An information security strategy shall be defined and an operating model developed to adhere to the strategy. In addition, information security plans shall be developed for each major service to identify and mitigate the risks corresponding to that service.
M1.1 ENTITY CONTEXT AND LEADERSHIP
OBJECTIVE
To establish leadership and a management framework to initiate and control the implementation of information security within the entity.
PERFORMANCE INDICATOR
Measured level of knowledge of information security roles and responsibilities, the role of top management, etc., e.g. by using a test.
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Insufficient resources
- Non-compliance with information security controls
- Incompetent information security personnel
- Incomplete or not up to date documentation
APPLICABLE CONTROLS
The following controls are applicable for this control family.
- M1.1.1 - P1 - UNDERSTANDING THE ENTITY AND ITS CONTEXT
- M1.1.2 - P1 - LEADERSHIP AND MANAGEMENT COMMITMENT
- M1.1.3 - P1 - ROLES AND RESPONSIBILITIES FOR INFORMATION SECURITY
M1.2 INFORMATION SECURITY POLICY
OBJECTIVE
To provide a framework and management direction and support for information security in the entity, in accordance with business requirements and relevant laws and regulations.
PERFORMANCE INDICATOR
Percentage of incidents identified within the last month that are related to non-compliance with any of the existing information security policies and procedures.
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Breaches of information security
- Unawareness of policies and procedures
- Non-compliance with information security controls
APPLICABLE CONTROLS
The following controls are applicable for this control family.
M1.3 ORGANIZATION OF INFORMATION SECURITY
OBJECTIVE
To establish a management framework to initiate and control the implementation of information security within the entity.
PERFORMANCE INDICATOR
Percentage of top management/business owners involved in the information security program, and percentage of strategic information security decisions submitted to and reviewed by top management.
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Breaches of information security
- Unawareness of policies and procedures
- Non-compliance with information security controls
- Insufficient resources
APPLICABLE CONTROLS
The following controls are applicable for this control family.
- M1.3.1 - P2 - AUTHORIZATION PROCESS FOR INFORMATION SYSTEMS
- M1.3.2 - P2 - CONFIDENTIALITY AGREEMENTS
- M1.3.3 - P4 - CONTACT WITH AUTHORITIES
- M1.3.4 - P4 - CONTACT WITH SPECIAL INTEREST GROUPS
- M1.3.5 - P1 - IDENTIFICATION OF RISKS RELATED TO EXTERNAL PARTIES
- M1.3.6 - P2 - ADDRESSING SECURITY WHEN DEALING WITH CUSTOMERS
- M1.3.7 - P2 - ADDRESSING SECURITY IN THIRD PARTY AGREEMENTS
M1.4 SUPPORT
OBJECTIVE
To provide sufficient resources, appropriate communication and documentation for the entity's information security program.
PERFORMANCE INDICATOR
Percentage of incidents that are caused by a lack of qualified resources for information security.
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Insufficient resources
- Non-compliance with information security controls
- Incompetent information security personnel
- Incomplete or not up to date documentation
APPLICABLE CONTROLS
The following controls are applicable for this control family.