Cybersecurity NIST Audit Program - FINAL


NIST Cybersecurity Framework ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework

Column Name: Process Sub-area
Description: An activity within an overall process influenced by the enterprise's policies and procedures that takes inputs from a number of sources, manipulates the inputs and produces outputs.
Instructions: To make the audit program manageable, it is recommended to break out the scope of the audit into sub-areas. The auditor can modify this field to entity-specific names and terms. ISACA has used the most commonly used terms as the basis to develop this audit program.

Column Name: Ref. Risk
Description: Specifies the risk this control is intended to address.
Instructions: This field can be used to input a reference/link to risk described in the entity's risk register or enterprise risk management (ERM) system or to input a description of the risk a particular control is intended to address.

Column Name: Control Objectives
Description: A statement of the desired result or purpose that must be in place to address the inherent risk in the review areas within scope.
Instructions: This field should describe the behaviors, technologies, documents or processes expected to be in place to address the inherent risk that is part of the audit scope. An IS audit manager can review this information to determine whether the review will meet the audit objectives based on the risk and control objectives included in the audit program.

Column Name: Controls
Description: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature.
Instructions: This field should describe in detail the control activities expected to be in place to meet the control objective. Control activities can be in roles and responsibilities, documentation, forms, reports, system configuration, segregation of duties, approval matrices, etc. An IS audit manager performing a quality control review must decide whether an auditor has planned to identify enough controls on which to base an assessment and whether the planned evidence is sufficiently objective.

Copyright 2016 ISACA Page 1 of 18


Column Name: Control Type
Description: Controls can be automated (technical), manual (administrative) or physical.
  - Automated/technical controls are things managed or performed by computer systems.
  - Manual/administrative controls are usually things that employees can or cannot do.
  - Physical controls include locks, fences, mantraps and even geographic-specific controls.
Instructions: Specify whether the control under review is automated, manual, physical or a combination. This information is useful in determining the testing steps necessary to obtain assessment evidence.

Column Name: Control Classification
Description: Another way to classify controls is by the way they address a risk exposure.
  - Preventive controls should stop an event from happening.
  - Detective controls should identify an event when it is happening and generate an alert that prompts a corrective control to act.
  - Corrective controls should limit the impact of an event and help resume normal operations within a reasonable time frame.
  - Compensating controls are alternate controls designed to accomplish the intent of the original controls as closely as possible when the originally designed controls cannot be used due to limitations of the environment.
Instructions: Specify whether the control under review is preventive, detective, corrective or compensating. This information will be helpful when defining testing steps and requesting evidence.


Column Name: Control Frequency
Description: Control activities can occur in real time, daily, weekly, monthly, annually, etc.
Instructions: Specify whether the control under review occurs in real time, daily, weekly, monthly, annually, etc. This information will be helpful when defining testing steps and requesting evidence.

Column Name: Testing Step
Description: Identifies the steps being tested to evaluate the effectiveness of the control under review.
Instructions: This field should describe in detail the steps necessary to test control activities and collect supporting documentation. The auditor can modify this field to meet entity-specific needs. ISACA has used a set of generic steps to develop this audit program. An IS audit manager may determine if the proposed steps are adequate to review a particular control.

Column Name: NIST Ref. to COBIT 5
Description: Identifies the COBIT 5 processes related to the control objective or control activities as defined by the NIST Cybersecurity Framework.

Column Name: Additional Ref. COBIT 5
Description: Identifies additional COBIT 5 processes related to the control objective or control activities.
Instructions: Input the COBIT 5 process or practice that relates to this control.

Column Name: Ref. Framework/Standards
Description: Specifies frameworks and/or standards that relate to the control under review (e.g., NIST, HIPAA, SOX, ISO).
Instructions: Input references to other frameworks used by the entity as part of their compliance program.

Column Name: Ref. Workpaper
Description: The evidence column usually contains a reference to other documents that contain the evidence supporting the pass/fail mark for the audit step.
Instructions: Specify the location of supporting documentation detailing the audit steps and evidence obtained. An IS audit manager performing a quality control review must decide whether an auditor has tested enough controls on which to base an assessment and whether the obtained evidence is sufficiently objective to support a pass or fail conclusion.

Column Name: Pass/Fail
Description: Document preliminary conclusions regarding the effectiveness of controls.
Instructions: Specify whether the overall control is effective (Pass) or not effective (Fail) based on the results of the testing.

Column Name: Comments
Description: Free-format field.
Instructions: Document any notes related to the review of this Process Sub-area or specific control activities.


NIST Cybersecurity Framework - Identify ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Identify

Columns: Process Sub-Area; Ref. Risk; Control Objectives; Controls; Control Type; Control Classification; Control Frequency; Testing Step; NIST Ref. to COBIT 5; Additional Ref. COBIT 5; Ref. Framework/Standards; Ref. Workpaper; Pass/Fail; Comments

Process Sub-Area: Asset Management
Control Objective: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.

Control: Physical devices and systems within the organization are inventoried.
Testing Step:
  1. Obtain a copy of the physical devices and systems inventory. Review the inventory considering the following:
     a. Scope of physical devices and systems is based on the organization's risk appetite (e.g., systems that contain sensitive information, allow access to the network, or are critical to business objectives)
     b. Completeness of inventory (e.g., location, asset number, owner)
     c. Inventory collection process ensures new devices are collected accurately and in a timely manner (e.g., automated software to detect and/or store the inventory)
     d. Frequency of inventory reviews
NIST Ref. to COBIT 5: BAI09.01; BAI09.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.1.1; A.8.1.2

Control: Software platforms and applications within the organization are inventoried.
Testing Step:
  1. Obtain a copy of the software inventory. Review the inventory considering the following:
     a. Scope of software inventory is based on the organization's risk appetite (e.g., software that processes, stores or accesses sensitive information or is critical to business objectives)
     b. Completeness of inventory (e.g., version, system, vendor, owner)
     c. Inventory collection process ensures new software is collected accurately and in a timely manner (e.g., automated software to detect and/or store the inventory)
     d. Frequency of inventory reviews
NIST Ref. to COBIT 5: BAI09.01; BAI09.02; BAI09.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.1.1; A.8.1.2

Control: Organizational communication and data flows are mapped.
Testing Step:
  1. Ensure the organization maintains accurate and current copies of data flow diagram(s) (DFD), logical network diagram(s) (LND), and/or other diagrams to show organizational communication and data flow.
NIST Ref. to COBIT 5: DSS05.02
Additional Ref. COBIT 5: APO01.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.13.2.1

Control: External information systems are cataloged.
Testing Step:
  1. If the organization relies on information systems hosted by third parties, obtain a copy of the external systems inventory. Review the third-party inventory considering the following:
     a. Scope of external systems is based on the organization's risk appetite (e.g., systems that store, process or access sensitive information or are critical to business objectives).
     b. Completeness of inventory (e.g., location, third party, owner, etc.)
     c. Inventory collection process ensures new systems are collected accurately and in a timely manner (e.g., automated software to detect and/or store the inventory)
     d. Frequency of inventory reviews
NIST Ref. to COBIT 5: APO02.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.2.6

Control: Resources (e.g., hardware, devices, data and software) are prioritized based on their classification, criticality and business value.
Testing Step:
  1. Obtain a copy of the organization's data classification program (classification may also be identified in the risk assessment or business impact analysis).
  2. Review the program to determine if key resources (e.g., hardware, devices, data, software) are classified and prioritized based on criticality and business value.
NIST Ref. to COBIT 5: APO03.03; APO03.04; BAI09.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.1

Control: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
Testing Step:
  1. Review cybersecurity policies, information security policies, job descriptions, agreements, RACI charts, service level agreements (SLAs) and/or contracts to determine if they include cybersecurity roles and responsibilities.
NIST Ref. to COBIT 5: APO01.02; DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1

Process Sub-Area: Business Environment
Control Objective: The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Control: The organization's role in the supply chain is identified and communicated.
Testing Step:
  1. Obtain documentation or evidence (e.g., cybersecurity strategy, business continuity plan, information system acquisition procedures, business impact analysis, acquisition/procurement process, key supplier reviews, supplier relationship management, supplier due diligence reports) to determine whether the organization has clearly defined and understands its role in the supply chain.
NIST Ref. to COBIT 5: APO08.04; APO08.05; APO10.03; APO10.04; APO10.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.15.1.3; A.15.2.1; A.15.2.2

Control: The organization's place in critical infrastructure and its industry sector is identified and communicated.
Testing Step:
  1. Obtain documentation or evidence (e.g., mission statement, business continuity policy, strategic plan) that the organization has clearly defined and understands its role in its industry sector and its role within national critical infrastructure, as defined by the Department of Homeland Security (https://www.dhs.gov/what-critical-infrastructure).
NIST Ref. to COBIT 5: APO02.06; APO03.01

Control: Priorities for organizational mission, objectives and activities are established and communicated.
Testing Step:
  1. Determine if the organization has a strategic plan defining enterprise goals. Ensure enterprise goals are aligned with stakeholder interests.
  2. Determine if the organization's mission statement and objectives are clearly published in a way employees can easily see or access them.
  3. Determine if an IT strategic plan is documented, defines goals and is mapped to enterprise goals.
  4. Determine if employees are educated on the organization's mission and objectives.
NIST Ref. to COBIT 5: APO02.01; APO02.06; APO03.01

Control: Dependencies and critical functions for delivery of critical services are established.
Testing Step:
  1. Obtain the organization's business continuity plan, disaster recovery plan, business impact analysis and risk assessments and review for the following:
     a. Information systems and software supporting critical business functions are identified and prioritized based on maximum allowable downtime.
     b. Third parties who support critical business functions and information systems/software are identified and prioritized.
NIST Ref. to COBIT 5: BAI04.02; BAI09.01; BAI09.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.2.2; A.11.2.3; A.12.1.3

Control: Resilience requirements to support delivery of critical services are established.
Testing Step:
  1. Determine if the organization's business continuity and disaster recovery plans (including business impact analysis) support resilience of critical services.
  2. Determine if appropriate due diligence information (e.g., business continuity plans (BCP), service level agreements (SLA), Service Organization Control (SOC) reports) is in place and reviewed to ensure resilience requirements of the organization can be met by critical third-party services.
NIST Ref. to COBIT 5: DSS04.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.1.4; A.17.1.1; A.17.1.2; A.17.2.1

Process Sub-Area: Governance
Control Objective: The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Control: Organizational information security policy is established.
Testing Step:
  1. Obtain a copy of the information security policy.
  2. Determine if the policy is complete and has been approved by a governance structure within the organization.
  3. Determine if the policy is communicated to employees.
NIST Ref. to COBIT 5: APO01.03; EDM01.01; EDM01.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.5.1.1

Control: Information security roles and responsibilities are coordinated and aligned with internal roles and external partners.
Testing Step:
  1. Determine if information security roles and responsibilities are defined. Roles and responsibilities may be defined in policies, job descriptions, agreements, RACI charts, hierarchy charts and/or contracts.
  2. Determine if there is sufficient independence within the information security roles in order to provide adequate separation of duties for critical functions.
  3. Review contracts, nondisclosure agreements (NDAs) and service level agreements (SLAs) with critical vendors to determine if cybersecurity controls and incident notification are addressed appropriately.
NIST Ref. to COBIT 5: APO01.02; APO13.12
Additional Ref. COBIT 5: DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.7.2.1

Control: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
Testing Step:
  1. Obtain a list of all relevant legal and regulatory requirements for the organization.
  2. Determine if the cybersecurity program is mapped to legal and regulatory requirements.
  3. Review any recent regulatory cybersecurity exams or audits. If any exceptions were noted in audits, determine how the organization responded to exceptions.
  4. Determine if critical third-party contracts are reviewed by legal counsel prior to execution.
  5. Determine if there is a formalized process in place to monitor and review changes in cybersecurity laws and regulations.
NIST Ref. to COBIT 5: MEA03.01; MEA03.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.18.1

Control: Governance and risk management processes address cybersecurity risk.
Testing Step:
  1. Determine the adequacy of executive or board oversight and understanding of cybersecurity. Consider the following:
     a. Risk Management
     b. Governance Structures
     c. Security Oversight
     d. Training
     e. Accountability
     f. Reporting
NIST Ref. to COBIT 5: DSS04.02
Additional Ref. COBIT 5: EDM01.01; EDM01.02; EDM01.03; EDM03.01; EDM03.03


Process Sub-Area: Risk Assessment
Control Objective: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Control: Asset vulnerabilities are identified and documented.
Testing Step:
  1. Determine if vulnerability testing is conducted and analyzed on critical organizational assets (e.g., assets important to business objectives and the organization's risk strategy).
NIST Ref. to COBIT 5: APO12.01; APO12.02; APO12.03; APO12.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.6.1; A.18.2.3

Control: Threat and vulnerability information is received from information sharing forums and sources.
Testing Step:
  1. Determine if the organization is a member of or subscribes to a threat and vulnerability information sharing organization (e.g., United States Computer Emergency Readiness Team [US-CERT]).
  2. Determine if the organization has a formal process in place for disseminating threat and vulnerability information to individuals with the expertise to review the information and the authority to mitigate risk posed to the organization.
NIST Ref. to COBIT 5: APO12.01; BAI08.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.4

Control: Threats, both internal and external, are identified and documented.
Testing Step:
  1. Review risk assessments to determine if internal and external threats are identified and documented.
  2. Determine if the organization has developed processes to actively monitor and report potential threats.
NIST Ref. to COBIT 5: APO12.01; APO12.02; APO12.03; APO12.04

Control: Potential business impacts and likelihoods are identified.
Testing Step:
  1. Review risk assessments and business impact analysis to determine if likelihood and potential impacts are identified and analyzed for threats.
NIST Ref. to COBIT 5: APO12.02; DSS04.02
Additional Ref. COBIT 5: BAI04.02

Control: Threats, vulnerabilities, likelihoods and impacts are used to determine risk.
Testing Step:
  1. Determine if the risk assessment process identifies reasonably foreseeable internal and external threats and vulnerabilities, the likelihood and potential damage of those threats, and the sufficiency of controls to mitigate the risk associated with those threats.
NIST Ref. to COBIT 5: APO12.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.6.1

Control: Risk responses are identified and prioritized.
Testing Step:
  1. Obtain the organization's risk management plan and/or other documentation showing the organization's response to risk levels identified in the risk assessment. Determine if the risk management plan is designed to accept or reduce risk level in accordance with the organization's risk appetite.
  2. Obtain copies of management responses to recent cybersecurity-related audits and assessments to determine if exceptions noted in audits or assessments are identified and prioritized.
NIST Ref. to COBIT 5: APO12.05; APO13.02

Process Sub-Area: Risk Management Strategy
Control Objective: The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Control: Risk management processes are established, managed and agreed to by organizational stakeholders.
Testing Step:
  1. Evaluate the framework or process used for risk management. Consider the following:
     a. Is the process formally documented?
     b. Is the process regularly updated?
     c. Is the process repeatable and measurable?
     d. Does the process have an owner?
     e. Are stakeholders involved in or informed of the process?
NIST Ref. to COBIT 5: APO12.04; APO12.05; APO13.02; BAI02.03; BAI04.02

Control: Organizational risk tolerance is determined and clearly expressed.
Testing Step:
  1. Determine if the organization has defined and approved a cyberrisk appetite statement.
NIST Ref. to COBIT 5: APO12.03; APO12.06
Additional Ref. COBIT 5: EDM03.01

Control: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis.
Testing Step:
  1. Obtain a copy of the organization's risk management strategy and risk appetite statement to determine if these align with its role in critical infrastructure (as defined by the national infrastructure protection plan [NIPP] and sector-specific plans).
NIST Ref. to COBIT 5: APO04.03


NIST Cybersecurity Framework - Protect ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Protect

Columns: Process Sub-Area; Ref. Risk; Control Objectives; Controls; Control Type; Control Classification; Control Frequency; Testing Step; NIST Ref. to COBIT 5; Additional Ref. COBIT 5; Ref. Framework/Standards; Ref. Workpaper; Pass/Fail; Comments

Process Sub-Area: Access Control
Control Objective: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

Control: Identities and credentials are managed for authorized devices and users.
Testing Step:
  1. Determine whether access to network devices (e.g., servers, workstations, mobile devices, firewalls) is restricted by:
     a. Unique user logon IDs
     b. Complex passwords
     c. Multifactor authentication
     d. Automatic timeout if left unattended
     e. Automatic lockout after repeated failed access attempts
     f. Changing default administrative account names and passwords
  2. Determine whether password parameters comply with organization policy and/or applicable industry requirements. Consider the following:
     a. Length, complexity, change requirements, history
     b. Are passwords suppressed from all output?
     c. Are password files encrypted and restricted?
  3. Review termination procedures to ensure credentials are revoked or changed when an employee leaves.
     a. Spot-check accounts to ensure user access is revoked following termination and accounts are deleted according to policy.
NIST Ref. to COBIT 5: DSS05.04; DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.9.2.1; A.9.2.2; A.9.2.4; A.9.3.1; A.9.4.2; A.9.4.3

Control: Physical access to assets is managed and protected.
Testing Step:
  1. Determine whether physical access to key assets (e.g., server rooms, network closets, zones) is physically restricted by:
     a. Locked doors
     b. Surveillance
     c. Fences or walls
     d. Logs
     e. Visitor escorts
  2. Determine whether policies and procedures allow only authorized personnel access to sensitive areas.
  3. Review termination procedures to ensure physical access is removed once an employee leaves.
NIST Ref. to COBIT 5: DSS01.04; DSS05.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.1.1; A.11.1.2; A.11.1.4; A.11.1.6; A.11.2.3

Control: Remote access is managed.
Testing Step:
  1. Determine whether policies and procedures related to remote users' access capabilities are formalized. Consider the following:
     a. Remote users (e.g., employees, contractors, third parties) with access to critical systems are approved and documented.
     b. Remote connections are only opened as required.
     c. Remote connections are logged and monitored.
     d. Remote connections are encrypted.
     e. Strong authentication is in place (e.g., multifactor, strong password parameters).
     f. The ability to wipe data remotely on mobile devices when data are missing or stolen is enabled.
     g. Institution security controls (e.g., antivirus, patch management) are required on remote devices connecting to the network.
NIST Ref. to COBIT 5: APO13.01; DSS01.04; DSS05.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.2.2; A.13.1.1; A.13.2.1

Control: Access permissions are managed, incorporating the principles of least privilege and separation of duties.
Testing Step:
  1. Review access rights and permissions for the network and any critical applications.
  2. Determine if user access profiles are consistent with their job functions (based on least privilege). Compare a sample of users' access authority with their assigned duties and responsibilities.
  3. Determine if access is granted for mission-critical functions and information system support functions in a way that reduces the risk of malevolent activity without collusion (e.g., critical processes require two people to perform the function).
  4. Determine if users with local administrative privilege on workstations require this level of access.
  5. Review how the organization restricts and/or monitors access to sensitive data by users with elevated network privilege.
  6. Determine if role-based access controls are implemented (e.g., roles rather than individual users are assigned access rights).
  7. Determine if there are regular reviews of access.
NIST Ref. to COBIT 5: DSS05.04; DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.2; A.9.1.2; A.9.2.3; A.9.4.1; A.9.4.4
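Several of the Access Control testing steps above (default administrative account names, least-privilege comparison of access against job function, separation of duties, local administrative privilege, and the post-termination spot-check) can be scripted against an account export once the auditor has it in hand. The following Python is an added example and not part of the ISACA audit program; the HR roster, account export, group names, role-to-entitlement matrix, approved-admin list and the 30-day deletion window are all constructed assumptions.

```python
"""Added example, not part of the ISACA audit program: reconcile a constructed HR
roster and directory account export against the Access Control testing steps."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set

# Constructed policy assumptions for the demonstration
DELETE_WITHIN_DAYS = 30                                   # policy: delete accounts within 30 days of termination
DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}  # step 1.f: default names are expected to be changed
LOCAL_ADMIN_GROUP = "Workstation-Local-Admins"            # step 4: local admin on workstations
APPROVED_LOCAL_ADMINS = {"jsmith"}                        # accounts with a documented business need on file
SOD_PAIRS = [{"ERP-Invoice-Entry", "ERP-Invoice-Approve"}]  # step 3: one person must not hold both
ROLE_MATRIX = {                                           # step 2: groups each job role may hold
    "accounts-payable": {"AP-Users", "ERP-Invoice-Entry"},
    "ap-supervisor": {"AP-Users", "ERP-Invoice-Approve"},
    "desktop-support": {"Helpdesk", LOCAL_ADMIN_GROUP},
}


@dataclass
class Employee:
    emp_id: str
    role: str
    terminated_on: Optional[date] = None   # None means still employed


@dataclass
class Account:
    name: str
    owner: Optional[str]                   # employee id; None for built-in accounts
    enabled: bool
    groups: Set[str] = field(default_factory=set)


def review_accounts(roster, accounts, as_of):
    """Return (account, finding code, detail) tuples for the auditor's workpaper."""
    emp = {e.emp_id: e for e in roster}
    findings = []
    for a in accounts:
        if a.name.lower() in DEFAULT_ADMIN_NAMES and a.enabled:          # step 1.f
            findings.append((a.name, "DEFAULT_ADMIN_NAME", "built-in account enabled under its default name"))
        if a.owner is None:
            continue
        e = emp.get(a.owner)
        if e is None:
            findings.append((a.name, "ORPHAN", f"owner {a.owner} not found in HR roster"))
            continue
        if e.terminated_on is not None:                                   # step 3.a
            days = (as_of - e.terminated_on).days
            if a.enabled:
                findings.append((a.name, "TERMINATED_STILL_ENABLED", f"terminated {e.terminated_on}"))
            if days > DELETE_WITHIN_DAYS:
                findings.append((a.name, "TERMINATED_NOT_DELETED", f"still exists {days} days after termination"))
            continue
        for g in sorted(a.groups - ROLE_MATRIX.get(e.role, set())):     # step 2: least privilege
            findings.append((a.name, "EXCESS_ENTITLEMENT", f"{g} is not in the role matrix for {e.role}"))
        for pair in SOD_PAIRS:                                            # step 3: separation of duties
            if pair <= a.groups:
                findings.append((a.name, "SOD_CONFLICT", " + ".join(sorted(pair))))
        if LOCAL_ADMIN_GROUP in a.groups and a.name not in APPROVED_LOCAL_ADMINS:   # step 4
            findings.append((a.name, "UNAPPROVED_LOCAL_ADMIN", "no documented business need"))
    return findings


# Constructed sample: HR roster and account export as of the review date
SAMPLE_ROSTER = [
    Employee("E100", "accounts-payable"),
    Employee("E101", "ap-supervisor"),
    Employee("E102", "accounts-payable", terminated_on=date(2016, 1, 15)),
    Employee("E103", "desktop-support"),
    Employee("E104", "accounts-payable", terminated_on=date(2016, 3, 1)),
    Employee("E105", "accounts-payable"),
]
SAMPLE_ACCOUNTS = [
    Account("administrator", None, True, {"Domain Admins"}),
    Account("aperez", "E100", True, {"AP-Users", "ERP-Invoice-Entry"}),
    Account("bkim", "E101", True, {"AP-Users", "ERP-Invoice-Entry", "ERP-Invoice-Approve"}),
    Account("cdoe", "E102", True, {"AP-Users"}),
    Account("jsmith", "E103", True, {"Helpdesk", LOCAL_ADMIN_GROUP}),
    Account("mlee", "E104", False, {"AP-Users"}),
    Account("svc_backup", "E999", True, {"Backup-Operators"}),
    Account("rpatel", "E105", True, {"AP-Users", LOCAL_ADMIN_GROUP}),
]
REVIEW_DATE = date(2016, 3, 10)

if __name__ == "__main__":
    for name, code, detail in review_accounts(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{name:14} {code:26} {detail}")
```

Accounts such as mlee (disabled, terminated nine days before the review) produce no finding because they are still inside the deletion window, which is exactly the policy parameter the auditor should confirm before running the comparison.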

Control: Network integrity is protected, incorporating network segregation where appropriate.
Testing Step:
  1. Review network diagrams and data flow diagrams.
  2. Determine if high-value/critical systems are separated from high-risk systems (e.g., VLAN, DMZ, hard backups, air-gapping) where possible.
  3. Determine if the organization has a formal process to approve data flows and/or connections between networks and/or systems.
NIST Ref. to COBIT 5: DSS05.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.13.1.1; A.13.1.3; A.13.2.1

Process Sub-Area: Awareness Training
Control Objective: The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

Control: All users are informed and trained.
Testing Step:
  1. Review the acceptable use policy and/or training materials to ensure content is adequate.
  2. Review user training reports and/or documentation to ensure users are trained in accordance with applicable policy, guidance, and/or requirements (e.g., annual cybersecurity training of all employees).
  3. Determine whether training materials are updated based on changes in the cyberthreat environment.
NIST Ref. to COBIT 5: APO07.03; BAI05.07
Ref. Framework/Standards: ISO/IEC 27001:2013 A.7.2.2

Control: Privileged users understand roles and responsibilities.
Testing Step:
  1. Determine if the organization has a process to identify privileged users.
  2. Determine if privileged users' roles are well defined and if privileged users are trained based on their responsibilities.
  3. Review training material and/or user agreements to ensure users with elevated privileges are taught the security roles and responsibilities associated with elevated privileges.
NIST Ref. to COBIT 5: APO07.02; DSS06.03
Additional Ref. COBIT 5: APO07.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.7.2.2

Control: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles and responsibilities.
Testing Step:
  1. Review applicable third-party contracts, customer agreements, and partner agreements to ensure security roles and responsibilities are clearly defined.
  2. Review the organization's vendor management program to ensure third parties are complying with cybersecurity responsibilities defined in contracts and agreements.
NIST Ref. to COBIT 5: APO07.03; APO10.04; APO10.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.7.2.2

Control: Senior executives understand roles and responsibilities.
Testing Step:
  1. Review training and continuing education programs for senior executives. Consider the following:
     a. Cybersecurity knowledge and skill levels needed to perform their duties are defined.
     b. Specific role-based training is assigned based on cybersecurity roles and responsibilities.
     c. A method is in place to measure senior executives' cybersecurity knowledge and understanding against organization requirements.
     d. Training and education materials are updated to reflect changes in the threat environment.
NIST Ref. to COBIT 5: APO07.03
Additional Ref. COBIT 5: EDM01.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.7.2.2

Control: Physical and information security personnel understand roles and responsibilities.
Testing Step:
  1. Review training and continuing education programs for physical and information security personnel. Consider the following:
     a. Knowledge and skill levels needed to perform physical and information security duties are defined.
     b. Specific role-based training is assigned based on physical and information security roles and responsibilities.
     c. A method is in place to measure physical and information security personnel's cybersecurity knowledge and understanding against organization requirements.
     d. Training and education materials are updated to reflect changes in the threat environment.
NIST Ref. to COBIT 5: APO07.03
Additional Ref. COBIT 5: DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.7.2.2

1. Determine if confidential or sensitive data is identified on the


organization's network (e.g., data classification, risk assessment).
Data-at-rest is protected. 2. Determine if confidential data is secured (e.g., strong encryption as defined
by industry best practices) at rest.
3. Determine if mobile devices (e.g., laptops, tablets, removable media) that APO01.06;
are used to store confidential data are encrypted. BAI02.01;
4. Review contracts with third parties storing confidential data to ensure BAI06.01; ISO/IEC
appropriate security controls are in place for sensitive data at rest. DSS06.06 27001:2013 A.8.2.3

1. Determine if sensitive information is secured (e.g., strong encryption as


defined by industry best practices) when transmitted across publicly-
Data-in-transit is protected. accessible networks.
2. Determine if adequate policies are in place regarding transmission of
confidential or sensitive information via email.
3. Review training materials and/or acceptable use policy to determine ISO/IEC
whether employees are instructed on organization policy regarding data 27001:2013
transmission. A.8.2.3; A.13.1.1;
4. Review contracts with third parties transmitting confidential data to ensure APO01.06; A.13.2.1; A.13.2.3;
appropriate security controls are in place for transmission of sensitive data. DSS06.06 A.14.1.2; A.14.1.3

Copyright 2016 ISACA Page 8 of 18

Information and records


NIST Cybersecurity Framework - Protect ISACA IS Audit/Assurance Program

IS Audit/Assurance Progam
Cybersecurity: Based on the NIST Cybersecurity Framework - Protect

Process Ref. Control Control Control NIST Ref. to Additional Ref. Ref. Framework/ Ref. Pass/
Sub-Area Risk Control Objectives Controls Type Classification Frequency Testing Step COBIT 5 COBIT 5 Standards Workpaper Fail Comments

Process Sub-Area: Data Security
Ref. Risk: Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.

Control Objective: Assets are formally managed throughout removal, transfers and disposition.
NIST Testing Step:
1. Review asset inventory policies and procedures. Consider the following:
   a. Formalized processes in place
   b. Accuracy of asset tracking
   c. Secure removal or destruction of confidential information from decommissioned assets
Ref. to COBIT 5: BAI09.03
Additional COBIT 5: DSS05.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.3; A.8.3.1; A.8.3.2; A.8.3.3; A.11.2.7

Control Objective: Adequate capacity to ensure availability is maintained.
NIST Testing Step:
1. Review a sample of capacity management monitoring reports used to monitor critical resources such as network bandwidth, CPU, disk utilization, etc.
2. Determine if resources have adequate capacity (e.g., disk space, CPU).
3. Determine if the risk of distributed denial-of-service (DDoS) has been addressed and is in line with the organization's risk appetite.
Ref. to COBIT 5: APO13.01
Additional COBIT 5: BAI02.01; BAI03.05; BAI04.01; BAI04.02; BAI04.03; BAI04.04; BAI04.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.3.1

Control Objective: Protections against data leaks are implemented.
NIST Testing Step:
1. Review risk assessments, information security meeting minutes and information security strategies to determine if the risk of data loss or exfiltration of confidential data is being considered.
2. Ensure controls or tools (e.g., data loss prevention) are in place to detect or block potential unauthorized or unintentional transmission or removal of confidential data (e.g., email, FTP, USB devices, Telnet).
Ref. to COBIT 5: APO01.06
Additional COBIT 5: DSS05.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.2; A.7.1.1; A.7.1.2; A.7.3.1; A.8.2.2; A.8.2.3; A.9.1.1; A.9.1.2; A.9.2.3; A.9.4.1; A.9.4.4; A.9.4.5; A.13.1.3; A.13.2.1; A.13.2.3; A.13.2.4; A.14.1.2; A.14.1.3

Control Objective: Integrity checking mechanisms are used to verify software, firmware and information integrity.
NIST Testing Step:
1. Determine if the organization employs integrity verification tools (e.g., parity checks, cyclic redundancy checks, cryptographic hashes) to detect unauthorized changes to software (e.g., middleware, applications and operating systems with key internal components such as kernels, drivers), firmware (e.g., Basic Input Output System [BIOS]), and information (e.g., metadata such as security attributes associated with information).
Ref. to COBIT 5: APO01.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.2.1; A.12.5.1; A.14.1.2; A.14.1.3
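To make the integrity-verification test step above concrete, here is an added example (not part of the ISACA audit program) of the kind of cryptographic-hash check an auditor would expect to find: a SHA-256 manifest recorded while a system is in its approved state and re-verified later, reporting modified, missing and added files. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Added example, not part of the ISACA audit program: a baseline-manifest
integrity check of the kind the PR.DS-6 test step asks the auditor to look for.

A known-good manifest (relative path -> SHA-256 hex digest) is recorded while a
system is in its approved state. A later run recomputes the digests and reports
files that were modified, removed, or added since the baseline. The sample
directory tree below is constructed for the demonstration."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries (kernels, firmware images) need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (as a forward-slash relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(baseline, current):
    """Compare a recorded baseline with a freshly built manifest.

    Returns sorted lists of paths whose digest changed (modified), paths in the
    baseline that no longer exist (missing) and paths that are new (added).
    hmac.compare_digest keeps the digest comparison constant-time."""
    modified = [p for p in baseline
                if p in current and not hmac.compare_digest(baseline[p], current[p])]
    missing = [p for p in baseline if p not in current]
    added = [p for p in current if p not in baseline]
    return {"modified": sorted(modified), "missing": sorted(missing), "added": sorted(added)}


def is_clean(result):
    """True when the system still matches its baseline in every respect."""
    return not (result["modified"] or result["missing"] or result["added"])


def _write(root, rel_path, data):
    """Create a constructed sample file, making parent directories as needed."""
    full = os.path.join(root, *rel_path.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: record a baseline of three files, then alter one,
    delete one and drop in an unexpected file. Returns the verification result."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"\x7fELF constructed sample binary\n")
        _write(root, "boot/vmlinuz", b"constructed kernel image\n")
        _write(root, "etc/sshd_config", b"PermitRootLogin no\n")
        baseline = build_manifest(root)  # taken in the approved state

        _write(root, "bin/login", b"\x7fELF constructed sample binary, altered\n")  # modified
        os.remove(os.path.join(root, "etc", "sshd_config"))                          # missing
        _write(root, "bin/unexpected", b"constructed file not in baseline\n")       # added
        return verify_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        print(f"{kind}: {paths or '-'}")
    print("baseline intact" if is_clean(result) else "baseline violated")
```

In practice the baseline manifest must itself be stored where the monitored system cannot alter it (for example signed, or on a separate host), or an attacker who changes a file can simply re-record the manifest.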
Control Objective: The development and testing environment(s) are separate from the production environment.
NIST Testing Step:
1. If the organization maintains a software development or testing environment, review network diagrams, database connections and applicable firewall/router configurations to determine sufficiency of separation between these environments and the production network.
Ref. to COBIT 5: BAI07.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.1.4

Process Sub-Area: Information Protection Processes and Procedures

Control Objective: A baseline configuration of information technology/industrial control systems is created and maintained.
NIST Testing Step:
1. Determine if the organization has created or adopted baseline configurations (e.g., Center for Internet Security [CIS] benchmarks, Security Technical Implementation Guides [STIG]) for systems (e.g., servers, desktops, routers).
2. Sample systems against the organization's baseline configurations to ensure standards are followed and enforced.
Ref. to COBIT 5: BAI10.01; BAI10.02; BAI10.03; BAI10.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.1.2; A.12.5.1; A.12.6.2; A.14.2.2; A.14.2.3; A.14.2.4

Control Objective: A system development life cycle (SDLC) to manage systems is implemented.
NIST Testing Step:
1. Obtain and review a copy of the organization's system development life cycle.
2. Obtain samples of rollout documentation and rollout schedule to ensure compliance with policy.
Ref. to COBIT 5: APO13.01
Additional COBIT 5: BAI07.04; BAI07.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.5; A.14.1.1; A.14.2.1; A.14.2.5

Control Objective: Configuration change control processes are in place.
NIST Testing Step:
1. Determine if configuration change control processes for information systems are in place. Consider the following:
   a. Proposed changes are documented and approved.
   b. Changes are prohibited until designated approvals are received.
   c. Changes are tested and validated before implementation.
   d. Changes are documented and reported upon completion.
Ref. to COBIT 5: BAI06.01; BAI01.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.1.2; A.12.5.1; A.12.6.; A.14.2.2; A.14.2.3; A.14.2.4

Control Objective: Backups of information are conducted, maintained and tested periodically.
NIST Testing Step:
1. Determine if a formal backup and recovery plan exists.
2. Review backup procedures. Ensure periodic backup testing is performed to verify data are accessible and readable.
Ref. to COBIT 5: APO13.01
Additional COBIT 5: DSS04.07
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.3.1; A.17.1.2; A.17.1.3; A.18.1.3


Process Sub-Area: Information Protection Processes and Procedures
Ref. Risk: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

Control Objective: Policy and regulations regarding the physical operating environment for organizational assets are met.
NIST Testing Step:
1. Review physical security operating environment policies, procedures and plans. Ensure the following are addressed:
   a. Emergency shutoff
   b. Emergency lighting
   c. Emergency power
   d. Fire protection
   e. Temperature and humidity control
   f. Water damage protection
   g. Location of information system components (to minimize damage)
Ref. to COBIT 5: DSS01.04; DSS05.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.1.4; A.11.2.1; A.11.2.2; A.11.2.3

Control Objective: Data is destroyed according to policy.
NIST Testing Step:
1. Review media sanitization (data destruction) policies.
2. Ensure sanitization techniques and procedures are commensurate with the security category or classification of the information or asset and in accordance with applicable federal and organizational standards and policies.
3. Spot-check trash cans, dumpsters, shred bins and/or shredders to ensure compliance with policy.
4. Obtain proof (e.g., destruction certificates) that media sanitization is occurring according to policy.
Ref. to COBIT 5: BAI09.03
Additional COBIT 5: DSS05.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.3; A.8.3.1; A.8.3.2; A.11.2.7

Control Objective: Protection processes are continuously improved.
NIST Testing Step:
1. Review the organization's policies and procedures related to continually improving protection processes. Consider the following:
   a. Ongoing audits, assessments and vulnerability scanning are conducted, reviewed and responded to.
   b. Plans, processes and policies are updated based on lessons learned from tests (e.g., business continuity, disaster recovery, incident response).
   c. A designated position and/or committee is responsible for continuous evaluation of the organization's information security needs and posture.
   d. Threat information is gathered and changes in the threat environment are responded to.
Ref. to COBIT 5: APO11.06; DSS04.05

Control Objective: Effectiveness of protection technologies is shared with appropriate parties.
NIST Testing Step:
1. Determine if the organization participates in information sharing and analysis groups.
2. Determine if the organization facilitates information sharing by enabling authorized users to share authorized information with sharing partners.
Ref. to COBIT 5: BAI08.01; MEA02.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.6

Control Objective: Response plans (incident response and business continuity) and recovery plans (incident recovery and disaster recovery) are in place and managed.
NIST Testing Step:
1. Review incident response and business continuity plans to determine if the institution has documented how it will respond to a cyberincident.
2. Evaluate plans to determine how frequently they are updated and approved.
Ref. to COBIT 5: DSS04.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.1; A.17.1.1; A.17.1.2

Control Objective: Response and recovery plans are tested.
NIST Testing Step:
1. Determine whether business continuity and incident response tests are performed according to policy and any applicable guidance.
Ref. to COBIT 5: DSS04.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.17.1.3

Control Objective: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).
NIST Testing Step:
1. Review hiring procedures to determine whether background checks/screenings are performed for all employees.
2. Review hiring procedures for positions with access to sensitive information to determine if they are commensurate with a higher level of risk.
3. Review termination procedures to determine whether accounts/access are disabled in a timely manner.
Ref. to COBIT 5: APO07.01; APO07.02; APO07.03; APO07.04; APO07.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.7.1.1; A.7.3.1; A.8.1.4

Control Objective: A vulnerability management plan is developed and implemented.
NIST Testing Step:
1. Obtain the organization's vulnerability management plan and ensure it includes the following:
   a. Frequency of vulnerability scanning
   b. Method for measuring the impact of vulnerabilities identified (e.g., Common Vulnerability Scoring System [CVSS])
   c. Incorporation of vulnerabilities identified in other security control assessments (e.g., external audits, penetration tests)
   d. Procedures for developing remediation of identified vulnerabilities
2. Obtain a copy of the organization's risk assessment to ensure vulnerabilities identified during the vulnerability management process are included.
Ref. to COBIT 5: APO04.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.6.1; A.18.2.2


Process Sub-Area: Maintenance
Ref. Risk: Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.

Control Objective: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools.
NIST Testing Step:
1. Review controlled maintenance processes. Consider the following:
   a. Maintenance activities are approved, scheduled and documented (e.g., date and time, name of individual(s) performing maintenance, description of maintenance performed, systems removed/replaced).
   b. Maintenance staff or vendors are approved, authorized and supervised (if required).
   c. Maintenance tools and media are approved and inspected for improper or unauthorized modifications prior to use.
Ref. to COBIT 5: BAI09.03
Additional COBIT 5: DSS03.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.1.2; A.11.2.4; A.11.2.5

Control Objective: Remote maintenance of organizational assets is approved, logged and performed in a manner that prevents unauthorized access.
NIST Testing Step:
1. Determine whether remote maintenance on servers, workstations and other systems is performed. Consider the following:
   a. Who is allowed to connect to systems (e.g., internal employees, third parties)
   b. What software/version or service is used to connect
   c. Whether end users have to take some action prior to allowing remote control of their workstation and/or whether access is logged and monitored
   d. Adequacy of authentication requirements (e.g., multifactor authentication)
Ref. to COBIT 5: DSS05.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.2.4; A.15.1.1; A.15.2.1

Process Sub-Area: Protective Technology
Ref. Risk: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Control Objective: Audit/log records are determined, documented, implemented and reviewed in accordance with policy.
NIST Testing Step:
1. Determine if audit logs (e.g., security, activity) are maintained and reviewed in a timely manner. Verify the adequacy of the logs to monitor and evaluate IT activities and security events. Consider the following:
   a. Audit records contain appropriate content (e.g., type of event, when the event occurred, where the event occurred, source of the event, outcome of the event, identity of any individuals or subjects associated with the event).
   b. Log files are sized such that logs are not deleted prior to review and/or being backed up.
   c. Audit logs and tools are protected from unauthorized access, modification and deletion.
2. Determine if logs for the following parts of the network are monitored and reviewed:
   a. Network perimeter (e.g., intrusion detection systems [IDS], firewalls)
   b. Microsoft systems (e.g., Windows event logs)
   c. Non-Microsoft systems (e.g., syslog files for Unix/Linux servers, routers, switches)
Ref. to COBIT 5: APO11.04
Additional COBIT 5: DSS05.07
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.4.1; A.12.4.2; A.12.4.3; A.12.4.4; A.12.7.1

Control Objective: Removable media is protected and its use restricted according to policy.
NIST Testing Step:
1. Obtain a copy of the removable media policy. Review controls defined in the policy. Controls may include:
   a. User training
   b. Encryption of removable media
   c. Restricted access to removable media (e.g., USB restrictions)
   d. Sanitization procedures for decommissioned media
2. Perform spot-checks on systems with removable media restrictions to ensure restrictions are working as expected and comply with the organization's policy.
Ref. to COBIT 5: DSS05.02; APO13.01
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.2; A.8.2.3; A.8.3.1; A.8.3.3; A.11.2.9

Control Objective: Access to systems and assets is controlled, incorporating the principle of least functionality.
NIST Testing Step:
1. Review information systems to determine if unnecessary and/or non-secure functions, ports, protocols and services are disabled.
2. Determine whether, where feasible, the organization limits component functionality to a single function per device (e.g., dedicated email server).
3. Determine if the organization reviews functions and services provided by information systems or individual components of information systems to determine which functions and services are candidates for elimination.
Ref. to COBIT 5: DSS05.02
Additional COBIT 5: DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.9.1.2

Control Objective: Communications and control networks are protected.
NIST Testing Step:
1. Evaluate controls related to communications to ensure the network is secure. Consider:
   a. Network perimeter defenses are in place (e.g., border router, firewall).
   b. Physical security controls are used to prevent unauthorized access to telecommunication systems, etc.
   c. Logical network access controls (e.g., VLAN) and technical controls (e.g., encrypting traffic) are in place to protect and/or segregate communications networks (e.g., wireless, WAN, LAN, VoIP).
Ref. to COBIT 5: DSS05.02; APO13.01
Additional COBIT 5: DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.13.1.1; A.13.2.1

NIST Cybersecurity Framework - Detect ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Detect

Process Sub-Area: Anomalies and Events
Ref. Risk: Anomalous activity is detected in a timely manner and the potential impact of events is understood.

Control Objective: A baseline of network operations and expected data flows for users and systems is established and managed.
NIST Testing Step:
1. Obtain a copy of the organization's logical network diagram (LND), data flow diagrams, and other network and communications diagrams.
2. Review the diagrams for the following:
   a. Frequency of updates to diagrams
   b. Accuracy and completeness of diagrams
   c. Scope of diagrams is adequate to identify both domains of different risk and control levels (i.e., high-risk, publicly-accessible portions of a network vs. high-value, restricted access portions of the network) and the control points (e.g., firewalls, routers, intrusion detection/prevention systems) between them.
3. Determine if tools (e.g., security information and event management [SIEM] systems) are used to establish typical (baseline) traffic so abnormal traffic can be detected.
Ref. to COBIT 5: DSS03.01

Control Objective: Detected events are analyzed to understand attack targets and methods.
NIST Testing Step:
1. Obtain a copy of policies and procedures regarding system and network monitoring.
   a. Determine if policies and procedures require monitoring for anomalous activity at identified control points.
2. Obtain a copy of detected events (e.g., alerts from IDS) and the organization's response to them. Review the events and responses to ensure thorough analysis of detected events is performed.
Ref. to COBIT 5: DSS05.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.1; A.16.1.4

Control Objective: Event data are aggregated and correlated from multiple sources and sensors.
NIST Testing Step:
1. Obtain a listing of event aggregation and monitoring systems in use at the organization (e.g., SIEMs, event log correlation systems).
2. Obtain a list of sources that provide data to each event aggregation and monitoring system (e.g., firewalls, routers, servers).
3. Compare the sources to identified control points between domains of different risk and control levels and determine if they provide adequate monitoring coverage of the organization's environment.
Ref. to COBIT 5: APO12.01

Control Objective: Impact of events is determined.
NIST Testing Step:
1. Obtain a copy of detected events and the organization's responses to them.
2. Review the events, tickets and responses in order to ensure the organization is documenting the impact of anomalous activity using metrics that are applicable to the organization (e.g., compliance impact, operational impact, accurate reporting impact).
Ref. to COBIT 5: APO12.06

Control Objective: Incident alert thresholds are established.
NIST Testing Step:
1. Obtain a copy of alert messages, meeting minutes, reports and other documentation where detected events were escalated.
2. Review the documentation and determine the following:
   a. Detected events are reported in a timely manner to someone with the knowledge and expertise to resolve or escalate the event.
   b. Escalated events are reported to individuals or groups with the appropriate authority to make decisions about the organization's response.
   c. Thresholds are defined such that an event triggers the appropriate response (e.g., business continuity response, disaster recovery response, incident response, legal response).
Ref. to COBIT 5: APO12.06

Process Sub-Area: Security Continuous Monitoring

Control Objective: The network is monitored to detect potential cybersecurity events.
NIST Testing Step:
1. Obtain a list of the monitoring controls implemented by the organization at the following levels:
   a. Network (e.g., firewall, router, switch)
   b. Operating system (e.g., server platforms, workstation platforms, appliances)
   c. Application (e.g., account management, file and database access)
2. Determine if monitoring at each level includes detection of cybersecurity events (e.g., denial-of-service [DoS] attacks, unauthorized account access, unauthorized file/system access, privilege escalation attacks, SQL injection attacks).
Ref. to COBIT 5: DSS05.07

Control Objective: The physical environment is monitored to detect potential cybersecurity events.
NIST Testing Step:
1. Obtain an inventory of critical facilities (e.g., data centers, network closets, operations centers, critical control centers).
2. Determine if physical security monitoring controls are implemented and appropriate to detect potential cybersecurity events (e.g., sign in/out logs, motion detectors, security cameras, security lighting, security guards, door/window locks, automatic system lock when idle, restricted physical access to servers, workstations, network devices, network ports).
Ref. to COBIT 5: DSS05.05


Process Sub-Area: Security Continuous Monitoring
Ref. Risk: The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

Control Objective: Personnel activity is monitored to detect potential cybersecurity events.
NIST Testing Step:
1. Obtain a list of the monitoring controls implemented by the organization at the application/user account level (e.g., account management, user access roles, user activity monitoring, file and database access).
2. Determine if monitoring includes detection and alerting of cybersecurity events (e.g., unauthorized account access, unauthorized file/system access, access out of hours, access to sensitive data, unusual access, unauthorized physical access, privilege escalation attacks).
Ref. to COBIT 5: DSS05.04; DSS05.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.4.1

Control Objective: Malicious code is detected.
NIST Testing Step:
1. Obtain a copy of processes and procedures used to detect malicious code on the network and servers/workstations (e.g., anti-malware software on servers and workstations, phishing filters on email systems, intrusion prevention/detection systems on the network [IDS/IPS], endpoint security products on workstations and/or servers).
2. Determine if malicious code controls are:
   a. Installed on all applicable systems and network control points
   b. Updated on a regular basis
   c. Configured to perform real-time scanning or periodic scans at regular intervals
3. Spot-check workstations and other user endpoint devices to verify the following:
   a. Malicious code controls are installed.
   b. Malicious code controls are updated.
   c. Malicious code controls are capable of detecting test code (e.g., the EICAR test virus).
Ref. to COBIT 5: DSS05.01
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.2.1

Control Objective: Unauthorized mobile code is detected.
NIST Testing Step:
1. Obtain documented processes and procedures used to detect unauthorized mobile code (e.g., Java, JavaScript, ActiveX, Flash, VBScript) that is run on the organization's servers, workstations and devices.
2. Determine if detective mobile code controls block unauthorized mobile code when detected (e.g., quarantine, execution blocking, download blocking).
*Examples of mobile code controls include:
   a. Detecting and blocking mobile code attachments in emails (e.g., .exe files, .js files)
   b. Detecting and blocking mobile code portions of websites
   c. Removing the ability to run mobile code on systems that do not require this functionality (e.g., uninstalling Java from workstations without a need for it)
   d. Configuring systems to generate alerts and block execution when mobile code that is not signed with an approved code-signing certificate attempts to execute
Ref. to COBIT 5: DSS05.03; DSS05.07
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.5.1

Control Objective: External service provider activity is monitored to detect potential cybersecurity events.
NIST Testing Step:
1. Obtain and review contracts executed with external service providers.
2. Determine if external service provider contracts require the service providers to:
   a. Notify the organization as soon as possible of any known or suspected cybersecurity event.
   b. Notify the organization as soon as possible of termination of any employee who possesses credentials to access the organization's systems or facilities.
   c. Implement security controls equivalent to or exceeding the level of security required of the organization.
3. Obtain a copy of the organization's logical network diagram (LND) to determine how external service provider networks are connected to the organization's network and whether monitoring controls (e.g., firewalls, routers, intrusion detection/prevention systems) are implemented at these connection points.
4. Obtain and analyze a copy of system configurations for monitoring controls used to detect cybersecurity events originating on external service providers' networks.
Ref. to COBIT 5: APO07.06
Additional COBIT 5: APO10.04; APO10.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.14.2.7; A.15.2.1


Control Objective: Monitoring for unauthorized personnel, connections, devices and software is performed.
NIST Testing Step:
1. Obtain a copy of processes and procedures designed to detect unauthorized access to the organization's facilities and systems (e.g., sign-in/out logs, video surveillance, break-in alarms, network port blocking, USB device restrictions on workstations and user devices, monitoring of excessive failed logins indicating a password-guessing attack).
2. Spot-check unauthorized access controls by accessing facilities and systems with permission to test, but not standard authorization. Request the organization provide the alert notifications generated by the simulated unauthorized access.
Ref. to COBIT 5: DSS05.05
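As an added illustration (not part of the ISACA program) of the "excessive failed logins" monitoring named in step 1, the following Python runs a sliding-window detection over constructed sshd syslog lines and also reports plain per-source totals, which is what catches a slow guessing source that never trips the short window. The host name, the addresses (RFC 5737 test ranges), the log year and the threshold are all assumptions made for the example.

```python
"""Added example, not part of the ISACA audit program: sliding-window detection
of excessive failed logins from one source address, the password-guessing
indicator named in the DE.CM-7 test step.

The syslog lines, host name and addresses (RFC 5737 test ranges) are
constructed for the demonstration; LOG_YEAR is assumed because classic syslog
timestamps carry no year."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

LOG_YEAR = 2016  # assumption: the constructed log is from 2016

# Shape of an OpenSSH "Failed password" line as written to syslog by sshd.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: one fast burst (203.0.113.5), one legitimate user with two
# typos (198.51.100.7) and one slow guesser spaced 90 s apart (192.0.2.9).
SAMPLE_LOG = """\
Mar 10 14:02:11 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 50214 ssh2
Mar 10 14:02:13 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 50215 ssh2
Mar 10 14:02:15 bastion sshd[2211]: Failed password for root from 203.0.113.5 port 50216 ssh2
Mar 10 14:02:20 bastion sshd[2213]: Failed password for jsmith from 198.51.100.7 port 41020 ssh2
Mar 10 14:02:22 bastion sshd[2214]: Failed password for root from 203.0.113.5 port 50217 ssh2
Mar 10 14:02:25 bastion sshd[2215]: Accepted password for jsmith from 198.51.100.7 port 41021 ssh2
Mar 10 14:02:31 bastion sshd[2216]: Failed password for invalid user test from 203.0.113.5 port 50218 ssh2
Mar 10 14:02:40 bastion sshd[2217]: Failed password for invalid user oracle from 203.0.113.5 port 50219 ssh2
Mar 10 14:10:02 bastion sshd[2230]: Failed password for jsmith from 198.51.100.7 port 41030 ssh2
Mar 10 14:12:00 bastion sshd[2240]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 10 14:13:30 bastion sshd[2241]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 10 14:15:00 bastion sshd[2242]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar 10 14:16:30 bastion sshd[2243]: Failed password for root from 192.0.2.9 port 33004 ssh2
Mar 10 14:18:00 bastion sshd[2244]: Failed password for root from 192.0.2.9 port 33005 ssh2
""".splitlines()


def parse_failed_login(line):
    """Return {'time', 'user', 'source'} for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": when, "user": m["user"], "source": m["src"]}


def detect_password_guessing(lines, threshold=5, window_seconds=60):
    """Alert on any source that accumulates `threshold` failures within `window_seconds`.

    Lines are assumed to be in chronological order. One alert is raised per
    source, the first time the threshold is crossed; the alert records the
    window of failures that triggered it."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_failed_login(line)
        if event is None:
            continue  # accepted logins and unrelated lines are ignored
        window = recent[event["source"]]
        window.append(event["time"])
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()  # slide the window forward
        if len(window) >= threshold and event["source"] not in alerted:
            alerted.add(event["source"])
            alerts.append({"source": event["source"], "first": window[0],
                           "last": window[-1], "failures": len(window)})
    return alerts


def failures_per_source(lines):
    """Total failed logins per source regardless of timing. This is what exposes
    slow guessing (192.0.2.9 in the sample) that a 60 s window never trips."""
    events = (parse_failed_login(line) for line in lines)
    return dict(Counter(event["source"] for event in events if event is not None))


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(f"ALERT {alert['source']}: {alert['failures']} failures between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
    print("totals:", failures_per_source(SAMPLE_LOG))
```

The window and threshold are tuning choices; an auditor reviewing this control should ask how both were set and whether a longer-window or per-username view is also reviewed.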

Control Objective: Vulnerability scans are performed.
NIST Testing Step:
1. Obtain a copy of the organization's schedule for performing internal and external vulnerability scans and the results of the most recent internal and external vulnerability scans.
2. Review the schedule and results for the following:
   a. Frequency
   b. Successful completion
   c. Documented resolution or mitigation of identified vulnerabilities
   d. Scope of testing includes all critical systems
3. Determine whether vulnerability scan results were reported to individuals or teams with appropriate authority to ensure resolution.
Ref. to COBIT 5: BAI03.10
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.6.1

Process Sub-Area: Detection Processes
Ref. Risk: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Control Objective: Roles and responsibilities for detection are well defined to ensure accountability.
NIST Testing Step:
1. Obtain a copy of processes and procedures for monitoring physical and electronic anomalous events.
2. Determine if the organization's processes and procedures assign key responsibilities to specific individuals or positions.
Ref. to COBIT 5: DSS05.01
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1

Control Objective: Detection activities comply with all applicable requirements.
NIST Testing Step:
1. Obtain a copy of laws and regulations (e.g., federal, state, local), industry standards, internal security requirements and risk appetite applicable to the organization.
2. Determine if the organization is performing audits/testing to ensure their detection activities comply with these requirements.
Ref. to COBIT 5: MEA03.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.18.1.4

Control Objective: Detection processes are tested.
NIST Testing Step:
1. Obtain a copy of the organization's schedule of incident response tests, the results of recent incident response tests, and documented processes and procedures requiring tests of anomalous activity controls (e.g., periodic tests of intrusion detection/prevention systems, endpoint anti-malware software).
2. Review the documentation for the following:
   a. Completeness in testing implemented anomalous activity detection controls
   b. Frequency of testing
   c. Documented resolution or mitigation of negative testing results
Ref. to COBIT 5: APO13.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.14.2.8

Control Objective: Event detection information is communicated to appropriate parties.
NIST Testing Step:
1. Obtain a copy of meeting minutes where physical and electronic anomalous activity is reported (e.g., information security committee meetings, board/management meetings, risk management meetings).
2. Obtain a copy of documented responses to recent physical and electronic anomalous activity incidents.
3. Compare meeting minutes to documented incidents and determine if detected events are consistently reported and appropriately handled.
Ref. to COBIT 5: APO12.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.2

Control Objective: Detection processes are continuously improved.
NIST Testing Step:
1. Obtain a copy of documented responses to recent physical and electronic anomalous activity incidents. Determine if responses include the following:
   a. Lessons learned and analysis of failed or missing controls
   b. Action items to detect/prevent similar incidents in the future
Ref. to COBIT 5: APO11.06; DSS04.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.6

NIST Cybersecurity Framework - Respond ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Respond

Process Sub-Area: Response Planning
Ref. Risk: Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

Control Objective: Response plan is executed during or after an event.
NIST Testing Step:
1. Determine if the organization has approved incident response and business continuity plans.
2. Obtain copies of reports from recent incidents to validate the plans are executed.
Ref. to COBIT 5: BAI01.10
Additional COBIT 5: DSS02.04; DSS02.05; DSS02.06; DSS02.07
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.5

Process Sub-Area: Communications
Ref. Risk: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

Control Objective: Personnel know their roles and order of operations when a response is needed.
NIST Testing Step:
1. Review the incident response plan to determine if roles and responsibilities are defined for employees.
2. Interview employees to determine if they know their roles and responsibilities as defined by the plan.
3. Review any incident response tests or training provided to employees to determine if they support educating employees on their roles and responsibilities.
Ref. to COBIT 5: DSS02.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.16.1.1

Control Objective: Events are reported consistent with established criteria.
NIST Testing Step:
1. Review the incident response plan to determine if the reporting structure and communication channels are clearly defined.
2. Determine if employees are trained to report suspected security incidents.
3. Obtain copies of reports from recent incidents to validate reporting is consistent and follows the plan.
Ref. to COBIT 5: DSS02.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.3; A.16.1.2

Control Objective: Information is shared consistent with response plans.
NIST Testing Step:
1. Review the incident response plan to determine if information sharing is clearly defined as it relates to the following (if applicable):
   a. Customers
   b. Law enforcement
   c. Regulators
   d. Media
   e. Information sharing organizations
2. Obtain copies of reports from recent incidents to validate sharing is consistent and follows the plan.
Ref. to COBIT 5: DSS02.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.2

Control Objective: Coordination with stakeholders occurs consistent with response plans.
NIST Testing Step:
1. Review the incident response plan to determine if a process is in place to communicate with internal and external stakeholders during and/or following an incident.
2. Obtain copies of reports from recent incidents to validate reporting is consistent and follows the plan.
Ref. to COBIT 5: DSS02.05; DSS02.07

Control Objective: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
NIST Testing Step:
1. Review the incident response plan to determine if a process is in place to communicate with external stakeholders (e.g., end users, suppliers, third parties, customers) following an incident.
Ref. to COBIT 5: BAI08.01

Process Sub-Area: Analysis
Ref. Risk: Analysis is conducted to ensure adequate response and support recovery activities.

Control Objective: Notifications from detection systems are investigated.
NIST Testing Step:
1. Obtain evidence of event notifications (e.g., detection alerts, reports) from information systems (e.g., account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools, physical access, temperature and humidity, anomalous activity, use of mobile code).
2. Determine who receives alerts or reports from detection systems and what actions are taken once reports are received.
3. Review the incident response plan to determine if actions taken follow the plan.
Ref. to COBIT 5: DSS02.07
Additional COBIT 5: DSS02.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.4.1; A.12.4.3; A.16.1.5

Control Objective: The impact of the incident is understood.
NIST Testing Step:
1. Review the incident response plan to determine if there is a process to formally analyze and classify incidents based on their potential impact.
2. Review the resumes and education of incident response team members responsible for determining incident impact to determine if they have the knowledge and experience to adequately understand potential impact.
Ref. to COBIT 5: DSS02.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.6

Control Objective: Forensics are performed.
NIST Testing Step:
1. Review the incident response plan as it relates to forensics. Consider the following:
   a. There is a process in place to ensure forensics will be performed when needed.
   b. Determine if security investigations and forensic analysis are performed by qualified staff or third parties.
   c. Review forensics procedures to ensure they include controls, such as chain of custody, to support potential legal action.
Ref. to COBIT 5: DSS02.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.7


Process Sub-Area: Analysis (continued)

NIST Control: Incidents are categorized consistent with response plans.
Testing Steps:
1. Review the incident response plan to determine if it is designed to prioritize incidents, enabling a rapid response for significant incidents or vulnerabilities.
2. Obtain copies of reports from recent incidents to validate that reporting is consistent and follows the plan.
Ref. COBIT 5: DSS02.01; DSS02.02
Framework/Standards: ISO/IEC 27001:2013 A.16.1.4

Process Sub-Area: Mitigation
Control Objective: Activities are performed to prevent expansion of an event, mitigate its effects and eradicate the incident.

NIST Control: Incidents are contained.
Testing Steps:
1. Review the incident response plan to determine if appropriate steps are in place to contain an incident. Consider the following:
a. Steps to contain and control the incident to prevent further harm
b. Procedures to notify potentially impacted third parties
c. Strategies to control different types of incidents (e.g., distributed denial-of-service [DDoS], malware, etc.)
Ref. COBIT 5: DSS02.05
Framework/Standards: ISO/IEC 27001:2013 A.16.1.5

NIST Control: Incidents are mitigated.
Testing Steps:
1. Review the incident response plan to determine if appropriate steps are in place to mitigate the impact of an incident. Consider the following:
a. Steps to mitigate the incident to prevent further harm
b. Procedures to notify potentially impacted third parties
c. Strategies to mitigate the impact of different types of incidents (e.g., distributed denial-of-service [DDoS], malware, etc.)
2. Review any documented incidents to determine whether mitigation efforts were implemented and effective.
Ref. COBIT 5: DSS02.05
Framework/Standards: ISO/IEC 27001:2013 A.12.2.1; A.16.1.5

NIST Control: Newly identified vulnerabilities are mitigated or documented as accepted risk.
Testing Steps:
1. Determine if the organization's continuous monitoring programs (e.g., risk assessments, vulnerability scanning) facilitate ongoing awareness of threats, vulnerabilities and information security to support organizational risk management decisions. Consider the following:
a. Whether the process is continuous (at a frequency sufficient to support organizational risk-based decisions)
b. Whether results generate an appropriate risk response (e.g., mitigation strategy, acceptance) based on the organization's risk appetite
Ref. COBIT 5: DSS03.01; EDM03.03
Framework/Standards: ISO/IEC 27001:2013 A.12.6.1

Process Sub-Area: Improvements
Control Objective: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

NIST Control: Response plans incorporate lessons learned.
Testing Steps:
1. Review the organization's incident handling reports and incident testing documentation for action items and lessons learned.
2. Evaluate the incident response plan to determine if results (e.g., action items, lessons learned) from real-world incidents and incident testing have been used to update incident response procedures, training and testing.
Ref. COBIT 5: BAI01.13
Additional Ref. COBIT 5: DSS02.07
Framework/Standards: ISO/IEC 27001:2013 A.16.1.6

NIST Control: Response strategies are updated.
Testing Steps:
1. Review the organization's incident response and business continuity strategies and plans. Consider the following:
a. There is a mechanism in place to regularly review, improve, approve and communicate the plans.
b. The organization's response capability is informed by actual incidents, tests and current threats.
Ref. COBIT 5: DSS02.07

NIST Cybersecurity Framework - Recover
IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Recover
Columns: Process Sub-Area; Ref. Risk; Control Objectives; NIST Controls; Control Type; Control Classification; Control Frequency; Testing Step; Ref. to COBIT 5; Additional Ref. COBIT 5; Framework/Standards; Ref. Workpaper; Pass/Fail; Comments

Process Sub-Area: Recovery Planning
Control Objective: Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

NIST Control: Recovery plan is executed during or after an event.
Testing Steps:
1. Obtain a copy of the organization's recovery plans and procedures (e.g., business continuity plan, incident response plan, disaster recovery plan, cybersecurity incident plan) and the documented results of recent cybersecurity events or event tests.
2. Evaluate documentation for the following:
a. Frequency of testing
b. Coverage of critical pieces of the organization's recovery plans and procedures
c. Documentation of incidents (e.g., power outages, communication failures, system outages, attempted and successful malicious or careless unauthorized access or disruption)
Ref. COBIT 5: DSS02.05; DSS03.04
Framework/Standards: ISO/IEC 27001:2013 A.16.1.5

Process Sub-Area: Improvements
Control Objective: Recovery planning and processes are improved by incorporating lessons learned into future activities.

NIST Control: Recovery plans incorporate lessons learned.
Testing Steps:
1. Obtain a copy of the results of recent cybersecurity events or event tests.
2. Evaluate documentation for the following:
a. Documented lessons learned and analysis of failed or missing controls
b. Action items designed to improve recovery plans and procedures based on the lessons learned and analysis
Ref. COBIT 5: DSS04.05; BAI05.07
Additional Ref. COBIT 5: DSS04.08

NIST Control: Recovery strategies are updated.
Testing Steps:
1. Obtain a copy of the organization's recovery plans and procedures (e.g., business continuity plan, incident response plan, disaster recovery plan, cybersecurity incident plan) and the documented results of recent cybersecurity events or event tests.
2. Determine if recovery plans and procedures are reviewed, updated and approved on a regular basis or as changes are made to systems and controls.
3. Review recovery plans and procedures to determine if action items resulting from lessons learned during cybersecurity events and event tests have been implemented.
Ref. COBIT 5: DSS04.05; BAI07.08
Additional Ref. COBIT 5: DSS04.08

Process Sub-Area: Communications
Control Objective: Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs and vendors.

NIST Control: Public relations are managed.
Testing Steps:
1. Obtain a copy of the organization's recovery plans and procedures (e.g., business continuity plan, incident response plan, disaster recovery plan, cybersecurity incident plan).
2. Determine if the plans and procedures include the following:
a. Designation of points of contact within the organization to communicate with customers, partners, media, regulators and law enforcement
b. Training for employees regarding where to refer questions about cybersecurity incidents
c. Order of succession of key positions responsible for managing the organization's reputation risk during cybersecurity incidents
d. Timely and responsible notification of customers, partners, regulators and law enforcement of a cybersecurity incident
Ref. COBIT 5: EDM03.02
Additional Ref. COBIT 5: DSS04.03

NIST Control: Reputation after an event is repaired.
Testing Steps:
1. Obtain documented results of recent cybersecurity events. Determine whether the following are included:
a. Informing customers, partners, media, regulators and law enforcement, as applicable, of ongoing efforts to correct identified issues and final resolution
b. Specific efforts or plans to address reputation repair
Ref. COBIT 5: MEA03.02

NIST Control: Recovery activities are communicated to internal stakeholders and executive and management teams.
Testing Steps:
1. Obtain a copy of meeting minutes where cybersecurity events are reported (e.g., Information Security Committee meetings, Board/management meetings, risk management meetings, Compliance Committee meetings).
2. Obtain a copy of documented results of recent cybersecurity events.
3. Compare meeting minutes to documented cybersecurity events and determine if applicable stakeholders and management members (e.g., Board members, stockholders, C-level executives, risk management managers, affected department managers) were notified of recovery activities.
Ref. COBIT 5: DSS04.06; EDM05.03
