Cybersecurity NIST Audit Program - revST-3


NIST Cybersecurity Framework ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework
Column descriptions (Column Name / Description / Instructions):

Column Name: Process Sub-area
Description: An activity within an overall process influenced by the enterprise's policies and procedures that takes inputs from a number of sources, manipulates the inputs and produces outputs.
Instructions: To make the audit program manageable, it is recommended to break out the scope of the audit into sub-areas. The auditor can modify this field to entity-specific names and terms. ISACA has used the most commonly used terms as the basis to develop this audit program.

Column Name: Ref. Risk
Description: Specifies the risk this control is intended to address.
Instructions: This field can be used to input a reference/link to risk described in the entity's risk register or enterprise risk management (ERM) system, or to input a description of the risk a particular control is intended to address.

Column Name: Control Objectives
Description: A statement of the desired result or purpose that must be in place to address the inherent risk in the review areas within scope.
Instructions: This field should describe the behaviors, technologies, documents or processes expected to be in place to address the inherent risk that is part of the audit scope. An IS audit manager can review this information to determine whether the review will meet the audit objectives based on the risk and control objectives included in the audit program.

Column Name: Controls
Description: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature.
Instructions: This field should describe in detail the control activities expected to be in place to meet the control objective. Control activities can be in roles and responsibilities, documentation, forms, reports, system configuration, segregation of duties, approval matrices, etc. An IS audit manager performing a quality control review must decide whether an auditor has planned to identify enough controls on which to base an assessment and whether the planned evidence is sufficiently objective.

Copyright 2016 ISACA Page 1 of 16


Column Name: Control Type
Description: Controls can be automated (technical), manual (administrative) or physical. Automated/technical controls are things managed or performed by computer systems. Manual/administrative controls are usually things that employees can or cannot do. Physical controls include locks, fences, mantraps and even geographic-specific controls.
Instructions: Specify whether the control under review is automated, manual, physical or a combination. This information is useful in determining the testing steps necessary to obtain assessment evidence.

Column Name: Control Classification
Description: Another way to classify controls is by the way they address a risk exposure. Preventive controls should stop an event from happening. Detective controls should identify an event when it is happening and generate an alert that prompts a corrective control to act. Corrective controls should limit the impact of an event and help resume normal operations within a reasonable time frame. Compensating controls are alternate controls designed to accomplish the intent of the original controls as closely as possible when the originally designed controls cannot be used due to limitations of the environment.
Instructions: Specify whether the control under review is preventive, detective, corrective or compensating. This information will be helpful when defining testing steps and requesting evidence.

Column Name: Control Frequency
Description: Control activities can occur in real-time, daily, weekly, monthly, annually, etc.
Instructions: Specify whether the control under review occurs in real-time, daily, weekly, monthly, annually, etc. This information will be helpful when defining testing steps and requesting evidence.

Column Name: Testing Step
Description: Identifies the steps being tested to evaluate the effectiveness of the control under review.
Instructions: This field should describe in detail the steps necessary to test control activities and collect supporting documentation. The auditor can modify this field to meet entity-specific needs. ISACA has used a set of generic steps to develop this audit program. An IS audit manager may determine if the proposed steps are adequate to review a particular control.

Column Name: NIST Ref. to COBIT 5
Description: Identifies the COBIT 5 processes related to the control objective or control activities as defined by the NIST Cybersecurity Framework.

Column Name: Additional Ref. COBIT 5
Description: Identifies additional COBIT 5 processes related to the control objective or control activities.
Instructions: Input the COBIT 5 process or practice that relates to this control.

Column Name: Ref. Framework/Standards
Description: Specifies frameworks and/or standards that relate to the control under review (e.g., NIST, HIPAA, SOX, ISO).
Instructions: Input references to other frameworks used by the entity as part of their compliance program.

Column Name: Ref. Workpaper
Description: The evidence column usually contains a reference to other documents that contain the evidence supporting the pass/fail mark for the audit step. An IS audit manager performing a quality control review must decide whether an auditor has tested enough controls on which to base an assessment and whether the obtained evidence is sufficiently objective to support a pass or fail conclusion.
Instructions: Specify the location of supporting documentation detailing the audit steps and evidence obtained.

Column Name: Pass/Fail
Description: Document preliminary conclusions regarding the effectiveness of controls.
Instructions: Specify whether the overall control is effective (Pass) or not effective (Fail) based on the results of the testing.

Column Name: Comments
Description: Free format field.
Instructions: Document any notes related to the review of this Process Sub-area or specific control activities.

NIST Cybersecurity Framework - Identify
IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Identify

Columns of the program worksheet: Process Sub-Area; Ref. Risk; Control Objectives; Controls; Questions for clients; FR (the client question in French); Control Type; Control Classification; Control Frequency; Testing Step; NIST Ref. to COBIT 5; Additional Ref. COBIT 5; Ref. Framework/Standards; Ref. Workpaper; Pass/Fail; Comments. Ref. Risk, Control Type, Control Classification, Control Frequency, Ref. Workpaper, Pass/Fail and Comments are blank in the template for the auditor to complete, so the entries that follow give only the populated columns.

Process Sub-Area: Asset Management
Control Objective: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.

Control: Physical devices and systems within the organization are inventoried.
Question for clients: Have the physical devices and systems within the organization been inventoried?
Question for clients (FR, translated): Have the physical devices and systems within the organization inventoried?
Testing Step:
1. Obtain a copy of the physical devices and systems inventory. Review the inventory considering the following:
   a. Scope of physical devices and systems is based on the organization's risk appetite (e.g., systems that contain sensitive information, allow access to the network, or are critical to business objectives)
   b. Completeness of inventory (e.g., location, asset number, owner)
   c. Inventory collection process ensures new devices are collected accurately and in a timely manner (e.g., automated software to detect and/or store the inventory)
   d. Frequency of inventory reviews
NIST Ref. to COBIT 5: BAI09.01; BAI09.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.1.1; A.8.1.2

Control: Software platforms and applications within the organization are inventoried.
Question for clients: Have the software platforms and applications within the organization been inventoried?
Question for clients (FR, translated): Are the software platforms and applications within the organization inventoried?
Testing Step:
1. Obtain a copy of the software inventory. Review the inventory considering the following:
   a. Scope of software inventory is based on the organization's risk appetite (e.g., software that processes, stores or accesses sensitive information or is critical to business objectives)
   b. Completeness of inventory (e.g., version, system, vendor, owner)
   c. Inventory collection process ensures new software is collected accurately and in a timely manner (e.g., automated software to detect and/or store the inventory)
   d. Frequency of inventory reviews
NIST Ref. to COBIT 5: BAI09.01; BAI09.02; BAI09.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.1.1; A.8.1.2

Control: Organizational communication and data flows are mapped.
Question for clients: Have the organizational communication and data flows been mapped?
Question for clients (FR, translated): Are organizational communication and data flows mapped?
Testing Step:
1. Ensure the organization maintains accurate and current copies of data flow diagram(s) (DFD), logical network diagram(s) (LND), and/or other diagrams to show organizational communication and data flow.
NIST Ref. to COBIT 5: DSS05.02
Additional Ref. COBIT 5: APO01.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.13.2.1

Control: External information systems are cataloged.
Question for clients: Are the external information systems cataloged?
Question for clients (FR, translated): Are external information systems cataloged?
Testing Step:
1. If the organization relies on information systems hosted by third parties, obtain a copy of the external systems inventory. Review the third-party inventory considering the following:
   a. Scope of external systems is based on the organization's risk appetite (e.g., systems that store, process or access sensitive information or are critical to business objectives).
   b. Completeness of inventory (e.g., location, third party, owner, etc.)
   c. Inventory collection process ensures new systems are collected accurately and in a timely manner (e.g., automated software to detect and/or store the inventory)
   d. Frequency of inventory reviews
NIST Ref. to COBIT 5: APO02.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.2.6

Control: Resources (e.g., hardware, devices, data and software) are prioritized based on their classification, criticality and business value.
Question for clients: Are the resources (e.g., hardware, devices, data and software) prioritized based on their classification, criticality and business value?
Question for clients (FR, translated): Are resources (e.g., hardware, devices, data and software) prioritized according to their classification, criticality and business value?
Testing Step:
1. Obtain a copy of the organization's data classification program (classification may also be identified in the risk assessment or business impact analysis).
2. Review the program to determine if key resources (e.g., hardware, devices, data, software) are classified and prioritized based on criticality and business value.
NIST Ref. to COBIT 5: APO03.03; APO03.04; BAI09.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.1

Control: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
Question for clients: Have the cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) been established?
Question for clients (FR, translated): Are cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) established?
Testing Step:
1. Review cybersecurity policies, information security policies, job descriptions, agreements, RACI charts, service level agreements (SLAs) and/or contracts to determine if they include cybersecurity roles and responsibilities.
NIST Ref. to COBIT 5: APO01.02; DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1

Process Sub-Area: Business Environment
Control Objective: The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Control: The organization's role in the supply chain is identified and communicated.
Question for clients: Is the organization's role in the supply chain identified and communicated?
Question for clients (FR, translated): Is the organization's role in the supply chain identified and communicated?
Testing Step:
1. Obtain documentation or evidence (e.g., cybersecurity strategy, business continuity plan, information system acquisition procedures, business impact analysis, acquisition/procurement process, key supplier reviews, supplier relationship management, supplier due diligence reports) to determine whether the organization has clearly defined and understands its role in the supply chain.
NIST Ref. to COBIT 5: APO08.04; APO08.05; APO10.03; APO10.04; APO10.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.15.1.3; A.15.2.1; A.15.2.2

Control: The organization's place in critical infrastructure and its industry sector is identified and communicated.
Question for clients: Does the organization's place in
Question for clients (FR, translated): Is the organization's place in critical infrastructure and its industry sector identified and communicated?
Testing Step:
1. Obtain documentation or evidence (e.g., mission statement, business continuity policy, strategic plan) that the organization has clearly defined and understands its role in its industry sector and its role within national critical infrastructure, as defined by the Department of Homeland Security (https://www.dhs.gov/what-critical-infrastructure).
NIST Ref. to COBIT 5: APO02.06; APO03.01

Control: Priorities for organizational mission, objectives and activities are established and communicated.
Question for clients: Have the priorities for organizational mission, objectives and activities been established and communicated?
Question for clients (FR, translated): Have the priorities of the organization's mission, objectives and activities been established and communicated?
Testing Step:
1. Determine if the organization has a strategic plan defining enterprise goals. Ensure enterprise goals are aligned with stakeholder interests.
2. Determine if the organization's mission statement and objectives are clearly published in a way employees can easily see or access them.
3. Determine if an IT strategic plan is documented, defines goals and is mapped to enterprise goals.
4. Determine if employees are educated on the organization's mission and objectives.
NIST Ref. to COBIT 5: APO02.01; APO02.06; APO03.01

Control: Dependencies and critical functions for delivery of critical services are established.
Question for clients: Have the dependencies and critical functions for delivery of critical services been established?
Question for clients (FR, translated): Have the dependencies and critical functions for the delivery of critical services been established?
Testing Step:
1. Obtain the organization's business continuity plan, disaster recovery plan, business impact analysis and risk assessments and review for the following:
   a. Information systems and software supporting critical business functions are identified and prioritized based on maximum allowable downtime.
   b. Third parties who support critical business functions and information systems/software are identified and prioritized.
NIST Ref. to COBIT 5: BAI04.02; BAI09.01; BAI09.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.2.2; A.11.2.3; A.12.1.3

Process Sub-Area: Business Environment (continued)

Control: Resilience requirements to support delivery of critical services are established.
Question for clients: Are resilience requirements to support delivery of critical services established?
Question for clients (FR, translated): Are resilience requirements to support the delivery of essential services established?
Testing Step:
1. Determine if the organization's business continuity and disaster recovery plans (including business impact analysis) support resilience of critical services.
2. Determine if appropriate due diligence information (e.g., business continuity plans (BCP), service level agreements (SLA), Service Organization Control (SOC) reports) is in place and reviewed to ensure resilience requirements of the organization can be met by critical third-party services.
NIST Ref. to COBIT 5: DSS04.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.1.4; A.17.1.1; A.17.1.2; A.17.2.1

Process Sub-Area: Governance
Control Objective: The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Control: Organizational information security policy is established.
Question for clients: Has the organizational information security policy been established?
Question for clients (FR, translated): Is the organizational information security policy established?
Testing Step:
1. Obtain a copy of the information security policy.
2. Determine if the policy is complete and has been approved by a governance structure within the organization.
3. Determine if the policy is communicated to employees.
NIST Ref. to COBIT 5: APO01.03; EDM01.01; EDM01.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.5.1.1

Control: Organization's role in the supply chain is identified and communicated.
Question for clients: Is the organization's role in the supply chain identified and communicated?
Question for clients (FR, translated): Is the organization's role in the supply chain identified and communicated?
Testing Step:
1. Determine if information security roles and responsibilities are defined. Roles and responsibilities may be defined in policies, job descriptions, agreements, RACI charts, hierarchy charts and/or contracts.
2. Determine if there is sufficient independence within the information security roles in order to provide adequate separation of duties for critical functions.
3. Review contracts, nondisclosure agreements (NDAs) and service level agreements (SLAs) with critical vendors to determine if cybersecurity controls and incident notification are addressed appropriately.
NIST Ref. to COBIT 5: APO01.02; APO13.12
Additional Ref. COBIT 5: DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.7.2.1

Control: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
Question for clients: Are legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, understood and managed?
Question for clients (FR, translated): Are legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, understood and managed?
Testing Step:
1. Obtain a list of all relevant legal and regulatory requirements for the organization.
2. Determine if the cybersecurity program is mapped to legal and regulatory requirements.
3. Review any recent regulatory cybersecurity exams or audits. If any exceptions were noted in audits, determine how the organization responded to exceptions.
4. Determine if critical third-party contracts are reviewed by legal counsel prior to execution.
5. Determine if there is a formalized process in place to monitor and review changes in cybersecurity laws and regulations.
NIST Ref. to COBIT 5: MEA03.01; MEA03.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.18.1

Control: Governance and risk management processes address cybersecurity risk.
Question for clients: Do the governance and risk management processes address cybersecurity risk?
Question for clients (FR, translated): Do the governance and risk management processes address cybersecurity risks?
Testing Step:
1. Determine the adequacy of executive or board oversight and understanding of cybersecurity. Consider the following:
   a. Risk Management
   b. Governance Structures
   c. Security Oversight
   d. Training
   e. Accountability
   f. Reporting
NIST Ref. to COBIT 5: DSS04.02
Additional Ref. COBIT 5: EDM01.01; EDM01.02; EDM01.03; EDM03.01; EDM03.03

Process Sub-Area: Risk Assessment
Control Objective: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Control: Asset vulnerabilities are identified and documented.
Question for clients: Have the asset vulnerabilities been identified and documented?
Question for clients (FR, translated): Are asset vulnerabilities identified and documented?
Testing Step:
1. Determine if vulnerability testing is conducted and analyzed on critical organizational assets (e.g., assets important to business objectives and the organization's risk strategy).
NIST Ref. to COBIT 5: APO12.01; APO12.02; APO12.03; APO12.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.6.1; A.18.2.3

Control: Threat and vulnerability information is received from information sharing forums and sources.
Question for clients: Is threat and vulnerability information received from information sharing forums and sources?
Question for clients (FR, translated): Is threat and vulnerability information received from information sharing forums and sources?
Testing Step:
1. Determine if the organization is a member of or subscribes to a threat and vulnerability information sharing organization (e.g., United States Computer Emergency Readiness Team [US-CERT]).
2. Determine if the organization has a formal process in place for disseminating threat and vulnerability information to individuals with the expertise to review the information and the authority to mitigate risk posed to the organization.
NIST Ref. to COBIT 5: APO12.01; BAI08.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.4

Control: Threats, both internal and external, are identified and documented.
Question for clients: Have threats, both internal and external, been identified and documented?
Question for clients (FR, translated): Are threats, both internal and external, identified and documented?
Testing Step:
1. Review risk assessments to determine if internal and external threats are identified and documented.
2. Determine if the organization has developed processes to actively monitor and report potential threats.
NIST Ref. to COBIT 5: APO12.01; APO12.02; APO12.03; APO12.04

Control: Potential business impacts and likelihoods are identified.
Question for clients: Are potential business impacts and likelihoods identified?
Question for clients (FR, translated): Are potential business impacts and likelihoods identified?
Testing Step:
1. Review risk assessments and business impact analysis to determine if likelihood and potential impacts are identified and analyzed for threats.
NIST Ref. to COBIT 5: APO12.02; DSS04.02
Additional Ref. COBIT 5: BAI04.02

Control: Threats, vulnerabilities, likelihoods and impacts are used to determine risk.
Question for clients: Are threats, vulnerabilities, likelihoods and impacts used to determine risk?
Question for clients (FR, translated): Are threats, vulnerabilities, likelihoods and impacts used to determine risks?
Testing Step:
1. Determine if the risk assessment process identifies reasonably foreseeable internal and external threats and vulnerabilities, the likelihood and potential damage of those threats, and the sufficiency of controls to mitigate the risk associated with those threats.
NIST Ref. to COBIT 5: APO12.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.6.1

Control: Risk responses are identified and prioritized.
Question for clients: Have risk responses been identified and prioritized?
Question for clients (FR, translated): Are risk responses identified and prioritized?
Testing Step:
1. Obtain the organization's risk management plan and/or other documentation showing the organization's response to risk levels identified in the risk assessment. Determine if the risk management plan is designed to accept or reduce risk level in accordance with the organization's risk appetite.
2. Obtain copies of management responses to recent cybersecurity-related audits and assessments to determine if exceptions noted in audits or assessments are identified and prioritized.
NIST Ref. to COBIT 5: APO12.05; APO13.02

Process Sub-Area: Risk Management Strategy
Control Objective: The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Control: Risk management processes are established, managed and agreed to by organizational stakeholders.
Question for clients: Have risk management processes been established, managed and agreed to by organizational stakeholders?
Question for clients (FR, translated): Have risk management processes been established, managed and approved by organizational stakeholders?
Testing Step:
1. Evaluate the framework or process used for risk management. Consider the following:
   a. Is the process formally documented?
   b. Is the process regularly updated?
   c. Is the process repeatable and measurable?
   d. Does the process have an owner?
   e. Are stakeholders involved or informed of the process?
NIST Ref. to COBIT 5: APO12.04; APO12.05; APO13.02; BAI02.03; BAI04.02

Control: Organizational risk tolerance is determined and clearly expressed.
Question for clients: Is the organizational risk tolerance determined and clearly expressed?
Question for clients (FR, translated): Is the organization's risk tolerance determined and clearly expressed?
Testing Step:
1. Determine if the organization has defined and approved a cyberrisk appetite statement.
NIST Ref. to COBIT 5: APO12.03; APO12.06
Additional Ref. COBIT 5: EDM03.01

Process Sub-Area: Risk Management Strategy (continued)

Control: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis.
Question for clients: Is the organization's determination of risk tolerance informed by its role in critical infrastructure and sector-specific risk analysis?
Question for clients (FR, translated): Does the organization's determination of risk tolerance depend on its role in critical infrastructure and sector-specific risk analysis?
Testing Step:
1. Obtain a copy of the organization's risk management strategy and risk appetite statement to determine if these align with its role in critical infrastructure (as defined by the national infrastructure protection plan [NIPP] and sector-specific plans).
NIST Ref. to COBIT 5: APO04.03



NIST Cybersecurity Framework - Protect
IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Protect

Process Sub-Area: Access Control
Control Objective: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

Control: Identities and credentials are managed for authorized devices and users.
Question for clients: Are identities and credentials managed for authorized devices and users?
Question for clients (FR, translated): Are identities and credentials managed for devices and users?
Testing Step:
1. Determine whether access to network devices (e.g., servers, workstations, mobile devices, firewalls) is restricted by:
   a. Unique user logon IDs
   b. Complex passwords
   c. Multifactor authentication
   d. Automatic timeout if left unattended
   e. Automatic lockout after repeated failed access attempts
   f. Changing default administrative account names and passwords
2. Determine whether password parameters comply with organization policy and/or applicable industry requirements. Consider the following:
   a. Length, complexity, change requirements, history
   b. Are passwords suppressed from all output?
   c. Are password files encrypted and restricted?
3. Review termination procedures to ensure credentials are revoked or changed when an employee leaves.
   a. Spot-check accounts to ensure user access is revoked following termination and accounts are deleted according to policy.
NIST Ref. to COBIT 5: DSS05.04; DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.9.2.1; A.9.2.2; A.9.2.4; A.9.3.1; A.9.4.2; A.9.4.3
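The Python script below is an added example, not part of the ISACA program: it applies testing steps 1, 2 and 3a above to a constructed password-policy export and a constructed account sample joined to an HR termination list, returning findings the auditor would record in the workpaper. The policy thresholds, default-account list and one-day revocation grace period are assumptions for the example.

```python
"""Added example: evaluates evidence for the 'Identities and credentials'
testing steps (1, 2 and 3a). All inputs are constructed for the example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Organization policy thresholds (assumed values for this example).
POLICY = {
    "min_length": 12,
    "complexity_required": True,
    "max_age_days": 90,
    "history_size": 12,
    "lockout_threshold": 5,       # step 1e: failed attempts before lockout
    "idle_timeout_minutes": 15,   # step 1d: automatic timeout if unattended
    "mfa_required": True,         # step 1c
}

# Default administrative account names that step 1f expects to be renamed
# (constructed list for the example).
DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}

# Maximum time an account may stay enabled after termination (assumed).
REVOCATION_GRACE = timedelta(days=1)


@dataclass
class Account:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_logon: Optional[date]
    terminated_on: Optional[date]   # from the HR termination list, if any
    is_admin: bool = False


def check_password_policy(effective: dict) -> list[str]:
    """Steps 2a, 1d and 1e: compare the system's effective settings with POLICY.

    Returns one finding per deviation; an empty list means the settings comply.
    A value of 0 for max age, lockout or timeout means the setting is disabled.
    """
    findings = []
    if effective.get("min_length", 0) < POLICY["min_length"]:
        findings.append("minimum password length below policy")
    if POLICY["complexity_required"] and not effective.get("complexity_required"):
        findings.append("password complexity not enforced")
    max_age = effective.get("max_age_days", 0)
    if max_age == 0 or max_age > POLICY["max_age_days"]:
        findings.append("password maximum age exceeds policy or is unlimited")
    if effective.get("history_size", 0) < POLICY["history_size"]:
        findings.append("password history shorter than policy")
    threshold = effective.get("lockout_threshold", 0)
    if threshold == 0 or threshold > POLICY["lockout_threshold"]:
        findings.append("lockout threshold disabled or above policy")
    timeout = effective.get("idle_timeout_minutes", 0)
    if timeout == 0 or timeout > POLICY["idle_timeout_minutes"]:
        findings.append("idle timeout disabled or longer than policy")
    return findings


def spot_check_accounts(accounts: list[Account], as_of: date) -> dict[str, list[str]]:
    """Steps 1c, 1f and 3a over a sample of accounts joined to the HR list."""
    findings = {
        "enabled_after_termination": [],   # step 3a
        "no_mfa": [],                      # step 1c
        "default_admin_name": [],          # step 1f
    }
    for acct in accounts:
        if (acct.terminated_on and acct.enabled
                and as_of - acct.terminated_on > REVOCATION_GRACE):
            findings["enabled_after_termination"].append(acct.username)
        if acct.enabled and POLICY["mfa_required"] and not acct.mfa_enrolled:
            findings["no_mfa"].append(acct.username)
        if acct.is_admin and acct.username.lower() in DEFAULT_ADMIN_NAMES:
            findings["default_admin_name"].append(acct.username)
    return findings


# Constructed evidence: an effective-policy export and an account sample.
AS_OF = date(2016, 6, 30)
SAMPLE_SETTINGS = {
    "min_length": 8, "complexity_required": True, "max_age_days": 0,
    "history_size": 24, "lockout_threshold": 10, "idle_timeout_minutes": 15,
}
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, True, date(2016, 6, 29), None),
    Account("asmith", True, False, date(2016, 6, 1), date(2016, 5, 31)),
    Account("bjones", False, True, date(2016, 3, 2), date(2016, 3, 4)),
    Account("Administrator", True, True, date(2016, 6, 28), None, is_admin=True),
    Account("svc_backup", True, False, None, None),
]

if __name__ == "__main__":
    for line in check_password_policy(SAMPLE_SETTINGS):
        print("policy finding:", line)
    for kind, users in spot_check_accounts(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{kind}: {users or 'none'}")
```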

Control: Physical access to assets is managed and protected.
Question for clients: Is physical access to assets managed and protected?
Question for clients (FR, translated): Is physical access to assets managed and protected?
Testing Step:
1. Determine whether physical access to key assets (e.g., server rooms, network closets, zones) is physically restricted by:
   a. Locked doors
   b. Surveillance
   c. Fences or walls
   d. Logs
   e. Visitor escorts
2. Determine whether policies and procedures allow only authorized personnel access to sensitive areas.
3. Review termination procedures to ensure physical access is removed once an employee leaves.
NIST Ref. to COBIT 5: DSS01.04; DSS05.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.1.1; A.11.1.2; A.11.1.4; A.11.1.6; A.11.2.3

Control: Remote access is managed.
Question for clients: Is remote access managed?
Question for clients (FR, translated): Is remote access managed?
Testing Step:
1. Determine whether policies and procedures related to remote users' access capabilities are formalized. Consider the following:
   a. Remote users (e.g., employees, contractors, third parties) with access to critical systems are approved and documented.
   b. Remote connections are only opened as required.
   c. Remote connections are logged and monitored.
   d. Remote connections are encrypted.
   e. Strong authentication is in place (e.g., multifactor, strong password parameters).
   f. The ability to wipe data remotely on mobile devices when data are missing or stolen is enabled.
   g. Institution security controls (e.g., antivirus, patch management) are required on remote devices connecting to the network.
NIST Ref. to COBIT 5: APO13.01; DSS01.04; DSS05.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.2.2; A.13.1.1; A.13.2.1

Control: Access permissions are managed, incorporating the principles of least privilege and separation of duties.
Question for clients: Are access permissions managed, incorporating the principles of least privilege and separation of duties?
Question for clients (FR, translated): Are access permissions managed by incorporating the principles of least privilege and separation of duties?
Testing Step:
1. Review access rights and permissions for the network and any critical applications.
2. Determine if user access profiles are consistent with their job functions (based on least privilege). Compare a sample of users' access authority with their assigned duties and responsibilities.
3. Determine if access is granted for mission critical functions and information system support functions in order to reduce the risk of malevolent activity without collusion (e.g., critical processes require two people to perform the function).
4. Determine if users with local administrative privilege on workstations require this level of access.
5. Review how the organization restricts and/or monitors access to sensitive data by users with elevated network privilege.
6. Determine if role-based access controls are implemented (e.g., roles vs. users are assigned access rights).
7. Determine if there are regular reviews of access.
NIST Ref. to COBIT 5: DSS05.04; DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.2; A.9.1.2; A.9.2.3; A.9.4.1; A.9.4.4
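As an added example (not part of the original program), the Python helper below carries out testing steps 2, 3, 4 and 7 over a constructed sample: it compares each user's granted entitlements with an assumed role definition, flags entitlement pairs that would let one person complete a two-person process alone, unjustified local administrator rights and overdue access reviews. The role definitions, conflict pairs and 90-day review interval are assumptions.

```python
"""Added example: evidence checks for the 'Access permissions' testing steps
(2, 3, 4 and 7). Role definitions and the user sample are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Approved role definitions (assumed): role -> entitlements the role grants.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"ap.invoice.create", "ap.invoice.view"},
    "ap_manager": {"ap.invoice.view", "ap.payment.approve"},
    "helpdesk": {"ad.password.reset", "ticket.view"},
    "dba": {"db.admin", "db.backup"},
}

# Entitlement pairs one person must not hold together (step 3: critical
# processes require two people, so a single user must not be able to do both).
SOD_CONFLICTS = [
    ("ap.invoice.create", "ap.payment.approve"),
    ("db.admin", "ap.payment.approve"),
]

# Longest acceptable interval between access reviews (assumed policy value).
REVIEW_INTERVAL = timedelta(days=90)


@dataclass
class UserAccess:
    username: str
    role: str
    entitlements: set[str] = field(default_factory=set)
    local_admin: bool = False               # step 4
    local_admin_justified: bool = False     # documented business need
    last_reviewed: Optional[date] = None    # step 7


def excess_entitlements(user: UserAccess) -> set[str]:
    """Step 2: entitlements beyond what the user's approved role grants."""
    return user.entitlements - ROLE_ENTITLEMENTS.get(user.role, set())


def sod_violations(user: UserAccess) -> list[tuple[str, str]]:
    """Step 3: conflicting pairs held by a single user."""
    return [pair for pair in SOD_CONFLICTS if set(pair) <= user.entitlements]


def review_access(users: list[UserAccess], as_of: date) -> dict[str, dict]:
    """Run steps 2, 3, 4 and 7 over a sample; users with no findings are omitted."""
    report = {}
    for user in users:
        findings = {}
        extra = excess_entitlements(user)
        if extra:
            findings["excess_entitlements"] = sorted(extra)
        conflicts = sod_violations(user)
        if conflicts:
            findings["sod_conflicts"] = conflicts
        if user.local_admin and not user.local_admin_justified:
            findings["unjustified_local_admin"] = True
        if user.last_reviewed is None or as_of - user.last_reviewed > REVIEW_INTERVAL:
            findings["access_review_overdue"] = True
        if findings:
            report[user.username] = findings
    return report


# Constructed sample of users' access authority (step 2: compare with duties).
AS_OF = date(2016, 6, 30)
SAMPLE_USERS = [
    UserAccess("jdoe", "ap_clerk", {"ap.invoice.create", "ap.invoice.view"},
               last_reviewed=date(2016, 5, 1)),
    # Clerk who was also granted payment approval: excess and an SoD conflict.
    UserAccess("asmith", "ap_clerk",
               {"ap.invoice.create", "ap.invoice.view", "ap.payment.approve"},
               last_reviewed=date(2016, 5, 1)),
    # Helpdesk user with undocumented local admin and no review since January.
    UserAccess("kchen", "helpdesk", {"ad.password.reset", "ticket.view"},
               local_admin=True, last_reviewed=date(2016, 1, 15)),
    UserAccess("rpatel", "dba", {"db.admin", "db.backup"}, local_admin=True,
               local_admin_justified=True, last_reviewed=date(2016, 6, 1)),
]

if __name__ == "__main__":
    for name, findings in review_access(SAMPLE_USERS, AS_OF).items():
        print(name, findings)
```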
Control: Network integrity is protected, incorporating network segregation where appropriate.
Question for clients: Is network integrity protected, incorporating network segregation where appropriate?
Question for clients (FR, translated): Is network integrity protected, incorporating network segregation where appropriate?
Testing Step:
1. Review network diagrams and data flow diagrams.
2. Determine if high-value/critical systems are separated from high-risk systems (e.g., VLAN, DMZ, hard backups, air-gapping) where possible.
3. Determine if the organization has a formal process to approve data flows and/or connections between networks and/or systems.
NIST Ref. to COBIT 5: DSS05.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.13.1.1; A.13.1.3; A.13.2.1

Process Sub-Area: Awareness Training
Control Objective: The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

Control: All users are informed and trained.
Question for clients: Are all users informed and trained?
Question for clients (FR, translated): Are all users informed and trained?
Testing Step:
1. Review acceptable use policy and/or training materials to ensure content is adequate.
2. Review user training reports and/or documentation to ensure users are trained in accordance with applicable policy, guidance, and/or requirement (e.g., annual cybersecurity training of all employees).
3. Determine whether training materials are updated based on changes in the cyberthreat environment.
NIST Ref. to COBIT 5: APO07.03; BAI05.07
Ref. Framework/Standards: ISO/IEC 27001:2013 A.7.2.2

Control: Privileged users understand roles and responsibilities.
Question for clients: Do privileged users understand roles and responsibilities?
Question for clients (FR, translated): Do privileged users understand the roles and responsibilities?
Testing Step:
1. Determine if the organization has a process to identify privileged users.
2. Determine if privileged users' roles are well defined and if privileged users are trained based on their responsibilities.
3. Review training material and/or user agreements to ensure users with elevated privileges are taught security roles and responsibilities associated with elevated privileges.
NIST Ref. to COBIT 5: DSS06.03
Additional Ref. COBIT 5: APO07.02; APO07.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.7.2.2

Control: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles and responsibilities.
Question for clients: Do third-party stakeholders (e.g., suppliers, customers, partners) understand roles and responsibilities?
Question for clients (FR, translated): Do third-party stakeholders (e.g., suppliers, customers, partners) understand the roles and responsibilities?
Testing Step:
1. Review applicable third-party contracts, customer agreements, and partner agreements to ensure security roles and responsibilities are clearly defined.
2. Review the organization's vendor management program to ensure third parties are complying with cybersecurity responsibilities defined in contracts and agreements.
NIST Ref. to COBIT 5: APO07.03; APO10.04; APO10.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.7.2.2
NIST Cybersecurity Framework - Protect ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Protect

Columns: Process Sub-Area; Ref. Risk; Control Objectives; Controls; Control Questions for clients; Control Questions for clients FR; Type; Classification; Frequency; NIST Testing Step; Ref. to COBIT 5; Additional Ref. COBIT 5; Ref. Framework/Standards; Ref. Workpaper; Pass/Fail; Comments. (Each row below lists its non-empty cells as labelled lines; the FR column is a French rendering of the English client question and is given once, in English.)

Process Sub-Area: Awareness Training (continued)

Control: Senior executives understand roles and responsibilities.
Question for clients: Do senior executives understand their roles and responsibilities?
Testing steps:
1. Review training and continuing education programs for senior executives. Consider the following:
   a. Cybersecurity knowledge and skill levels needed to perform their duties are defined.
   b. Specific role-based training is assigned based on cybersecurity roles and responsibilities.
   c. A method is in place to measure senior executives' cybersecurity knowledge and understanding against organization requirements.
   d. Training and education materials are updated to reflect changes in the threat environment.
Ref. to COBIT 5: APO07.03
Additional Ref. COBIT 5: EDM01.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.7.2.2

Control: Physical and information security personnel understand roles and responsibilities.
Question for clients: Do physical and information security personnel understand their roles and responsibilities?
Testing steps:
1. Review training and continuing education programs for physical and information security personnel. Consider the following:
   a. Knowledge and skill levels needed to perform physical and information security duties are defined.
   b. Specific role-based training is assigned based on physical and information security roles and responsibilities.
   c. A method is in place to measure physical and information security personnel's cybersecurity knowledge and understanding against organization requirements.
   d. Training and education materials are updated to reflect changes in the threat environment.
Ref. to COBIT 5: APO07.03
Additional Ref. COBIT 5: DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.7.2.2

Process Sub-Area: Data Security
Control Objective: Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.

Control: Data-at-rest is protected.
Question for clients: Is data-at-rest protected?
Testing steps:
1. Determine if confidential or sensitive data is identified on the organization's network (e.g., data classification, risk assessment).
2. Determine if confidential data is secured (e.g., strong encryption as defined by industry best practices) at rest.
3. Determine if mobile devices (e.g., laptops, tablets, removable media) that are used to store confidential data are encrypted.
4. Review contracts with third parties storing confidential data to ensure appropriate security controls are in place for sensitive data at rest.
Ref. to COBIT 5: APO01.06; BAI02.01; BAI06.01; DSS06.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.3

Control: Data-in-transit is protected.
Question for clients: Is data-in-transit protected?
Testing steps:
1. Determine if sensitive information is secured (e.g., strong encryption as defined by industry best practices) when transmitted across publicly accessible networks.
2. Determine if adequate policies are in place regarding transmission of confidential or sensitive information via email.
3. Review training materials and/or acceptable use policy to determine whether employees are instructed on organization policy regarding data transmission.
4. Review contracts with third parties transmitting confidential data to ensure appropriate security controls are in place for transmission of sensitive data.
Ref. to COBIT 5: APO01.06; DSS06.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.3; A.13.1.1; A.13.2.1; A.13.2.3; A.14.1.2; A.14.1.3

Control: Assets are formally managed throughout removal, transfers and disposition.
Question for clients: Are assets formally managed throughout removal, transfers and disposition?
Testing steps:
1. Review asset inventory policies and procedures. Consider the following:
   a. Formalized processes in place
   b. Accuracy of asset tracking
   c. Secure removal or destruction of confidential information from decommissioned assets
Ref. to COBIT 5: BAI09.03
Additional Ref. COBIT 5: DSS05.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.3; A.8.3.1; A.8.3.2; A.8.3.3; A.11.2.7

Control: Adequate capacity to ensure availability is maintained.
Question for clients: Is adequate capacity to ensure availability maintained?
Testing steps:
1. Review a sample of capacity management monitoring reports used to monitor critical resources such as network bandwidth, CPU, disk utilization, etc.
2. Determine if resources have adequate capacity (e.g., disk space, CPU).
3. Determine if the risk of distributed denial-of-service (DDoS) has been addressed and is in line with the organization's risk appetite.
Ref. to COBIT 5: APO13.01
Additional Ref. COBIT 5: BAI02.01; BAI03.05; BAI04.01; BAI04.02; BAI04.03; BAI04.04; BAI04.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.3.1

Control: Protections against data leaks are implemented.
Question for clients: Are protections against data leaks implemented?
Testing steps:
1. Review risk assessments, information security meeting minutes and information security strategies to determine if the risk of data loss or exfiltration of confidential data is being considered.
2. Ensure controls or tools (e.g., data loss prevention) are in place to detect or block potential unauthorized or unintentional transmission or removal of confidential data (e.g., email, FTP, USB devices, Telnet).
Ref. to COBIT 5: APO01.06
Additional Ref. COBIT 5: DSS05.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.2; A.7.1.1; A.7.1.2; A.7.3.1; A.8.2.2; A.8.2.3; A.9.1.1; A.9.1.2; A.9.2.3; A.9.4.1; A.9.4.4; A.9.4.5; A.13.1.3; A.13.2.1; A.13.2.3; A.13.2.4; A.14.1.2; A.14.1.3

Control: Integrity checking mechanisms are used to verify software, firmware and information integrity.
Question for clients: Are integrity checking mechanisms used to verify software, firmware and information integrity?
Testing steps:
1. Determine if the organization employs integrity verification tools (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) to detect unauthorized changes to software (e.g., middleware, applications and operating systems with key internal components such as kernels, drivers), firmware (e.g., Basic Input Output System [BIOS]), and information (e.g., metadata such as security attributes associated with information).
Ref. to COBIT 5: APO01.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.2.1; A.12.5.1; A.14.1.2; A.14.1.3
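As an added illustration of the integrity-verification tools named in testing step 1 above (this is example code, not part of the ISACA audit program): a SHA-256 baseline-and-verify routine that records a digest per file, re-hashes the tree later and reports what changed. The directory layout, file contents and the function names (`build_baseline`, `verify`, `baseline_fingerprint`) are constructed for the demo.

```python
"""Added example, not part of the ISACA audit program: a SHA-256 baseline-and-verify
routine of the kind an integrity verification tool implements for testing step 1 above.
Directory layout and file contents are constructed inside a temporary directory; the
function names are assumptions for the demo."""
import hashlib
import os
import tempfile
from typing import Dict, List

HASH_ALGO = "sha256"  # collision-resistant; CRC and parity only catch accidental corruption


def hash_file(path: str) -> str:
    """Hex digest of a file, read in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (relative, '/'-separated path) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # the link target has its own entry; the link itself is not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def baseline_fingerprint(baseline: Dict[str, str]) -> str:
    """One digest over the whole baseline, for recording in a workpaper or signing off-host."""
    h = hashlib.sha256()
    for rel in sorted(baseline):
        h.update(f"{baseline[rel]}  {rel}\n".encode())
    return h.hexdigest()


def verify(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree with the baseline: modified, added and missing paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "app"), "wb") as fh:
            fh.write(b"original binary")
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("debug=false\n")
        baseline = build_baseline(root)
        # simulated unauthorized change, dropped module and deleted file
        with open(os.path.join(root, "bin", "app"), "wb") as fh:
            fh.write(b"patched binary")
        with open(os.path.join(root, "bin", "extra.so"), "wb") as fh:
            fh.write(b"new module")
        os.remove(os.path.join(root, "config.ini"))
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline, or at least its fingerprint, has to live somewhere the monitored host cannot rewrite (a signed record held by the auditor, a write-once store); a baseline kept beside the software it protects can be updated by whoever altered the software, and an auditor testing this control should ask where the reference digests are kept and who can change them.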

Control: The development and testing environment(s) are separate from the production environment.
Question for clients: Are the development and testing environment(s) separate from the production environment?
Testing steps:
1. If the organization maintains a software development or testing environment, review network diagrams, database connections and applicable firewall/router configurations to determine sufficiency of separation between these environments and the production network.
Ref. to COBIT 5: BAI07.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.1.4

Process Sub-Area: Information Protection Processes and Procedures
Control Objective: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

Control: A baseline configuration of information technology/industrial control systems is created and maintained.
Question for clients: Is a baseline configuration of information technology/industrial control systems created and maintained?
Testing steps:
1. Determine if the organization has created or adopted baseline configurations (e.g., Center for Internet Security [CIS] benchmarks, Security Technical Implementation Guides [STIG]) for systems (e.g., servers, desktops, routers).
2. Sample systems against the organization's baseline configurations to ensure standards are followed and enforced.
Ref. to COBIT 5: BAI10.01; BAI10.02; BAI10.03; BAI10.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.1.2; A.12.5.1; A.12.6.2; A.14.2.2; A.14.2.3; A.14.2.4

Control: A system development life cycle (SDLC) to manage systems is implemented.
Question for clients: Is a system development life cycle (SDLC) to manage systems implemented?
Testing steps:
1. Obtain and review a copy of the organization's system development life cycle.
2. Obtain samples of rollout documentation and rollout schedule to ensure compliance with policy.
Ref. to COBIT 5: APO13.01
Additional Ref. COBIT 5: BAI07.04; BAI07.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.6.1.5; A.14.1.1; A.14.2.1; A.14.2.5

Control: Configuration change control processes are in place.
Question for clients: Are configuration change control processes in place?
Testing steps:
1. Determine if configuration change control processes for information systems are in place. Consider the following:
   a. Proposed changes are documented and approved.
   b. Changes are prohibited until designated approvals are received.
   c. Changes are tested and validated before implementation.
   d. Changes are documented and reported upon completion.
Ref. to COBIT 5: BAI06.01; BAI01.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.1.2; A.12.5.1; A.12.6.2; A.14.2.2; A.14.2.3; A.14.2.4

Control: Backups of information are conducted, maintained and tested periodically.
Question for clients: Are backups of information conducted, maintained and tested periodically?
Testing steps:
1. Determine if a formal backup and recovery plan exists.
2. Review backup procedures. Ensure periodic backup testing is performed to verify data are accessible and readable.
Ref. to COBIT 5: APO13.01
Additional Ref. COBIT 5: DSS04.07
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.3.1; A.17.1.2; A.17.1.3; A.18.1.3

Control: Policy and regulations regarding the physical operating environment for organizational assets are met.
Question for clients: Are policy and regulations regarding the physical operating environment for organizational assets met?
Testing steps:
1. Review physical security operating environment policies, procedures and plans. Ensure the following are addressed:
   a. Emergency shutoff
   b. Emergency lighting
   c. Emergency power
   d. Fire protection
   e. Temperature and humidity control
   f. Water damage protection
   g. Location of information system components (to minimize damage)
Ref. to COBIT 5: DSS01.04; DSS05.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.1.4; A.11.2.1; A.11.2.2; A.11.2.3

Control: Data is destroyed according to policy.
Question for clients: Is data destroyed according to policy?
Testing steps:
1. Review media sanitization (data destruction) policies.
2. Ensure sanitization techniques and procedures are commensurate with the security category or classification of the information or asset and in accordance with applicable federal and organizational standards and policies.
3. Spot-check trash cans, dumpsters, shred bins and/or shredders to ensure compliance with policy.
4. Obtain proof (e.g., destruction certificates) that media sanitization is occurring according to policy.
Ref. to COBIT 5: BAI09.03
Additional Ref. COBIT 5: DSS05.06
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.3; A.8.3.1; A.8.3.2; A.11.2.7

Control: Protection processes are continuously improved.
Question for clients: Are protection processes continuously improved?
Testing steps:
1. Review the organization's policies and procedures related to continually improving protection processes. Consider the following:
   a. Ongoing audits, assessments and vulnerability scanning are conducted, reviewed and responded to.
   b. Plans, processes and policies are updated based on lessons learned from tests (e.g., business continuity, disaster recovery, incident response).
   c. Designated position and/or committee responsible for continuous evaluation of the organization's information security needs and posture
   d. Threat information gathering and responses to changes in the threat environment
Ref. to COBIT 5: APO11.06; DSS04.05

Control: Effectiveness of protection technologies is shared with appropriate parties.
Question for clients: Is the effectiveness of protection technologies shared with appropriate parties?
Testing steps:
1. Determine if the organization participates in information sharing and analysis groups.
2. Determine if the organization facilitates information sharing by enabling authorized users to share authorized information with sharing partners.
Ref. to COBIT 5: BAI08.01; MEA02.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.6

Control: Response plans (incident response and business continuity) and recovery plans (incident recovery and disaster recovery) are in place and managed.
Question for clients: Are response plans (incident response and business continuity) and recovery plans (incident recovery and disaster recovery) in place and managed?
Testing steps:
1. Review incident response and business continuity plans to determine if the institution has documented how it will respond to a cyberincident.
2. Evaluate plans to determine how frequently they are updated and approved.
Ref. to COBIT 5: DSS04.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.1; A.17.1.1; A.17.1.2

Control: Response and recovery plans are tested.
Question for clients: Are response and recovery plans tested?
Testing steps:
1. Determine whether business continuity and incident response tests are performed according to policy and any applicable guidance.
Ref. to COBIT 5: DSS04.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.17.1.3

Control: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).
Question for clients: Is cybersecurity included in human resources practices (e.g., deprovisioning, personnel screening)?
Testing steps:
1. Review hiring procedures to determine whether background checks/screenings are performed for all employees.
2. Review hiring procedures for positions with access to sensitive information to determine if they are commensurate with a higher level of risk.
3. Review termination procedures to determine whether accounts/access are disabled in a timely manner.
Ref. to COBIT 5: APO07.01; APO07.02; APO07.03; APO07.04; APO07.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.7.1.1; A.7.3.1; A.8.1.4

Control: A vulnerability management plan is developed and implemented.
Question for clients: Is a vulnerability management plan developed and implemented?
Testing steps:
1. Obtain the organization's vulnerability management plan and ensure it includes the following:
   a. Frequency of vulnerability scanning
   b. Method for measuring the impact of vulnerabilities identified (e.g., Common Vulnerability Scoring System [CVSS])
   c. Incorporation of vulnerabilities identified in other security control assessments (e.g., external audits, penetration tests)
   d. Procedures for developing remediation of identified vulnerabilities
2. Obtain a copy of the organization's risk assessment to ensure vulnerabilities identified during the vulnerability management process are included.
Ref. to COBIT 5: APO04.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.6.1; A.18.2.2


Process Sub-Area: Maintenance
Control Objective: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

Control: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools.
Question for clients: Are maintenance and repair of organizational assets performed and logged in a timely manner, with approved and controlled tools?
Testing steps:
1. Review controlled maintenance processes. Consider the following:
   a. Maintenance activities are approved, scheduled and documented (e.g., date and time, name of individual(s) performing maintenance, description of maintenance performed, systems removed/replaced).
   b. Maintenance staff or vendors are approved, authorized and supervised (if required).
   c. Maintenance tools and media are approved and inspected for improper or unauthorized modifications prior to use.
Ref. to COBIT 5: BAI09.03
Additional Ref. COBIT 5: DSS03.05
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.1.2; A.11.2.4; A.11.2.5

Control: Remote maintenance of organizational assets is approved, logged and performed in a manner that prevents unauthorized access.
Question for clients: Is remote maintenance of organizational assets approved, logged and performed in a manner that prevents unauthorized access?
Testing steps:
1. Determine whether remote maintenance on servers, workstations and other systems is performed. Consider the following:
   a. Who is allowed to connect to systems (e.g., internal employees, third parties)
   b. What software/version or service is used to connect
   c. Whether end users have to take some action prior to allowing remote control of their workstation and/or whether access is logged and monitored
   d. Adequacy of authentication requirements (e.g., multifactor authentication)
Ref. to COBIT 5: DSS05.04
Ref. Framework/Standards: ISO/IEC 27001:2013 A.11.2.4; A.15.1.1; A.15.2.1

Process Sub-Area: Protective Technology
Control Objective: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Control: Audit/log records are determined, documented, implemented and reviewed in accordance with policy.
Question for clients: Are audit/log records determined, documented, implemented and reviewed in accordance with policy?
Testing steps:
1. Determine if audit logs (e.g., security, activity) are maintained and reviewed in a timely manner. Verify the adequacy of the logs to monitor and evaluate IT activities and security events. Consider the following:
   a. Audit records contain appropriate content (e.g., type of event, when the event occurred, where the event occurred, source of the event, outcome of the event, identity of any individuals or subjects associated with the event).
   b. Log files are sized such that logs are not deleted prior to review and/or being backed up.
   c. Audit logs and tools are protected from unauthorized access, modification and deletion.
2. Determine if logs for the following parts of the network are monitored and reviewed:
   a. Network perimeter (e.g., intrusion detection systems [IDS], firewalls)
   b. Microsoft systems (e.g., Windows event logs)
   c. Non-Microsoft systems (e.g., syslog files for Unix/Linux servers, routers, switches)
Ref. to COBIT 5: APO11.04
Additional Ref. COBIT 5: DSS05.07
Ref. Framework/Standards: ISO/IEC 27001:2013 A.12.4.1; A.12.4.2; A.12.4.3; A.12.4.4; A.12.7.1

Control: Removable media is protected and its use restricted according to policy.
Question for clients: Is removable media protected and its use restricted according to policy?
Testing steps:
1. Obtain a copy of the removable media policy. Review controls defined in the policy. Controls may include:
   a. User training
   b. Encryption of removable media
   c. Restricted access to removable media (e.g., USB restrictions)
   d. Sanitization procedures for decommissioned media
2. Perform spot-checks on systems with removable media restrictions to ensure restrictions are working as expected and comply with the organization's policy.
Ref. to COBIT 5: DSS05.02; APO13.01
Ref. Framework/Standards: ISO/IEC 27001:2013 A.8.2.2; A.8.2.3; A.8.3.1; A.8.3.3; A.11.2.9

Control: Access to systems and assets is controlled, incorporating the principle of least functionality.
Question for clients: Is access to systems and assets controlled, incorporating the principle of least functionality?
Testing steps:
1. Review information systems to determine if unnecessary and/or non-secure functions, ports, protocols and services are disabled.
2. Where feasible, the organization limits component functionality to a single function per device (e.g., dedicated email server).
3. Determine if the organization reviews functions and services provided by information systems or individual components of information systems to determine which functions and services are candidates for elimination.
Ref. to COBIT 5: DSS05.02
Additional Ref. COBIT 5: DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.9.1.2

Control: Communications and control networks are protected.
Question for clients: Are communications and control networks protected?
Testing steps:
1. Evaluate controls related to communications to ensure the network is secure. Consider:
   a. Network perimeter defenses are in place (e.g., border router, firewall).
   b. Physical security controls are used to prevent unauthorized access to telecommunication systems, etc.
   c. Logical network access controls (e.g., VLAN) and technical controls (e.g., encrypting traffic) are in place to protect and/or segregate communications networks (e.g., wireless, WAN, LAN, VoIP).
Ref. to COBIT 5: DSS05.02; APO13.01
Additional Ref. COBIT 5: DSS06.03
Ref. Framework/Standards: ISO/IEC 27001:2013 A.13.1.1; A.13.2.1
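The "Audit/log records" control earlier in this sub-area asks, in testing step 1a, that every record carry the event type, time, place, source, outcome and identity, and in step 2 that perimeter, Windows and non-Windows sources all reach the review. As an added example that is not part of the ISACA program, the following checker runs both tests over a few constructed key=value log lines; the field names, the `sensor` tag and the `EXPECTED_SENSORS` set are assumptions for the demo.

```python
"""Added example, not part of the ISACA audit program: a checker for testing step 1a
(audit records carry the required content) and step 2 (the expected parts of the
network are feeding the log review). Log lines below are constructed samples in a
key=value format; the field names and the EXPECTED_SENSORS set are assumptions."""
from typing import Dict, List, Tuple

# Content every audit record should carry, per testing step 1a
REQUIRED_FIELDS = {
    "ts": "when the event occurred",
    "host": "where the event occurred",
    "src": "source of the event",
    "event": "type of event",
    "outcome": "outcome of the event",
    "user": "identity of the subject associated with the event",
}

# Log sources that must be present in the review, per testing step 2
EXPECTED_SENSORS = {"perimeter", "windows", "linux"}

# Constructed sample: one perimeter record, one Windows record, two Linux records.
# Line 3 lacks an outcome and line 4 lacks an identity.
SAMPLE_LOG = """\
ts=2016-03-01T08:15:22Z host=fw01 sensor=perimeter event=conn_denied outcome=blocked user=- src=203.0.113.7
ts=2016-03-01T08:16:02Z host=dc01 sensor=windows event=logon outcome=success user=alice src=10.0.0.5
ts=2016-03-01T08:16:40Z host=db01 sensor=linux event=sudo user=bob src=10.0.0.9
ts=2016-03-01T08:17:05Z host=db01 sensor=linux event=file_read outcome=success src=10.0.0.9
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split a key=value record into a dict; tokens without '=' are ignored."""
    record: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def missing_fields(record: Dict[str, str]) -> List[str]:
    """Required keys that are absent or empty. An explicit '-' (identity unknown, e.g.
    a denied connection) counts as present: the record says so rather than staying silent."""
    return [key for key in REQUIRED_FIELDS if not record.get(key)]


def review_log(text: str) -> Dict[str, object]:
    """Run the completeness and coverage checks over a log excerpt."""
    incomplete: List[Tuple[int, List[str]]] = []
    sensors_seen = set()
    total = 0
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        total += 1
        record = parse_record(line)
        sensors_seen.add(record.get("sensor", "unknown"))
        gaps = missing_fields(record)
        if gaps:
            incomplete.append((line_no, gaps))
    return {
        "total": total,
        "incomplete": incomplete,                         # (line number, missing fields)
        "covered": sorted(sensors_seen),
        "uncovered": sorted(EXPECTED_SENSORS - sensors_seen),  # step 2 gaps
    }


if __name__ == "__main__":
    print(review_log(SAMPLE_LOG))
```

Step 1c (protecting the logs and tools from modification) is not something a parser can establish: a record can be complete and still have been altered after the fact, so that part of the test is answered by looking at where the logs are forwarded and who can write to them, not by reading the records.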

NIST Cybersecurity Framework - Detect ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Detect

Process Sub-Area: Anomalies and Events
Control Objective: Anomalous activity is detected in a timely manner and the potential impact of events is understood.

Control: A baseline of network operations and expected data flows for users and systems is established and managed.
Question for clients: Is a baseline of network operations and expected data flows for users and systems established and managed?
Testing steps:
1. Obtain a copy of the organization's logical network diagram (LND), data flow diagrams, and other network and communications diagrams.
2. Review the diagrams for the following:
   a. Frequency of updates to diagrams
   b. Accuracy and completeness of diagrams
   c. Scope of diagrams is adequate to identify both domains of different risk and control levels (i.e., high-risk, publicly accessible portions of a network vs. high-value, restricted access portions of the network) and the control points (e.g., firewalls, routers, intrusion detection/prevention systems) between them.
3. Determine if tools (e.g., security event and information management systems [SIEMs]) are used to establish typical (baseline) traffic so abnormal traffic can be detected.
Ref. to COBIT 5: DSS03.01

Control: Detected events are analyzed to understand attack targets and methods.
Question for clients: Are detected events analyzed to understand attack targets and methods?
Testing steps:
1. Obtain a copy of policies and procedures regarding system and network monitoring.
   a. Determine if policies and procedures require monitoring for anomalous activity at identified control points.
2. Obtain a copy of detected events (e.g., alerts from IDS) and the organization's response to them. Review the events and responses to ensure thorough analysis of detected events is performed.
Ref. to COBIT 5: DSS05.02
Ref. Framework/Standards: ISO/IEC 27001:2013 A.16.1.1; A.16.1.4

Control: Event data are aggregated and correlated from multiple sources and sensors.
Question for clients: Are event data aggregated and correlated from multiple sources and sensors?
Testing steps:
1. Obtain a listing of event aggregation and monitoring systems in use at the organization (e.g., SIEMs, event log correlation systems).
2. Obtain a list of sources that provide data to each event aggregation and monitoring system (e.g., firewalls, routers, servers).
3. Compare the sources to identified control points between domains of different risk and control levels and determine if they provide adequate monitoring coverage of the organization's environment.
Ref. to COBIT 5: APO12.01

Control: Impact of event is determined.
Question for clients: Is the impact of an event determined?
Testing steps:
1. Obtain a copy of detected events and the organization's responses to them.
2. Review the events, tickets and responses in order to ensure the organization is documenting the impact of anomalous activity using metrics that are applicable to the organization (e.g., compliance impact, operational impact, accurate reporting impact).
Ref. to COBIT 5: APO12.06

Control: Incident alert thresholds are established.
Question for clients: Are incident alert thresholds established?
Testing steps:
1. Obtain a copy of alert messages, meeting minutes, reports and other documentation where detected events were escalated.
2. Review the documentation and determine the following:
   a. Detected events are reported in a timely manner to someone with the knowledge and expertise to resolve or escalate the event.
   b. Escalated events are reported to individuals or groups with the appropriate authority to make decisions about the organization's response.
   c. Thresholds are defined such that an event triggers the appropriate response (e.g., business continuity response, disaster recovery response, incident response, legal response).
Ref. to COBIT 5: APO12.06
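Two controls in this sub-area go together in practice: the first asks whether typical (baseline) traffic is established so abnormal traffic can be detected, and the last asks whether thresholds are defined so that an event triggers the appropriate response. As an added example that is not part of the ISACA program, the following code builds a per-host baseline from constructed hourly byte counts, scores an observed day against it and sorts findings into a review tier and an incident tier. The hosts, byte counts, threshold multipliers and function names are all assumptions for the demo.

```python
"""Added example, not part of the ISACA audit program: establish a per-host traffic
baseline (median and median absolute deviation of hourly outbound bytes) and flag
observed hours that deviate from it, with two alert tiers. Hosts, byte counts and
threshold values are constructed for the demo."""
from statistics import median
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[float, float]]  # host -> (median, effective spread)

NOTICE_MULT = 5.0       # deviations at or above this go to the monitoring team's review queue
INCIDENT_MULT = 20.0    # deviations at or above this open an incident
MIN_SPREAD_DIVISOR = 20  # floor for flat histories: spread is never below median / 20


def mad(values: List[int], center: float) -> float:
    """Median absolute deviation: a spread estimate that a few past spikes cannot inflate."""
    return median(abs(v - center) for v in values)


def build_baseline(history: Dict[str, List[int]]) -> Baseline:
    """Summarise each host's hourly history as (median, spread); flat histories get a floor
    so a host that is always quiet does not alert on every byte."""
    baseline: Baseline = {}
    for host, values in history.items():
        med = median(values)
        spread = max(mad(values, med), med / MIN_SPREAD_DIVISOR)
        baseline[host] = (med, spread)
    return baseline


def classify(deviation: float) -> str:
    """Map a deviation multiple onto the response tier it should trigger."""
    if deviation >= INCIDENT_MULT:
        return "incident"
    if deviation >= NOTICE_MULT:
        return "notice"
    return "normal"


def detect(baseline: Baseline, observed: Dict[str, List[int]]) -> List[Tuple[str, int, str, float]]:
    """Return (host, hour, tier, deviation) for every observed hour that is not normal."""
    findings = []
    for host, hours in observed.items():
        if host not in baseline:
            # a source with no baseline at all is escalated, not ignored
            findings.append((host, -1, "incident", float("inf")))
            continue
        med, spread = baseline[host]
        for hour, value in enumerate(hours):
            dev = abs(value - med) / spread  # two-sided: a host going silent is also abnormal
            tier = classify(dev)
            if tier != "normal":
                findings.append((host, hour, tier, round(dev, 1)))
    return sorted(findings)


def constructed_history(days: int = 7) -> Dict[str, List[int]]:
    """Seven days of hourly outbound bytes: db01 has a small repeating pattern, web01 is flat."""
    db01 = [1_000_000 + (h % 3) * 100_000 for _ in range(days) for h in range(24)]
    web01 = [500_000] * (24 * days)
    return {"db01": db01, "web01": web01}


def constructed_observations() -> Dict[str, List[int]]:
    """One observed day: a 50 MB burst from db01 at 02:00, a moderate rise at 10:00,
    and a bump on the otherwise flat web01 at 03:00."""
    db01 = [1_000_000 + (h % 3) * 100_000 for h in range(24)]
    db01[2] = 50_000_000
    db01[10] = 2_000_000
    web01 = [500_000] * 24
    web01[3] = 700_000
    return {"db01": db01, "web01": web01}


if __name__ == "__main__":
    for finding in detect(build_baseline(constructed_history()), constructed_observations()):
        print(finding)
```

Median and MAD are used instead of mean and standard deviation so that a spike already present in the history does not widen the baseline and hide the next one; the floor for flat histories is the edge case a real SIEM rule has to handle, since a zero spread would otherwise make every deviation infinite. An auditor reviewing the thresholds asks who owns each tier and how the multipliers were chosen, which is what the "Incident alert thresholds" testing steps above are after.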

1. Obtain a list of the monitoring control implemented by the organization at


the following levels:
a. Network (e.g., firewall, router, switch)
b. Operating system (e.g., server platforms, workstation platforms,
The network is monitored to Does the network is monitored Le réseau est-il surveillé pour
appliances)
detect potential cybersecurity to detect potential détecter d'éventuels
c. Application (e.g., account management, file and database access).
events. cybersecurity events ? événements de cybersécurité ?
2. Determine if monitoring at each level includes detection of cybersecurity
events (e.g., denial-of-service [DoS] attacks, unauthorized account access,
unauthorized file/system access, privilege escalation attacks, SQL injection
attacks).
DSS05.07

1. Obtain an inventory of critical facilities (e.g., data centers, network closets,


operations centers, critical control centers).
L'environnement physique est-il
The physical environment is Does the physical environment 2. Determine if physical security monitoring controls are implemented and
surveillé pour détecter
monitored to detect potential is monitored to detect potential appropriate to detect potential cybersecurity events (e.g., sign in/out logs,
d'éventuels évémenents de
cybersecurity events. cybersecurity events ? motion detectors, security cameras, security lighting, security guards,
cybersécurité ?
door/window locks, automatic system lock when idle, restricted physical
access to servers, workstations, network devices, network ports).
DSS05.05

1. Obtain a list of the monitoring controls implemented by the organization at


the application/user account level (e.g., account management, user access
Personnel activity is monitored Has the personnel activity is roles, user activity monitoring, file and database access).
to detect potential monitored to detect potential 2. Determine if monitoring includes detection and alerting of cybersecurity
cybersecurity events. cybersecurity events ? events (e.g., unauthorized account access, unauthorized file/system access,
access out of hours, access to sensitive data, unusual access, unauthorized
physical access, privilege escalation attacks). ISO/IEC
DSS05.04; 27001:2013
L'activité du personnel est-elle surveillée pour détecter d'éventuels év DSS05.05 A.12.4.1

Copyright 2016 ISACA Page 11 of 16


ring
NIST Cybersecurity Framework - Detect ISACA IS Audit/Assurance Program

IS Audit/Assurance Progam
Cybersecurity: Based on the NIST Cybersecurity Framework - Detect

Process Ref. Control Control Control NIST Ref. to Additional Ref. Ref. Framework/ Ref. Pass/
Sub-Area Risk Control Objectives Controls Questions for clients FR Type Classification Frequency Testing Step COBIT 5 COBIT 5 Standards Workpaper Fail Comments

Process Sub-Area: Security Continuous Monitoring
The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

Control: Malicious code is detected.
Question for clients: Is malicious code detected?
Testing steps:
1. Obtain a copy of processes and procedures used to detect malicious code on the network and servers/workstations (e.g., anti-malware software on servers and workstations, phishing filters on email systems, intrusion prevention/detection systems on the network [IDS/IPS], endpoint security products on workstations and/or servers).
2. Determine if malicious code controls are:
   a. Installed on all applicable systems and network control points
   b. Updated on a regular basis
   c. Configured to perform real-time scanning or periodic scans at regular intervals
3. Spot-check workstations and other user endpoint devices to verify the following:
   a. Malicious code controls are installed.
   b. Malicious code controls are updated.
   c. Malicious code controls are capable of detecting test code (e.g., the EICAR test virus).
Ref. COBIT 5: DSS05.01
Framework/Standards: ISO/IEC 27001:2013 A.12.2.1

Control: Unauthorized mobile code is detected.
Question for clients: Is unauthorized mobile code detected?
Testing steps:
1. Obtain documented processes and procedures used to detect unauthorized mobile code (e.g., Java, JavaScript, ActiveX, Flash, VBScript) that is run on the organization's servers, workstations and devices.
2. Determine if detective mobile code controls block unauthorized mobile code when detected (e.g., quarantine, execution blocking, download blocking).
Examples of mobile code controls include:
   a. Detecting and blocking mobile code attachments in emails (e.g., .exe files, .js files)
   b. Detecting and blocking mobile code portions of websites
   c. Removing the ability to run mobile code on systems that do not require this functionality (e.g., uninstalling Java from workstations without a need for it)
   d. Configuring systems to generate alerts and block execution when mobile code that is not signed with an approved code-signing certificate attempts to execute
Ref. COBIT 5: DSS05.03; DSS05.07
Framework/Standards: ISO/IEC 27001:2013 A.12.5.1

Control: External service provider activity is monitored to detect potential cybersecurity events.
Question for clients: Is external service provider activity monitored to detect potential cybersecurity events?
Testing steps:
1. Obtain and review contracts executed with external service providers.
2. Determine if external service provider contracts require the service providers to:
   a. Notify the organization as soon as possible of any known or suspected cybersecurity event.
   b. Notify the organization as soon as possible of termination of any employee who possesses credentials to access the organization's systems or facilities.
   c. Implement security controls equivalent to or exceeding the level of security required of the organization.
3. Obtain a copy of the organization's logical network diagram (LND) to determine how external service provider networks are connected to the organization's network, and whether monitoring controls (e.g., firewalls, routers, intrusion detection/prevention systems) are implemented at these connection points.
4. Obtain and analyze a copy of system configurations for monitoring controls used to detect cybersecurity events originating on external service providers' networks.
NIST Ref. to COBIT 5: APO07.06; Additional Ref. COBIT 5: APO10.04; APO10.05
Framework/Standards: ISO/IEC 27001:2013 A.14.2.7; A.15.2.1

Control: Monitoring for unauthorized personnel, connections, devices and software is performed.
Question for clients: Is monitoring for unauthorized personnel, connections, devices and software performed?
Testing steps:
1. Obtain a copy of processes and procedures designed to detect unauthorized access to the organization's facilities and systems (e.g., sign-in/out logs, video surveillance, break-in alarms, network port blocking, USB device restrictions on workstations and user devices, monitoring of excessive failed logins indicating a password-guessing attack).
2. Spot-check unauthorized access controls by accessing facilities and systems with permission to test, but not standard authorization. Request that the organization provide the alert notifications generated by the simulated unauthorized access.
Ref. COBIT 5: DSS05.05

Control: Vulnerability scans are performed.
Question for clients: Are vulnerability scans performed?
Testing steps:
1. Obtain a copy of the organization's schedule for performing internal and external vulnerability scans and the results of the most recent internal and external vulnerability scans.
2. Review the schedule and results for the following:
   a. Frequency
   b. Successful completion
   c. Documented resolution or mitigation of identified vulnerabilities
   d. Scope of testing includes all critical systems
3. Determine whether vulnerability scan results were reported to individuals or teams with appropriate authority to ensure resolution.
Ref. COBIT 5: BAI03.10
Framework/Standards: ISO/IEC 27001:2013 A.12.6.1
Process Sub-Area: Detection Processes
Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Control: Roles and responsibilities for detection are well defined to ensure accountability.
Question for clients: Are roles and responsibilities for detection well defined to ensure accountability?
Testing steps:
1. Obtain a copy of processes and procedures for monitoring physical and electronic anomalous events.
2. Determine if the organization's processes and procedures assign key responsibilities to specific individuals or positions.
Ref. COBIT 5: DSS05.01
Framework/Standards: ISO/IEC 27001:2013 A.6.1.1

Control: Detection activities comply with all applicable requirements.
Question for clients: Do detection activities comply with all applicable requirements?
Testing steps:
1. Obtain a copy of laws and regulations (e.g., federal, state, local), industry standards, internal security requirements and risk appetite applicable to the organization.
2. Determine if the organization is performing audits/testing to ensure their detection activities comply with these requirements.
Ref. COBIT 5: MEA03.03
Framework/Standards: ISO/IEC 27001:2013 A.18.1.4

Control: Detection processes are tested.
Question for clients: Are detection processes tested?
Testing steps:
1. Obtain a copy of the organization's schedule of incident response tests, the results of recent incident response tests, and documented processes and procedures requiring tests of anomalous activity controls (e.g., periodic tests of intrusion detection/prevention systems, endpoint anti-malware software).
2. Review the documentation for the following:
   a. Completeness in testing implemented anomalous activity detection controls
   b. Frequency of testing
   c. Documented resolution or mitigation of negative testing results
Ref. COBIT 5: APO13.02
Framework/Standards: ISO/IEC 27001:2013 A.14.2.8

Control: Event detection information is communicated to appropriate parties.
Question for clients: Is event detection information communicated to appropriate parties?
Testing steps:
1. Obtain a copy of meeting minutes where physical and electronic anomalous activity is reported (e.g., information security committee meetings, board/management meetings, risk management meetings).
2. Obtain a copy of documented responses to recent physical and electronic anomalous activity incidents.
3. Compare meeting minutes to documented incidents and determine if detected events are consistently reported and appropriately handled.
Ref. COBIT 5: APO12.06
Framework/Standards: ISO/IEC 27001:2013 A.16.1.2

Control: Detection processes are continuously improved.
Question for clients: Are detection processes continuously improved?
Testing steps:
1. Obtain a copy of documented responses to recent physical and electronic anomalous activity incidents. Determine if responses include the following:
   a. Lessons learned and analysis of failed or missing controls
   b. Action items to detect/prevent similar incidents in the future
Ref. COBIT 5: APO11.06; DSS04.05
Framework/Standards: ISO/IEC 27001:2013 A.16.1.6

NIST Cybersecurity Framework - Respond ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Respond
Process Sub-Area: Response Planning
Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

Control: Response plan is executed during or after an event.
Question for clients: Is the response plan executed during or after an event?
Testing steps:
1. Determine if the organization has approved incident response and business continuity plans.
2. Obtain copies of reports from recent incidents to validate the plans are executed.
NIST Ref. to COBIT 5: BAI01.10; Additional Ref. COBIT 5: DSS02.04; DSS02.05; DSS02.06; DSS02.07
Framework/Standards: ISO/IEC 27001:2013 A.16.1.5

Process Sub-Area: Communications
Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

Control: Personnel know their roles and order of operations when a response is needed.
Question for clients: Do personnel know their roles and order of operations when a response is needed?
Testing steps:
1. Review the incident response plan to determine if roles and responsibilities are defined for employees.
2. Interview employees to determine if employees know their roles and responsibilities as defined by the plan.
3. Review any incident response tests or training provided to employees to determine if they support educating employees on their roles and responsibilities.
Ref. COBIT 5: DSS02.04
Framework/Standards: ISO/IEC 27001:2013 A.6.1.1; A.16.1.1

Control: Events are reported consistent with established criteria.
Question for clients: Are events reported consistent with established criteria?
Testing steps:
1. Review the incident response plan to determine if reporting structure and communication channels are clearly defined.
2. Determine if employees are trained to report suspected security incidents.
3. Obtain copies of reports from recent incidents to validate reporting is consistent and follows the plan.
Ref. COBIT 5: DSS02.05
Framework/Standards: ISO/IEC 27001:2013 A.6.1.3; A.16.1.2

Control: Information is shared consistent with response plans.
Question for clients: Is information shared consistent with response plans?
Testing steps:
1. Review the incident response plan to determine if information sharing is clearly defined as it relates to the following (if applicable):
   a. Customers
   b. Law enforcement
   c. Regulators
   d. Media
   e. Information sharing organizations
2. Obtain copies of reports from recent incidents to validate sharing is consistent and follows the plan.
Ref. COBIT 5: DSS02.05
Framework/Standards: ISO/IEC 27001:2013 A.16.1.2

Control: Coordination with stakeholders occurs consistent with response plans.
Question for clients: Does coordination with stakeholders occur consistent with response plans?
Testing steps:
1. Review the incident response plan to determine if a process is in place to communicate with internal and external stakeholders during and/or following an incident.
2. Obtain copies of reports from recent incidents to validate reporting is consistent and follows the plan.
Ref. COBIT 5: DSS02.05; DSS02.07

Control: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
Question for clients: Does voluntary information sharing occur with external stakeholders to achieve broader cybersecurity situational awareness?
Testing steps:
1. Review the incident response plan to determine if a process is in place to communicate with external stakeholders (e.g., end users, suppliers, third parties, customers) following an incident.
Ref. COBIT 5: BAI08.01

Process Sub-Area: Analysis
Analysis is conducted to ensure adequate response and support recovery activities.

Control: Notifications from detection systems are investigated.
Question for clients: Are notifications from detection systems investigated?
Testing steps:
1. Obtain evidence of event notifications (e.g., detection alerts, reports) from information systems (e.g., account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools, physical access, temperature and humidity, anomalous activity, use of mobile code).
2. Determine who receives alerts or reports from detection systems and what actions are taken once reports are received.
3. Review the incident response plan to determine if actions taken follow the plan.
NIST Ref. to COBIT 5: DSS02.07; Additional Ref. COBIT 5: DSS02.04
Framework/Standards: ISO/IEC 27001:2013 A.12.4.1; A.12.4.3; A.16.1.5

Control: The impact of the incident is understood.
Question for clients: Is the impact of the incident understood?
Testing steps:
1. Review the incident response plan to determine if there is a process to formally analyze and classify incidents based on their potential impact.
2. Review the resumes and education of incident response team members responsible for determining incident impact to determine if they have the knowledge and experience to adequately understand potential impact.
Ref. COBIT 5: DSS02.04
Framework/Standards: ISO/IEC 27001:2013 A.16.1.6

Control: Forensics are performed.
Question for clients: Are forensics performed?
Testing steps:
1. Review the incident response plan as it relates to forensics. Consider the following:
   a. There is a process in place to ensure forensics will be performed when needed.
   b. Determine if security investigations and forensic analysis are performed by qualified staff or third parties.
   c. Review forensics procedures to ensure they include controls, such as chain of custody, to support potential legal action.
Ref. COBIT 5: DSS02.04
Framework/Standards: ISO/IEC 27001:2013 A.16.1.7

Control: Incidents are categorized consistent with response plans.
Question for clients: Are incidents categorized consistent with response plans?
Testing steps:
1. Review the incident response plan to determine if it is designed to prioritize incidents, enabling a rapid response for significant incidents or vulnerabilities.
2. Obtain copies of reports from recent incidents to validate reporting is consistent and follows the plan.
Ref. COBIT 5: DSS02.01; DSS02.02
Framework/Standards: ISO/IEC 27001:2013 A.16.1.4

Process Sub-Area: Mitigation
Activities are performed to prevent expansion of an event, mitigate its effects and eradicate the incident.

Control: Incidents are contained.
Question for clients: Are incidents contained?
Testing steps:
1. Review the incident response plan to determine if appropriate steps are in place to contain an incident. Consider the following:
   a. Steps to contain and control the incident to prevent further harm
   b. Procedures to notify potentially impacted third parties
   c. Strategies to control different types of incidents (e.g., distributed denial-of-service [DDoS], malware, etc.)
Ref. COBIT 5: DSS02.05
Framework/Standards: ISO/IEC 27001:2013 A.16.1.5

Control: Incidents are mitigated.
Question for clients: Are incidents mitigated?
Testing steps:
1. Review the incident response plan to determine if appropriate steps are in place to mitigate the impact of an incident. Consider the following:
   a. Steps to mitigate the incident to prevent further harm
   b. Procedures to notify potentially impacted third parties
   c. Strategies to mitigate the impact of different types of incidents (e.g., distributed denial-of-service [DDoS], malware, etc.)
2. Review any documented incidents to determine whether mitigation efforts were implemented and effective.
Ref. COBIT 5: DSS02.05
Framework/Standards: ISO/IEC 27001:2013 A.12.2.1; A.16.1.5

Control: Newly identified vulnerabilities are mitigated or documented as accepted risk.
Question for clients: Are newly identified vulnerabilities mitigated or documented as accepted risk?
Testing steps:
1. Determine if the organization's continuous monitoring programs (e.g., risk assessments, vulnerability scanning) facilitate ongoing awareness of threats, vulnerabilities and information security to support organizational risk management decisions. Consider the following:
   a. Is the process continuous (at a frequency sufficient to support organizational risk-based decisions)?
   b. Results generate appropriate risk response (e.g., mitigation strategy, acceptance) based on the organization's risk appetite
Ref. COBIT 5: DSS03.01; EDM03.03
Framework/Standards: ISO/IEC 27001:2013 A.12.6.1

Process Sub-Area: Improvements
Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

Control: Response plans incorporate lessons learned.
Question for clients: Do response plans incorporate lessons learned?
Testing steps:
1. Review the organization's incident handling reports and incident testing documentation for action items and lessons learned.
2. Evaluate the incident response plan to determine if results (e.g., action items, lessons learned) from real-world incidents and incident testing have been used to update incident response procedures, training and testing.
NIST Ref. to COBIT 5: BAI01.13; Additional Ref. COBIT 5: DSS02.07
Framework/Standards: ISO/IEC 27001:2013 A.16.1.6

Control: Response strategies are updated.
Question for clients: Are response strategies updated?
Testing steps:
1. Review the organization's incident response and business continuity strategies and plans. Consider the following:
   a. There is a mechanism in place to regularly review, improve, approve and communicate the plans.
   b. The organization's response capability is informed by actual incidents, tests and current threats.
Ref. COBIT 5: DSS02.07

NIST Cybersecurity Framework - Recover ISACA IS Audit/Assurance Program

IS Audit/Assurance Program
Cybersecurity: Based on the NIST Cybersecurity Framework - Recover

Process Sub-Area: Recovery Planning
Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

Control: Recovery plan is executed during or after an event.
Question for clients: Is the recovery plan executed during or after an event?
Testing steps:
1. Obtain a copy of the organization's recovery plans and procedures (e.g., business continuity plan, incident response plan, disaster recovery plan, cybersecurity incident plan) and the documented results of recent cybersecurity events or event tests.
2. Evaluate documentation for the following:
   a. Frequency of testing
   b. Coverage of critical pieces of the organization's recovery plans and procedures
   c. Documentation of incidents (e.g., power outages, communication failures, system outages, attempted and successful malicious or careless unauthorized access or disruption).
Ref. COBIT 5: DSS02.05; DSS03.04
Framework/Standards: ISO/IEC 27001:2013 A.16.1.5
Process Sub-Area: Improvements
Recovery planning and processes are improved by incorporating lessons learned into future activities.

Control: Recovery plans incorporate lessons learned.
Question for clients: Do recovery plans incorporate lessons learned?
Testing steps:
1. Obtain a copy of results of recent cybersecurity events or event tests.
2. Evaluate documentation for the following:
   a. Documented lessons learned and analysis of failed or missing controls
   b. Action items designed to improve recovery plans and procedures based on the lessons learned and analysis
NIST Ref. to COBIT 5: BAI05.07; Additional Ref. COBIT 5: DSS04.05; DSS04.08

Control: Recovery strategies are updated.
Question for clients: Are recovery strategies updated?
Testing steps:
1. Obtain a copy of the organization's recovery plans and procedures (e.g., business continuity plan, incident response plan, disaster recovery plan, cybersecurity incident plan) and the documented results of recent cybersecurity events or event tests.
2. Determine if recovery plans and procedures are reviewed, updated and approved on a regular basis or as changes are made to systems and controls.
3. Review recovery plans and procedures to determine if action items resulting from lessons learned during cybersecurity events and event tests have been implemented.
NIST Ref. to COBIT 5: BAI07.08; Additional Ref. COBIT 5: DSS04.05; DSS04.08

Process Sub-Area: Communications
Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs and vendors.

Control: Public relations are managed.
Question for clients: Are public relations managed?
Testing steps:
1. Obtain a copy of the organization's recovery plans and procedures (e.g., business continuity plan, incident response plan, disaster recovery plan, cybersecurity incident plan).
2. Determine if the plans and procedures include the following:
   a. Designation of points of contact within the organization to communicate with customers, partners, media, regulators and law enforcement
   b. Training for employees regarding where to refer questions about cybersecurity incidents
   c. Order of succession of key positions responsible for managing the organization's reputation risk during cybersecurity incidents
   d. Timely and responsible notification of customers, partners, regulators and law enforcement of a cybersecurity incident
NIST Ref. to COBIT 5: EDM03.02; Additional Ref. COBIT 5: DSS04.03

Control: Reputation after an event is repaired.
Question for clients: Is reputation after an event repaired?
Testing steps:
1. Obtain documented results of recent cybersecurity events. Determine whether the following are included:
   a. Informing customers, partners, media, regulators and law enforcement, as applicable, of ongoing efforts to correct identified issues and final resolution
   b. Specific efforts or plans to address reputation repair
Ref. COBIT 5: MEA03.02

Control: Recovery activities are communicated to internal stakeholders and executive and management teams.
Question for clients: Are recovery activities communicated to internal stakeholders and executive and management teams?
Testing steps:
1. Obtain a copy of meeting minutes where cybersecurity events are reported (e.g., Information Security Committee meetings, Board/management meetings, risk management meetings, Compliance Committee meetings).
2. Obtain a copy of documented results of recent cybersecurity events.
3. Compare meeting minutes to documented cybersecurity events and determine if recovery activities notified applicable stakeholders and management members (e.g., Board members, stockholders, C-level executives, risk management managers, affected department managers).
Ref. COBIT 5: DSS04.06; EDM05.03
