How we keep your data safe.

Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

• BASIC_ID.AM-01.1: An inventory of physical and virtual infrastructure assets — such as hardware, network devices, and cloud-hosted environments — that support information processing shall be documented, reviewed, and updated as changes occur.
• BASIC_ID.AM-02.1: An inventory of software, digital services, and business systems used within the organisation shall be documented, reviewed, and updated as changes occur
• BASIC_ID.AM-07.1: Data that the organisation stores and uses shall be identified.
• BASIC_ID.AM-05.1: The organisation’s assets shall be prioritised based on classification, criticality, and business value.
• BASIC_ID.AM-08.2: Patches and security updates for operating systems and critical system components shall be installed.
• BASIC_ID.RA-01.1: Threats and vulnerabilities shall be identified in all relevant assets, including software, network and system architectures, and facilities that house critical computing assets
• BASIC_ID.RA-05.1: The organisation shall conduct risk assessments in which risk is determined by threats, vulnerabilities and the impact on business processes and assets.
• BASIC_ID.IM-03.1: The organisation shall conduct post-incident evaluations to analyse lessons learned from incident response and recovery, and consequently improve processes / procedures / technologies to enhance its cyber resilience.
• IMPORTANT_ID.AM-01.2: The inventory of enterprise assets associated with information and information processing facilities shall reflect changes in the organisation’s context and include all information necessary for effective accountability.
• IMPORTANT_ID.AM-02.2: The inventory reflecting which software, services and systems are used in the organisation shall reflect changes in the organisation’s context and include all information necessary for effective accountability.
• IMPORTANT_ID.AM-02.3: The people responsible and accountable for managing software platforms and applications within the organisation shall be formally identified.
• IMPORTANT_ID.AM-02.4: When unauthorised software is detected, it shall be quarantined for possible exception handling, removed, or replaced, and the inventory shall be updated accordingly.
• IMPORTANT_ID.AM-03.2: The organisation's network communication and internal data flows shall be mapped, documented, authorised, and updated when changes occur.
• IMPORTANT_ID.AM-04.1: Organisations shall keep a clear and up-to-date list of all external services it uses, including how they connect to their systems. These services shall be reviewed and approved before use, and the list shall be updated whenever changes happen.
• IMPORTANT_ID.AM-08.3: The organisation shall enforce accountability for all its business-critical assets throughout the system lifecycle, including removal, transfers, and disposition.
• IMPORTANT_ID.AM-08.6: The organisation shall plan, perform and document preventive maintenance and repairs on its critical system components according to approved processes and tools.
• IMPORTANT_ID.AM-08.8: The organisation should pre-approve, monitor and enforce maintenance tools for use on its critical systems.
• IMPORTANT_ID.RA-01.2: A process shall be established to continuously monitor, identify, and document vulnerabilities of the organisation's business critical systems.
• IMPORTANT_ID.RA-01.3: The organisation shall establish and maintain a documented process that enables continuous review, analysis and remediation of vulnerabilities and provides for information sharing where applicable.
• IMPORTANT_ID.RA-01.5: Vulnerability scanning shall not adversely impact system functions.
• IMPORTANT_ID.RA-02.1: A threat and vulnerability awareness program that includes a cross-organisation information-sharing capability shall be implemented.
• IMPORTANT_ID.RA-05.2: The organisation shall conduct and document risk assessments in which risk is determined by threats, vulnerabilities, impact on business processes and assets, and likelihood of their occurrence.
• IMPORTANT_ID.RA-08.1: The organisation shall establish and implement a vulnerability management plan to identify, analyse, assess, mitigate and communicate all types of vulnerabilities including in the form of a Coordinated Vulnerability Disclosure (CVD) according to applicable legal modalities.
• IMPORTANT_ID.RA-06.1: Risk responses shall be identified, prioritised, planned, tracked and communicated.
• IMPORTANT_ID.IM-03.2: The organisation shall incorporate lessons learned from incident handling activities into updated or new incident handling processes and/or procedures that are framed by appropriate training after review, approval and testing.
• IMPORTANT_ID.IM-03.3: The organisation shall identify improvements derived from the monitoring, measurements, assessments, and lessons learned and consequently translate this into improved processes / procedures / technologies to enhance its cyber resilience (continuous improvement).
• IMPORTANT_ID.IM-03.4: The organisation shall collaborate and share information about its critical system's related security incidents and mitigation measures with designated partners.
• IMPORTANT_ID.IM-03.5: Communication of effectiveness of protection technologies shall be shared with relevant stakeholders.
• IMPORTANT_ID.IM-03.6: The organisation shall implement, where feasible, automated mechanisms to facilitate the process of information sharing and collaboration.
• IMPORTANT_ID.IM-04.1: Contingency and continuity plans shall be established, communicated, maintained, tested, validated, and improved.

Develop and implement appropriate safeguards to ensure delivery of critical infrastructure services.

• BASIC_PR.AA-01.1: Identities and credentials for authorised users, services, and hardware shall be managed.
• BASIC_PR.AA-03.1: All wireless access points used by the organisation, including those providing guest access, shall be securely configured, managed, and monitored to prevent unauthorised access and ensure network integrity.
• BASIC_PR.AA-03.2: Multi-Factor Authentication (MFA) shall be required to access the organisation's networks remotely.
• BASIC_PR.AA-05.1: Access permissions, rights, and authorisations shall be defined, managed, enforced and reviewed.
• BASIC_PR.AA-05.2: It shall be determined who needs access to the organisation's business-critical information and technology and the means to gain access.
• BASIC_PR.AA-05.4: No one shall have administrative privileges for routine day-to-day tasks.
• BASIC_PR.AA-06.1: Physical access to all organisational assets, including critical zones, should be managed, monitored, and enforced based on risk.
• BASIC_PR.AT-01.1: The organisation shall establish and maintain a cybersecurity awareness and training programme to ensure that all personnel understand how to perform their tasks securely and responsibly.
• BASIC_PR.DS-01.9: Enterprise assets shall be disposed of safely.
• BASIC_PR.DS-11.1: Backups for the organisation's business-critical data shall be performed and stored on a different system from the device on which the original data resides.
• BASIC_PR.PS-04.1: Log records shall be generated and made available for continuous monitoring.
• BASIC_PR.PS-05.1: Installation and execution of unauthorised software shall be prevented.
• BASIC_PR.IR-01.1: Firewalls shall be installed, configured, and actively maintained on all networks used by the organisation to protect against unauthorised access and cyber threats.
• BASIC_PR.IR-01.2: To safeguard critical systems, organisations shall implement network segmentation and segregation aligned with trust boundaries and asset criticality, thereby limiting threat propagation and enforcing strict access control.
• IMPORTANT_PR.AA-02.1: The organisation shall implement documented procedures for verifying the identity of individuals before issuing credentials that provide access to the organisation's systems.
• IMPORTANT_PR.AA-03.3: The organisation shall define, document, and implement usage restrictions, connection requirements, and authorisation procedures for remote access to its critical systems. These controls shall ensure that only approved users can connect, using secure methods, with access limited to what is necessary for their role.
• IMPORTANT_PR.AA-05.5:: Where technically, operationally, and economically feasible—without compromising system integrity, safety, or compliance—automated mechanisms shall be implemented to manage user accounts on critical ICT and OT systems. Feasibility shall be determined based on system capabilities, integration potential, risk assessment, and business impact.
• IMPORTANT_PR.AA-05.6: Separation of duties (SoD) shall be ensured in the management of access rights.
• IMPORTANT_PR.AA-05.7: Privileged users shall be managed and monitored.
• IMPORTANT_PR.AA-06.2: Physical access controls should include specific procedures for emergency situations, ensuring continued protection of critical and non-critical assets during such events.
• IMPORTANT_PR.AT-01.2: The organisation shall include insider threat awareness and reporting in its cybersecurity training to help personnel recognise and respond to potential internal risks.
• IMPORTANT_PR.AT-01.3: Personnel shall receive training to understand their specific roles, responsibilities, and priorities during a cybersecurity or information security incident, including the steps they need to follow to respond effectively.
• IMPORTANT_PR.AT-02.1: Members of management bodies shall be able to demonstrate that they have completed training that gives them a solid understanding of information and cybersecurity and risk management so that they can assess information and cyber security risks and their consequences and propose the necessary risk mitigation, considering their roles, responsibilities and authorities.
• IMPORTANT_PR.AT-02.3: Privileged users shall be qualified before privileges are granted, and these users shall be able to demonstrate the understanding of their roles, responsibilities, and authorities.
• IMPORTANT_PR.DS-01.1: The organisation shall implement software, firmware, and information integrity checks to detect unauthorised changes to its critical system components during storage, transport, start-up and when determined necessary.
• IMPORTANT_PR.DS-01.4: The organisation shall define and enforce clear policies and practical safeguards to manage and restrict the use of portable storage media, in order to reduce the risk of data leakage, unauthorised access, and malware introduction.
• IMPORTANT_PR.DS-01.5: The organisation shall only allow the use of removable media when absolutely necessary, and shall put technical measures in place to block automatic execution of files from these devices.
• IMPORTANT_PR.DS-11.2: The reliability and integrity of backups shall be verified and tested regularly.
• IMPORTANT_PR.DS-11.3: The organisation shall maintain secure backups of business-critical data in a separate storage location to ensure data availability in case of system failure or data loss. Backup storage shall apply equivalent security controls as the primary environment.
• IMPORTANT_PR.PS-03.1: Hardware used in business-critical environments shall be maintained, replaced, or removed based on its associated security and operational risk.
• IMPORTANT_PR.PS-04.2: The organisation shall ensure that logbook records contain an authoritative time source or internal clock time stamp that is compared and synchronised with an authoritative time source.
• IMPORTANT_PR.PS-06.1: Security shall be considered throughout the lifecycle of systems and applications, whether developed internally or acquired externally.
• IMPORTANT_PR.PS-06.2: Changes and exceptions shall be tested and validated before being implemented into operational systems.
• IMPORTANT_PR.IR-01.3: To ensure operational stability and security, the organisation shall, without exception, identify, document, and control connections between components of its critical systems.
• IMPORTANT_PR.IR-01.4: The organisation shall implement appropriate boundary protection measures to monitor and control communications at external and key internal boundaries of its critical systems, across both IT and OT environments, to ensure secure and reliable operations.
• IMPORTANT_PR.IR-02.1: The organisation shall define, implement and maintain policies and procedures related to emergency and safety systems, fire protection systems and environmental controls for its critical systems.
• IMPORTANT_PR.IR-04.1: Adequate resource capacity planning shall ensure that availability of organisation's critical system information processing, networking, telecommunications, and data storage is maintained.

Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

• BASIC_DE.CM-01.1: Firewalls shall be installed and operated at the network boundaries, including endpoint firewalls.
• BASIC_DE.CM-01.2: Anti-virus, -spyware, and other -malware programs shall be installed and updated.
• BASIC_DE.CM-03-1: End point and network protection tools to monitor end-user behaviour for dangerous activity shall be implemented.
• BASIC_DE.AE-03.1: The logging functionality of protection and detection tools shall be enabled. Logs shall be backed up and retained for a predefined period and regularly reviewed to identify unusual or potentially harmful activity.
• IMPORTANT_DE.CM-01.3: The organisation shall monitor and identify unauthorised use of its business critical systems through the detection of unauthorised local connections, network connections and remote connections.
• IMPORTANT_DE.CM-02.1: The physical environment shall be monitored to find potentially adverse events.
• IMPORTANT_DE.CM-03.2: End point and network protection tools that monitor end-user behaviour for dangerous activity shall be managed.
• IMPORTANT_DE.CM-06.1: External service provider activities and services shall be secured and monitored to find potentially adverse events.
• IMPORTANT_DE.CM-06.2: External service providers' conformance with personnel security policies and procedures and contract security requirements shall be monitored relative to their cybersecurity risks.
• IMPORTANT_DE.CM-09.1: The organisation shall monitor computing hardware, software, runtime environments, and their data to detect potentially adverse events
• IMPORTANT_DE.AE-02.1: Cybersecurity and information security events shall be reviewed and analysed to identify potential attack targets and methods, in accordance with applicable laws, regulations, standards, and policies.
• IMPORTANT_DE.AE-03.2: The organisation shall ensure that event data from critical systems is collected and correlated using information from multiple relevant sources.
• IMPORTANT_DE.AE-06.1: Information about adverse events shall be promptly delivered to authorised personnel and systems to enable timely detection, investigation, and response.
• IMPORTANT_DE.AE-08.1: Incidents shall be reported when adverse events meet defined and documented incident criteria.

Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

• BASIC_RS.MA-01.1: The incident response plan is executed in coordination with relevant third parties once an incident is declared.
• BASIC_RS.CO-02.1: Internal and external stakeholders shall be notified of incidents.
• IMPORTANT_RS.MA-02.1: Information/cybersecurity incidentreports shall be triaged and validated in accordance with the organisation’s incident response procedures.
• IMPORTANT_RS.MA-03.1: Information/cybersecurity incidents shall be categorised, prioritised and escalated as determined in the incident response plan.
• IMPORTANT_RS.CO-02.2: Cybersecurity incidents shall be shared with relevant external stakeholders within the timeframes defined in the Incident Response Plan, including reporting significant incidents to authorities as required by law.
• IMPORTANT_RS.MI-01.2: The organisation shall detect unauthorised access or data leakage and take appropriate mitigation actions, including monitoring of critical systems at external boundaries and key internal points.

Develop and implement appropriate activities to maintain plans for resilience and to restore capabilities impaired by cybersecurity incidents.

• BASIC_RC.RP-01.1: A recovery process for disasters and information/cybersecurity incidents shall be developed and executed.

Cybersecurity framework category for governance functions and controls.

• BASIC_GV.PO-01.1: Policies and procedures for managing information and cybersecurity shall be established, documented, reviewed, approved, updated when changes occur, communicated and enforced.
• BASIC_GV.OC-03.1: Legal and regulatory requirements regarding information and cybersecurity shall be identified and implemented.
• BASIC_GV.RM-03.1: As part of the organisation-wide risk management strategy, a comprehensive strategy to manage information and cybersecurity risks shall be developed and updated when changes occur.
• BASIC_GV.RR-04.1: Personnel with access to the organisation’s most critical information or technology shall be authenticated.
• IMPORTANT_GV.OC-03.2: Legal, regulatory, and contractual obligations related to information and cybersecurity shall be continuously managed to ensure they remain accurate, up to date, and effectively applied.
• IMPORTANT_GV.OC-04.2: The organisation shall define and document cybersecurity requirements for essential operations, validate them through testing and audits, maintain records of results and corrective actions, and regularly update requirements based on evolving risks.
• IMPORTANT_GV.OC-05.1: The organisation shall identify, document, and communicate its role in the supply chain, including the external capabilities, services, and dependencies it relies on (upstream), as well as its interactions with downstream stakeholders.
• IMPORTANT_GV.RM-02.1: Risk appetite and risk tolerance statements shall be defined, documented, approved by senior management, communicated, and maintained.
• IMPORTANT_GV.RM-03.2: Information and Cybersecurity risks shall be documented, as part of the enterprise risk management processes, formally approved by senior management, and updated when changes occur.
• IMPORTANT_GV.RR-02.1: Information security and cybersecurity roles, responsibilities and authorities for employees, suppliers, customers, and partners shall be documented, reviewed, authorised, kept up to date, communicated, and coordinated internally and externally.
• IMPORTANT_GV.RR-03.2: The organisation shall assign roles and responsibilities for reviewing and updating response and recovery plans, ensuring they reflect changes in the risk environment and remain effective.
• IMPORTANT_GV.RR-04.2: A cybersecurity process for human resources shall be developed and maintained applicable at recruitment, during employment and at termination of employment.
• IMPORTANT_GV.PO-01.2: Organisational-wide information and cybersecurity policies and procedures shall include the use of cryptography and, where appropriate, encryption,reflect changes in requirements, threats, technology and organisational roles, and be approved by senior management, who oversee its implementation.
• IMPORTANT_GV.SC-02.1: Third-party providers shall notify any transfer, termination or transition of personnel with physical or logical access to business-critical system elements of the organisation.
• IMPORTANT_GV.SC-05.1: Requirements for addressing cybersecurity risks and the sharing of sensitive information in supply chains shall be established, prioritised, integrated into contracts and other types of formal agreements, and enforced.
• IMPORTANT_GV.SC-07.1: The risks posed by a supplier, its products and services and other third parties shall be identified, documented, prioritised, mitigated and assessed at least annually and when changes occur during the relationship.
• IMPORTANT_GV.SC-08.1: The organisation shall identify and document key personnel from relevant suppliers and other third parties to include them in incident planning, response, and recovery activities.