Objective A

Managing security risk

A.1 Governance

Acceptable policies and processes for approaching the security of network and information systems.

A.2 Risk management

Recognition, evaluation and awareness of security risks as an approach to risk management.

A.3 Asset management

Regulation and awareness of all critical systems and/or services required for support.

A.4 Supply chain

Awareness and control of the security risks to systems that have external dependencies.

Objective B

Protecting against cyber attack

B.1 Service protection policies and processes

Measuring and communicating acceptable policies and processes to secure critical systems operations.

B.2 Identity and access control

Being aware of, verifying and regulating access to networks and information systems supporting essential functions.

B.3 Data security

Safeguarding data used in essential functions from adverse actions.

B.4 System security

Safeguarding critical network and information systems and technology from cyberattack.

B.5 Resilient networks and systems

Developing resilience against adverse actions.

B.6 Staff awareness and training

Involving staff to make a positive contribution to the cybersecurity of essential functions.

Objective C

Detecting cyber security events

C.1 Security monitoring

Observing and monitoring potential security problems and the effectiveness of existing security measures.

C.2 Proactive security event discovery

Identifying anomalous incidents in relevant network and information systems.

Objective D

Minimizing the impact of cyber security incidents

D.1 Response and recovery planning

Putting suitable incident management and mitigation processes in place.