Mapping NIST CSF to ISO 27001:2022

The document outlines a comprehensive framework for managing cybersecurity risks across various categories including Asset Management, Business Environment, Governance, and Risk Management. It details processes for identifying, protecting, detecting, responding to, and recovering from cybersecurity incidents, along with specific controls and responsibilities for personnel and stakeholders. Additionally, it emphasizes the importance of training, data security, and supply chain risk management in maintaining an organization's cybersecurity posture.

Mohamad Mahjoub

Mar-23
IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has in place the processes to identify, assess and manage supply chain risks.

| Category | Subcategory | ISO 27001:2013 Control Reference | ISO 27001:2022 Control Reference |
|---|---|---|---|
| ID.AM | ID.AM-1: Physical devices and systems within the organization are inventoried (HW assets inventory with owner and other details) | A.8.1.1, A.8.1.2 | 5.9 |
| ID.AM | ID.AM-2: Software platforms and applications within the organization are inventoried (SW assets inventory) | A.8.1.1, A.8.1.2 | 5.9 |
| ID.AM | ID.AM-3: Organizational communication and data flows are mapped (Internal and external formal transfer policies, procedures and controls shall be in place to protect the transfer of information) (Information transfer security policy) | A.13.2.1 | 5.14 |
| ID.AM | ID.AM-4: External information systems are catalogued (External SW assets inventory) | A.11.2.6 | 7.9 |
| ID.AM | ID.AM-5: Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value (HW and SW classified) | A.8.2.1 | 5.12 |
| ID.AM | ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established (Cybersecurity roles) | A.6.1.1 | 5.2 |
| ID.BE | ID.BE-1: The organization’s role in the supply chain is identified and communicated (Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.) | A.15.1.3, A.15.2.1, A.15.2.2 | 5.21, 5.22 |
| ID.BE | ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated | | |
| ID.BE | ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | | |
| ID.BE | ID.BE-4: Dependencies and critical functions for delivery of critical services are established (Physical security of cabling, servers, assets disposal, location of servers, etc.) | A.11.2.2, A.11.2.3, A.12.1.3 | 7.4, 7.11, 7.12, 8.6 |
| ID.BE | ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) (BCP, crisis management, incident management) | A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1 | 7.5, 5.29, 8.14 |
| ID.GV | ID.GV-1: Organizational information security policy is established | A.5.1.1 | 5.1 |
| ID.GV | ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners | A.6.1.1, A.7.2.1 | 5.2, 5.4 |
| ID.GV | ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | A.18.1 | 5.31, 5.32, 5.33 |
| ID.GV | ID.GV-4: Governance and risk management processes address cybersecurity risks | | |
| ID.RA | ID.RA-1: Asset vulnerabilities are identified and documented (Threat Modelling) | A.12.6.1, A.18.2.3 | 8.8 |
| ID.RA | ID.RA-2: Cyber threat intelligence and vulnerability information is received from information sharing forums and sources (CTI from forums) | A.6.1.4 | 8.16, 5.7 |
| ID.RA | ID.RA-3: Threats, both internal and external, are identified and documented (Risk Register) | | |
| ID.RA | ID.RA-4: Potential business impacts and likelihoods are identified | | |
| ID.RA | ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | A.12.6.1 | 8.8 |
| ID.RA | ID.RA-6: Risk responses are identified and prioritized (Risk Treatment Plan) | | |
| ID.RM | ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders (Risk Management Process is communicated) | | |
| ID.RM | ID.RM-2: Organizational risk tolerance is determined and clearly expressed (Risk appetite) | | |
| ID.RM | ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | | |
| ID.SC | ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2 | 5.19, 5.20, 5.21, 5.22 |
| ID.SC | ID.SC-2: Identify, prioritize and assess suppliers and partners of critical information systems, components and services using a cyber supply chain risk assessment process (Onboarding for critical suppliers and due diligence) | A.15.2.1, A.15.2.2 | 5.22 |
| ID.SC | ID.SC-3: Suppliers and partners are required by contract to implement appropriate measures designed to meet the objectives of the Information Security program or Cyber Supply Chain Risk Management Plan. | A.15.1.1, A.15.1.2, A.15.1.3 | 5.19, 5.20, 5.21 |
| ID.SC | ID.SC-4: Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted (Right to audit and NDA) | A.15.2.1, A.15.2.2 | 5.22 |
| ID.SC | ID.SC-5: Response and recovery planning and testing are conducted with critical suppliers/providers | A.17.1.3 | 5.29 |

PROTECT (PR)

Identity Management and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.

Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

| Category | Subcategory | ISO 27001:2013 Control Reference | ISO 27001:2022 Control Reference |
|---|---|---|---|
| PR.AC | PR.AC-1: Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes (Access Control Policy) | A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | 5.16, 5.17, 5.18, 8.5 |
| PR.AC | PR.AC-2: Physical access to assets is managed and protected (Physical Security) | A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3 | 7.1, 7.2, 7.3, 7.4, 7.12 |
| PR.AC | PR.AC-3: Remote access is managed (Access Control Policy to include remote access VPN, RDP, MFA, vendor access) | A.6.2.2, A.13.1.1, A.13.2.1 | 5.14, 6.7, 8.20 |
| PR.AC | PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties (SOD and least privilege) | A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4 | 5.15, 6.8, 8.2, 8.3, 8.18 |
| PR.AC | PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate (Network Policy, Segmentation and VLANs) | A.13.1.1, A.13.1.3, A.13.2.1 | 5.14, 8.20, 8.22 |
| PR.AC | PR.AC-6: Identities are proofed and bound to credentials, and asserted in interactions when appropriate (Unique accounts, no sharing) | A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6, A.9.4.1, A.9.4.4 | 5.29, 6.8, 5.15, 5.18, 8.2, 8.3, 8.18 |
| PR.AT | PR.AT-1: All users are informed and trained (Awareness training for all employees and suppliers) | A.7.2.2 | 6.3 |
| PR.AT | PR.AT-2: Privileged users understand roles & responsibilities | A.6.1.1, A.7.2.2 | 5.2, 6.3 |
| PR.AT | PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities | A.6.1.1, A.7.2.2 | 5.2, 6.3 |
| PR.AT | PR.AT-4: Senior executives understand roles & responsibilities | A.6.1.1, A.7.2.2 | 5.2, 6.3 |
| PR.AT | PR.AT-5: Physical and information security personnel understand roles & responsibilities | A.6.1.1, A.7.2.2 | 7.4 |
| PR.DS | PR.DS-1: Data-at-rest is protected (Data Handling Policy to protect data at all stages) | A.8.2.3 | 8.8 |
| PR.DS | PR.DS-2: Data-in-transit is protected | A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3 | 5.10, 8.20, 5.14, 8.26 |
| PR.DS | PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition (Assets Disposal Policy) | A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7 | 8.8, 7.10, 7.14 |
| PR.DS | PR.DS-4: Adequate capacity to ensure availability is maintained (Backup Policy) | A.12.3.1 | 8.13 |
| PR.DS | PR.DS-5: Protections against data leaks are implemented (DLP, Email Security, EDR, AV, NDAs, onboarding and offboarding, Password Policy) | A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3 | 5.3, 6.1, 6.2, 6.5, 5.13, 5.10, 5.15, 8.2, 8.3, 8.17, 8.4, 8.22, 5.14, 8.26 |
| PR.DS | PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity (Anti-Malware Policy) | A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3 | 8.7, 8.19, 8.26 |
| PR.DS | PR.DS-7: The development and testing environment(s) are separate from the production environment | A.12.1.4 | 8.31 |
| PR.DS | PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity (Equipment preventive maintenance) | A.11.2.4 | 7.13 |
| PR.IP | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating appropriate security principles (e.g. concept of least functionality) | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 | 8.32, 8.9, 8.19 |
| PR.IP | PR.IP-2: A System Development Life Cycle to manage systems is implemented (SDLC, Secure Development Policy) | A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5 | 5.8, 8.25, 8.27 |
| PR.IP | PR.IP-3: Configuration change control processes are in place (Change Management, restriction of software installed) | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 | 8.32, 8.9, 8.19 |
| PR.IP | PR.IP-4: Backups of information are conducted, maintained, and tested periodically (Backup and Restore Tests) | A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3 | 8.13, 5.29, 5.33 |
| PR.IP | PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met (Physical Protection of Assets) | A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3 | 7.4, 7.5, 7.11, 7.12 |
| PR.IP | PR.IP-6: Data is destroyed according to policy (Sanitization Policy) | A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7 | 8.8, 7.10, 7.14 |
| PR.IP | PR.IP-7: Protection processes are continuously improved | | |
| PR.IP | PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties (Effectiveness matrix and lessons learned) | A.16.1.6 | 5.27 |
| PR.IP | PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | A.16.1.1, A.17.1.1, A.17.1.2 | 5.24, 5.29, 5.3 |
| PR.IP | PR.IP-10: Response and recovery plans are tested | A.17.1.3 | 5.3 |
| PR.IP | PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | A.7.1.1, A.7.3.1, A.8.1.4 | 6.1, 6.5, 5.34 |
| PR.IP | PR.IP-12: A vulnerability management plan is developed and implemented (Policy, frequency, remediation, etc.) | A.12.6.1, A.18.2.2 | 8.8, 5.36 |
| PR.MA | PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools | A.11.1.2, A.11.2.4, A.11.2.5 | 7.2, 7.10, 7.13 |
| PR.MA | PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | A.11.2.4, A.15.1.1, A.15.2.1 | 7.13, 5.19, 5.22 |
| PR.PT | PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1 | 8.15, 8.17, 8.34 |
| PR.PT | PR.PT-2: Removable media is protected and its use restricted according to policy (Removable Media Policy) | A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9 | 5.1, 5.10, 7.7, 7.10 |
| PR.PT | PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities (Workstation and Server Hardening Guidelines) | A.9.1.2 | 5.15 |
| PR.PT | PR.PT-4: Communications and control networks are protected (Network Security Policy) | A.13.1.1, A.13.2.1 | 8.20, 5.14 |
| PR.PT | PR.PT-5: Systems operate in pre-defined functional states to achieve availability (e.g. under duress, under attack, during recovery, normal operations) (Redundancy and HA) | A.17.1.2, A.17.2.1 | 5.29, 8.14 |

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

| Category | Subcategory | ISO 27001:2013 Control Reference | ISO 27001:2022 Control Reference |
|---|---|---|---|
| DE.AE | DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed (Monitor network and events) | | 8.16 |
| DE.AE | DE.AE-2: Detected events are analyzed to understand attack targets and methods | A.16.1.1, A.16.1.4 | 5.24, 5.25 |
| DE.AE | DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors (Aggregate logs from different sources) | | |
| DE.AE | DE.AE-4: Impact of events is determined | | |
| DE.AE | DE.AE-5: Incident alert thresholds are established | | |
| DE.CM | DE.CM-1: The network is monitored to detect potential cybersecurity events | | 8.16 |
| DE.CM | DE.CM-2: The physical environment is monitored to detect potential cybersecurity events | | 7.4 |
| DE.CM | DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events (Logs are stored and reviewed) | A.12.4.1 | 8.15 |
| DE.CM | DE.CM-4: Malicious code is detected (Malware, EDR policy and control) | A.12.2.1 | 8.7 |
| DE.CM | DE.CM-5: Unauthorized mobile code is detected (Detect software installed) | A.12.5.1 | 8.16, 8.19 |
| DE.CM | DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events (PAM) | A.14.2.7, A.15.2.1 | 8.30, 5.22 |
| DE.CM | DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | | 8.16 |
| DE.CM | DE.CM-8: Vulnerability scans are performed | A.12.6.1 | 8.8 |
| DE.DP | DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability | A.6.1.1 | 5.2 |
| DE.DP | DE.DP-2: Detection activities comply with all applicable requirements | A.18.1.4 | 5.34 |
| DE.DP | DE.DP-3: Detection processes are tested | A.14.2.8 | 8.29 |
| DE.DP | DE.DP-4: Event detection information is communicated to appropriate parties | A.16.1.2 | 6.8 |
| DE.DP | DE.DP-5: Detection processes are continuously improved | A.16.1.6 | 5.27 |

RESPOND (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

| Category | Subcategory | ISO 27001:2013 Control Reference | ISO 27001:2022 Control Reference |
|---|---|---|---|
| RS.RP | RS.RP-1: Response plan is executed during or after an event. Information security incidents shall be responded to in accordance with the documented procedures. (BCP, Incident Response Plan in place. Incidents shall be recorded) | A.16.1.5 | 5.26 |
| RS.CO | RS.CO-1: Personnel know their roles and order of operations when a response is needed (Roles in BCP) | A.6.1.1, A.16.1.1 | 5.2, 5.24 |
| RS.CO | RS.CO-2: Events are reported consistent with established criteria | A.6.1.3, A.16.1.2 | 6.8 |
| RS.CO | RS.CO-3: Information is shared consistent with response plans | A.16.1.2 | 6.8 |
| RS.CO | RS.CO-4: Coordination with stakeholders occurs consistent with response plans | | |
| RS.CO | RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | | |
| RS.AN | RS.AN-1: Notifications from detection systems are investigated (Notifications from monitoring systems) | A.12.4.1, A.12.4.3, A.16.1.5 | 8.15, 8.16, 5.26 |
| RS.AN | RS.AN-2: The impact of the incident is understood (Risk Register Impact and Likelihood) | A.16.1.6 | 5.27 |
| RS.AN | RS.AN-3: Forensics are performed (incident investigation) | A.16.1.7 | 5.28 |
| RS.AN | RS.AN-4: Incidents are categorized consistent with response plans (Incidents are categorized) | A.16.1.4 | 5.25 |
| RS.MI | RS.MI-1: Incidents are contained (Incident Management) | A.16.1.5 | 5.26 |
| RS.MI | RS.MI-2: Incidents are mitigated (Incident Management) | A.12.2.1, A.16.1.5 | 8.7, 5.26 |
| RS.MI | RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks (Risk Register) | A.12.6.1 | 8.8 |
| RS.IM | RS.IM-1: Response plans incorporate lessons learned | A.16.1.6 | 5.27 |
| RS.IM | RS.IM-2: Response strategies are updated | | |

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

| Category | Subcategory | ISO 27001:2013 Control Reference | ISO 27001:2022 Control Reference |
|---|---|---|---|
| RC.RP | RC.RP-1: Recovery plan is executed during or after an event (BCP and incident management) | A.16.1.5 | 5.26 |
| RC.IM | RC.IM-1: Recovery plans incorporate lessons learned | | |
| RC.IM | RC.IM-2: Recovery strategies are updated | | |
| RC.CO | RC.CO-1: Public relations are managed | | |
| RC.CO | RC.CO-2: Reputation after an event is repaired | | |
| RC.CO | RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams | | |
