Table 43: Metric E-CC-OE1-01: Manage the configuration of information and technology assets.
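The following Python script is an added example and is not part of the INCIBE dictionary. It shows one way to make the two halves of E-CC-OE1-01 checkable in practice: a recorded baseline (the SHA-256 of each configuration item) that the restored state of an asset can be compared against after an incident, and a change-control check that flags any drift from that baseline which no approved change record explains. All paths, file contents, change identifiers and the change-record format are constructed assumptions for the example; the dictionary, ENS and NIST SP 800-53 prescribe no particular format.

```python
"""Configuration baseline and drift check for assets that support an essential service.

Added example, not part of the INCIBE dictionary. It models the two halves of
E-CC-OE1-01: a recorded configuration baseline that recovery can be checked
against, and change control that flags configuration changes nobody approved.
All paths, file contents and change identifiers below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed configuration items of a hypothetical host: path -> content.
GOLDEN_CONFIG: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/ntp.conf": b"server ntp.example.internal iburst\n",
    "/opt/scada/gateway.ini": b"[net]\nallow_remote_write=false\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(items: Dict[str, bytes]) -> Dict[str, str]:
    """Record the SHA-256 of every configuration item's content."""
    return {path: sha256_hex(content) for path, content in sorted(items.items())}


def baseline_digest(baseline: Dict[str, str]) -> str:
    """Integrity value for the baseline record itself (canonical JSON, then SHA-256).
    Stored off-host, it lets the restore team detect a baseline that was tampered
    with to redefine 'normal' before the drift check is even run."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


@dataclass(frozen=True)
class ChangeRecord:
    """Approved change from the change-management procedure (assumed format):
    which item changes and the hash its content must have afterwards."""
    change_id: str
    path: str
    approved_hash: str  # "" means an approved removal of the item


def detect_drift(baseline: Dict[str, str],
                 current: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Compare live content with the baseline. Returns, for every item that was
    added, removed or modified, {"baseline": old_hash, "current": new_hash};
    an empty string marks the side on which the item does not exist."""
    observed = build_baseline(current)
    drift: Dict[str, Dict[str, str]] = {}
    for path in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(path, ""), observed.get(path, "")
        if old != new:
            drift[path] = {"baseline": old, "current": new}
    return drift


def unauthorized_changes(drift: Dict[str, Dict[str, str]],
                         approved: List[ChangeRecord]) -> List[str]:
    """Drifted items not explained by an approved change whose target hash
    matches what is actually deployed (a change approved as X but deployed
    as Y is still unauthorized)."""
    targets = {(c.path, c.approved_hash) for c in approved}
    return [p for p, d in sorted(drift.items()) if (p, d["current"]) not in targets]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one approved change, one unapproved edit that weakens
    a control, and one unexpected new item."""
    baseline = build_baseline(GOLDEN_CONFIG)
    new_ntp = b"server ntp2.example.internal iburst\n"
    current = dict(GOLDEN_CONFIG)
    current["/etc/ntp.conf"] = new_ntp  # covered by the approved change below
    current["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"
    current["/etc/cron.d/unknown-job"] = b"* * * * * root /tmp/x\n"  # absent from baseline
    approved = [ChangeRecord("CHG-0042", "/etc/ntp.conf", sha256_hex(new_ntp))]
    drift = detect_drift(baseline, current)
    return {"drifted": sorted(drift), "unauthorized": unauthorized_changes(drift, approved)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the constructed scenario the NTP change is accepted because an approved record names its exact resulting hash, while the weakened sshd setting and the new cron entry are reported as unauthorized drift. In use, the baseline and its digest would be kept with the recovery material referenced by the continuity plan, the check run on a schedule and before and after each approved change, and the same comparison run against a rebuilt asset before it is declared restored.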


2.4.2. Communication (CM)

FIELD INFORMATION

IDENTIFICATION
Code: E-CM-OE1-02
Goal: EVOLVE
Functional Domain: COMMUNICATION
Indicator's Objective: Establish communication mechanisms, on cyber resilience issues, with parties outside the organization.
Description: Define and establish external communication mechanisms in the area of cyber resilience with, among others: customers, suppliers, media, State Security Forces and Corps, emergency services, etc. It must be evaluated whether these mechanisms are effective and whether they are used regularly.
Question: Have effective external communication mechanisms for cyber resilience been defined and established, for example with customers, suppliers, media, State Security Forces and Corps, emergency services, etc.?
Correlation:
NIST SP 800-53 R4 [IR-7], [SA-9]
Guía contenidos mínimos PSO (2.2.1, 2.2.4)
Guía contenidos mínimos PPE (2.1, 2.3, 4.2.1)

CHARACTERIZATION
Scale:
L0 - No communication is established with external entities regarding cyber resilience.
L1 - Communication with external entities on cyber resilience has been initiated.
L2 - Communication mechanisms with external entities on cyber resilience have been established but are not documented.
L3 - Communication mechanisms with external entities on cyber resilience have been documented in a procedure and are kept up to date.
L4 - The procedure for communication with external entities on cyber resilience is managed, updated and verified.
L5 - Actions are implemented to improve the procedure for communication with external entities on cyber resilience.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Positive indicator values: Values close to L5 indicate that the organization establishes, updates and improves procedures for managing external communication mechanisms formally and regularly with, among others: customers, suppliers, media, State Security Forces and Corps, emergency services, etc.
Corrective measures: Establish effective mechanisms for external communication through authorized channels. Create good practices for communicating cyber incidents.

Table 44: Metric E-CM-OE1-02: Establish communication mechanisms outside the organization on cyber resilience issues.

FIELD INFORMATION

IDENTIFICATION
Code: E-CM-OE2-02
Goal: EVOLVE
Functional Domain: COMMUNICATION
Indicator's Objective: Ensure the availability of the internal or external communication channels required by the essential service.
Description: The objective is to ensure that, in the event of an interruption, mechanisms exist and function to establish the appropriate communications with the actors needed to recover the provision of the essential service. This includes verifying, for example, that the incident can be communicated to the party responsible for its resolution. In any case, there must be alternative communication channels for use when the usual ones fail; these must offer the same guarantees of protection of the communication as the usual channel, and must be guaranteed to enter into operation within a defined maximum time.
Question: Has the availability of the internal or external communication channels required by the essential service been verified?
Correlation:
NIST SP 800-53 R4 CP-2 (2) [2], CP-8, SC-1
ENS [MP. com. 9]
Guía contenidos mínimos PSO (2.2.1, 2.2.4)
Guía contenidos mínimos PPE (2.1, 4.2.1)

CHARACTERIZATION
Scale:
L0 - The availability of the internal or external communication channels required by the essential service is not verified.
L1 - Tests of the availability of the internal or external communication channels required by the essential service have been initiated.
L2 - A procedure has been established to verify the availability of the internal or external communication channels required by the essential service, but it is not documented.
L3 - A procedure for verifying the availability of the internal or external communication channels required by the essential service has been documented and is kept up to date.
L4 - The procedure for verifying the availability of the internal or external communication channels required by the essential service is managed, updated and verified.
L5 - Improvement actions are applied to the procedure for verifying the availability of the internal or external communication channels required by the essential service.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Positive indicator values: Values close to L5 indicate that the organization has a procedure to verify the availability of the internal or external communication channels required by the essential service. For example, it is verified that a cyber incident can be communicated to the appropriate party in the event of an interruption of the normal operation of the essential service.
Corrective measures: Establish a procedure to verify that a cyber incident can be communicated to the appropriate party in the event of an interruption of the normal operation of the essential service under assessment.

Table 45: Metric E-CM-OE2-02: Ensure the availability of the internal or external communication channels required by the essential service.

FIELD INFORMATION

IDENTIFICATION
Code: E-CM-OE3-02
Goal: EVOLVE
Functional Domain: COMMUNICATION
Indicator's Objective: Communicate the continuity strategy to the entire organization.
Description: This indicator assesses whether the delegations of authority and assignments of responsibility (both internal and external) established within the framework of the cyber resilience program have been made with the required publicity and transparency, so that all staff involved in the program know their particular role and know to whom authority is assigned at any given time.
Question: Does the essential service continuity plan include the allocation of the respective delegations of authority and communicate these responsibilities to all those involved (both internal and external)?
Correlation:
ISO/IEC 27001:2017 [A.17.1.3]
NIST SP 800-53 R4 [CP-2 (a) (3)], [CP-3]
ENS [Op. cont. 2]
Guía contenidos mínimos PSO (2.2.1)
Guía contenidos mínimos PPE (4.2, 4.2.2)

CHARACTERIZATION
Scale:
L0 - Responsibilities are not assigned and communicated to the staff involved in continuity plans.
L1 - Assignment and communication of responsibilities to the staff involved in continuity plans has been initiated.
L2 - A procedure has been established to assign and communicate responsibilities to the staff involved in continuity plans, but it is not documented.
L3 - The procedure for assigning and communicating responsibilities to the staff involved in continuity plans has been documented and is kept up to date.
L4 - The procedure for assigning and communicating responsibilities to the staff involved in continuity plans is managed, updated and verified.
L5 - Improvement actions are implemented in the procedure for assigning and communicating responsibilities to the staff involved in continuity plans.

COLLECTION
Method of Collection: Manual
Responsible: CSO or CISO

ANALYSIS
Objective measure: L5
Positive indicator values: Values close to L5 indicate that the organization guarantees the assignment and communication of responsibilities and authorities within the Continuity Plan to all the staff involved, both internal staff and the staff of the suppliers concerned, so that they are aware of their functions and responsibilities.
Corrective measures: Establish, verify and improve a procedure for the assignment and communication of responsibilities and authorities within the Continuity Plan to all staff involved.

Table 46: Metric E-CM-OE3-02: Communicate the continuity strategy to the entire organization.


3. ACRONYMS

BIA: Business Impact Analysis.

CISO: Chief Information Security Officer.

CSO: Chief Security Officer.

CVSS: Common Vulnerability Scoring System.

ENS: Esquema Nacional de Seguridad (Spanish National Security Scheme).

ISO: International Organization for Standardization.

MTD: Maximum Tolerable Downtime.

NIST: National Institute of Standards and Technology.

PPE: Planes de Protección Específicos (Specific Protection Plans).

PSO: Planes de Seguridad de Operador (Operator Security Plans).

RPO: Recovery Point Objective.

RTO: Recovery Time Objective.


4. REFERENCES

Guía de buenas prácticas - Plan de protección específico (PPE) (Good practice guide - Specific Protection Plan)
http://www.cnpic.es/Biblioteca/Noticias/GUIA_BUENAS_PRACTICAS_PPE.pdf

NIST. Special Publication 800-53 Rev. 4
https://nvd.nist.gov/800-53

AENOR (2017). UNE-EN ISO/IEC 27001:2017 Tecnología de la información. Técnicas de seguridad. Sistemas de Gestión de la Seguridad de la Información (Information technology. Security techniques. Information security management systems).
https://www.iso.org/isoiec-27001-information-security.html
https://www.une.org/encuentra-tu-norma/busca-tu-norma/norma?c=N0058428

ISO (2018). ISO/IEC 27005:2018 Information technology – Security techniques – Information security risk management
https://www.aenor.com/normas-y-libros/buscador-de-normas/ISO?c=075281

AENOR (2018). UNE-ISO 31000:2018 Gestión del riesgo. Directrices (Risk management. Guidelines).
https://www.iso.org/iso-31000-risk-management.html
https://www.une.org/encuentra-tu-norma/busca-tu-norma/norma/?c=N0059900

ISO (2015). ISO/TS 22317:2015 Societal security – Business continuity management systems – Guidelines for business impact analysis (BIA)
https://www.aenor.com/normas-y-libros/buscador-de-normas/iso?c=050054

Spain. BOE. Código de Derecho de la Ciberseguridad (Cybersecurity Law Code)
https://www.boe.es/legislacion/codigos/codigo.php?id=173&modo=1&nota=0&tab=2
Includes (among others):
Spain (2017). National Security Strategy.
Law 8/2011, of 28 April, establishing measures for the protection of critical infrastructures.
Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the field of Electronic Administration.
Resolution of 8 September 2015, of the Secretary of State for Security, approving the new minimum contents of the Operator Security Plans and the Specific Protection Plans.
Royal Decree-Law 12/2018, of 7 September, on the security of networks and information systems.

EU (2016). Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive).
https://eur-lex.europa.eu/legal-content/ES/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.SPA&toc=OJ:L:2016:194:TOC

Spain (2019). Guía Nacional de Notificación y Gestión de Ciberincidentes (National Guide for Cyber Incident Notification and Management)
http://www.interior.gob.es/documents/10180/9814700/Gu%C3%ADa+Nacional+de+notificaci%C3%B3n+y+gesti%C3%B3n+de+ciberincidentes/f01d9ed6-2e14-4fb0-b585-9b0df20f2906
