ENISA – MINIMUM SECURITY MEASURES FOR OPERATORS OF ESSENTIAL SERVICES

Each security measure below is mapped to ISO/IEC 27001, the NIST Cybersecurity Framework (CSF) and ISA/IEC 62443 system requirements (SR). Fields per measure: Security domain | Security sub-domain | Security measure | Description | ISO 27001 | NIST CSF | ISA/IEC 62443.

Security domain: Defence
Security sub-domain: Computer Security Incident Management
Security measure: Incident report
Description: The operator creates, keeps up to date and implements procedures for incident reporting.
ISO 27001: 7.5 Documented information; A.12.1.1 Documented operating procedures; A.16.1.1 Responsibilities and procedures; A.16.1.2 Reporting information security events; A.16.1.3 Reporting information security weaknesses
NIST CSF: RS.CO-2, 3, 4, 5; DE.DP-4
ISA/IEC 62443: SR 2.8; SR 2.9; SR 2.10; SR 2.11; SR 2.12; SR 3.9; SR 6.1; SR 6.2

Security domain: Defence
Security sub-domain: Computer Security Incident Management
Security measure: Communication with competent authorities
Description: The operator implements a service that enables it to take note, without undue delay, of information sent out by its national competent authority concerning incidents, vulnerabilities, threats and relevant mappings (up-to-date inventory of CIS, interconnections of CIS with third-party networks, etc.).
ISO 27001: 7.4 Communication; 7.5 Documented information; A.6.1.3 Contact with authorities; A.6.1.4 Contact with special interest groups; A.8.2.2 Labelling of information
NIST CSF: RS.CO-2, 3, 4, 5; DE.DP-4
ISA/IEC 62443: SR 2.8; SR 2.9; SR 2.10; SR 2.11; SR 2.12; SR 3.9; SR 6.1; SR 6.2

Security domain: Defence
Security sub-domain: Detection
Security measure: Logging
Description: The operator sets up a logging system on each CIS in order to record events relating, at least, to user authentication, management of accounts and access rights, modifications to security rules, and the functioning of the CIS.
ISO 27001: 9.1 Monitoring, measurement, analysis and evaluation; A.12.4 Logging and monitoring; A.14.1.2 Securing application services on public networks; A.15.2.1 Monitoring and review of supplier services; A.18.1.3 Protection of records
NIST CSF: ID.RA-1; ID.SC-1; PR.MA-1, 2; DE.CM-1, 2, 3, 6, 7; DE.AE-3; RS.MI-3; PR.PT-1
ISA/IEC 62443: SR 2.8; SR 2.9; SR 2.10; SR 2.11; SR 2.12; SR 3.9; SR 6.1; SR 6.2

Security domain: Defence
Security sub-domain: Detection
Security measure: Logs correlation and analysis
Description: The operator creates a log correlation and analysis system that mines the events recorded by the logging system installed on each of the CIS in order to detect events that affect CIS security.
ISO 27001: 9.1 Monitoring, measurement, analysis and evaluation; 9.3 Management review; A.16.1.4 Assessment of and decision on information security events; A.16.1.7 Collection of evidence
NIST CSF: ID.RA-4, 5; PR.PT-1; DE.AE-2, 3, 4; DE.DP-3, 4, 5; PR.IP-7; RS.AN-1, 5
ISA/IEC 62443: SR 2.8; SR 2.9; SR 2.10; SR 2.11; SR 2.12; SR 3.9; SR 6.1; SR 6.2

Security domain: Defence
Security sub-domain: Computer Security Incident Management
Security measure: Communication with competent authorities and CSIRTs
ISO 27001: 7.4 Communication; 7.5 Documented information; A.6.1.3 Contact with authorities; A.6.1.4 Contact with special interest groups; A.8.2.2 Labelling of information
NIST CSF: RS.CO-2, 3, 4, 5; DE.DP-4
ISA/IEC 62443: SR 2.8; SR 2.9; SR 2.10; SR 2.11; SR 2.12; SR 3.9; SR 6.1; SR 6.2

Security domain: Defence
Security sub-domain: Detection
Security measure: Detection
Description: The operator sets up a security incident detection system of the “analysis probe for files and protocols” type. These probes analyse the data flows transiting through them in order to seek out events likely to affect the security of the CIS.
ISO 27001: 9.1 Monitoring, measurement, analysis and evaluation; A.12.2 Protection from malware; A.12.4 Logging and monitoring; A.12.6.1 Management of technical vulnerabilities; A.15.2.1 Monitoring and review of supplier services
NIST CSF: PR.DS-6, 8; DE.AE-1, 5; DE.CM-1, 2, 3, 4, 5, 6, 7; DE.DP-1, 2, 3; PR.PT-1
ISA/IEC 62443: SR 2.8; SR 2.9; SR 2.10; SR 2.11; SR 2.12; SR 3.1; SR 3.3; SR 3.4; SR 3.8; SR 3.9; SR 5.1; SR 5.2; SR 5.4; SR 6.1; SR 6.2

Security domain: Defence
Security sub-domain: Computer Security Incident Management
Security measure: Information system security incident response
Description: The operator creates, keeps up to date and implements a procedure for handling, responding to and analysing incidents that affect the functioning or the security of its CIS, in accordance with its ISSP.
ISO 27001: A.16.1.1 Responsibilities and procedures; A.16.1.4 Assessment of and decision on information security events; A.16.1.5 Response to information security incidents; A.16.1.6 Learning from information security incidents; A.16.1.7 Collection of evidence
NIST CSF: ID.RA-3, 4, 5, 6; ID.SC-5; PR.IP-9, 10; RS.AN-1, 2, 3, 4, 5; RS.MI-1, 2, 3; RS.IM-1, 2; RS.CO-1, 3, 4, 5; RS.RP-1; RC.RP-1; RC.CO-2
ISA/IEC 62443: SR 2.8; SR 2.9; SR 2.10; SR 2.11; SR 2.12; SR 3.9; SR 5.1; SR 5.2; SR 5.4; SR 6.1; SR 6.2

Security domain: Governance and Ecosystem
Security sub-domain: Information System Security Governance & Risk Management
Security measure: Human resource security
Description: The established information system security policies set up a CIS security awareness-raising program for all staff and a security training program for employees with CIS-related responsibilities.
ISO 27001: 4.1 Understanding the organization and its context; 4.2 Understanding the needs and expectations of interested parties; 5.3 Organizational roles, responsibilities and authorities; 6.2 Information security objectives and planning to achieve them; 7 Support; 9.1 Monitoring, measurement, analysis and evaluation; A.6.1.1 Information security roles and responsibilities; A.6.1.2 Segregation of duties; A.7 Human resource security; A.9.3 User responsibilities
NIST CSF: ID.AM-6; ID.GV-2, 3; RS.CO-1; PR.IP-7, 11; DE.DP-1; PR.AT-1, 2, 3, 4, 5
ISA/IEC 62443: SR 1.1; SR 1.2; SR 1.4; SR 1.5; SR 1.9; SR 2.1; SR 5.2

Security domain: Governance and Ecosystem
Security sub-domain: Information System Security Governance & Risk Management
Security measure: Information system security indicators
Description: For each CIS and according to a number of indicators and assessment methods, the operator evaluates its compliance with its ISSP. Indicators may relate to the risk management organization’s performance, the maintaining of resources in secure conditions, users’ access rights, authenticating access to resources, and resource administration.
ISO 27001: 6.2 Information security objectives and planning to achieve them; 7.1 Resources; 7.2 Competence; 9 Performance evaluation; A.12.1.3 Capacity management
NIST CSF: ID.AM-5; ID.RM-2, 3; PR.IP-7, 8; PR.DS-4; ID.BE-5
ISA/IEC 62443: SR 3.4; SR 4.1

Security domain: Governance and Ecosystem
Security sub-domain: Information System Security Governance & Risk Management
Security measure: Information system security risk analysis
Description: The operator conducts and regularly updates a risk analysis, identifying the Critical Information Systems (CIS) underpinning the provision of the essential services of the OES and the main risks to these CIS.
ISO 27001: 6 Planning; 8 Operation; 9.3 Management review; 10 Improvement; A.8.1.1 Inventory of assets; A.12.6.1 Management of technical vulnerabilities; A.18.2.1 Independent review of information security
NIST CSF: ID.GV-4; ID.RA-1, 3, 4, 5, 6; ID.RM-1, 2, 3; RS.IM-1, 2; ID.SC-1, 2; PR.IP-12; RC.IM-1, 2; ID.AM-1, 2, 4, 5; DE.CM-8; RS.MI-3; RS.AN-5
ISA/IEC 62443: SR 7.8

Security domain: Governance and Ecosystem
Security sub-domain: Information System Security Governance & Risk Management
Security measure: Information system security audit
Description: The operator establishes and updates a policy and procedures for performing information system security assessments and audits of critical assets and CIS, taking into account the regularly updated risk analysis.
ISO 27001: 6 Planning; 8 Operation; 9.2 Internal audit; 9.3 Management review; 10 Improvement; A.5.1.2 Review of the policies for information security; A.12.7.1 Information systems audit controls; A.18.2 Information security reviews
NIST CSF: ID.GV-3, 4; ID.RA-1, 3, 4, 5, 6; ID.RM-1, 2, 3; DE.CM-8; DE.DP-5; ID.SC-4; PR.AC-1; PR.PT-1; PR.IP-7, 12; RS.IM-1, 2; RC.IM-1, 2
ISA/IEC 62443: SR 2.8; SR 2.9; SR 2.10; SR 2.11; SR 2.12

Security domain: Governance and Ecosystem
Security sub-domain: Ecosystem Management
Security measure: Ecosystem mapping
Description: The operator establishes a mapping of its ecosystem, covering internal and external stakeholders, including but not limited to suppliers, and in particular those with access to or managing the operator’s critical assets.
ISO 27001: 4.1 Understanding the organization and its context; 4.2 Understanding the needs and expectations of interested parties; 4.3 Determining the scope of the information security management system; 5.2 Policy; 8.1 Operational planning and control
NIST CSF: ID.AM-3, 4, 6; ID.BE-1, 2, 4
ISA/IEC 62443: none listed

Security domain: Governance and Ecosystem
Security sub-domain: Information System Security Governance & Risk Management
Security measure: Information system security accreditation
Description: Building on the risk analysis and according to an accreditation process referred to in the ISSP, the operator accredits the CIS identified in its information system risk analysis, including inter alia the inventory and architecture of the administration components of the CIS.
ISO 27001: 6.1 Actions to address risks and opportunities; 8 Operation; 9.2 Internal audit; 10.1 Nonconformity and corrective action; A.12.1.1 Documented operating procedures; A.12.7.1 Information systems audit controls
NIST CSF: ID.RA-1, 3, 4, 6; ID.RM-1, 2, 3; ID.SC-1; RS.IM-1, 2; PR.IP-7, 12; PR.PT-1; DE.CM-8; RS.MI-3
ISA/IEC 62443: SR 2.8; SR 2.9; SR 2.10; SR 2.11; SR 2.12

Security domain: Governance and Ecosystem
Security sub-domain: Information System Security Governance & Risk Management
Security measure: Information system security policy
Description: Building upon the risk analysis, the operator establishes, maintains up to date and implements an information system security policy (ISSP) approved by senior management, guaranteeing high-level endorsement of the policy.
ISO 27001: 4.3 Determining the scope of the information security management system; 4.4 Information security management system; 5.1 Leadership and commitment; 5.2 Policy; 5.3 Organizational roles, responsibilities and authorities; 6.2 Information security objectives and planning to achieve them; 9.3 Management review; A.5.1.1 Policies for information security; A.5.1.2 Review of the policies for information security; A.6.1.1 Information security roles and responsibilities; A.7.2.1 Management responsibilities; A.18.1.1 Identification of applicable legislation and contractual requirements; A.18.1.2 Intellectual property rights; A.18.2.2 Compliance with security policies and standards
NIST CSF: ID.GV-1, 2, 3, 4; ID.BE-1, 2, 3, 4; PR.AT-2, 3, 4, 5; DE.DP-1; ID.AM-6
ISA/IEC 62443: none listed

Security domain: Governance and Ecosystem
Security sub-domain: Ecosystem Management
Security measure: Ecosystem relations
Description: The operator establishes a policy towards its relations with its ecosystem in order to mitigate the potential risks identified. This includes in particular, but is not limited to, interfaces between the CIS and third parties.
ISO 27001: 4.2 Understanding the needs and expectations of interested parties; 5.2 Policy; 7.4 Communication; 7.5 Documented information; 8.1 Operational planning and control; 9.3 Management review; A.5.1.1 Policies for information security; A.7.1.2 Terms and conditions of employment; A.7.2 During employment; A.7.3 Termination and change of employment; A.12.7 Information systems audit considerations; A.13.2 Information transfer; A.14.2.7 Outsourced development; A.15 Supplier relationships; A.18.1.1 Identification of applicable legislation and contractual requirements
NIST CSF: RS.CO-4, 5; ID.RM-1; ID.GV-2; ID.SC-1, 2, 3, 4, 5; RC.CO-3
ISA/IEC 62443: SR 1.13; SR 2.6; SR 2.8; SR 2.9; SR 2.10; SR 2.11; SR 2.12; SR 3.1; SR 3.5; SR 3.8; SR 4.1; SR 4.2; SR 4.3; SR 5.1; SR 5.2; SR 5.3; SR 6.1; SR 6.2; SR 7.1; SR 7.6

Security domain: Protection
Security sub-domain: Identity and access management
Security measure: Authentication and identification
Description: For identification, the operator sets up unique accounts for users or for automated processes that need to access resources of its CIS. Unused or no longer needed accounts are to be deactivated. A regular review process should be established.
ISO 27001: A.9.1 Business requirements of access control; A.9.3 User responsibilities; A.9.4.1 Information access restriction; A.9.4.2 Secure log-on procedures; A.9.4.3 Password management system
NIST CSF: PR.AC-1, 4, 6, 7; PR.DS-5
ISA/IEC 62443: SR 1.1; SR 1.2; SR 1.3; SR 1.4; SR 1.5; SR 1.6; SR 1.7; SR 1.8; SR 1.9; SR 1.10; SR 1.11; SR 1.12; SR 1.13; SR 2.1; SR 2.2; SR 2.3; SR 2.4; SR 2.5; SR 2.6; SR 2.7; SR 5.2

Security domain: Protection
Security sub-domain: IT Security Maintenance
Security measure: IT security maintenance procedure
Description: The operator develops and implements a procedure for security maintenance in accordance with its ISSP. To this end, the procedure defines the conditions enabling the minimum security level to be maintained for CIS resources.
ISO 27001: 7.5.3 Control of documented information; 8.1 Operational planning and control; 10.1 Nonconformity and corrective action; A.11.2.4 Equipment maintenance; A.12.1.2 Change management; A.12.6.1 Management of technical vulnerabilities; A.14.1.1 Information security requirements analysis and specification; A.14.2 Security in development and support processes; A.15.2.2 Managing changes to supplier services
NIST CSF: PR.MA-1, 2; PR.IP-1, 2, 3, 4, 7; PR.DS-3, 4; ID.SC-4
ISA/IEC 62443: SR 3.1; SR 3.3; SR 3.4; SR 3.8; SR 6.1; SR 7.6

Security domain: Protection
Security sub-domain: IT Security Architecture
Security measure: System segregation
Description: The operator segregates its systems in order to limit the propagation of IT security incidents within its systems or subsystems.
ISO 27001: A.12.1.4 Separation of development, testing and operational environments; A.13.1 Network security management
NIST CSF: PR.DS-5, 7; PR.PT-3, 4; PR.AC-5, 6
ISA/IEC 62443: SR 1.13; SR 2.6; SR 3.1; SR 3.5; SR 3.8; SR 4.1; SR 4.2; SR 4.3; SR 5.1; SR 5.2; SR 5.3; SR 7.1; SR 7.6

Security domain: Protection
Security sub-domain: IT Security Architecture
Security measure: Cryptography
Description: In its ISSP, the operator establishes and implements a policy and procedures related to cryptography, with a view to ensuring adequate and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information in its CIS.
ISO 27001: A.10.1 Cryptographic controls; A.18.1.5 Regulation of cryptographic controls
NIST CSF: ID.GV-3; PR.DS-1, 2, 5, 6, 8; PR.PT-4
ISA/IEC 62443: SR 5.2

Security domain: Protection
Security sub-domain: IT Security Maintenance
Security measure: Industrial control systems
ISO 27001: 4 Context of the organization; 5.2 Policy; 5.3 Organizational roles, responsibilities and authorities; 7 Support; 8 Operation; 9.1 Monitoring, measurement, analysis and evaluation; A.6.1.1 Information security roles and responsibilities; A.8.1.1 Inventory of assets; A.8.2.3 Handling of assets; A.9 Access control; A.11 Physical and environmental security; A.12 Operations security; A.14 System acquisition, development and maintenance; A.15 Supplier relationships; A.17 Information security aspects of business continuity management
NIST CSF: ID.BE-1, 2, 3, 4; ID.AM-1, 2, 4, 6; ID.GV-2; ID.SC-1, 2, 3, 4, 5; PR.AC-5; PR.PT-4
ISA/IEC 62443: SR 1.10; SR 1.13; SR 2.1; SR 2.2; SR 2.3; SR 2.4; SR 2.5; SR 2.6; SR 2.7; SR 2.8; SR 2.9; SR 2.10; SR 2.11; SR 2.12; SR 3.1; SR 3.2; SR 3.3; SR 3.4; SR 3.5; SR 3.8; SR 3.9; SR 4.1; SR 4.2; SR 4.3; SR 5.1; SR 5.2; SR 5.3; SR 5.4; SR 6.1; SR 6.2; SR 7.1; SR 7.2; SR 7.3; SR 7.4; SR 7.6; SR 7.8

Security domain: Protection
Security sub-domain: IT Security Administration
Security measure: Administration accounts
Description: The operator sets up specific accounts for administration, to be used only by administrators carrying out administration operations (installation, configuration, management, maintenance, etc.) on its CIS. These accounts are kept on an up-to-date list.
ISO 27001: A.9.2.3 Management of privileged access rights; A.9.2.5 Review of user access rights; A.9.2.6 Removal or adjustment of access rights; A.12.4.3 Administrator and operator logs
NIST CSF: PR.AC-1, 4, 7; PR.AT-2, 4
ISA/IEC 62443: SR 1.1; SR 1.2; SR 1.3; SR 1.4; SR 1.5; SR 1.7; SR 1.8; SR 1.9; SR 2.1

Security domain: Protection
Security sub-domain: Physical and environmental security
Security measure: Physical and environmental security
Description: The operator prevents unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
ISO 27001: A.8.1 Responsibility for assets; A.11 Physical and environmental security
NIST CSF: ID.AM-1, 4; DE.CM-2, 3, 6; PR.IP-5, 6; PR.AC-2, 3; PR.DS-3; PR.PT-2, 5
ISA/IEC 62443: SR 1.13; SR 2.6; SR 2.8; SR 2.9; SR 2.10; SR 2.11; SR 2.12; SR 4.2; SR 5.2; SR 7.8

Security domain: Protection
Security sub-domain: Identity and access management
Security measure: Access rights
Description: Among the rules defined in its systems security policy, the operator grants access rights to a user or an automated process only when that access is strictly necessary for the user to carry out their mission or for the automated process to carry out its technical operations.
ISO 27001: A.9.2 User access management; A.9.4.4 Use of privileged utility programs; A.9.4.5 Access control to program source code
NIST CSF: ID.AM-5, 6; PR.AC-1, 4, 6, 7; PR.DS-5; PR.PT-3
ISA/IEC 62443: SR 1.1; SR 1.2; SR 1.3; SR 1.4; SR 1.5; SR 1.7; SR 1.8; SR 1.9; SR 1.10; SR 2.1

Security domain: Protection
Security sub-domain: IT Security Architecture
Security measure: Traffic filtering
Description: The operator filters the traffic flows circulating in its Critical Information Systems (CIS). The operator therefore forbids traffic flows that are not needed for the functioning of its systems and that are likely to facilitate an attack.
ISO 27001: 8.1 Operational planning and control; A.13.1 Network security management; A.13.2.1 Information transfer policies and procedures; A.13.2.2 Agreements on information transfer
NIST CSF: PR.PT-4; PR.AC-3, 5; PR.DS-2; DE.CM-6, 7
ISA/IEC 62443: SR 1.13; SR 2.6; SR 3.1; SR 3.5; SR 3.8; SR 4.1; SR 4.2; SR 4.3; SR 5.1; SR 5.2; SR 5.3; SR 7.1; SR 7.6

Security domain: Protection
Security sub-domain: IT Security Administration
Security measure: Administration information systems
Description: Hardware and software resources used for administration purposes are managed and configured by the operator or, where appropriate, by the service provider that the operator has authorised to carry out administration operations.
ISO 27001: A.9.3.1 Use of secret authentication information; A.9.4 System and application access control; A.12.1.4 Separation of development, testing and operational environments; A.12.4.3 Administrator and operator logs
NIST CSF: PR.AC-1, 3, 4, 6, 7; PR.DS-5, 6, 7; PR.AT-2, 3, 4; PR.PT-4
ISA/IEC 62443: SR 1.1; SR 1.2; SR 1.3; SR 1.4; SR 1.5; SR 1.7; SR 1.8; SR 1.9; SR 1.10; SR 2.1; SR 5.2; SR 6.1

Security domain: Protection
Security sub-domain: IT Security Architecture
Security measure: Systems configuration
Description: The operator only installs services and functionalities, or connects equipment, that are essential for the functioning and the security of its CIS.
ISO 27001: 4.3 Determining the scope of the information security management system; A.6.2.1 Mobile device policy; A.8.3.1 Management of removable media; A.12.1 Operational procedures and responsibilities; A.12.5 Control of operational software; A.12.6.2 Restrictions on software installation; A.13.1.2 Security of network services; A.14.1 Security requirements of information systems; A.14.2.1 Secure development policy; A.14.2.2 System change control procedures; A.14.2.3 Technical review of applications after operating platform changes; A.14.2.4 Restrictions on changes to software packages; A.14.2.5 Secure system engineering principles; A.14.2.6 Secure development environment
NIST CSF: PR.IP-1, 2, 3; DE.AE-1; PR.PT-3
ISA/IEC 62443: SR 1.13; SR 2.3; SR 2.4; SR 2.6; SR 3.1; SR 3.3; SR 3.4; SR 3.5; SR 3.8; SR 4.1; SR 4.2; SR 4.3; SR 5.1; SR 5.2; SR 5.3; SR 7.1; SR 7.2; SR 7.6; SR 7.8

Security domain: Resilience
Security sub-domain: Continuity of operations
Security measure: Disaster recovery management
Description: In accordance with its ISSP, the operator defines objectives and strategic guidelines regarding disaster recovery management in case of a severe IT security incident.
ISO 27001: A.17.2 Redundancies
NIST CSF: ID.BE-5; PR.PT-5; PR.IP-9, 10; PR.DS-4; RC.IM-1, 2; RC.RP-1
ISA/IEC 62443: SR 5.2; SR 7.1; SR 7.2

Security domain: Resilience
Security sub-domain: Crisis management
Security measure: Crisis management organisation
Description: The operator defines in its ISSP the organization for crisis management in case of IT security incidents and for the continuity of the organization’s activities.
ISO 27001: 5.3 Organizational roles, responsibilities and authorities; A.6.1.1 Information security roles and responsibilities; A.11.2.4 Equipment maintenance; A.17.1 Information security continuity
NIST CSF: PR.DS-4; PR.IP-10; ID.BE-5
ISA/IEC 62443: SR 3.3; SR 7.1; SR 7.2

Security domain: Resilience
Security sub-domain: Continuity of operations
Security measure: Business continuity management
Description: In accordance with its ISSP, the operator defines objectives and strategic guidelines regarding business continuity management in case of an IT security incident.
ISO 27001: 9.3 Management review; 10.2 Continual improvement; A.5.1.2 Review of the policies for information security; A.11.2.4 Equipment maintenance; A.17.1 Information security continuity; A.17.2 Redundancies
NIST CSF: ID.RM-1, 2, 3; PR.IP-4, 7, 9, 10; RS.IM-2; RC.IM-1, 2; RC.RP-1; RC.CO-1, 2, 3; PR.PT-5; PR.DS-4; ID.BE-5; ID.SC-5
ISA/IEC 62443: SR 2.8; SR 3.3; SR 5.2; SR 6.1; SR 7.1; SR 7.2; SR 7.3; SR 7.4

Security domain: Resilience
Security sub-domain: Crisis management
Security measure: Crisis management process
Description: The operator defines in its ISSP the processes for crisis management which the crisis management organization will implement in case of IT security incidents and for the continuity of the organization’s activities.
ISO 27001: 7.4 Communication; 9.3 Management review; 10.2 Continual improvement; A.5.1.2 Review of the policies for information security; A.6.1.3 Contact with authorities; A.11.2.4 Equipment maintenance; A.17.1 Information security continuity
NIST CSF: RC.CO-1, 2, 3; RC.RP-1; RS.IM-1, 2; ID.SC-5; PR.IP-4, 9, 10; PR.PT-5
ISA/IEC 62443: SR 2.8; SR 3.3; SR 6.1; SR 7.1; SR 7.2; SR 7.3; SR 7.4