{"catalog":{"uuid":"6687232b-326c-4595-84f3-7b3260e51e6f","metadata":{"links":[{"rel":"source-profile","href":"https://api.dev.comply0.com/v1/profiles/d4db684b-1371-4aa6-99e5-2516a7ca2e72"}],"props":[{"name":"resolution-tool","value":"Comply0"}],"title":"CyFun 2025 IMPORTANT Resolved","version":"2025-12-12","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"3ba503ec-a0bb-42be-b989-6c3be9b28db5"}],"last-modified":"2025-12-16T22:17:20.088Z","oscal-version":"1.1.3"},"groups":[{"id":"GV","props":[{"name":"sort-id","value":"01"}],"title":"GOVERN","groups":[{"id":"GV.OC","parts":[{"name":"overview","prose":"The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organisation's cybersecurity risk management decisions are understood."}],"props":[{"name":"label","value":"GV.OC"},{"name":"sort-id","value":"01-001"}],"title":"Organisational Context","groups":[{"id":"GV.OC-01","props":[{"name":"label","value":"GV.OC-01"},{"name":"sort-id","value":"01-001-001"}],"title":"The organisational mission is understood and informs cybersecurity risk management.","controls":[{"id":"GV.OC-01.1","parts":[{"id":"GV.OC-01.1_smt","name":"statement","prose":"The organisation's mission shall be established, communicated and shall form the basis for information and cybersecurity risk management."}],"props":[{"name":"label","value":"GV.OC-01.1"},{"name":"sort-id","value":"01-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.OC-01.1"}]},{"id":"GV.OC-03","props":[{"name":"label","value":"GV.OC-03"},{"name":"sort-id","value":"01-001-003"}],"title":"Legal, regulatory, and contractual requirements regarding cybersecurity are understood and 
managed.","controls":[{"id":"GV.OC-03.1","parts":[{"id":"GV.OC-03.1_smt","name":"statement","prose":"Legal and regulatory requirements regarding information and cybersecurity shall be identified and implemented."}],"props":[{"name":"label","value":"GV.OC-03.1"},{"name":"sort-id","value":"01-001-003-003"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement GV.OC-03.1"},{"id":"GV.OC-03.2","parts":[{"id":"GV.OC-03.2_smt","name":"statement","prose":"Legal, regulatory, and contractual obligations related to information and cybersecurity shall be continuously managed to ensure they remain accurate, up-to-date, and effectively applied."}],"props":[{"name":"label","value":"GV.OC-03.2"},{"name":"sort-id","value":"01-001-003-004"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.OC-03.2"}]},{"id":"GV.OC-04","props":[{"name":"label","value":"GV.OC-04"},{"name":"sort-id","value":"01-001-004"}],"title":"Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organisation are understood and communicated.","controls":[{"id":"GV.OC-04.1","parts":[{"id":"GV.OC-04.1_smt","name":"statement","prose":"The organisation shall identify, document, and communicate the critical objectives, capabilities, and services relied upon by external stakeholders, prioritise them based on criticality, and integrate this prioritisation into the risk assessment process."}],"props":[{"name":"label","value":"GV.OC-04.1"},{"name":"sort-id","value":"01-001-004-005"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.OC-04.1"},{"id":"GV.OC-04.2","parts":[{"id":"GV.OC-04.2_smt","name":"statement","prose":"The organisation shall define and document cybersecurity requirements for essential operations, validate them through testing and 
audits, keep records of results and corrective actions, and regularly update requirements based on evolving risks."}],"props":[{"name":"label","value":"GV.OC-04.2"},{"name":"sort-id","value":"01-001-004-006"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.OC-04.2"}]},{"id":"GV.OC-05","props":[{"name":"label","value":"GV.OC-05"},{"name":"sort-id","value":"01-001-005"}],"title":"Outcomes, capabilities, and services that the organization depends on are understood and communicated.","controls":[{"id":"GV.OC-05.1","parts":[{"id":"GV.OC-05.1_smt","name":"statement","prose":"The organization shall identify, document, and communicate its role in the supply chain, including the external capabilities, services, and dependencies it relies on (upstream), as well as its interactions with downstream stakeholders."}],"props":[{"name":"label","value":"GV.OC-05.1"},{"name":"sort-id","value":"01-001-005-009"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.OC-05.1"}]}]},{"id":"GV.RM","parts":[{"name":"overview","prose":"The organisation's priorities, constraints, risk tolerance and appetite statements, and assumptions, are established, communicated, and used to support operational risk decisions."}],"props":[{"name":"label","value":"GV.RM"},{"name":"sort-id","value":"01-002"}],"title":"Risk Management Strategy","groups":[{"id":"GV.RM-01","props":[{"name":"label","value":"GV.RM-01"},{"name":"sort-id","value":"01-002-006"}],"title":"Risk management objectives are established and agreed to by organisational stakeholders.","controls":[{"id":"GV.RM-01.1","parts":[{"id":"GV.RM-01.1_smt","name":"statement","prose":"Information/cybersecurity objectives shall be identified, agreed to by organisational stakeholders and approved by senior 
management"}],"props":[{"name":"label","value":"GV.RM-01.1"},{"name":"sort-id","value":"01-002-006-010"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.RM-01.1"}]},{"id":"GV.RM-02","props":[{"name":"label","value":"GV.RM-02"},{"name":"sort-id","value":"01-002-007"}],"title":"Risk appetite and risk tolerance statements are established, communicated, and maintained.","controls":[{"id":"GV.RM-02.1","parts":[{"id":"GV.RM-02.1_smt","name":"statement","prose":"Risk appetite and risk tolerance statements shall be defined, documented, approved by senior management, communicated, and maintained."}],"props":[{"name":"label","value":"GV.RM-02.1"},{"name":"sort-id","value":"01-002-007-011"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.RM-02.1"}]},{"id":"GV.RM-03","props":[{"name":"label","value":"GV.RM-03"},{"name":"sort-id","value":"01-002-008"}],"title":"Cybersecurity risk management activities and outcomes are included in enterprise risk management processes.","controls":[{"id":"GV.RM-03.1","parts":[{"id":"GV.RM-03.1_smt","name":"statement","prose":"As part of the organisation-wide risk management strategy, a comprehensive strategy to manage information and cybersecurity risks shall be developed and updated when changes occur."}],"props":[{"name":"label","value":"GV.RM-03.1"},{"name":"sort-id","value":"01-002-008-012"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement GV.RM-03.1"},{"id":"GV.RM-03.2","parts":[{"id":"GV.RM-03.2_smt","name":"statement","prose":"Information and cybersecurity risks shall be documented, as part of the enterprise risk management processes, formally approved by senior management, and updated when changes 
occur."}],"props":[{"name":"label","value":"GV.RM-03.2"},{"name":"sort-id","value":"01-002-008-013"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.RM-03.2"}]},{"id":"GV.RM-04","props":[{"name":"label","value":"GV.RM-04"},{"name":"sort-id","value":"01-002-009"}],"title":"Strategic direction that describes appropriate risk response options is established and communicated.","controls":[{"id":"GV.RM-04.1","parts":[{"id":"GV.RM-04.1_smt","name":"statement","prose":"A high-level plan or vision shall be formally established and clearly communicated to everyone involved on how to manage risks, including the different strategies the organisation can employ to deal with identified risks based on risk appetite or risk tolerance level."}],"props":[{"name":"label","value":"GV.RM-04.1"},{"name":"sort-id","value":"01-002-009-014"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.RM-04.1"}]},{"id":"GV.RM-05","props":[{"name":"label","value":"GV.RM-05"},{"name":"sort-id","value":"01-002-010"}],"title":"Lines of communication across the organisation are established for cybersecurity risks, including risks from suppliers and other third parties.","controls":[{"id":"GV.RM-05.1","parts":[{"id":"GV.RM-05.1_smt","name":"statement","prose":"To support the high-level risk management vision, the organisation shall establish clear lines of communication for cybersecurity risks, including those arising from suppliers and third parties."}],"props":[{"name":"label","value":"GV.RM-05.1"},{"name":"sort-id","value":"01-002-010-015"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.RM-05.1"}]}]},{"id":"GV.RR","parts":[{"name":"overview","prose":"Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and 
continuous improvement are established and communicated."}],"props":[{"name":"label","value":"GV.RR"},{"name":"sort-id","value":"01-003"}],"title":"Roles, Responsibilities and Authorities","groups":[{"id":"GV.RR-02","props":[{"name":"label","value":"GV.RR-02"},{"name":"sort-id","value":"01-003-012"}],"title":"Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced.","controls":[{"id":"GV.RR-02.1","parts":[{"id":"GV.RR-02.1_smt","name":"statement","prose":"Information security and Cyber security roles, responsibilities and authorities for employees, suppliers, customers, and partners shall be documented, reviewed, authorised, kept up-to-date, communicated, and coordinated internally and externally.."}],"props":[{"name":"label","value":"GV.RR-02.1"},{"name":"sort-id","value":"01-003-012-017"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement GV.RR-02.1"}]},{"id":"GV.RR-03","props":[{"name":"label","value":"GV.RR-03"},{"name":"sort-id","value":"01-003-013"}],"title":"Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies.","controls":[{"id":"GV.RR-03-1","parts":[{"id":"GV.RR-03-1_smt","name":"statement","prose":"Sufficient resources shall be allocated in line with the cybersecurity risk strategy, roles, responsibilities and policies."}],"props":[{"name":"label","value":"GV.RR-03-1"},{"name":"sort-id","value":"01-003-013-019"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.RR-03-1"},{"id":"GV.RR-03-2","parts":[{"id":"GV.RR-03-2_smt","name":"statement","prose":"The organisation shall assign roles and responsibilities for reviewing and updating response and recovery plans, 
ensuring they reflect changes in the risk environment and remain effective."}],"props":[{"name":"label","value":"GV.RR-03-2"},{"name":"sort-id","value":"01-003-013-020"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.RR-03-2"}]},{"id":"GV.RR-04","props":[{"name":"label","value":"GV.RR-04"},{"name":"sort-id","value":"01-003-014"}],"title":"Cybersecurity is included in human resources practices.","controls":[{"id":"GV.RR-04.1","parts":[{"id":"GV.RR-04.1_smt","name":"statement","prose":"Personnel with access to the organisation’s most critical information or technology shall be authenticated.."}],"props":[{"name":"label","value":"GV.RR-04.1"},{"name":"sort-id","value":"01-003-014-021"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement GV.RR-04.1"},{"id":"GV.RR-04.2","parts":[{"id":"GV.RR-04.2_smt","name":"statement","prose":"A cybersecurity process for human resources shall be developed and maintained applicable at recruitment, during employment and at termination of employment."}],"props":[{"name":"label","value":"GV.RR-04.2"},{"name":"sort-id","value":"01-003-014-022"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.RR-04.2"}]}]},{"id":"GV.PO","parts":[{"name":"overview","prose":"Organisational cybersecurity policy is established, communicated, and enforced."}],"props":[{"name":"label","value":"GV.PO"},{"name":"sort-id","value":"01-004"}],"title":"Policy","groups":[{"id":"GV.PO-01","props":[{"name":"label","value":"GV.PO-01"},{"name":"sort-id","value":"01-004-015"}],"title":"Policy for managing cybersecurity risks is established based on Organisational context, cybersecurity strategy, and priorities and is communicated and enforced.","controls":[{"id":"GV.PO-01.1","parts":[{"id":"GV.PO-01.1_smt","name":"statement","prose":"Policies and procedures for managing information and cybersecurity shall be 
established, documented, reviewed, approved, updated when changes occur, communicated and enforced."}],"props":[{"name":"label","value":"GV.PO-01.1"},{"name":"sort-id","value":"01-004-015-023"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement GV.PO-01.1"},{"id":"GV.PO-01.2","parts":[{"id":"GV.PO-01.2_smt","name":"statement","prose":"Organisational-wide information and cyber security policies and procedures shall include the use of cryptography and, where appropriate, encryption, reflect changes in requirements, threats, technology and organisational roles, and be approved by senior management, who oversee implementation."}],"props":[{"name":"label","value":"GV.PO-01.2"},{"name":"sort-id","value":"01-004-015-024"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.PO-01.2"}]}]},{"id":"GV.SC","parts":[{"name":"overview","prose":"Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organisational stakeholders."}],"props":[{"name":"label","value":"GV.SC"},{"name":"sort-id","value":"01-006"}],"title":"Cybersecurity Supply Chain Risk Management","groups":[{"id":"GV.SC-02","props":[{"name":"label","value":"GV.SC-02"},{"name":"sort-id","value":"01-006-019"}],"title":"Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally.","controls":[{"id":"GV.SC-02.1","parts":[{"id":"GV.SC-02.1_smt","name":"statement","prose":"Third-party providers shall notify any transfer, termination or transition of personnel with physical or logical access to business-critical system elements of the organisation."}],"props":[{"name":"label","value":"GV.SC-02.1"},{"name":"sort-id","value":"01-006-019-028"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement 
GV.SC-02.1"}]},{"id":"GV.SC-05","props":[{"name":"label","value":"GV.SC-05"},{"name":"sort-id","value":"01-006-021"}],"title":"Requirements to address cybersecurity risks in supply chains are established, prioritised, and integrated into contracts and other types of agreements with suppliers and other relevant third parties.","controls":[{"id":"GV.SC-05.1","parts":[{"id":"GV.SC-05.1_smt","name":"statement","prose":"Requirements for addressing cybersecurity risks and the sharing of sensitive information in supply chains shall be established, prioritised, integrated into contracts and other types of formal agreements, and enforced."}],"props":[{"name":"label","value":"GV.SC-05.1"},{"name":"sort-id","value":"01-006-021-030"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.SC-05.1"}]},{"id":"GV.SC-07","props":[{"name":"label","value":"GV.SC-07"},{"name":"sort-id","value":"01-006-023"}],"title":"The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritised, assessed, responded to, and monitored over the course of the relationship.","controls":[{"id":"GV.SC-07.1","parts":[{"id":"GV.SC-07.1_smt","name":"statement","prose":"The risks posed by a supplier, its products and services and other third parties shall be identified, documented, prioritised, mitigated and assessed at least annually and when changes occur during the relationship."}],"props":[{"name":"label","value":"GV.SC-07.1"},{"name":"sort-id","value":"01-006-023-034"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.SC-07.1"}]},{"id":"GV.SC-08","props":[{"name":"label","value":"GV.SC-08"},{"name":"sort-id","value":"01-006-024"}],"title":"Relevant suppliers and other third parties are included in incident planning, response, and recovery 
activities.","controls":[{"id":"GV.SC-08.1","parts":[{"id":"GV.SC-08.1_smt","name":"statement","prose":"The organisation shall identify and document key personnel from relevant suppliers and other third parties to include them in incident planning, response, and recovery activities."}],"props":[{"name":"label","value":"GV.SC-08.1"},{"name":"sort-id","value":"01-006-024-038"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.SC-08.1"}]}]}]},{"id":"ID","props":[{"name":"sort-id","value":"02"}],"title":"IDENTIFY","groups":[{"id":"ID.AM","parts":[{"name":"overview","prose":"Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organisation to achieve business purposes are identified and managed consistent with their relative importance to organisational objectives and the organisation's risk strategy."}],"props":[{"name":"label","value":"ID.AM"},{"name":"sort-id","value":"02-001"}],"title":"Asset Management","groups":[{"id":"ID.AM-01","props":[{"name":"label","value":"ID.AM-01"},{"name":"sort-id","value":"02-001-001"}],"title":"Inventories of hardware managed by the organisation are maintained.","controls":[{"id":"ID.AM-01.1","parts":[{"id":"ID.AM-01.1_smt","name":"statement","prose":"An inventory of physical and virtual infrastructure assets—such as hardware, network devices, and cloud-hosted environments—that support information processing shall be documented, reviewed, and updated as changes occur."}],"props":[{"name":"label","value":"ID.AM-01.1"},{"name":"sort-id","value":"02-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.AM-01.1"},{"id":"ID.AM-01.2","parts":[{"id":"ID.AM-01.2_smt","name":"statement","prose":"The inventory of enterprise assets associated with information and information processing facilities shall reflect changes in the organisation’s context and include all information necessary for 
effective accountability."}],"props":[{"name":"label","value":"ID.AM-01.2"},{"name":"sort-id","value":"02-001-001-002"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-01.2"},{"id":"ID.AM-01.3","parts":[{"id":"ID.AM-01.3_smt","name":"statement","prose":"When unauthorised hardware is detected, it shall be quarantined for possible exception handling, removed, or replaced, and the inventory shall be updated accordingly."}],"props":[{"name":"label","value":"ID.AM-01.3"},{"name":"sort-id","value":"02-001-001-003"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-01.3"}]},{"id":"ID.AM-02","props":[{"name":"label","value":"ID.AM-02"},{"name":"sort-id","value":"02-001-002"}],"title":"Inventories of software, services, and systems managed by the organisation are maintained.","controls":[{"id":"ID.AM-02.1","parts":[{"id":"ID.AM-02.1_smt","name":"statement","prose":"An inventory of software, digital services, and business systems used within the organisation shall be documented, reviewed, and updated as changes occur."}],"props":[{"name":"label","value":"ID.AM-02.1"},{"name":"sort-id","value":"02-001-002-005"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.AM-02.1"},{"id":"ID.AM-02.2","parts":[{"id":"ID.AM-02.2_smt","name":"statement","prose":"The inventory reflecting which software, services and systems are used in the organisation shall reflect changes in the organisation’s context and include all information necessary for effective accountability."}],"props":[{"name":"label","value":"ID.AM-02.2"},{"name":"sort-id","value":"02-001-002-006"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-02.2"},{"id":"ID.AM-02.3","parts":[{"id":"ID.AM-02.3_smt","name":"statement","prose":"The people responsible and accountable for managing software platforms and 
applications within the organisation shall be formally identified."}],"props":[{"name":"label","value":"ID.AM-02.3"},{"name":"sort-id","value":"02-001-002-007"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-02.3"},{"id":"ID.AM-02.4","parts":[{"id":"ID.AM-02.4_smt","name":"statement","prose":"When unauthorised software is detected, it shall be quarantined for possible exception handling, removed, or replaced, and the inventory shall be updated accordingly."}],"props":[{"name":"label","value":"ID.AM-02.4"},{"name":"sort-id","value":"02-001-002-008"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-02.4"}]},{"id":"ID.AM-3","props":[{"name":"label","value":"ID.AM-3"},{"name":"sort-id","value":"02-001-003"}],"title":"Representations of the organisation's authorised network communication and internal and external network data flows are maintained.","controls":[{"id":"ID.AM-03-2","parts":[{"id":"ID.AM-03-2_smt","name":"statement","prose":"The organisation's network communication and internal data flows shall be mapped, documented, authorised, and updated when changes occur."}],"props":[{"name":"label","value":"ID.AM-03-2"},{"name":"sort-id","value":"02-001-003-010"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-03-2"}]},{"id":"ID.AM-4","props":[{"name":"label","value":"ID.AM-4"},{"name":"sort-id","value":"02-001-004"}],"title":"Inventories of services provided by suppliers are maintained.","controls":[{"id":"ID.AM-04.1","parts":[{"id":"ID.AM-04.1_smt","name":"statement","prose":"Organisations shall keep a clear and up-to-date list of all external services it uses, including how they connect to their systems. 
These services shall be reviewed and approved before use, and the list shall be updated whenever changes happen."}],"props":[{"name":"label","value":"ID.AM-04.1"},{"name":"sort-id","value":"02-001-004-012"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-04.1"}]},{"id":"ID.AM-5","props":[{"name":"label","value":"ID.AM-5"},{"name":"sort-id","value":"02-001-005"}],"title":"Assets are prioritised based on classification, criticality, resources, and impact on the mission","controls":[{"id":"ID.AM-5.1","parts":[{"id":"ID.AM-5.1_smt","name":"statement","prose":"The organisation’s assets shall be prioritised based on classification, criticality, and business value."}],"props":[{"name":"label","value":"ID.AM-5.1"},{"name":"sort-id","value":"02-001-005-014"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-5.1"}]},{"id":"ID.AM-07","props":[{"name":"label","value":"ID.AM-07"},{"name":"sort-id","value":"02-001-006"}],"title":"Inventories of data and corresponding metadata for designated data types are maintained","controls":[{"id":"ID.AM-07.1","parts":[{"id":"ID.AM-07.1_smt","name":"statement","prose":"Data that the organisation stores and uses shall be identified.."}],"props":[{"name":"label","value":"ID.AM-07.1"},{"name":"sort-id","value":"02-001-006-015"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.AM-07.1"},{"id":"ID.AM-07.2","parts":[{"id":"ID.AM-07.2_smt","name":"statement","prose":"Inventories of data and associated metadata shall be maintained for designated data types."}],"props":[{"name":"label","value":"ID.AM-07.2"},{"name":"sort-id","value":"02-001-006-016"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement 
ID.AM-07.2"}]},{"id":"ID.AM-08","props":[{"name":"label","value":"ID.AM-08"},{"name":"sort-id","value":"02-001-007"}],"title":"Systems, hardware, software, services, and data are managed throughout their life cycles.","controls":[{"id":"ID.AM-08.2","parts":[{"id":"ID.AM-08.2_smt","name":"statement","prose":"Patches and security updates for operating systems and critical system components shall be installed."}],"props":[{"name":"label","value":"ID.AM-08.2"},{"name":"sort-id","value":"02-001-007-017"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement ID.AM-08.2"},{"id":"ID.AM-08.3","parts":[{"id":"ID.AM-08.3_smt","name":"statement","prose":"The organisation shall enforce accountability for all its business-critical assets throughout the system lifecycle, including removal, transfers, and disposal."}],"props":[{"name":"label","value":"ID.AM-08.3"},{"name":"sort-id","value":"02-001-007-018"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-08.3"},{"id":"ID.AM-08.4","parts":[{"id":"ID.AM-08.4_smt","name":"statement","prose":"The organisation shall ensure that the necessary measures are taken to deal with loss, misuse, damage, or theft of assets."}],"props":[{"name":"label","value":"ID.AM-08.4"},{"name":"sort-id","value":"02-001-007-019"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-08.4"},{"id":"ID.AM-08.6","parts":[{"id":"ID.AM-08.6_smt","name":"statement","prose":"The organisation shall plan, perform and document preventive maintenance and repairs on its critical system components according to approved processes and tools."}],"props":[{"name":"label","value":"ID.AM-08.6"},{"name":"sort-id","value":"02-001-007-021"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement 
ID.AM-08.6"},{"id":"ID.AM-08.8","parts":[{"id":"ID.AM-08.8_smt","name":"statement","prose":"The organisation should pre-approve, monitor and enforce maintenance tools for use on its critical systems."}],"props":[{"name":"label","value":"ID.AM-08.8"},{"name":"sort-id","value":"02-001-007-023"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-08.8"},{"id":"ID.AM-08.11","parts":[{"id":"ID.AM-08.11_smt","name":"statement","prose":"Remote maintenance and diagnostic activities of organisational assets shall be pre-approved and the performance logged."}],"props":[{"name":"label","value":"ID.AM-08.11"},{"name":"sort-id","value":"02-001-007-026"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-08.11"},{"id":"ID.AM-08.12","parts":[{"id":"ID.AM-08.12_smt","name":"statement","prose":"Setting up non-local maintenance and diagnostic sessions over remote network connections shall require strong authenticators and these connections shall be terminated when non-local maintenance is completed."}],"props":[{"name":"label","value":"ID.AM-08.12"},{"name":"sort-id","value":"02-001-007-027"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-08.12"}]}]},{"id":"ID.RA","parts":[{"name":"overview","prose":"The cybersecurity risk to the organisation, assets, and individuals is understood by the organisation."}],"props":[{"name":"label","value":"ID.RA"},{"name":"sort-id","value":"02-002"}],"title":"Risk Assessment","groups":[{"id":"ID.RA-01","props":[{"name":"label","value":"ID.RA-01"},{"name":"sort-id","value":"02-002-008"}],"title":"Vulnerabilities in assets are identified, validated, and recorded.","controls":[{"id":"ID.RA-01.1","parts":[{"id":"ID.RA-01.1_smt","name":"statement","prose":"Threats and vulnerabilities shall be identified in all relevant assets, including software, network and system architectures, and 
facilities that house critical computing assets."}],"props":[{"name":"label","value":"ID.RA-01.1"},{"name":"sort-id","value":"02-002-008-029"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.RA-01.1"},{"id":"ID.RA-01.2","parts":[{"id":"ID.RA-01.2_smt","name":"statement","prose":"A process shall be established to continuously monitor, identify, and document vulnerabilities of the organisation's business critical systems."}],"props":[{"name":"label","value":"ID.RA-01.2"},{"name":"sort-id","value":"02-002-008-030"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.RA-01.2"},{"id":"ID.RA-01.3","parts":[{"id":"ID.RA-01.3_smt","name":"statement","prose":"The organisation shall establish and maintain a documented process that enables continuous review, analysis and remediation of vulnerabilities and makes information sharing possible, where applicable."}],"props":[{"name":"label","value":"ID.RA-01.3"},{"name":"sort-id","value":"02-002-008-031"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.RA-01.3"},{"id":"ID.RA-01.5","parts":[{"id":"ID.RA-01.5_smt","name":"statement","prose":"Vulnerability scanning shall not adversely impact system functions."}],"props":[{"name":"label","value":"ID.RA-01.5"},{"name":"sort-id","value":"02-002-008-033"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.RA-01.5"},{"id":"ID.RA-01.6","parts":[{"id":"ID.RA-01.6_smt","name":"statement","prose":"Vulnerabilities shall be identified and managed in all relevant assets, including software, network and system architectures, and facilities."}],"props":[{"name":"label","value":"ID.RA-01.6"},{"name":"sort-id","value":"02-002-008-034"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement 
ID.RA-01.6"}]},{"id":"ID.RA-02","props":[{"name":"label","value":"ID.RA-02"},{"name":"sort-id","value":"02-002-009"}],"title":"Cyber threat intelligence is received from information sharing forums and sources.","controls":[{"id":"ID.RA-02.1","parts":[{"id":"ID.RA-02.1_smt","name":"statement","prose":"A threat and vulnerability awareness programme that includes a cross-organisation information-sharing capability shall be implemented."}],"props":[{"name":"label","value":"ID.RA-02.1"},{"name":"sort-id","value":"02-002-009-035"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.RA-02.1"}]},{"id":"ID.RA-03","props":[{"name":"label","value":"ID.RA-03"},{"name":"sort-id","value":"02-002-010"}],"title":"Internal and external threats to the organisation are identified and recorded","controls":[{"id":"ID.RA-03.1","parts":[{"id":"ID.RA-03.1_smt","name":"statement","prose":"Threats shall be identified and assessed in relation to all relevant assets, including software, network and system architectures, and facilities."}],"props":[{"name":"label","value":"ID.RA-03.1"},{"name":"sort-id","value":"02-002-010-037"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.RA-03.1"}]},{"id":"ID.RA-05","props":[{"name":"label","value":"ID.RA-05"},{"name":"sort-id","value":"02-002-011"}],"title":"Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritisation.","controls":[{"id":"ID.RA-05.1","parts":[{"id":"ID.RA-05.1_smt","name":"statement","prose":"The organisation shall conduct risk assessments in which risk is determined by threats, vulnerabilities and the impact on business processes and assets."}],"props":[{"name":"label","value":"ID.RA-05.1"},{"name":"sort-id","value":"02-002-011-038"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement 
ID.RA-05.1"},{"id":"ID.RA-05.2","parts":[{"id":"ID.RA-05.2_smt","name":"statement","prose":"The organisation shall conduct and document risk assessments in which risk is determined by threats, vulnerabilities, impact on business processes and assets, and likelihood of their occurrence."}],"props":[{"name":"label","value":"ID.RA-05.2"},{"name":"sort-id","value":"02-002-011-039"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement ID.RA-05.2"}]},{"id":"ID.RA-06","props":[{"name":"label","value":"ID.RA-06"},{"name":"sort-id","value":"02-002-012"}],"title":"Risk responses are chosen, prioritised, planned, tracked, and communicated.","controls":[{"id":"ID.RA-06.1","parts":[{"id":"ID.RA-06.1_smt","name":"statement","prose":"Risk responses shall be identified, prioritised, planned, tracked and communicated."}],"props":[{"name":"label","value":"ID.RA-06.1"},{"name":"sort-id","value":"02-002-012-041"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.RA-06.1"}]},{"id":"ID.RA-08","props":[{"name":"label","value":"ID.RA-08"},{"name":"sort-id","value":"02-002-013"}],"title":"Processes for receiving, analysing, and responding to vulnerability disclosures are established.","controls":[{"id":"ID.RA-08.1","parts":[{"id":"ID.RA-08.1_smt","name":"statement","prose":"The organisation shall establish and implement a vulnerability management plan to identify, analyse, assess, mitigate and communicate all types of vulnerabilities including in the form of a Coordinated Vulnerability Disclosure (CVD) according to applicable legal modalities."}],"props":[{"name":"label","value":"ID.RA-08.1"},{"name":"sort-id","value":"02-002-013-042"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement 
ID.RA-08.1"}]}]},{"id":"ID.IM","parts":[{"name":"overview","prose":"Improvements to organisational cybersecurity risk management processes, procedures and activities are identified across all CyFun® functions."}],"props":[{"name":"label","value":"ID.IM"},{"name":"sort-id","value":"02-003"}],"title":"Improvement","groups":[{"id":"ID.IM-02","props":[{"name":"label","value":"ID.IM-02"},{"name":"sort-id","value":"02-003-014"}],"title":"Improvements are identified from security tests and exercises, including those made in coordination with suppliers and relevant third parties.","controls":[{"id":"ID.IM-02.1","parts":[{"id":"ID.IM-02.1_smt","name":"statement","prose":"Security tests and exercises, including those conducted with suppliers and relevant third parties, shall be used to identify areas for improvement."}],"props":[{"name":"label","value":"ID.IM-02.1"},{"name":"sort-id","value":"02-003-014-044"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.IM-02.1"}]},{"id":"ID.IM-03","props":[{"name":"label","value":"ID.IM-03"},{"name":"sort-id","value":"02-003-015"}],"title":"Improvements are identified from execution of operational processes, procedures, and activities.","controls":[{"id":"ID.IM-03.1","parts":[{"id":"ID.IM-03.1_smt","name":"statement","prose":"The organisation shall conduct risk assessments in which risk is determined by threats, vulnerabilities and the impact on business processes and assets."}],"props":[{"name":"label","value":"ID.IM-03.1"},{"name":"sort-id","value":"02-003-015-045"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.IM-03.1"},{"id":"ID.IM-03.2","parts":[{"id":"ID.IM-03.2_smt","name":"statement","prose":"The organisation shall incorporate lessons learned from incident handling activities into updated or new incident handling processes and/or procedures that are framed by appropriate training after review, approval and 
testing."}],"props":[{"name":"label","value":"ID.IM-03.2"},{"name":"sort-id","value":"02-003-015-046"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.IM-03.2"},{"id":"ID.IM-03.3","parts":[{"id":"ID.IM-03.3_smt","name":"statement","prose":"The organisation shall identify improvements derived from the monitoring, measurements, assessments, and lessons learned and consequently translate this into improved processes / procedures / technologies to enhance its cyber resilience (continuous improvement)."}],"props":[{"name":"label","value":"ID.IM-03.3"},{"name":"sort-id","value":"02-003-015-047"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement ID.IM-03.3"},{"id":"ID.IM-03.4","parts":[{"id":"ID.IM-03.4_smt","name":"statement","prose":"The organisation shall collaborate and share information about its critical system's related security incidents and mitigation measures with designated partners."}],"props":[{"name":"label","value":"ID.IM-03.4"},{"name":"sort-id","value":"02-003-015-048"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.IM-03.4"},{"id":"ID.IM-03.5","parts":[{"id":"ID.IM-03.5_smt","name":"statement","prose":"Communication of effectiveness of protection technologies shall be shared with relevant stakeholders."}],"props":[{"name":"label","value":"ID.IM-03.5"},{"name":"sort-id","value":"02-003-015-049"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.IM-03.5"},{"id":"ID.IM-03.6","parts":[{"id":"ID.IM-03.6_smt","name":"statement","prose":"The organisation shall implement, where feasible, automated mechanisms to facilitate the process of information sharing and 
collaboration."}],"props":[{"name":"label","value":"ID.IM-03.6"},{"name":"sort-id","value":"02-003-015-050"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.IM-03.6"}]},{"id":"ID.IM-04","props":[{"name":"label","value":"ID.IM-04"},{"name":"sort-id","value":"02-003-016"}],"title":"Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved.","controls":[{"id":"ID.IM-04.1","parts":[{"id":"ID.IM-04.1_smt","name":"statement","prose":"Contingency and continuity plans shall be established, communicated, maintained, tested, validated, and improved."}],"props":[{"name":"label","value":"ID.IM-04.1"},{"name":"sort-id","value":"02-003-016-054"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement ID.IM-04.1"}]}]}]},{"id":"PR","props":[{"name":"sort-id","value":"03"}],"title":"PROTECT","groups":[{"id":"PR.AA","parts":[{"name":"overview","prose":"Access to physical and logical assets is limited to authorised users, services, and hardware and managed commensurate with the assessed risk of unauthorised access."}],"props":[{"name":"label","value":"PR.AA"},{"name":"sort-id","value":"03-001"}],"title":"Identity Management, Authentication, and Access Control","groups":[{"id":"PR.AA-01","props":[{"name":"label","value":"PR.AA-01"},{"name":"sort-id","value":"03-001-001"}],"title":"Identities and credentials for authorised users, services, and hardware are managed by the organisation.","controls":[{"id":"PR.AA-01.1","parts":[{"id":"PR.AA-01.1_smt","name":"statement","prose":"Identities and credentials for authorised users, services, and hardware shall be 
managed."}],"props":[{"name":"label","value":"PR.AA-01.1"},{"name":"sort-id","value":"03-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-01.1"},{"id":"PR.AA-01.2","parts":[{"id":"PR.AA-01.2_smt","name":"statement","prose":"Identities and credentials for authorised users, services and hardware shall be managed through automated mechanisms whenever feasible."}],"props":[{"name":"label","value":"PR.AA-01.2"},{"name":"sort-id","value":"03-001-001-002"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AA-01.2"}]},{"id":"PR.AA-02","props":[{"name":"label","value":"PR.AA-02"},{"name":"sort-id","value":"03-001-002"}],"title":"Identities are proofed and bound to credentials based on the context of interactions.","controls":[{"id":"PR.AA-02.1","parts":[{"id":"PR.AA-02.1_smt","name":"statement","prose":"The organisation shall implement documented procedures for verifying the identity of individuals before issuing credentials that provide access to the organisation's systems."}],"props":[{"name":"label","value":"PR.AA-02.1"},{"name":"sort-id","value":"03-001-002-006"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AA-02.1"}]},{"id":"PR.AA-03","props":[{"name":"label","value":"PR.AA-03"},{"name":"sort-id","value":"03-001-003"}],"title":"Users, services, and hardware are authenticated.","controls":[{"id":"PR.AA-03.1","parts":[{"id":"PR.AA-03.1_smt","name":"statement","prose":"All wireless access points used by the organisation, including those providing guest access, shall be securely configured, managed, and monitored to prevent unauthorised access and ensure network 
integrity."}],"props":[{"name":"label","value":"PR.AA-03.1"},{"name":"sort-id","value":"03-001-003-008"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.AA-03.1"},{"id":"PR.AA-03.2","parts":[{"id":"PR.AA-03.2_smt","name":"statement","prose":"Multi-Factor Authentication (MFA) shall be required to access the organisation's networks remotely."}],"props":[{"name":"label","value":"PR.AA-03.2"},{"name":"sort-id","value":"03-001-003-009"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-03.2"},{"id":"PR.AA-03.3","parts":[{"id":"PR.AA-03.3_smt","name":"statement","prose":"The organisation shall define, document, and implement usage restrictions, connection requirements, and authorisation procedures for remote access to its critical systems. These controls shall ensure that only approved users can connect, using secure methods, with access limited to what is necessary for their role."}],"props":[{"name":"label","value":"PR.AA-03.3"},{"name":"sort-id","value":"03-001-003-010"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-03.3"}]},{"id":"PR.AA-05","props":[{"name":"label","value":"PR.AA-05"},{"name":"sort-id","value":"03-001-005"}],"title":"Access permissions, entitlements, and authorisations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.","controls":[{"id":"PR.AA-05.1","parts":[{"id":"PR.AA-05.1_smt","name":"statement","prose":"Access permissions, rights, and authorisations shall be defined, managed, enforced and 
reviewed."}],"props":[{"name":"label","value":"PR.AA-05.1"},{"name":"sort-id","value":"03-001-005-014"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-05.1"},{"id":"PR.AA-05.2","parts":[{"id":"PR.AA-05.2_smt","name":"statement","prose":"It shall be determined who needs access to the organisation's business-critical information and technology and the means to gain access."}],"props":[{"name":"label","value":"PR.AA-05.2"},{"name":"sort-id","value":"03-001-005-015"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-05.2"},{"id":"PR.AA-05.3","parts":[{"id":"PR.AA-05.3_smt","name":"statement","prose":"Access rights, privileges and authorisations must be restricted to the systems and specific information needed to perform the tasks (the principle of Least Privilege)."}],"props":[{"name":"label","value":"PR.AA-05.3"},{"name":"sort-id","value":"03-001-005-016"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-05.3"},{"id":"PR.AA-05.4","parts":[{"id":"PR.AA-05.4_smt","name":"statement","prose":"No-one shall have administrative privileges for routine day-to-day tasks."}],"props":[{"name":"label","value":"PR.AA-05.4"},{"name":"sort-id","value":"03-001-005-017"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-05.4"},{"id":"PR.AA-05.5","parts":[{"id":"PR.AA-05.5_smt","name":"statement","prose":"Where technically, operationally, and economically feasible—without compromising system integrity, safety, or compliance—automated mechanisms shall be implemented to manage user accounts on 
critical ICT and OT systems. Feasibility shall be determined based on system capabilities, integration potential, risk assessment, and business impact."}],"props":[{"name":"label","value":"PR.AA-05.5"},{"name":"sort-id","value":"03-001-005-018"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AA-05.5"},{"id":"PR.AA-05.6","parts":[{"id":"PR.AA-05.6_smt","name":"statement","prose":"Separation of duties (SoD) shall be ensured in the management of access rights."}],"props":[{"name":"label","value":"PR.AA-05.6"},{"name":"sort-id","value":"03-001-005-019"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AA-05.6"},{"id":"PR.AA-05.7","parts":[{"id":"PR.AA-05.7_smt","name":"statement","prose":"Privileged users shall be managed and monitored."}],"props":[{"name":"label","value":"PR.AA-05.7"},{"name":"sort-id","value":"03-001-005-020"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AA-05.7"}]},{"id":"PR.AA-06","props":[{"name":"label","value":"PR.AA-06"},{"name":"sort-id","value":"03-001-006"}],"title":"Physical access to assets is managed, monitored, and enforced commensurate with risk.","controls":[{"id":"PR.AA-06.1","parts":[{"id":"PR.AA-06.1_smt","name":"statement","prose":"Physical access to all organisational assets, including critical zones, should be managed, monitored, and enforced based on risk."}],"props":[{"name":"label","value":"PR.AA-06.1"},{"name":"sort-id","value":"03-001-006-023"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.AA-06.1"},{"id":"PR.AA-06.2","parts":[{"id":"PR.AA-06.2_smt","name":"statement","prose":"Physical access controls should include specific procedures for emergency situations, ensuring continued protection of critical and non-critical assets during such 
events."}],"props":[{"name":"label","value":"PR.AA-06.2"},{"name":"sort-id","value":"03-001-006-024"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AA-06.2"}]}]},{"id":"PR.AT","parts":[{"name":"overview","prose":"The organisation's personnel are provided with cybersecurity awareness and training, so that they can perform their cybersecurity-related tasks"}],"props":[{"name":"label","value":"PR.AT"},{"name":"sort-id","value":"03-002"}],"title":"Awareness and Training","groups":[{"id":"PR.AT-01","props":[{"name":"label","value":"PR.AT-01"},{"name":"sort-id","value":"03-002-007"}],"title":"Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind","controls":[{"id":"PR.AT-01.1","parts":[{"id":"PR.AT-01.1_smt","name":"statement","prose":"The organisation shall establish and maintain a cybersecurity awareness and training programme to ensure that all personnel understand how to perform their tasks securely and responsibly."}],"props":[{"name":"label","value":"PR.AT-01.1"},{"name":"sort-id","value":"03-002-007-027"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.AT-01.1"},{"id":"PR.AT-01.2","parts":[{"id":"PR.AT-01.2_smt","name":"statement","prose":"The organisation shall include insider threat awareness and reporting in its cybersecurity training to help personnel recognise and respond to potential internal risks."}],"props":[{"name":"label","value":"PR.AT-01.2"},{"name":"sort-id","value":"03-002-007-028"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AT-01.2"},{"id":"PR.AT-01.3","parts":[{"id":"PR.AT-01.3_smt","name":"statement","prose":"Personnel shall receive training to understand their specific roles, responsibilities, and priorities during a cybersecurity or information security incident, including the 
steps they need to follow to respond effectively."}],"props":[{"name":"label","value":"PR.AT-01.3"},{"name":"sort-id","value":"03-002-007-029"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AT-01.3"}]},{"id":"PR.AT-02","props":[{"name":"label","value":"PR.AT-02"},{"name":"sort-id","value":"03-002-008"}],"title":"Individuals in specialised roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind.","controls":[{"id":"PR.AT-02.1","parts":[{"id":"PR.AT-02.1_smt","name":"statement","prose":"Members of management bodies shall be able to demonstrate that they have completed training that gives them a solid understanding of information and cybersecurity and risk management so that they can assess information and cyber security risks and their consequences and propose the necessary risk mitigation, considering their roles, responsibilities and authorities."}],"props":[{"name":"label","value":"PR.AT-02.1"},{"name":"sort-id","value":"03-002-008-031"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AT-02.1"},{"id":"PR.AT-02.2","parts":[{"id":"PR.AT-02.2_smt","name":"statement","prose":"Individuals in specialised roles shall be provided with awareness and training before privileges are granted, so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind."}],"props":[{"name":"label","value":"PR.AT-02.2"},{"name":"sort-id","value":"03-002-008-032"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AT-02.2"},{"id":"PR.AT-02.3","parts":[{"id":"PR.AT-02.3_smt","name":"statement","prose":"Privileged users shall be qualified before privileges are granted, and these users shall be able to demonstrate the understanding of their roles, responsibilities, and 
authorities."}],"props":[{"name":"label","value":"PR.AT-02.3"},{"name":"sort-id","value":"03-002-008-033"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AT-02.3"}]}]},{"id":"PR.DS","parts":[{"name":"overview","prose":"Data are managed consistent with the organisation's risk strategy to protect the confidentiality, integrity, and availability of information"}],"props":[{"name":"label","value":"PR.DS"},{"name":"sort-id","value":"03-003"}],"title":"Data Security","groups":[{"id":"PR.DS-01","props":[{"name":"label","value":"PR.DS-01"},{"name":"sort-id","value":"03-003-009"}],"title":"The confidentiality, integrity, and availability of data-at-rest are protected.","controls":[{"id":"PR.DS-01.1","parts":[{"id":"PR.DS-01.1_smt","name":"statement","prose":"The organisation shall implement software, firmware, and information integrity checks to detect unauthorised changes to its critical system components during storage, transport, start-up and when determined necessary."}],"props":[{"name":"label","value":"PR.DS-01.1"},{"name":"sort-id","value":"03-003-009-034"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.DS-01.1"},{"id":"PR.DS-01.4","parts":[{"id":"PR.DS-01.4_smt","name":"statement","prose":"The organisation shall define and enforce clear policies and practical safeguards to manage and restrict the use of portable storage media, in order to reduce the risk of data leakage, unauthorised access, and malware introduction."}],"props":[{"name":"label","value":"PR.DS-01.4"},{"name":"sort-id","value":"03-003-009-037"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.DS-01.4"},{"id":"PR.DS-01.5","parts":[{"id":"PR.DS-01.5_smt","name":"statement","prose":"The organisation shall only allow the use of removable media when absolutely necessary, and shall put technical measures in place to block automatic execution 
of files from these devices."}],"props":[{"name":"label","value":"PR.DS-01.5"},{"name":"sort-id","value":"03-003-009-038"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.DS-01.5"},{"id":"PR.DS-01.9","parts":[{"id":"PR.DS-01.9_smt","name":"statement","prose":"Enterprise assets shall be disposed of safely."}],"props":[{"name":"label","value":"PR.DS-01.9"},{"name":"sort-id","value":"03-003-009-040"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.DS-01.9"}]},{"id":"PR.DS-11","props":[{"name":"label","value":"PR.DS-11"},{"name":"sort-id","value":"03-003-012"}],"title":"Backups of data are created, protected, maintained, and tested.","controls":[{"id":"PR.DS-11.1","parts":[{"id":"PR.DS-11.1_smt","name":"statement","prose":"Backups for the organisation's business critical data shall be performed and stored on a different system from the device on which the original data resides."}],"props":[{"name":"label","value":"PR.DS-11.1"},{"name":"sort-id","value":"03-003-012-044"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.DS-11.1"},{"id":"PR.DS-11.2","parts":[{"id":"PR.DS-11.2_smt","name":"statement","prose":"The reliability and integrity of backups shall be verified and tested regularly."}],"props":[{"name":"label","value":"PR.DS-11.2"},{"name":"sort-id","value":"03-003-012-045"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.DS-11.2"},{"id":"PR.DS-11.3","parts":[{"id":"PR.DS-11.3_smt","name":"statement","prose":"The organisation shall maintain secure backups of business-critical data in a separate storage location to ensure data availability in case of system failure or data loss. 
Backup storage shall apply equivalent security controls as the primary environment."}],"props":[{"name":"label","value":"PR.DS-11.3"},{"name":"sort-id","value":"03-003-012-046"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.DS-11.3"}]}]},{"id":"PR.PS","parts":[{"name":"overview","prose":"The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organisation's risk strategy to protect their confidentiality, integrity, and availability."}],"props":[{"name":"label","value":"PR.PS"},{"name":"sort-id","value":"03-004"}],"title":"Platform Security","groups":[{"id":"PR.PS-01","props":[{"name":"label","value":"PR.PS-01"},{"name":"sort-id","value":"03-004-013"}],"title":"Configuration management practices are established and applied.","controls":[{"id":"PR.PS-01.1","parts":[{"id":"PR.PS-01.1_smt","name":"statement","prose":"The organisation shall develop, document, and maintain a baseline configuration for its business-critical systems."}],"props":[{"name":"label","value":"PR.PS-01.1"},{"name":"sort-id","value":"03-004-013-049"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.PS-01.1"}]},{"id":"PR.PS-02","props":[{"name":"label","value":"PR.PS-02"},{"name":"sort-id","value":"03-004-014"}],"title":"Software is maintained, replaced, and removed commensurate with risk.","controls":[{"id":"PR.PS-02.1","parts":[{"id":"PR.PS-02.1_smt","name":"statement","prose":"The organisation shall enforce restrictions on software usage and installation, and ensure that software is maintained, replaced, or removed based on its associated 
risk."}],"props":[{"name":"label","value":"PR.PS-02.1"},{"name":"sort-id","value":"03-004-014-054"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.PS-02.1"}]},{"id":"PR.PS-03","props":[{"name":"label","value":"PR.PS-03"},{"name":"sort-id","value":"03-004-015"}],"title":"Hardware is maintained, replaced, and removed commensurate with risk.","controls":[{"id":"PR.PS-03.1","parts":[{"id":"PR.PS-03.1_smt","name":"statement","prose":"Hardware used in business-critical environments shall be maintained, replaced, or removed based on its associated security and operational risk."}],"props":[{"name":"label","value":"PR.PS-03.1"},{"name":"sort-id","value":"03-004-015-055"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.PS-03.1"}]},{"id":"PR.PS-04","props":[{"name":"label","value":"PR.PS-04"},{"name":"sort-id","value":"03-004-016"}],"title":"Log records are generated and made available for continuous monitoring.","controls":[{"id":"PR.PS-04.1","parts":[{"id":"PR.PS-04.1_smt","name":"statement","prose":"Logs shall be maintained, documented, and monitored."}],"props":[{"name":"label","value":"PR.PS-04.1"},{"name":"sort-id","value":"03-004-016-056"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement PR.PS-04.1"},{"id":"PR.PS-04.2","parts":[{"id":"PR.PS-04.2_smt","name":"statement","prose":"The organisation shall ensure that logbook records contain an authoritative time source or internal clock time stamp that is compared and synchronised with an authoritative time source."}],"props":[{"name":"label","value":"PR.PS-04.2"},{"name":"sort-id","value":"03-004-016-057"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement 
PR.PS-04.2"},{"id":"PR.PS-04.3","parts":[{"id":"PR.PS-04.3_smt","name":"statement","prose":"Audit data from the organisation's critical systems shall be moved to an alternative system."}],"props":[{"name":"label","value":"PR.PS-04.3"},{"name":"sort-id","value":"03-004-016-058"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.PS-04.3"}]},{"id":"PR.PS-05","props":[{"name":"label","value":"PR.PS-05"},{"name":"sort-id","value":"03-004-017"}],"title":"Installation and execution of unauthorised software are prevented.","controls":[{"id":"PR.PS-05.1","parts":[{"id":"PR.PS-05.1_smt","name":"statement","prose":"Web and e-mail filters shall be installed and used."}],"props":[{"name":"label","value":"PR.PS-05.1"},{"name":"sort-id","value":"03-004-017-061"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.PS-05.1"},{"id":"PR.PS-05.2","parts":[{"id":"PR.PS-05.2_smt","name":"statement","prose":"Installation and execution of unauthorised software shall be prevented."}],"props":[{"name":"label","value":"PR.PS-05.2"},{"name":"sort-id","value":"03-004-017-062"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.PS-05.2"}]},{"id":"PR.PS-06","props":[{"name":"label","value":"PR.PS-06"},{"name":"sort-id","value":"03-004-018"}],"title":"Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.","controls":[{"id":"PR.PS-06.1","parts":[{"id":"PR.PS-06.1_smt","name":"statement","prose":"Security shall be considered throughout the lifecycle of systems and applications, whether developed internally or acquired externally."}],"props":[{"name":"label","value":"PR.PS-06.1"},{"name":"sort-id","value":"03-004-018-063"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement 
PR.PS-06.1"},{"id":"PR.PS-06.2","parts":[{"id":"PR.PS-06.2_smt","name":"statement","prose":"Changes and exceptions shall be tested and validated before being implemented into operational systems."}],"props":[{"name":"label","value":"PR.PS-06.2"},{"name":"sort-id","value":"03-004-018-064"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.PS-06.2"}]}]},{"id":"PR.IR","parts":[{"name":"overview","prose":"Security architectures are managed with the organisation's risk strategy to protect asset confidentiality, integrity, and availability, and organisational resilience."}],"props":[{"name":"label","value":"PR.IR"},{"name":"sort-id","value":"03-005"}],"title":"Technology Infrastructure Resilience","groups":[{"id":"PR.IR-01","props":[{"name":"label","value":"PR.IR-01"},{"name":"sort-id","value":"03-005-019"}],"title":"Networks and environments are protected from unauthorised logical access and usage.","controls":[{"id":"PR.IR-01.1","parts":[{"id":"PR.IR-01.1_smt","name":"statement","prose":"Firewalls shall be installed, configured, and actively maintained on all networks used by the organisation to protect against unauthorised access and cyber threats."}],"props":[{"name":"label","value":"PR.IR-01.1"},{"name":"sort-id","value":"03-005-019-067"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.IR-01.1"},{"id":"PR.IR-01.2","parts":[{"id":"PR.IR-01.2_smt","name":"statement","prose":"To safeguard critical systems, organisations shall implement network segmentation and segregation aligned with trust boundaries and asset criticality, thereby limiting threat propagation and enforcing strict access 
control."}],"props":[{"name":"label","value":"PR.IR-01.2"},{"name":"sort-id","value":"03-005-019-068"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.IR-01.2"},{"id":"PR.IR-01.3","parts":[{"id":"PR.IR-01.3_smt","name":"statement","prose":"To ensure operational stability and security, the organisation shall, without exception, identify, document, and control connections between components of its critical systems."}],"props":[{"name":"label","value":"PR.IR-01.3"},{"name":"sort-id","value":"03-005-019-069"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.IR-01.3"},{"id":"PR.IR-01.4","parts":[{"id":"PR.IR-01.4_smt","name":"statement","prose":"The organisation shall implement appropriate boundary protection measures to monitor and control communications at external and key internal boundaries of its critical systems, across both IT and OT environments, to ensure secure and reliable operations."}],"props":[{"name":"label","value":"PR.IR-01.4"},{"name":"sort-id","value":"03-005-019-070"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.IR-01.4"}]},{"id":"PR.IR-02","props":[{"name":"label","value":"PR.IR-02"},{"name":"sort-id","value":"03-005-020"}],"title":"The organisation's technology assets are protected from environmental threats.","controls":[{"id":"PR.IR-02.1","parts":[{"id":"PR.IR-02.1_smt","name":"statement","prose":"The organisation shall define, implement and maintain policies and procedures related to emergency and safety systems, fire protection systems and environmental controls for its critical 
systems."}],"props":[{"name":"label","value":"PR.IR-02.1"},{"name":"sort-id","value":"03-005-020-076"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.IR-02.1"}]},{"id":"PR.IR-04","props":[{"name":"label","value":"PR.IR-04"},{"name":"sort-id","value":"03-005-022"}],"title":"Adequate resource capacity to ensure availability is maintained.","controls":[{"id":"PR.IR-04.1","parts":[{"id":"PR.IR-04.1_smt","name":"statement","prose":"Adequate resource capacity planning shall ensure that availability of the organisation's critical system information processing, networking, telecommunications, and data storage is maintained."}],"props":[{"name":"label","value":"PR.IR-04.1"},{"name":"sort-id","value":"03-005-022-079"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.IR-04.1"}]}]}]},{"id":"DE","props":[{"name":"sort-id","value":"04"}],"title":"DETECT","groups":[{"id":"DE.CM","parts":[{"name":"overview","prose":"Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events."}],"props":[{"name":"label","value":"DE.CM"},{"name":"sort-id","value":"04-001"}],"title":"Continuous Monitoring","groups":[{"id":"DE.CM-01","props":[{"name":"label","value":"DE.CM-01"},{"name":"sort-id","value":"04-001-001"}],"title":"Networks and network services are monitored to find potentially adverse events.","controls":[{"id":"DE.CM-01.1","parts":[{"id":"DE.CM-01.1_smt","name":"statement","prose":"Firewalls shall be installed and operated at the network boundaries, including endpoint firewalls."}],"props":[{"name":"label","value":"DE.CM-01.1"},{"name":"sort-id","value":"04-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement DE.CM-01.1"},{"id":"DE.CM-01.2","parts":[{"id":"DE.CM-01.2_smt","name":"statement","prose":"Anti-virus, anti-spyware, and other anti-malware programs shall be installed and 
updated."}],"props":[{"name":"label","value":"DE.CM-01.2"},{"name":"sort-id","value":"04-001-001-002"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement DE.CM-01.2"},{"id":"DE.CM-01.3","parts":[{"id":"DE.CM-01.3_smt","name":"statement","prose":"The organisation shall monitor and identify unauthorised use of its business-critical systems through the detection of unauthorised local connections, network connections and remote connections."}],"props":[{"name":"label","value":"DE.CM-01.3"},{"name":"sort-id","value":"04-001-001-003"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement DE.CM-01.3"}]},{"id":"DE.CM-02","props":[{"name":"label","value":"DE.CM-02"},{"name":"sort-id","value":"04-001-002"}],"title":"The physical environment is monitored to find potentially adverse events.","controls":[{"id":"DE.CM-02.1","parts":[{"id":"DE.CM-02.1_smt","name":"statement","prose":"The physical environment shall be monitored to find potentially adverse events."}],"props":[{"name":"label","value":"DE.CM-02.1"},{"name":"sort-id","value":"04-001-002-005"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.CM-02.1"}]},{"id":"DE.CM-03","props":[{"name":"label","value":"DE.CM-03"},{"name":"sort-id","value":"04-001-003"}],"title":"Personnel activity and technology usage are monitored to find potentially adverse events.","controls":[{"id":"DE.CM-03-1","parts":[{"id":"DE.CM-03-1_smt","name":"statement","prose":"Endpoint and network protection tools to monitor end-user behaviour for dangerous activity shall be 
implemented."}],"props":[{"name":"label","value":"DE.CM-03-1"},{"name":"sort-id","value":"04-001-003-007"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement DE.CM-03-1"},{"id":"DE.CM-03.2","parts":[{"id":"DE.CM-03.2_smt","name":"statement","prose":"Endpoint and network protection tools that monitor end-user behaviour for dangerous activity shall be managed."}],"props":[{"name":"label","value":"DE.CM-03.2"},{"name":"sort-id","value":"04-001-003-008"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.CM-03.2"}]},{"id":"DE.CM-06","props":[{"name":"label","value":"DE.CM-06"},{"name":"sort-id","value":"04-001-004"}],"title":"External service provider activities and services are monitored to find potentially adverse events.","controls":[{"id":"DE.CM-06.1","parts":[{"id":"DE.CM-06.1_smt","name":"statement","prose":"External service provider activities and services shall be secured and monitored to find potentially adverse events."}],"props":[{"name":"label","value":"DE.CM-06.1"},{"name":"sort-id","value":"04-001-004-009"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.CM-06.1"},{"id":"DE.CM-06.2","parts":[{"id":"DE.CM-06.2_smt","name":"statement","prose":"External service providers' conformance with personnel security policies and procedures and contract security requirements shall be monitored relative to their cybersecurity risks."}],"props":[{"name":"label","value":"DE.CM-06.2"},{"name":"sort-id","value":"04-001-004-010"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.CM-06.2"}]},{"id":"DE.CM-09","props":[{"name":"label","value":"DE.CM-09"},{"name":"sort-id","value":"04-001-005"}],"title":"Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse 
events.","controls":[{"id":"DE.CM-09.1","parts":[{"id":"DE.CM-09.1_smt","name":"statement","prose":"The organisation shall monitor computing hardware, software, runtime environments, and their data to detect potentially adverse events."}],"props":[{"name":"label","value":"DE.CM-09.1"},{"name":"sort-id","value":"04-001-005-011"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.CM-09.1"}]}]},{"id":"DE.AE","parts":[{"name":"overview","prose":"Anomalies, indicators of compromise, and other potentially adverse events are analysed to characterise the events and detect cybersecurity incidents."}],"props":[{"name":"label","value":"DE.AE"},{"name":"sort-id","value":"04-002"}],"title":"Adverse Event Analysis","groups":[{"id":"DE.AE-02","props":[{"name":"label","value":"DE.AE-02"},{"name":"sort-id","value":"04-002-006"}],"title":"Potentially adverse events are analysed to better understand associated activities.","controls":[{"id":"DE.AE-02.1","parts":[{"id":"DE.AE-02.1_smt","name":"statement","prose":"Cybersecurity and information security events must be reviewed and analysed to identify potential attack targets and methods, in accordance with applicable laws, regulations, standards, and policies."}],"props":[{"name":"label","value":"DE.AE-02.1"},{"name":"sort-id","value":"04-002-006-015"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.AE-02.1"}]},{"id":"DE.AE-03","props":[{"name":"label","value":"DE.AE-03"},{"name":"sort-id","value":"04-002-007"}],"title":"Information is correlated from multiple sources.","controls":[{"id":"DE.AE-03.1","parts":[{"id":"DE.AE-03.1_smt","name":"statement","prose":"The logging functionality of protection and detection tools shall be enabled. 
Logs shall be backed up and retained for a predefined period, and regularly reviewed to identify unusual or potentially harmful activity."}],"props":[{"name":"label","value":"DE.AE-03.1"},{"name":"sort-id","value":"04-002-007-017"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement DE.AE-03.1"},{"id":"DE.AE-03.2","parts":[{"id":"DE.AE-03.2_smt","name":"statement","prose":"The organisation shall ensure that event data from critical systems is collected and correlated using information from multiple relevant sources."}],"props":[{"name":"label","value":"DE.AE-03.2"},{"name":"sort-id","value":"04-002-007-018"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.AE-03.2"}]},{"id":"DE.AE-06","props":[{"name":"label","value":"DE.AE-06"},{"name":"sort-id","value":"04-002-009"}],"title":"Information on adverse events is provided to authorised staff and tools.","controls":[{"id":"DE.AE-06.1","parts":[{"id":"DE.AE-06.1_smt","name":"statement","prose":"Information about adverse events must be promptly delivered to authorised personnel and systems to enable timely detection, investigation, and response."}],"props":[{"name":"label","value":"DE.AE-06.1"},{"name":"sort-id","value":"04-002-009-021"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.AE-06.1"}]},{"id":"DE.AE-08","props":[{"name":"label","value":"DE.AE-08"},{"name":"sort-id","value":"04-002-010"}],"title":"Incidents are declared when adverse events meet the defined incident criteria.","controls":[{"id":"DE.AE-08.1","parts":[{"id":"DE.AE-08.1_smt","name":"statement","prose":"Incidents shall be reported when adverse events meet defined and documented incident 
criteria."}],"props":[{"name":"label","value":"DE.AE-08.1"},{"name":"sort-id","value":"04-002-010-022"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.AE-08.1"}]}]}]},{"id":"RS","props":[{"name":"sort-id","value":"05"}],"title":"RESPOND","groups":[{"id":"RS.MA","parts":[{"name":"overview","prose":"Responses to detected cybersecurity incidents are managed."}],"props":[{"name":"label","value":"RS.MA"},{"name":"sort-id","value":"05-001"}],"title":"Incident Management","groups":[{"id":"RS.MA-01","props":[{"name":"label","value":"RS.MA-01"},{"name":"sort-id","value":"05-001-001"}],"title":"The incident response plan is executed in coordination with relevant third parties once an incident is declared.","controls":[{"id":"RS.MA-01.1","parts":[{"id":"RS.MA-01.1_smt","name":"statement","prose":"An incident response plan, including defined roles, responsibilities, and authorities, shall be executed during or after a cybersecurity event affecting the organisation's critical systems."}],"props":[{"name":"label","value":"RS.MA-01.1"},{"name":"sort-id","value":"05-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement RS.MA-01.1"},{"id":"RS.MA-01.2","parts":[{"id":"RS.MA-01.2_smt","name":"statement","prose":"The organisation shall coordinate information/cybersecurity incident response actions with all predefined stakeholders."}],"props":[{"name":"label","value":"RS.MA-01.2"},{"name":"sort-id","value":"05-001-001-002"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.MA-01.2"}]},{"id":"RS.MA-02","props":[{"name":"label","value":"RS.MA-02"},{"name":"sort-id","value":"05-001-002"}],"title":"Incident reports are triaged and validated.","controls":[{"id":"RS.MA-02.1","parts":[{"id":"RS.MA-02.1_smt","name":"statement","prose":"Information/cybersecurity incident reports shall be triaged and validated in accordance with 
the organisation’s incident response procedures."}],"props":[{"name":"label","value":"RS.MA-02.1"},{"name":"sort-id","value":"05-001-002-003"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.MA-02.1"}]},{"id":"RS.MA-03","props":[{"name":"label","value":"RS.MA-03"},{"name":"sort-id","value":"05-001-003"}],"title":"Incidents are categorised and prioritised.","controls":[{"id":"RS.MA-03.1","parts":[{"id":"RS.MA-03.1_smt","name":"statement","prose":"Information/cybersecurity incidents shall be categorised, prioritised and escalated as specified in the incident response plan."}],"props":[{"name":"label","value":"RS.MA-03.1"},{"name":"sort-id","value":"05-001-003-005"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.MA-03.1"}]},{"id":"RS.MA-05","props":[{"name":"label","value":"RS.MA-05"},{"name":"sort-id","value":"05-001-004"}],"title":"The criteria for initiating incident recovery are applied.","controls":[{"id":"RS.MA-05.1","parts":[{"id":"RS.MA-05.1_smt","name":"statement","prose":"Clear criteria shall be defined and applied to determine when incident recovery processes need to be initiated."}],"props":[{"name":"label","value":"RS.MA-05.1"},{"name":"sort-id","value":"05-001-004-006"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.MA-05.1"}]}]},{"id":"RS.AN","parts":[{"name":"overview","prose":"Investigations are conducted to ensure effective response and support forensics and recovery activities."}],"props":[{"name":"label","value":"RS.AN"},{"name":"sort-id","value":"05-002"}],"title":"Incident Analysis","groups":[{"id":"RS.AN-06","props":[{"name":"label","value":"RS.AN-06"},{"name":"sort-id","value":"05-002-006"}],"title":"Actions performed during an investigation are recorded, and the records’ integrity and provenance are 
preserved.","controls":[{"id":"RS.AN-06.1","parts":[{"id":"RS.AN-06.1_smt","name":"statement","prose":"Actions performed during an investigation shall be recorded, and the records' integrity and provenance shall be preserved."}],"props":[{"name":"label","value":"RS.AN-06.1"},{"name":"sort-id","value":"05-002-006-008"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.AN-06.1"}]},{"id":"RS.AN-07","props":[{"name":"label","value":"RS.AN-07"},{"name":"sort-id","value":"05-002-007"}],"title":"Incident data and metadata are collected, and their integrity and provenance are preserved.","controls":[{"id":"RS.AN-07.1","parts":[{"id":"RS.AN-07.1_smt","name":"statement","prose":"Incident data and metadata should be collected and protected to ensure their accuracy, authenticity, and traceability."}],"props":[{"name":"label","value":"RS.AN-07.1"},{"name":"sort-id","value":"05-002-007-009"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.AN-07.1"}]},{"id":"RS.AN-08","props":[{"name":"label","value":"RS.AN-08"},{"name":"sort-id","value":"05-002-008"}],"title":"An incident's magnitude is estimated and validated.","controls":[{"id":"RS.AN-08.1","parts":[{"id":"RS.AN-08.1_smt","name":"statement","prose":"An incident's magnitude shall be estimated and validated."}],"props":[{"name":"label","value":"RS.AN-08.1"},{"name":"sort-id","value":"05-002-008-010"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.AN-08.1"}]}]},{"id":"RS.CO","parts":[{"name":"overview","prose":"Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies."}],"props":[{"name":"label","value":"RS.CO"},{"name":"sort-id","value":"05-003"}],"title":"Incident Response Reporting and 
Communication","groups":[{"id":"RS.CO-02","props":[{"name":"label","value":"RS.CO-02"},{"name":"sort-id","value":"05-003-009"}],"title":"Internal and external stakeholders are notified of incidents.","controls":[{"id":"RS.CO-02.1","parts":[{"id":"RS.CO-02.1_smt","name":"statement","prose":"Information about cybersecurity incidents shall be communicated to employees in a way that is clear and easy to understand."}],"props":[{"name":"label","value":"RS.CO-02.1"},{"name":"sort-id","value":"05-003-009-011"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement RS.CO-02.1"},{"id":"RS.CO-02.2","parts":[{"id":"RS.CO-02.2_smt","name":"statement","prose":"Cybersecurity incidents shall be shared with relevant external stakeholders within the timeframes defined in the Incident Response Plan, including reporting significant incidents to authorities as required by law."}],"props":[{"name":"label","value":"RS.CO-02.2"},{"name":"sort-id","value":"05-003-009-012"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement RS.CO-02.2"}]}]},{"id":"RS.MI","parts":[{"name":"overview","prose":"Activities are performed to prevent expansion of an event and mitigate its effects."}],"props":[{"name":"label","value":"RS.MI"},{"name":"sort-id","value":"05-004"}],"title":"Incident Mitigation","groups":[{"id":"RS.MI-01","props":[{"name":"label","value":"RS.MI-01"},{"name":"sort-id","value":"05-004-010"}],"title":"Incidents are contained.","controls":[{"id":"RS.MI-01.1","parts":[{"id":"RS.MI-01.1_smt","name":"statement","prose":"Cybersecurity incidents shall be contained and eliminated. 
Any decision to accept and retain certain cybersecurity risks shall be formally documented."}],"props":[{"name":"label","value":"RS.MI-01.1"},{"name":"sort-id","value":"05-004-010-013"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.MI-01.1"},{"id":"RS.MI-01.2","parts":[{"id":"RS.MI-01.2_smt","name":"statement","prose":"The organisation shall detect unauthorised access or data leakage and take appropriate mitigation actions, including monitoring of critical systems at external boundaries and key internal points."}],"props":[{"name":"label","value":"RS.MI-01.2"},{"name":"sort-id","value":"05-004-010-014"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement RS.MI-01.2"}]}]}]},{"id":"RC","props":[{"name":"sort-id","value":"06"}],"title":"RECOVER","groups":[{"id":"RC.RP","parts":[{"name":"overview","prose":"Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents."}],"props":[{"name":"label","value":"RC.RP"},{"name":"sort-id","value":"06-001"}],"title":"Incident Recovery Plan Execution","groups":[{"id":"RC.RP-01","props":[{"name":"label","value":"RC.RP-01"},{"name":"sort-id","value":"06-001-001"}],"title":"The recovery portion of the incident response plan is executed once initiated from the incident response process.","controls":[{"id":"RC.RP-01.1","parts":[{"id":"RC.RP-01.1_smt","name":"statement","prose":"A recovery process for disasters and information/cybersecurity incidents shall be developed and executed."}],"props":[{"name":"label","value":"RC.RP-01.1"},{"name":"sort-id","value":"06-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement 
RC.RP-01.1"}]},{"id":"RC.RP-05","props":[{"name":"label","value":"RC.RP-05"},{"name":"sort-id","value":"06-001-003"}],"title":"The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed.","controls":[{"id":"RC.RP-05.1","parts":[{"id":"RC.RP-05.1_smt","name":"statement","prose":"The integrity of restored systems and assets shall be verified before they are returned to service. Systems and services shall be fully restored, and normal operations shall be confirmed."}],"props":[{"name":"label","value":"RC.RP-05.1"},{"name":"sort-id","value":"06-001-003-003"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RC.RP-05.1"}]},{"id":"RC.RP-06","props":[{"name":"label","value":"RC.RP-06"},{"name":"sort-id","value":"06-001-004"}],"title":"The end of incident recovery is declared based on criteria, and incident-related documentation is completed.","controls":[{"id":"RC.RP-06.1","parts":[{"id":"RC.RP-06.1_smt","name":"statement","prose":"The end of incident recovery shall be formally declared based on predefined criteria, and all incident-related documentation shall be completed and reviewed."}],"props":[{"name":"label","value":"RC.RP-06.1"},{"name":"sort-id","value":"06-001-004-004"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RC.RP-06.1"}]}]},{"id":"RC.CO","parts":[{"name":"overview","prose":"Restoration activities are coordinated with internal and external parties."}],"props":[{"name":"label","value":"RC.CO"},{"name":"sort-id","value":"06-002"}],"title":"Incident Recovery Communication","groups":[{"id":"RC.CO-03","props":[{"name":"label","value":"RC.CO-03"},{"name":"sort-id","value":"06-002-005"}],"title":"Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external 
stakeholders.","controls":[{"id":"RC.CO-03.1","parts":[{"id":"RC.CO-03.1_smt","name":"statement","prose":"Recovery activities and progress in restoring operational capabilities shall be communicated to designated internal and external stakeholders in accordance with established communication procedures."}],"props":[{"name":"label","value":"RC.CO-03.1"},{"name":"sort-id","value":"06-002-005-005"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement RC.CO-03.1"}]},{"id":"RC.CO-04","props":[{"name":"label","value":"RC.CO-04"},{"name":"sort-id","value":"06-002-006"}],"title":"Public updates on incident recovery are shared using approved methods and messaging.","controls":[{"id":"RC.CO-04.1","parts":[{"id":"RC.CO-04.1_smt","name":"statement","prose":"Public updates on incident recovery shall be shared using approved communication methods and messaging, in accordance with established procedures."}],"props":[{"name":"label","value":"RC.CO-04.1"},{"name":"sort-id","value":"06-002-006-006"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RC.CO-04.1"}]}]}]}]}}