Access Control: Minimises the potential damage from a misused or stolen staff account by granting permissions on a least-privilege basis. Extra permissions are given on request.
Accountability and Governance: Demonstration of GDPR compliance by implementing data protection measures/safeguards that reduce the risks to people's privacy in an organisation.
Administrative Accounts: Privileged user accounts with access to sensitive information, applications and computers within an organisation, resulting in a high risk of attack.
Asset Management: Identification and classification of all data, people and systems (assets) for the delivery, maintenance or support of networks/information systems.
Assurance: Gaining confidence in the effectiveness of the security of technology, people and processes relevant to essential functions.
Authentication and Authorisation: Authentication confirms that users are who they say they are. Authorisation gives those users permission to access a resource.
Backup and Restore: Key information should be backed up regularly and the backups preferably kept in a secure location away from the business premises.
Backups: You hold accessible and secured current backups of the data and information needed to recover the operation of your essential function.
Board Direction: You have effective organisational security management led at board level and articulated clearly in corresponding policies.
Breach response and monitoring: You need to be able to detect, investigate, risk-assess and record any breaches.
Build and Maintain a Secure Network and Systems: Ensure that networks and systems are built and secured in a secure manner.
Business Continuity: Plans for recovery and continuity should be drawn up, reviewed regularly, and tested in whole or in part.
Business Continuity Management: Creating systems of prevention and recovery to deal with potential threats.
Cloud Services: Some organisations use cloud services to store or share files between employees, suppliers and customers.
Communications security: Prevention of unauthorised access to telecommunications traffic/written information, including encryption and physical protection.
Compliance: Compliance with legal requirements, security policies and standards, technical compliance and audit considerations.
Compliance: The ability to act according to an order, set of rules or request.
Contracts and data sharing: It is good practice to have written data sharing agreements when controllers share personal data.
Cryptography: Processes and technologies involved in the encryption and key management used to protect an organisation's information.
Cyber Security Culture: Developing and pursuing a positive cyber security culture, led by board example.
Cyber Security Training: Employment of a range of approaches to cyber security training, awareness and communication for people supporting the operation of the essential function.
Data Protection: The organisation should have a policy to manage personal data as defined by your country's data protection legislation.
Data Security: Protection against unauthorised modification, destruction or disclosure of data through physical and logical access controls.
Data security, international transfers and breaches: Security measures to protect personal data, procedures for reporting data breaches and restrictions on transfers outwith the EU.
Data in Transit: Protection of data in transit, including the transfer of data to third parties, through a combination of network protection and encryption.
Decision-making: Restrictions on making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.
Design for Resilience: Designing network and information systems to be resilient to cyber security incidents by segregating systems and mitigating resource limitations.
Device Management: Understanding and trusting the devices used to access the networks, information systems and data that support an organisation's function.
Education and Training: Education about cyber security risks and risk-mitigating behaviours, and supporting staff to make a positive contribution to cyber security.
External Communications: Transmission of information between an organisation and another person or entity outwith the internal environment.
Firewalls: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Generating Alerts: Defining rules within information security monitoring systems that trigger alerts where suspicious activity is identified.
Human resources security: Processes to ensure employees are qualified for and understand their roles and responsibilities, and that access is removed once employment is terminated.
Identifying Security Incidents: Implementation of monitoring tools to detect security events, incidents and weaknesses consistently.
Identity and Access Control: Understanding, documenting and controlling access to networks and information systems supporting essential functions.
Identity and Access Management: Policies, processes and systems that enable the right individuals to access the right resources at the right time.
Implement Strong Access Control Measures: Systems and processes must be in place to limit access based on need to know and according to job responsibilities.
Incident Management: All organisations should have security incident management procedures to allow any incidents to be dealt with successfully.
Incident Root Cause Analysis: Discovering the underlying or systemic causes of an information security incident.
Individuals' rights: The policies, processes and technologies used within an organisation to detect alerts, events and warnings which lead to a security incident.
Information Assets: Risk assessment and recovery from cyber security incidents both rely on having a good understanding of your key information assets.
Information security aspects of business continuity management: Identification of vulnerabilities, priorities, dependencies, and plans to facilitate continuity and recovery before, during and after disruption.
Information security incident management: Procedures to manage (report, assess, respond to and learn from) security events, incidents and weaknesses consistently.
Information security policies: A set of policies to clarify an organisation's direction of, and support for, information security, including a top-level information security policy.
Insurance: All organisations with a head office domiciled in the UK and a turnover of less than £20 million get automatic cyber insurance if they achieve CE.
Internal Processes: Processes defined and conducted internally to protect the confidentiality, integrity and availability of an organisation's data.
Lawfulness, fairness and transparency: GDPR principle that requires personal data to be processed in a lawful, fair and transparent manner in relation to the subjects of the data held.
Leadership and oversight: Making sure that staff have clear responsibilities for data protection-related activities at a strategic and operational level.
Maintain a Vulnerability Management Program: Anti-virus software must be used on all systems commonly affected by malware.
Maintain an Information Security Policy: A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them.
Malware protection: Minimising the risk of malware through processes and technologies including anti-malware software, application whitelisting and application sandboxing.
Managing Security: In this section, we need you to tell us about how you manage security within your organisation.
Measurement Analysis and Improvement: The measurement of a system to analyse a process and identify improvements.
Media / Equipment Sanitisation: Appropriate sanitisation of media and equipment holding data important to the operation of an organisation's essential function.
Mobile Data: Protecting data important to the operation of the essential function on mobile devices, through policies and protection technologies including MDM.
Monitoring: Monitoring can help identify suspicious activity on your systems.
Monitoring Coverage: Data sources used for monitoring allow for the timely identification of security events which might affect the operation of the essential function.
Monitoring Tools and Skills: Monitoring staff skills, tools and roles against governance and reporting requirements, threats and network complexities.
Network Security: Policies and practices adopted to prevent and monitor unauthorised access, misuse, modification, or denial of a computer network.
Office firewalls and internet gateways: Firewall is the generic name for software or hardware which provides technical protection between your systems and the outside world.
Office Firewalls and Internet Gateways: Configuration of boundary firewalls and internet gateways to prevent unauthorised access and protect against cyber threats through firewall rules.
Operating System Security: OS security encompasses all preventive-control techniques which safeguard any computer assets capable of being stolen, edited or deleted.
Operational Controls - Change & Incident Management: Change management is the process of modifying the IT infrastructure of an organisation in a standardised and systematic manner.
Operations and Management: Your organisation needs to ensure that the management of computers, networks and devices is carried out in a controlled manner.
Operations security: Procedures for the correct and secure operation of processing facilities, including change and capacity management and separation of environments.
Organisation: In this section we need to know a little about how your organisation is set up so we can ask you the most appropriate questions.
Organisation of information security: The assignment of responsibilities for managing information security within the organisation and the information accessed by external parties.
Patch management: Patch management consists of keeping information systems and network devices up to date and secure by acquiring, testing and installing patches.
Patches and Updates: To protect your organisation you should ensure that your software is always up to date with the latest patches.
People: People are your greatest allies in protecting your organisation's information. They can also present a risk due to privileged access to information.
Physical and Environmental Protection: Protection of your information and cyber security extends to the physical protection of information assets, to prevent theft, loss or damage.
Physical and environmental security: Measures implemented to control physical premises and equipment and protect against physical threats including access, damage and interference.
Physical Security: Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss.
Policies and procedures: Policies and procedures provide clarity and consistency by communicating what people need to do and why.
Policy & Awareness: Policy awareness is an automated process within information systems that provides users with simplified versions of policies contained in information.
Policy and Process
Policy and Process Development: Development of the security processes and policies within an organisation to protect the confidentiality, availability and integrity of assets.
Policy and Process Implementation: Successful implementation of security policies and processes, with the ability to demonstrate the security benefits achieved.
Privileged User Management: Managing privileged user access to networks and information systems through access control policies, processes and technologies.
Proactive Attack Discovery: Detecting anomalous events in relevant network and information systems to discover attack attempts.
Product Realisation: Documents used to show that there is a clear idea of what the product will be, e.g. drawings, statements of work, product specs etc.
Protect Cardholder Data: Protection methods such as encryption, truncation, masking and hashing are critical components of cardholder data protection.
Quality Management System (QMS): The QMS identifies the documentation and requirements identified in ISO 13485.
Records management and security
Records of processing activities and lawful basis: Taking stock of what information you have, where it is and what you do with it. Defining an appropriate lawful basis for processing.
Regularly Monitor and Test Networks: Logging mechanisms and the ability to track user activities are critical in preventing, detecting or minimising the impact of a data compromise.
Resilience Preparation: The activities and processes designed to build resilience capabilities for protecting against a cyber security attack.
Resource Management: Resource management is acquiring, allocating and managing resources such as individuals and their skills, finances, technology, materials, etc.
Response and Recovery Capability: Implementing incident management and mitigation processes to allow recovery from a cyber attack.
Response Plan: An up-to-date incident response plan based on a thorough risk assessment, taking account of essential functions and covering a range of scenarios.
Risk Assessment & Asset Management: Risk assessment is the combined effort of identifying and analysing potential events.
Risk Management: It is important to identify the threats to the organisation and assess the resulting risk.
Risk Management Process: Identification and assessment of security risks, and the governance and technical processes within an organisation to manage these risks.
Risks and data protection impact assessments
Roles and Responsibilities: Roles and responsibilities for all levels of security of networks and information systems, with clear communication and escalation channels.
SANS - Basic Controls
SANS - Foundational Controls
SANS - Organisational Controls
Scope of Assessment: Description of the elements of the organisation within the scope of the accreditation.
Secure configuration: Computers are often not secure upon default installation. It is essential that organisations implement secure configurations to reduce cyber vulnerabilities.
Secure Configuration: Building and installing information systems and network devices in order to reduce cyber vulnerabilities and attack vectors.
Secure by Design: Designing systems with an established context which makes compromise and disruption difficult, compromise easy to detect and the impact of compromise reduced.
Secure Management: Controls implemented in order to protect the confidentiality, availability and integrity of assets from threats and vulnerabilities.
Securing Logs: Restricting and securing access to logging data to prevent unauthorised modification or deletion of logs before the retention period is completed.
Security Policy: The organisation must have an implemented security policy to match its risk profile. This is usually the ultimate responsibility of the CIO/Director.
Segregation of Information Between Clients
Software Patching: Software patching means applying updates to devices or software to improve security and/or enhance functionality.
Stored Data: Technologies and processes in place for protecting stored data on hard disks, removable media or backups.
Sub-contractors: Sub-contractor management and governance.
Supplier Relationships: The agreements set in an organisation's supplier contracts and the measurement of compliance against these agreements.
Supply Chain: The understanding and management of security risks to networks and information systems which arise from dependencies on suppliers.
System acquisition, development and maintenance: Defining the security requirements of information systems, incorporating security in development and support processes, and protecting test data.
System Abnormalities for Attack Detection: Define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.
Systems Development: The Secure Systems Development Lifecycle (SSDLC) defines security requirements and tasks that must be considered and addressed.
Testing and Exercising: Conducting exercises to test response plans, using past incidents and scenarios that draw on threat intelligence and internal risk assessment.
Training and awareness: Employees receive appropriate training about your privacy programme, including what its goals are and what it requires people to do.
Transparency: Transparency facilitates the exercise of individuals' rights and gives people greater control.
User Accounts: Securely managing user access to information systems and networks through the assignment of unique user accounts with controlled access privileges.
Using Incidents to Drive Improvements: Using lessons learned from incidents to improve security measures and response capabilities.
Vulnerability Scanning: A vulnerability scan is a technical examination of the security status of your IT system.
Vulnerability Management: The management of known vulnerabilities in networks and information systems to prevent adverse impact on the organisation's function.