Asset management
The data, personnel, devices, systems and facilities that enable the organisation to achieve its business objectives are identified and managed according to their relative importance to the organisation's business objectives and risk strategy.

Physical devices and systems within the organisation are inventoried
Software platforms and applications within the organisation are inventoried
Communication and data flows within the organisation are mapped
External information systems are catalogued
Resources (e.g. hardware, devices, data and software) are prioritised according to their classification, and business value
Cybersecurity roles and responsibilities for all staff and external stakeholders (e.g. suppliers, customers, partners) are defined.

Business environment
The organisation's mission, objectives, stakeholders and activities are understood and prioritised; this information is used to make decisions about cybersecurity roles, responsibilities and risk management.

The organisation's role in the supply chain is identified and communicated
The organisation's place in the critical infrastructure and business sector is identified and communicated
The priorities for the organisation's mission, objectives and activities are identified and communicated
The dependencies and critical functions for the delivery of critical services are identified
Resilience requirements to support the delivery of critical services are identified

Governance
The policies, procedures and processes for managing and monitoring the organisation's regulatory, legal, risk, environmental and operational requirements are understood and form the basis for cyber security risk management.

The organisation's information security policy is in place.
Information security roles and responsibilities are coordinated and aligned with internal roles and external partners.
Legal and regulatory cyber security requirements, including privacy and civil liberties obligations, are understood and addressed.
Governance and risk management processes address cybersecurity risks

Access control
Access to assets and associated facilities is limited to authorised users, processes or devices, and to authorised activities and transactions.

Identities and credentials are managed for authorised devices and users
Physical access to assets is managed and protected
Remote access is managed
Access rights are managed, respecting the principles of least privilege and segregation of duties
Network integrity is protected, including network segregation where appropriate

Awareness
The organisation's staff and partners receive cyber security education and are adequately trained to perform their information security-related duties and responsibilities in accordance with relevant policies, procedures and agreements.

All users are informed and trained
Authorised users understand roles and responsibilities
External stakeholders (e.g. suppliers, customers, partners) understand roles and responsibilities
Senior managers understand roles and responsibilities
Physical and information security staff understand roles and responsibilities

Data security
Information and records (data) are managed in line with the organisation's risk strategy to protect the confidentiality, integrity and availability of information.

Data at rest are protected
Data in transit are protected
Assets are formally managed during disposal, transfer and disposition
Sufficient capacity is maintained to ensure availability
Protective measures against data leakage are implemented
Integrity control mechanisms are used to verify the integrity of software, firmware and information
The development and test environment(s) are separated from the production environment

Information security process and procedures
Information security processes and procedures (PR.IP): Security policies (covering purpose, scope, roles, responsibilities, management commitment and coordination between organisational entities), processes and procedures are maintained and used to manage the protection of information systems and assets.

A basic configuration of information technology/industrial control systems is established and maintained.
A system development cycle for managing systems is implemented.
There are control processes for configuration changes.
Backups of information are established, maintained and periodically tested.
Policies and regulations regarding the organisation's physical operating environment for assets are complied with.
Data is destroyed according to policy
Security processes are continuously improved
The effectiveness of protection technologies is shared with appropriate parties response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
Response and recovery plans are tested
Cyber security is included in personnel policies (e.g. personnel screening)
A vulnerability management plan is developed and implemented

Maintenance
Maintenance and repairs of industrial control and information system components are carried out in accordance with policies and procedures.

Maintenance and repair of organisational assets are performed and recorded in a timely manner, using approved and controlled tools.
Remote maintenance of organisational assets is approved, recorded and performed in a manner that prevents unauthorised access

Protective technology
Technical security solutions are managed to ensure the security and resilience of systems and assets, in accordance with related policies, procedures and agreements.

Audit/log records are determined, documented, implemented and reviewed in accordance with policy
Removable media are protected and their use restricted in accordance with policy
Access to systems and assets is controlled, respecting the principle of least functionality
Communication and control networks are protected

Anomalies and events
Anomalies are detected in a timely manner and the potential impact of events is understood.

A baseline of network operations and expected data flows for users and systems is established and managed
Observed events are analysed to understand attack targets and methods
Event data is aggregated and correlated from multiple sources and sensors
The impact of events is determined and thresholds for incident alerts are set

Continuous monitoring of security
The information system and assets are monitored at discrete intervals to identify cyber security events and verify the effectiveness of protection measures.

The network is monitored to detect potential cyber security events
The physical environment is monitored to detect potential cyber security events
Staff activities are monitored to detect potential cyber security events
Malicious code is detected
Unauthorised mobile code is detected
External service providers' activity is monitored to detect potential cyber security events
Checks are made for unauthorised personnel, unauthorised connections, unauthorised devices and unauthorised software
Scans for vulnerabilities are performed

Detection processes
Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Response planning
Response processes and procedures are implemented and maintained, to ensure timely response to detected cyber security events.

Response plan is implemented during or after an event

Communications
Response activities are coordinated with internal and external stakeholders as appropriate, including external support from law enforcement agencies.

Personnel know their role and the sequence of operations when a response is required
Events are reported in accordance with established criteria
Information is shared in accordance with response plans
Coordination with stakeholders is done in accordance with response plans
Voluntary information sharing with external stakeholders to achieve broader situational awareness of cybersecurity

Analysis
Analysis is carried out to ensure adequate response and support recovery activities.

Reports from detection systems are investigated
The impact of the incident is understood
Forensic investigations are carried out
Incidents are categorised in accordance with response plans

Recovery planning
Recovery processes and procedures are implemented and maintained to ensure timely recovery of systems or assets affected by cyber security events.

The recovery plan will be implemented during or after an event

Improvements
Recovery planning and processes will be improved by incorporating lessons learned into future activities.

Recovery plans incorporate lessons learned.
Recovery strategies are updated

Communications
Recovery activities are coordinated with internal and external parties, such as coordination centres, Internet Service Providers, owners of attacking systems, victims, other CSIRTs and vendors.

Public relations are managed
Post-event reputation is restored
Recovery activities are communicated to internal stakeholders and executive and management teams