| Access Control | Minimises potential damage on a misused or stolen staff account by giving permissions on a least privileged basis. Extra permissions given by request. | Details |
|---|
| Accountability and Governance | Demonstration of GDPR compliance by implementing data protection measures/safeguards for reducing the risks to people's privacy in an organisation. | Details |
|---|
| Administrative Accounts | Privileged user accounts with access to sensitive information, applications and computers within an organisation, resulting in high risk of attack. | Details |
|---|
| Asset Management | Identification and classification of all data, people and systems (assets) for delivery, maintenance or support of networks/ information systems. | Details |
|---|
| Assurance | Gaining confidence in the effectiveness of security of technology, people and processes relevant to essential functions. | Details |
|---|
| Authentication and Authorisation | Authentication confirms that users are who they say they are. Authorization gives those users permission to access a resource. | Details |
|---|
| Backup and Restore | Key information should be backed up regularly and the backups preferably kept in a secure location away from the business premises. | Details |
|---|
| Backups | You hold accessible and secured current backups of data and information needed to recover operation of your essential function | Details |
|---|
| Board Direction | You have effective organisational security management led at board level and articulated clearly in corresponding policies. | Details |
|---|
| Breach response and monitoring | You need to be able to detect, investigate, risk-assess and record any breaches. | Details |
|---|
| Build and Maintain a Secure Network and Systems | Ensure Network and Systems are build and secured in a secure manner. | Details |
|---|
| Business Continuity | Plans for recovery and continuity should be drawn up and reviewed regularly, and tested in whole or in part. | Details |
|---|
| Business Continuity Management | Creating systems of prevention and recovery to deal with potential threats. | Details |
|---|
| Cloud Services | Some organisations use cloud services to store or share files between employees, suppliers and customers. | Details |
|---|
| Communications security | Prevention of unauthorised access to telecommunications traffic/ written information, including encryption and physical protection. | Details |
|---|
| Compliance | Compliance with legal requirements, security policies and stamdards, technical compliance and audit considerations. | Details |
|---|
| Compliance | The ability to act according to an order, set of rules or request. | Details |
|---|
| Contracts and data sharing | It is good practice for you to have written data sharing agreements when controllers share personal data. | Details |
|---|
| Cryptography | Processes and technologies involved in the encryption and key management used to protect an organisation's information | Details |
|---|
| Cyber Security Culture | Developing and pursuing a positive cyber security culture lead by board example. | Details |
|---|
| Cyber Security Training | Employment of a range of approaches to cyber security training, awareness and communication for people supporting the operation of essential function. | Details |
|---|
| Data Protection | The organisation should have a policy to manage personal data as defined by your country's data protection legislation. | Details |
|---|
| Data Security | Protection of unauthorised modification, destruction or disclosure of data through physical and logical accessibility controls. | Details |
|---|
| Data security, international transfers and breaches | Security measures to protect personal data, procedures for reporting data breaches and restrictions on transfers outwith the EU. | Details |
|---|
| Data in Transit | Protection of data in transit, including the transfer of data to third parties through a combination of network protection and encryption. | Details |
|---|
| Decision-making | Restrictions from making solely automated decisions, including those based on profiling, that have a legal/similarly significant effect on individuals | Details |
|---|
| Design for Resilience | Designing network and information systems to be resilient to cyber security incidents, by segregating systems and mitigating resource limitation. | Details |
|---|
| Device Management | Understanding and trusting the devcies used to access networks, information systems and data that supports an organisations function. | Details |
|---|
| Education and Training | Education of Cyber Security risks and risk mitigating behaviours, and supporting staff to make a positive contribution to Cyber security. | Details |
|---|
| External Communications | Transmission of information between an organisation and another person or entity outwith the internal environment. | Details |
|---|
| Firewalls | A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. | Details |
|---|
| Generating Alerts | Defining rules within information security monitoring systems which trigger alerts where suspicious activity is identified. | Details |
|---|
| Human resources security | Processes to ensure employees are qualified for and understand their roles/responsibilities, and that access is removed once employment is terminated. | Details |
|---|
| Identifying Security Incidents | Implementation of monitoring tools to detect security events, incidents and weaknesses consistently. | Details |
|---|
| Identity and Access Control | Understanding, documenting and controlling access to networks and information systems supporting essential functions. | Details |
|---|
| Identity and Access Management | Policies, processes and systems which enable the right individuals to access the right resources at the right time. | Details |
|---|
| Implement Strong Access Control Measures | Systems and processes must be in place to limit access based on need to
know and according to job responsibilities. | Details |
|---|
| Incident Management | All organisations should have security incident management procedures to allow any incidents to be dealt with successfully. | Details |
|---|
| Incident Root Cause Analysis | Discovering the underlying or systemic causes of an information security incident. | Details |
|---|
| Individuals' rights | The policies, processes and technologies used within an organisation to detect alerts, events and warning which lead to an security incident. | Details |
|---|
| Information Assets | Risk assessment and recovery from cyber security incidents both rely on having a good understanding of your key information assets. | Details |
|---|
| Information security aspects of business continuity management | Identification of vulnerabilities, priorities, dependencies, and plans to facilitate continuity and recovery before, during, and after disruption. | Details |
|---|
| Information security incident management | Procedures to manage (report, assess, respond to and learn from) security events, incidents and weaknesses consistently. | Details |
|---|
| Information security policies | A set of policies to clarify an organisation's direction of, and support for, information security, including a top level information security policy. | Details |
|---|
| Insurance | All organisations with a head office domiciled in the UK and a turnover of less than £20 million get automatic cyber insurance if they achieve CE. | Details |
|---|
| Internal Processes | Processes defined and conducted internally to protect the confidentiality, integrity and availability of an organisation's data | Details |
|---|
| Lawfulness, fairness and transparency | GDPR principle that requires personal data to be processed in a lawful, fair and transparent manner in relation to the subjects of the data held. | Details |
|---|
| Leadership and oversight | Making sure that staff have clear responsibilities for data protection-related activities at a strategic and operational level. | Details |
|---|
| Maintain a Vulnerability Management Program | Anti-virus software must be used on all systems commonly affected by malware. | Details |
|---|
| Maintain an Information Security Policy | A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. | Details |
|---|
| Malware protection | Minimising risk of malware through processed and technologies including anti-malware software, application whitelisting and application sandboxing. | Details |
|---|
| Managing Security | In this section, we need you to tell us about how you manage security within your organisation. | Details |
|---|
| Measurement Analysis and Improvement | The measurement of a system to analyse a process and to identify improvement. | Details |
|---|
| Media / Equipment Sanitisation | Appropriate sanitisation of media and equipment holding data important to the operation of an organisations essential function. | Details |
|---|
| Mobile Data | Protectiong data important to the operation of the essential function on mobile devices, through policies and protection technologies including MDM. | Details |
|---|
| Monitoring | Monitoring can help identify suspicious activity on your systems. | Details |
|---|
| Monitoring Coverage | Data sources used for monitoring allow for timely identification of security events which might affect the operation of essential function. | Details |
|---|
| Monitoring Tools and Skills | Monitoring staff skills, tools and roles against governance and reporting requirements, threats and network complexities. | Details |
|---|
| Network Security | Policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network. | Details |
|---|
| Office firewalls and internet gateways | Firewall is the generic name for software or hardware which provides technical protection between your systems and the outside world. | Details |
|---|
| Office Firewalls and Internet Gateways | Configuration of boundary firewalls and internet gateways to prevent unauthorised access and protect against cyber threats through firewall rules. | Details |
|---|
| Operating System Security | OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted. | Details |
|---|
| Operational Controls - Change & Incident Management | Change management is the process of modifying the IT infrastructure of an organization in a standardized and systematic manner. | Details |
|---|
| Operations and Management | Your organisation needs to ensure that management of computers, networks and devices is carried out in a controlled manner | Details |
|---|
| Operations security | Procedures for correct and secure operations of processing facilities, including change and capacity managementand seperation of environments. | Details |
|---|
| Organisation | In this section we need to know a little about how your organisation is set up so we can ask you the most appropriate questions. | Details |
|---|
| Organisation of information security | The assignment of responsibilities for managing information security within the organisation and the information accessed by external parties. | Details |
|---|
| Patch management | Patch management consists of keeping information systems and network devices up to date and secure by acquiring, testing and installing patches. | Details |
|---|
| Patches and Updates | To protect your organisation you should ensure that your software is always up-to-date with the latest patches. | Details |
|---|
| People | People are your greatest allies in protecting your organisation's information. They can also present a risk due to privileged access to information | Details |
|---|
| Physical and Environmental Protection | Protection of your information and cyber security extends to the physical protection of information assets, to prevent theft, loss, or damage. | Details |
|---|
| Physical and environmental security | Measures implemented to control physical premises and equipment and protect against physical threats including access, damage and interference. | Details |
|---|
| Physical Security | Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss | Details |
|---|
| Policies and procedures | Policies and procedures provide clarity and consistency, by communicating what people need to do and why. | Details |
|---|
| Policy & Awareness | Policy awareness is an automated process within information systems that provides users with simplified versions of policies contained in information. | Details |
|---|
| Policy and Process | | Details |
|---|
| Policy and Process Development | Development of the security processes and policies within an organisations to protect the confidentiality, availability and integrity of assets. | Details |
|---|
| Policy and Process Implementation | Successful implementation of security policies and processes, with ability to demonstrate the security benefits achieved. | Details |
|---|
| Privileged User Management | Managing privileged user access to networks and information systems through access control policies, processes and technologies. | Details |
|---|
| Proactive Attack Discovery | Detecting anomalous events in relevant network and information systems to discover attack attempts. | Details |
|---|
| Product Realisation | Documents used to identify that there a clear idea of what the product will be eg drawings, statements of work, product specs etc. | Details |
|---|
| Protect Cardholder Data | Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. | Details |
|---|
| Quality Management System (QMS) | The QMS identifies the documentation and requirements identified in ISO13485. | Details |
|---|
| Records management and security | Records management and security | Details |
|---|
| Records of processing activities and lawful basis | Taking stock of what information you have, where it is and what you do with it. Defining appropriate lawful basis for processing. | Details |
|---|
| Regularly Monitor and Test Networks | Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. | Details |
|---|
| Resilience Preparation | The activities and processes designed to build resilience capabilities for protecting against a cyber security attack. | Details |
|---|
| Resource Management | Resource management is acquiring, allocating and managing the resources, such as individuals and their skills, finances, technology, materials, etc | Details |
|---|
| Response and Recovery Capability | Implementing incident management and mitigation process to allow recovery from Cyber attack. | Details |
|---|
| Response Plan | Up-to-date incident response plan based on a thorough risk assessment taking account of essential functions and covering a range of scenarios. | Details |
|---|
| Risk Assessment & Asset Management | Risk assessment is the combined effort of identifying and analysing potential events. | Details |
|---|
| Risk Management | It is important to identify the threats to the organisation and assess the resulting risk. | Details |
|---|
| Risk Management Process | Identification and assessment of security risks and the governance and technical processes within an organisation to manage these risks. | Details |
|---|
| Risks and data protection impact assessments | Risks and data protection impact assessments | Details |
|---|
| Roles and Responsibilities | Roles and responsibilities for all levels of security of networks and information systems with clear communication and escalation channels. | Details |
|---|
| SANS - Basic Controls | SANS - Basic Controls | Details |
|---|
| SANS - Foundational Controls | SANS - Foundational Controls | Details |
|---|
| SANS - Organisational Controls | SANS - Organisational Controls | Details |
|---|
| Scope of Assessment | Description of the elements of the organisation within the scope of the accreditation. | Details |
|---|
| Secure configuration | Computers are often not secure upon default installation. It's essential organisations implement secure configurations to reduce cyber vulnerabilities | Details |
|---|
| Secure Configuration | Building and installing information systems and network devices in order to reduce cyber vulnerabilities and attack vectors. | Details |
|---|
| Secure by Design | Designing systems with established context which make compromise and disruption difficult, easy compromise detection and reduced compromise impact. | Details |
|---|
| Secure Management | Controls implemented in order to protect the confidentiality, availability and integrity of assets from threats and vulnerabilities. | Details |
|---|
| Securing Logs | Restricting and securing access to logging data to prevent unaothorised modification or deletion of logs before the retention period is completed. | Details |
|---|
| Security Policy | The organisation must have an implemented security policy to match its risk profile. This is usually the ultimate responsibility of the CIO/Director. | Details |
|---|
| Segregation of Information Between Clients | Segregation of Information Between Clients | Details |
|---|
| Software Patching | Software patching means applying updates to devices or software to improve security and/or enhance functionality. | Details |
|---|
| Stored Data | Technologies and processes in place for protected stored data on hard disks, removable media or backups. | Details |
|---|
| Sub-contractors | Sub-contractor management and governance | Details |
|---|
| Supplier Relationships | The agreements set with an organisation's suppliers contract and the measurement of compliance against these agreements. | Details |
|---|
| Supply Chain | The understanding and management of security risks to networks and information systems which arise from dependies on suppliers. | Details |
|---|
| System acquisition, development and maintenance | Defining security requirements of information systems, incorporating securirty in development and support processes and protecting test data. | Details |
|---|
| System Abnormalities for Attack Detection | Define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify. | Details |
|---|
| Systems Development | The Secure Systems Development Lifecycle (SSDLC) defines security requirements and tasks that must be considered and addressed. | Details |
|---|
| Testing and Exercising | Conducting exercises to test response plans, using past incidents, and scenarios that draw on threat intelligence and internal risk assessment. | Details |
|---|
| Training and awareness | Employees receive appropriate training about your privacy programme, including what its goals are and what it requires people to do. | Details |
|---|
| Transparency | Transparency facilitates the exercise of individuals’ rights and gives people greater control. | Details |
|---|
| User Accounts | Securely managing user access to information systems and network through the assignment of unique user accounts with controlled access privileges. | Details |
|---|
| Using Incidents to Drive Improvements | Using lessons learned from incidents to improve security measures and response capabilities. | Details |
|---|
| Vulnerability Scanning | A vulnerability scan is a technical examination of the security status of your IT system. | Details |
|---|
| Vulnerability Management | The management of known vulnerabilities in networks and information systems to prevent adverse impact on the organisations function. | Details |
|---|