| ID | Security objective | Description | Related domain name |
|---|---|---|---|
| SO1 | Information security policy | Establish and maintain an appropriate information security policy | D1: GOVERNANCE AND RISK MANAGEMENT |
| SO2 | Governance and risk management | Establish and maintain an appropriate governance and risk management framework, to identify and address risks for the communications networks and services | D1: GOVERNANCE AND RISK MANAGEMENT |
| SO3 | Security roles and responsibilities | Establish and maintain an appropriate structure of security roles and responsibilities | D1: GOVERNANCE AND RISK MANAGEMENT |
| SO4 | Security of third party dependencies | Establish and maintain a policy, with security requirements for contracts with third parties, to ensure that dependencies on third parties do not negatively affect the security of networks and/or services | D1: GOVERNANCE AND RISK MANAGEMENT |
| SO5 | Background checks | Perform appropriate background checks on personnel if required for their duties and responsibilities | D2: HUMAN RESOURCES SECURITY |
| SO6 | Security knowledge and training | Ensure that personnel have sufficient security knowledge and that they are provided with regular security training | D2: HUMAN RESOURCES SECURITY |
| SO7 | Personnel changes | Establish and maintain an appropriate process for managing changes in personnel or changes in their roles and responsibilities | D2: HUMAN RESOURCES SECURITY |
| SO8 | Handling violations | Establish and maintain a disciplinary process for personnel who violate security policies, and have a broader process that covers security incidents caused by violations by personnel | D2: HUMAN RESOURCES SECURITY |
| SO9 | Physical and environmental security | Establish and maintain the appropriate physical and environmental security of network and information systems and facilities | D3: SECURITY OF SYSTEMS AND FACILITIES |
| SO10 | Security of supplies | Establish and maintain appropriate security of critical supplies (for example electric power, fuel, cooling, etc.) | D3: SECURITY OF SYSTEMS AND FACILITIES |
| SO11 | Access control to network and information systems | Establish and maintain appropriate (logical) access controls for access to network and information systems | D3: SECURITY OF SYSTEMS AND FACILITIES |
| SO12 | Integrity of network and information systems | Establish and maintain the integrity of network and information systems and protect them from viruses, code injections, and other malware that can alter the functionality of systems | D3: SECURITY OF SYSTEMS AND FACILITIES |
| SO13 | Use of encryption | Ensure adequate use of encryption to prevent and/or minimise the impact of security incidents on users and on other networks and services | D3: SECURITY OF SYSTEMS AND FACILITIES |
| SO14 | Protection of security critical data | Ensure that cryptographic key material and secret authentication information are adequately protected | D3: SECURITY OF SYSTEMS AND FACILITIES |
| SO15 | Operational procedures | Establish and maintain operational procedures for the operation of critical network and information systems by personnel | D4: OPERATIONS MANAGEMENT |
| SO16 | Change management | Establish change management procedures for critical network and information systems in order to minimise the likelihood of incidents resulting from changes | D4: OPERATIONS MANAGEMENT |
| SO17 | Asset management | Establish and maintain asset management procedures and configuration controls in order to manage the availability of critical assets and the configurations of critical network and information systems | D4: OPERATIONS MANAGEMENT |
| SO18 | Incident management procedures | Establish and maintain procedures for managing incidents and forwarding them to the appropriate personnel (triage) | D5: INCIDENT MANAGEMENT |
| SO19 | Incident detection capability | Establish and maintain an incident detection capability that detects incidents. Measures to detect incidents should be understood in a broader sense, so as to also detect serious events that may lead to incidents | D5: INCIDENT MANAGEMENT |
| SO20 | Incident reporting and communication | Establish and maintain appropriate incident reporting and communication procedures, taking into account national legislation on incident reporting to government authorities | D5: INCIDENT MANAGEMENT |
| SO21 | Service continuity strategy and contingency plans | Establish and maintain contingency plans and a strategy for ensuring continuity of the networks and communication services provided | D6: BUSINESS CONTINUITY MANAGEMENT |
| SO22 | Disaster recovery capabilities | Establish and maintain an appropriate disaster recovery capability for restoring network and communication services in case of natural and/or major disasters | D6: BUSINESS CONTINUITY MANAGEMENT |
| SO23 | Monitoring and logging policies | Establish and maintain systems and functions for monitoring and logging of relevant security events in critical network and communication systems | D7: MONITORING, AUDITING AND TESTING |
| SO24 | Exercise contingency plans | Establish and maintain policies for testing and exercising backup and contingency plans, where needed in collaboration with third parties | D7: MONITORING, AUDITING AND TESTING |
| SO25 | Network and information systems testing | Establish and maintain policies for testing network and information systems, particularly when connecting to new networks or systems. Testing refers primarily to testing of security-related functionality, rather than to general ICT functionality testing | D7: MONITORING, AUDITING AND TESTING |
| SO26 | Security assessments | Establish and maintain an appropriate policy for performing security assessments of network and information systems | D7: MONITORING, AUDITING AND TESTING |
| SO27 | Compliance monitoring | Establish and maintain a policy for monitoring compliance with standards and legal requirements | D7: MONITORING, AUDITING AND TESTING |
| SO28 | Threat intelligence | Establish and maintain appropriate mechanisms for monitoring and collecting information about relevant threats to the security of networks and services | D8: THREAT AWARENESS |
| SO29 | Informing users about threats | Inform users of particular and significant security threats to the network or service that may affect the end-user, and of the measures they can take to protect the security of their communications | D8: THREAT AWARENESS |