| ID | SO | SO-level | Measure |
|---|---|---|---|
| M1 | SO1 | SO1-1 | a) Set a high level security policy addressing the security of networks and services |
| M2 | SO1 | SO1-1 | b) Make key personnel aware of the security policy |
| M3 | SO1 | SO1-2 | c) Set detailed information security policies for critical assets and business processes |
| M4 | SO1 | SO1-2 | d) Make all personnel aware of the security policy and what it implies for their work |
| M5 | SO1 | SO1-2 | e) Review the security policy following incidents |
| M6 | SO1 | SO1-3 | f) Review the information security policies periodically, and take into account violations, exceptions, past incidents, past tests/exercises, and incidents affecting other (similar) providers in the sector |
| M7 | SO2 | SO2-1 | a) Make a list of the main risks for security of networks and services, taking into account main threats for the critical assets |
| M8 | SO2 | SO2-1 | b) Make key personnel aware of the main risks and how they are mitigated |
| M9 | SO2 | SO2-2 | c) Set up a risk management methodology and/or tools based on industry standards |
| M10 | SO2 | SO2-2 | d) Ensure that key personnel use the risk management methodology and tools |
| M11 | SO2 | SO2-2 | e) Review the risk assessments following changes or incidents |
| M12 | SO2 | SO2-2 | f) Ensure residual risks are accepted management |
| M13 | SO2 | SO2-3 | g) Review the risk management methodology and/or tools, periodically, taking into account changes and past incidents |
| M14 | SO3 | SO3-1 | a) Assign security roles and responsibilities to personnel |
| M15 | SO3 | SO3-1 | b) Make sure the security roles are reachable in case of security incidents |
| M16 | SO3 | SO3-2 | c) Personnel is formally appointed in security roles |
| M17 | SO3 | SO3-2 | d) Make personnel aware of the security roles in your organisation and when they should be contacted |
| M18 | SO3 | SO3-3 | e) Structure of security roles and responsibilities is regularly reviewed and revised, based on changes and/or past incidents |
| M19 | SO4 | SO4-1 | a) Include security requirements in contracts with third-parties, including confidentiality and secure transfer of information |
| M20 | SO4 | SO4-2 | b) Set a security policy for contracts with third-parties |
| M21 | SO4 | SO4-2 | c) Ensure that all procurement of services/products from third-parties follows the policy |
| M22 | SO4 | SO4-2 | d) Review security policy for third parties, following incidents or changes |
| M23 | SO4 | SO4-2 | e) Demand specific security standards in third-party supplier’s processes during procurement |
| M24 | SO4 | SO4-2 | f) Mitigate residual risks that are not addressed the third party |
| M25 | SO4 | SO4-3 | g) Keep track of security incidents related to or caused third-parties |
| M26 | SO4 | SO4-3 | h) Periodically review and update security policy for third parties at regular intervals, taking into account past incidents, changes, etc. |
| M27 | SO5 | SO5-1 | a) Check professional references of key personnel (system administrators, security officers, guards, etc.) |
| M28 | SO5 | SO5-2 | b) Perform background checks/screening for key personnel, when needed and legally permitted |
| M29 | SO5 | SO5-2 | c) Set up a policy and procedure for background checks |
| M30 | SO5 | SO5-3 | d) Review and update policy/procedures for background checks and reference checks at regular intervals, taking into account changes and past incidents |
| M31 | SO6 | SO6-1 | a) Provide key personnel with relevant training and material on security issues |
| M32 | SO6 | SO6-2 | b) Implement a program for training, making sure that key personnel have sufficient and up-to-date security knowledge |
| M33 | SO6 | SO6-2 | c) Organise trainings and awareness sessions for personnel on security topics important for your organisation |
| M34 | SO6 | SO6-3 | d) Review and update the training program periodically, taking into account changes and past incidents |
| M35 | SO6 | SO6-3 | e) Test the security knowledge of personnel |
| M36 | SO7 | SO7-1 | a) Following changes in personnel revoke access rights, badges, equipment, etc., if no longer necessary or permitted |
| M37 | SO7 | SO7-1 | b) Brief and educate new personnel on the policies and procedures in place |
| M38 | SO7 | SO7-2 | c) Implement policy/procedures for personnel changes, taking into account timely revocation of access rights, badges and equipment |
| M39 | SO7 | SO7-2 | d) Implement policy/procedures for education and training for personnel in new roles |
| M40 | SO7 | SO7-3 | e) Periodically check that the policy/procedures are effective |
| M41 | SO7 | SO7-3 | f) Review and evaluate policy/procedures for personnel changes, taking into account changes or past incidents |
| M42 | SO8 | SO8-1 | a) Hold personnel accountable for security incidents caused violations of policies, for example via the employment contract |
| M43 | SO8 | SO8-2 | b) Set up procedures for violations of policies personnel |
| M44 | SO8 | SO8-3 | c) Periodically review and update the disciplinary process, based on changes and past incidents |
| M45 | SO9 | SO9-1 | a) Prevent unauthorized physical access to facilities and infrastructure and set up adequate environmental controls, to protect provider assets (including third party assets, where applicable) against unauthorized access, burglary, fire, flooding, etc. Security controls should be selected based on the risk assessment, which should also take in consideration current and forecasted environmental security risks – e.g. related to climate change |
| M46 | SO9 | SO9-2 | b) Implement a policy for physical security measures and environmental controls |
| M47 | SO9 | SO9-2 | c) Industry standard implementation of physical and environmental controls |
| M48 | SO9 | SO9-2 | d) Apply reinforced controls for physical access to critical assets. For example, physical access to such assets should only be granted to a limited number of security-vetted, trained and qualified personnel. Access third-parties, contractors, and employees of suppliers/vendors, integrators, should be limited and monitored |
| M49 | SO9 | SO9-3 | e) Evaluate the effectiveness of physical and environmental controls periodically |
| M50 | SO9 | SO9-3 | f) Review and update the policy for physical security measures and environmental controls taking into account changes and past incidents |
| M51 | SO10 | SO10-1 | a) Ensure security of critical supplies |
| M52 | SO10 | SO10-2 | b) Implement a policy for security of critical supplies |
| M53 | SO10 | SO10-2 | c) Implement industry standard security measures to protect critical supplies and supporting facilities (e.g. passive cooling, automatic restart after power interruption, battery backup power, diesel generators, backup fuel, etc.) |
| M54 | SO10 | SO10-3 | d) Implement state of the art security measures to protect critical supplies (such as active cooling, UP, hot stand power generators, SLAs with fuel delivery companies, redundant cooling and power backup systems) |
| M55 | SO10 | SO10-3 | e) Review and update policy and procedures to secure critical supplies regularly, taking into account changes and past incidents |
| M56 | SO11 | SO11-1 | a) Users and systems have unique ID’s and are authenticated before accessing services or systems |
| M57 | SO11 | SO11-1 | b) Implement logical access control mechanism for network and information systems to allow only authorized use |
| M58 | SO11 | SO11-2 | c) Implement policy for protecting access to network and information systems, addressing for example roles, rights, responsibilities and procedures for assigning and revoking access rights |
| M59 | SO11 | SO11-2 | d) Choose appropriate authentication mechanisms, depending on the type of access |
| M60 | SO11 | SO11-2 | e) Monitor access to network and information systems, have a process for approving exceptions and registering access violations |
| M61 | SO11 | SO11-2 | f) Reinforce controls for remote access to critical assets of network and information systems third parties |
| M62 | SO11 | SO11-3 | g) Evaluate the effectiveness of access control policies and procedures and implement cross checks on access control mechanisms |
| M63 | SO11 | SO11-3 | h) Access control policy and access control mechanisms are reviewed and when needed revised |
| M64 | SO12 | SO12-1 | a) Make sure software of network and information systems is not tampered with or altered, for instance using input controls and firewalls |
| M65 | SO12 | SO12-1 | b) Check for malware on (internal) network and information systems |
| M66 | SO12 | SO12-2 | c) Implement industry standard security measures, providing defence-in-depth against tampering and altering of systems |
| M67 | SO12 | SO12-2 | d) Apply reinforced software integrity, update and patch management controls for critical assets in virtualised networks |
| M68 | SO12 | SO12-3 | e) Set up state of the art controls to protect integrity of systems |
| M69 | SO12 | SO12-3 | f) Evaluate and review the effectiveness of measures to protect integrity of systems |
| M70 | SO13 | SO13-1 | a) Where appropriate to prevent and/or minimise the impact of security incidents on users and on other networks and services, encrypt data during its storage in and/or transmission via networks. The type and scope of data to be encrypted should be determined based on the risk assessment performed and will typically include communication data, customer critical data (e.g. unique identifiers), relevant management and signalling traffic and any other data or metadata, the disclosure or tampering of which may cause security incidents |
| M71 | SO13 | SO13-2 | b) Implement encryption policy |
| M72 | SO13 | SO13-2 | c) Use industry standard encryption algorithms and the corresponding recommended lengths of encryption keys |
| M73 | SO13 | SO13-3 | d) Review and update encryption policy |
| M74 | SO13 | SO13-3 | e) Use state of the art encryption algorithms |
| M75 | SO14 | SO14-1 | a) Make sure that cryptographic key material and secret authentication information (including cryptographic key material used for authentication) are not disclosed or tampered with |
| M76 | SO14 | SO14-2 | c) Implement policy for management of cryptographic keys |
| M77 | SO14 | SO14-2 | d) Implement policy for management of user passwords |
| M78 | SO14 | SO14-3 | e) Review and update of key management policy |
| M79 | SO14 | SO14-3 | f) Review and update of user password management policy |
| M80 | SO15 | SO15-1 | a) Set up operational procedures and assign responsibilities for operation of critical systems |
| M81 | SO15 | SO15-2 | b) Implement a policy for operation of systems to make sure all critical systems are operated and managed in line with predefined procedures |
| M82 | SO15 | SO15-3 | c) Review and update the policy/procedures for operation of critical systems, taking into account incidents and/or changes |
| M83 | SO16 | SO16-1 | a) Follow predefined methods or procedures when making changes to critical systems |
| M84 | SO16 | SO16-2 | b) Implement policy/procedures for change management, to make sure that changes of critical systems are always done following a predefined way |
| M85 | SO16 | SO16-2 | c) Document change management procedures, and record for each change the steps of the followed procedure |
| M86 | SO16 | SO16-3 | d) Review and update change management procedures regularly, taking into account changes and past incidents |
| M87 | SO17 | SO17-1 | a) Identify critical assets and configurations of critical systems |
| M88 | SO17 | SO17-2 | b) Implement policy/procedures for asset management and configuration control |
| M89 | SO17 | SO17-3 | c) Review and update the asset management policy regularly, based on changes and past incidents |
| M90 | SO18 | SO18-1 | a) Make sure personnel is available and prepared to manage and handle incidents |
| M91 | SO18 | SO18-1 | b) Keep a record of all major incidents |
| M92 | SO18 | SO18-2 | c) Implement policy/procedures for managing incidents |
| M93 | SO18 | SO18-3 | d) Investigate major incidents and draft final incident reports, including actions taken and recommendations to mitigate future occurrence of this type of incident |
| M94 | SO18 | SO18-3 | e) Evaluate incident management policy/procedures based on past incidents |
| M95 | SO19 | SO19-1 | a) Set up processes or systems for incident detection |
| M96 | SO19 | SO19-2 | b) Implement industry standard systems and procedures for incident detection |
| M97 | SO19 | SO19-2 | c) Implement systems and procedures for registering and forwarding incidents timely to the appropriate people |
| M98 | SO19 | SO19-3 | d) Review systems and processes for incident detection regularly and update them taking into account changes and past incidents |
| M99 | SO19 | SO19-3 | e) Implement state of the art systems and procedures for incident detection |
| M100 | SO20 | SO20-1 | a) Communicate and report about on-going or past incidents to third parties, customers, and/or government authorities, when necessary |
| M101 | SO20 | SO20-2 | b) Implement policy and procedures for communicating and reporting about incidents |
| M102 | SO20 | SO20-3 | c) Evaluate past communications and reporting about incidents |
| M103 | SO20 | SO20-3 | d) Review and update the reporting and communication plans, based on changes or past incidents |
| M104 | SO21 | SO21-1 | a) Implement a service continuity strategy for the communications networks and/or services provided |
| M105 | SO21 | SO21-2 | b) Implement contingency plans for critical systems |
| M106 | SO21 | SO21-2 | c) Monitor activation and execution of contingency plans, registering successful and failed recovery times |
| M107 | SO21 | SO21-2 | d) Implement contingency plans for dependent and inter-dependent critical sectors and services. When determining dependent critical sectors and services, providers may take into account those services that are dependent on the continuity of the network and service operation which are essential for the maintenance of critical societal and/or economic activities and for which an incident would have significant disruptive effects on the provision of that service. One possible way for identifying such dependent services may be to pass the obligation to service consumers to inform the providers if their service is considered critical |
| M108 | SO21 | SO21-3 | e) Review and revise service continuity strategy periodically |
| M109 | SO21 | SO21-3 | f) Review and revise contingency plans, based on past incidents and changes |
| M110 | SO22 | SO22-1 | a) Prepare for recovery and restoration of services following disasters |
| M111 | SO22 | SO22-2 | b) Implement policy/procedures for deploying disaster recovery capabilities |
| M112 | SO22 | SO22-2 | c) Implement industry standard disaster recovery capabilities, or be assured they are available from third parties (such as national emergency networks) |
| M113 | SO22 | SO22-3 | d) Set up state of the art disaster recovery capabilities to mitigate natural and/major disasters |
| M114 | SO22 | SO22-3 | e) Review and update disaster recovery capabilities regularly, taking into account changes, past incidents, and results of tests and exercises |
| M115 | SO23 | SO23-1 | a) Implement monitoring and logging of critical systems |
| M116 | SO23 | SO23-2 | b) Implement policy for logging and monitoring of critical systems |
| M117 | SO23 | SO23-2 | c) Set up tools for monitoring critical systems |
| M118 | SO23 | SO23-2 | d) Set up tools to collect and store logs of critical systems |
| M119 | SO23 | SO23-3 | e) Set up tools for automated collection and analysis of monitoring data and logs |
| M120 | SO23 | SO23-3 | f) Review and update logging and monitoring policy/procedures, taking into account changes and past incidents |
| M121 | SO24 | SO24-1 | a) Exercise and test backup and contingency plans to make sure systems and processes work and personnel is prepared for large failures and contingencies |
| M122 | SO24 | SO24-2 | b) Implement a program for exercising backup and contingency plans regularly, using realistic scenarios covering a range of different scenarios over time |
| M123 | SO24 | SO24-2 | c) Make sure that the issues and lessons learnt from exercises are addressed the responsible people and that the relevant processes and systems are updated accordingly |
| M124 | SO24 | SO24-3 | d) Review and update the exercise plans, taking into account changes, past incidents and contingencies which were not covered the exercise program |
| M125 | SO24 | SO24-3 | e) Involve suppliers and other third parties in exercises, for example business partners and customers |
| M126 | SO25 | SO25-1 | a) Test networks and information systems before using them or connecting them to existing systems |
| M127 | SO25 | SO25-2 | b) Implement policy/procedures for testing network and information systems |
| M128 | SO25 | SO25-2 | c) Implement tools for automated testing |
| M129 | SO25 | SO25-3 | d) Review and update the policy/procedures for testing, taking into account changes and past incidents |
| M130 | SO26 | SO26-1 | a) Ensure critical systems undergo security scans and security testing regularly, particularly when new systems are introduced and following changes |
| M131 | SO26 | SO26-2 | b) Implement policy/procedures for security assessments and security testing |
| M132 | SO26 | SO26-3 | c) Evaluate the effectiveness of policy/procedures for security assessments and security testing |
| M133 | SO26 | SO26-3 | d) Review and update policy/procedures for security assessments and security testing, taking into account changes and past incidents |
| M134 | SO27 | SO27-1 | a) Monitor compliance to standards and legal requirements |
| M135 | SO27 | SO27-2 | b) Implement policy/procedures for compliance monitoring and auditing |
| M136 | SO27 | SO27-3 | c) Evaluate the policy/procedures for compliance and auditing |
| M137 | SO27 | SO27-3 | d) Review and update the policy/procedures for compliance and auditing, taking into account changes and past incidents |
| M138 | SO28 | SO28-1 | a) Perform regular threat monitoring |
| M139 | SO28 | SO28-2 | b) Implement threat intelligence program |
| M140 | SO28 | SO28-3 | c) Review and update the threat intelligence program |
| M141 | SO28 | SO28-3 | d) Threat intelligence program makes use of state of the art threat intelligence systems |
| M142 | SO29 | SO29-1 | a) Inform end-users of communication networks and services about particular and significant security threats to network or service that may affect them |
| M143 | SO29 | SO29-2 | b) Implement policy/procedures for regular update of end-users about security threats to network or service that may affect them |
| M144 | SO29 | SO29-3 | c) Review and update the policy/procedures for regular update of end-users about security threats to network or service that may affect them |
Measures