{"catalog":{"uuid":"cf5321f4-9e27-47bc-b882-fa4c1b0d1ff2","metadata":{"links":[{"rel":"source-profile","href":"https://api.dev.comply0.com/v1/profiles/8563aa26-72dc-4fc7-ba7f-9a2b7099a330"}],"props":[{"name":"resolution-tool","value":"Comply0"}],"title":"CyFun 2025 ESSENTIAL Resolved","version":"2025-12-12","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"76a668e8-6aef-4eaa-88fe-5224c4ea2171"}],"last-modified":"2025-12-16T22:17:34.795Z","oscal-version":"1.1.3"},"groups":[{"id":"GV","props":[{"name":"sort-id","value":"01"}],"title":"GOVERN","groups":[{"id":"GV.OC","parts":[{"name":"overview","prose":"The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organisation's cybersecurity risk management decisions are understood."}],"props":[{"name":"label","value":"GV.OC"},{"name":"sort-id","value":"01-001"}],"title":"Organisational Context","groups":[{"id":"GV.OC-01","props":[{"name":"label","value":"GV.OC-01"},{"name":"sort-id","value":"01-001-001"}],"title":"The organisational mission is understood and informs cybersecurity risk management.","controls":[{"id":"GV.OC-01.1","parts":[{"id":"GV.OC-01.1_smt","name":"statement","prose":"The organisation's mission shall be established, communicated and shall form the basis for information and cybersecurity risk management."}],"props":[{"name":"label","value":"GV.OC-01.1"},{"name":"sort-id","value":"01-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.OC-01.1"}]},{"id":"GV.OC-02","props":[{"name":"label","value":"GV.OC-02"},{"name":"sort-id","value":"01-001-002"}],"title":"Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and 
considered.","controls":[{"id":"GV.OC-02.1","parts":[{"id":"GV.OC-02.1_smt","name":"statement","prose":"The organisation shall demonstrate it understands and considers the needs and expectations of both internal and external stakeholders regarding information and cybersecurity risk management."}],"props":[{"name":"label","value":"GV.OC-02.1"},{"name":"sort-id","value":"01-001-002-002"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.OC-02.1"}]},{"id":"GV.OC-03","props":[{"name":"label","value":"GV.OC-03"},{"name":"sort-id","value":"01-001-003"}],"title":"Legal, regulatory, and contractual requirements regarding cybersecurity are understood and managed.","controls":[{"id":"GV.OC-03.1","parts":[{"id":"GV.OC-03.1_smt","name":"statement","prose":"Legal and regulatory requirements regarding information and cybersecurity shall be identified and implemented."}],"props":[{"name":"label","value":"GV.OC-03.1"},{"name":"sort-id","value":"01-001-003-003"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement GV.OC-03.1"},{"id":"GV.OC-03.2","parts":[{"id":"GV.OC-03.2_smt","name":"statement","prose":"Legal, regulatory, and contractual obligations related to information and cybersecurity shall be continuously managed to ensure they remain accurate, up-to-date, and effectively applied."}],"props":[{"name":"label","value":"GV.OC-03.2"},{"name":"sort-id","value":"01-001-003-004"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.OC-03.2"}]},{"id":"GV.OC-04","props":[{"name":"label","value":"GV.OC-04"},{"name":"sort-id","value":"01-001-004"}],"title":"Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organisation are understood 
and communicated.","controls":[{"id":"GV.OC-04.1","parts":[{"id":"GV.OC-04.1_smt","name":"statement","prose":"The organisation shall identify, document, and communicate the critical objectives, capabilities, and services relied upon by external stakeholders, prioritise them based on criticality, and integrate this prioritisation into the risk assessment process."}],"props":[{"name":"label","value":"GV.OC-04.1"},{"name":"sort-id","value":"01-001-004-005"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.OC-04.1"},{"id":"GV.OC-04.2","parts":[{"id":"GV.OC-04.2_smt","name":"statement","prose":"The organisation shall define and document cybersecurity requirements for essential operations, validate them through testing and audits, keep records of results and corrective actions, and regularly update requirements based on evolving risks."}],"props":[{"name":"label","value":"GV.OC-04.2"},{"name":"sort-id","value":"01-001-004-006"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.OC-04.2"},{"id":"GV.OC-04.3","parts":[{"id":"GV.OC-04.3_smt","name":"statement","prose":"Redundancy shall be implemented to meet availability requirements as defined by the organisation, legislation and/or regulations."}],"props":[{"name":"label","value":"GV.OC-04.3"},{"name":"sort-id","value":"01-001-004-007"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement GV.OC-04.3"},{"id":"GV.OC-04.4","parts":[{"id":"GV.OC-04.4_smt","name":"statement","prose":"Recovery time and recovery point objectives for the resumption of essential ICT/OT system processes shall be defined and monitored."}],"props":[{"name":"label","value":"GV.OC-04.4"},{"name":"sort-id","value":"01-001-004-008"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement 
GV.OC-04.4"}]},{"id":"GV.OC-05","props":[{"name":"label","value":"GV.OC-05"},{"name":"sort-id","value":"01-001-005"}],"title":"Outcomes, capabilities, and services that the organization depends on are understood and communicated.","controls":[{"id":"GV.OC-05.1","parts":[{"id":"GV.OC-05.1_smt","name":"statement","prose":"The organization shall identify, document, and communicate its role in the supply chain, including the external capabilities, services, and dependencies it relies on (upstream), as well as its interactions with downstream stakeholders."}],"props":[{"name":"label","value":"GV.OC-05.1"},{"name":"sort-id","value":"01-001-005-009"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.OC-05.1"}]}]},{"id":"GV.RM","parts":[{"name":"overview","prose":"The organisation's priorities, constraints, risk tolerance and appetite statements, and assumptions, are established, communicated, and used to support operational risk decisions."}],"props":[{"name":"label","value":"GV.RM"},{"name":"sort-id","value":"01-002"}],"title":"Risk Management Strategy","groups":[{"id":"GV.RM-01","props":[{"name":"label","value":"GV.RM-01"},{"name":"sort-id","value":"01-002-006"}],"title":"Risk management objectives are established and agreed to by organisational stakeholders.","controls":[{"id":"GV.RM-01.1","parts":[{"id":"GV.RM-01.1_smt","name":"statement","prose":"Information/cybersecurity objectives shall be identified, agreed to by organisational stakeholders and approved by senior management"}],"props":[{"name":"label","value":"GV.RM-01.1"},{"name":"sort-id","value":"01-002-006-010"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.RM-01.1"}]},{"id":"GV.RM-02","props":[{"name":"label","value":"GV.RM-02"},{"name":"sort-id","value":"01-002-007"}],"title":"Risk appetite and risk tolerance statements 
are established, communicated, and maintained.","controls":[{"id":"GV.RM-02.1","parts":[{"id":"GV.RM-02.1_smt","name":"statement","prose":"Risk appetite and risk tolerance statements shall be defined, documented, approved by senior management, communicated, and maintained."}],"props":[{"name":"label","value":"GV.RM-02.1"},{"name":"sort-id","value":"01-002-007-011"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.RM-02.1"}]},{"id":"GV.RM-03","props":[{"name":"label","value":"GV.RM-03"},{"name":"sort-id","value":"01-002-008"}],"title":"Cybersecurity risk management activities and outcomes are included in enterprise risk management processes.","controls":[{"id":"GV.RM-03.1","parts":[{"id":"GV.RM-03.1_smt","name":"statement","prose":"As part of the organisation-wide risk management strategy, a comprehensive strategy to manage information and cybersecurity risks shall be developed and updated when changes occur."}],"props":[{"name":"label","value":"GV.RM-03.1"},{"name":"sort-id","value":"01-002-008-012"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement GV.RM-03.1"},{"id":"GV.RM-03.2","parts":[{"id":"GV.RM-03.2_smt","name":"statement","prose":"Information and cybersecurity risks shall be documented, as part of the enterprise risk management processes, formally approved by senior management, and updated when changes occur."}],"props":[{"name":"label","value":"GV.RM-03.2"},{"name":"sort-id","value":"01-002-008-013"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.RM-03.2"}]},{"id":"GV.RM-04","props":[{"name":"label","value":"GV.RM-04"},{"name":"sort-id","value":"01-002-009"}],"title":"Strategic direction that describes appropriate risk response options is established and 
communicated.","controls":[{"id":"GV.RM-04.1","parts":[{"id":"GV.RM-04.1_smt","name":"statement","prose":"A high-level plan or vision shall be formally established and clearly communicated to everyone involved on how to manage risks, including the different strategies the organisation can employ to deal with identified risks based on risk appetite or risk tolerance level."}],"props":[{"name":"label","value":"GV.RM-04.1"},{"name":"sort-id","value":"01-002-009-014"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.RM-04.1"}]},{"id":"GV.RM-05","props":[{"name":"label","value":"GV.RM-05"},{"name":"sort-id","value":"01-002-010"}],"title":"Lines of communication across the organisation are established for cybersecurity risks, including risks from suppliers and other third parties.","controls":[{"id":"GV.RM-05.1","parts":[{"id":"GV.RM-05.1_smt","name":"statement","prose":"To support the high-level risk management vision, the organisation shall establish clear lines of communication for cybersecurity risks, including those arising from suppliers and third parties."}],"props":[{"name":"label","value":"GV.RM-05.1"},{"name":"sort-id","value":"01-002-010-015"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.RM-05.1"}]}]},{"id":"GV.RR","parts":[{"name":"overview","prose":"Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated."}],"props":[{"name":"label","value":"GV.RR"},{"name":"sort-id","value":"01-003"}],"title":"Roles, Responsibilities and Authorities","groups":[{"id":"GV.RR-01","props":[{"name":"label","value":"GV.RR-01"},{"name":"sort-id","value":"01-003-011"}],"title":"Organisational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually 
improving.","controls":[{"id":"GV.RR-01.1","parts":[{"id":"GV.RR-01.1_smt","name":"statement","prose":"The organisation's top management shall be responsible and accountable for cybersecurity risk and shall foster a culture that is risk-aware, ethical, and continually improving."}],"props":[{"name":"label","value":"GV.RR-01.1"},{"name":"sort-id","value":"01-003-011-016"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.RR-01.1"}]},{"id":"GV.RR-02","props":[{"name":"label","value":"GV.RR-02"},{"name":"sort-id","value":"01-003-012"}],"title":"Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced.","controls":[{"id":"GV.RR-02.1","parts":[{"id":"GV.RR-02.1_smt","name":"statement","prose":"Information security and cybersecurity roles, responsibilities and authorities for employees, suppliers, customers, and partners shall be documented, reviewed, authorised, kept up-to-date, communicated, and coordinated internally and externally."}],"props":[{"name":"label","value":"GV.RR-02.1"},{"name":"sort-id","value":"01-003-012-017"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement GV.RR-02.1"},{"id":"GV.RR-02.2","parts":[{"id":"GV.RR-02.2_smt","name":"statement","prose":"The organisation shall appoint a senior-level executive information security officer."}],"props":[{"name":"label","value":"GV.RR-02.2"},{"name":"sort-id","value":"01-003-012-018"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement 
GV.RR-02.2"}]},{"id":"GV.RR-03","props":[{"name":"label","value":"GV.RR-03"},{"name":"sort-id","value":"01-003-013"}],"title":"Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies.","controls":[{"id":"GV.RR-03-1","parts":[{"id":"GV.RR-03-1_smt","name":"statement","prose":"Sufficient resources shall be allocated in line with the cybersecurity risk strategy, roles, responsibilities and policies."}],"props":[{"name":"label","value":"GV.RR-03-1"},{"name":"sort-id","value":"01-003-013-019"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.RR-03-1"},{"id":"GV.RR-03-2","parts":[{"id":"GV.RR-03-2_smt","name":"statement","prose":"The organisation shall assign roles and responsibilities for reviewing and updating response and recovery plans, ensuring they reflect changes in the risk environment and remain effective."}],"props":[{"name":"label","value":"GV.RR-03-2"},{"name":"sort-id","value":"01-003-013-020"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.RR-03-2"}]},{"id":"GV.RR-04","props":[{"name":"label","value":"GV.RR-04"},{"name":"sort-id","value":"01-003-014"}],"title":"Cybersecurity is included in human resources practices.","controls":[{"id":"GV.RR-04.1","parts":[{"id":"GV.RR-04.1_smt","name":"statement","prose":"Personnel with access to the organisation’s most critical information or technology shall be authenticated."}],"props":[{"name":"label","value":"GV.RR-04.1"},{"name":"sort-id","value":"01-003-014-021"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement GV.RR-04.1"},{"id":"GV.RR-04.2","parts":[{"id":"GV.RR-04.2_smt","name":"statement","prose":"A cybersecurity process for human resources shall be developed and maintained applicable at recruitment, during 
employment and at termination of employment."}],"props":[{"name":"label","value":"GV.RR-04.2"},{"name":"sort-id","value":"01-003-014-022"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.RR-04.2"}]}]},{"id":"GV.PO","parts":[{"name":"overview","prose":"Organisational cybersecurity policy is established, communicated, and enforced."}],"props":[{"name":"label","value":"GV.PO"},{"name":"sort-id","value":"01-004"}],"title":"Policy","groups":[{"id":"GV.PO-01","props":[{"name":"label","value":"GV.PO-01"},{"name":"sort-id","value":"01-004-015"}],"title":"Policy for managing cybersecurity risks is established based on Organisational context, cybersecurity strategy, and priorities and is communicated and enforced.","controls":[{"id":"GV.PO-01.1","parts":[{"id":"GV.PO-01.1_smt","name":"statement","prose":"Policies and procedures for managing information and cybersecurity shall be established, documented, reviewed, approved, updated when changes occur, communicated and enforced."}],"props":[{"name":"label","value":"GV.PO-01.1"},{"name":"sort-id","value":"01-004-015-023"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement GV.PO-01.1"},{"id":"GV.PO-01.2","parts":[{"id":"GV.PO-01.2_smt","name":"statement","prose":"Organisational-wide information and cyber security policies and procedures shall include the use of cryptography and, where appropriate, encryption, reflect changes in requirements, threats, technology and organisational roles, and be approved by senior management, who oversee implementation."}],"props":[{"name":"label","value":"GV.PO-01.2"},{"name":"sort-id","value":"01-004-015-024"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.PO-01.2"}]}]},{"id":"GV.OV","parts":[{"name":"overview","prose":"Results of organisation-wide cybersecurity risk management activities and performance are used to inform, improve, and 
adjust the risk management strategy."}],"props":[{"name":"label","value":"GV.OV"},{"name":"sort-id","value":"01-005"}],"title":"Oversight","groups":[{"id":"GV.OV-02","props":[{"name":"label","value":"GV.OV-02"},{"name":"sort-id","value":"01-005-016"}],"title":"The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organisational requirements and risks.","controls":[{"id":"GV.OV-02.1","parts":[{"id":"GV.OV-02.1_smt","name":"statement","prose":"The information and cybersecurity risk management strategy shall be reviewed and adjusted to ensure coverage of organisational requirements and risks."}],"props":[{"name":"label","value":"GV.OV-02.1"},{"name":"sort-id","value":"01-005-016-025"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.OV-02.1"}]},{"id":"GV.OV-03","props":[{"name":"label","value":"GV.OV-03"},{"name":"sort-id","value":"01-005-017"}],"title":"Organisational cybersecurity risk management performance is evaluated and reviewed for adjustments needed.","controls":[{"id":"GV.OV-03.1","parts":[{"id":"GV.OV-03.1_smt","name":"statement","prose":"The organisation's cybersecurity risk management performance shall be evaluated, reviewed and adapted when necessary."}],"props":[{"name":"label","value":"GV.OV-03.1"},{"name":"sort-id","value":"01-005-017-026"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.OV-03.1"}]}]},{"id":"GV.SC","parts":[{"name":"overview","prose":"Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organisational stakeholders."}],"props":[{"name":"label","value":"GV.SC"},{"name":"sort-id","value":"01-006"}],"title":"Cybersecurity Supply Chain Risk 
Management","groups":[{"id":"GV.SC-01","props":[{"name":"label","value":"GV.SC-01"},{"name":"sort-id","value":"01-006-018"}],"title":"A cybersecurity supply chain risk management programme, strategy, objectives, policies, and processes are established and agreed to by organisational stakeholders.","controls":[{"id":"GV.SC-01.1","parts":[{"id":"GV.SC-01.1_smt","name":"statement","prose":"A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes shall be documented, reviewed, updated when changes occur, and approved by organisational stakeholders."}],"props":[{"name":"label","value":"GV.SC-01.1"},{"name":"sort-id","value":"01-006-018-027"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement GV.SC-01.1"}]},{"id":"GV.SC-02","props":[{"name":"label","value":"GV.SC-02"},{"name":"sort-id","value":"01-006-019"}],"title":"Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally.","controls":[{"id":"GV.SC-02.1","parts":[{"id":"GV.SC-02.1_smt","name":"statement","prose":"Third-party providers shall notify any transfer, termination or transition of personnel with physical or logical access to business-critical system elements of the organisation."}],"props":[{"name":"label","value":"GV.SC-02.1"},{"name":"sort-id","value":"01-006-019-028"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.SC-02.1"}]},{"id":"GV.SC-03","props":[{"name":"label","value":"GV.SC-03"},{"name":"sort-id","value":"01-006-020"}],"title":"Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes.","controls":[{"id":"GV.SC-03.1","parts":[{"id":"GV.SC-03.1_smt","name":"statement","prose":"Information- and Cybersecurity supply chain risk management shall be integrated into 
information/cybersecurity and enterprise risk management, risk assessment, and improvement processes."}],"props":[{"name":"label","value":"GV.SC-03.1"},{"name":"sort-id","value":"01-006-020-029"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement GV.SC-03.1"}]},{"id":"GV.SC-05","props":[{"name":"label","value":"GV.SC-05"},{"name":"sort-id","value":"01-006-021"}],"title":"Requirements to address cybersecurity risks in supply chains are established, prioritised, and integrated into contracts and other types of agreements with suppliers and other relevant third parties.","controls":[{"id":"GV.SC-05.1","parts":[{"id":"GV.SC-05.1_smt","name":"statement","prose":"Requirements for addressing cybersecurity risks and the sharing of sensitive information in supply chains shall be established, prioritised, integrated into contracts and other types of formal agreements, and enforced."}],"props":[{"name":"label","value":"GV.SC-05.1"},{"name":"sort-id","value":"01-006-021-030"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.SC-05.1"},{"id":"GV.SC-05.2","parts":[{"id":"GV.SC-05.2_smt","name":"statement","prose":"Contractual information/cybersecurity requirements for suppliers and external partners shall be implemented to ensure a verifiable flaw resolution process and to ensure that deficiencies identified during information/cybersecurity testing and evaluation are remedied."}],"props":[{"name":"label","value":"GV.SC-05.2"},{"name":"sort-id","value":"01-006-021-031"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement GV.SC-05.2"},{"id":"GV.SC-05.3","parts":[{"id":"GV.SC-05.3_smt","name":"statement","prose":"The organisation shall establish contractual requirements permitting the 
organisation to review the information/cybersecurity programmes implemented by suppliers and third-party partners."}],"props":[{"name":"label","value":"GV.SC-05.3"},{"name":"sort-id","value":"01-006-021-032"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement GV.SC-05.3"}]},{"id":"GV.SC-06","props":[{"name":"label","value":"GV.SC-06"},{"name":"sort-id","value":"01-006-022"}],"title":"Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships.","controls":[{"id":"GV.SC-06.1","parts":[{"id":"GV.SC-06.1_smt","name":"statement","prose":"Planning and due diligence shall be carried out to reduce risks before entering into formal relationships with suppliers or other third parties."}],"props":[{"name":"label","value":"GV.SC-06.1"},{"name":"sort-id","value":"01-006-022-033"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement GV.SC-06.1"}]},{"id":"GV.SC-07","props":[{"name":"label","value":"GV.SC-07"},{"name":"sort-id","value":"01-006-023"}],"title":"The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritised, assessed, responded to, and monitored over the course of the relationship.","controls":[{"id":"GV.SC-07.1","parts":[{"id":"GV.SC-07.1_smt","name":"statement","prose":"The risks posed by a supplier, its products and services and other third parties shall be identified, documented, prioritised, mitigated and assessed at least annually and when changes occur during the relationship."}],"props":[{"name":"label","value":"GV.SC-07.1"},{"name":"sort-id","value":"01-006-023-034"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement 
GV.SC-07.1"},{"id":"GV.SC-07.2","parts":[{"id":"GV.SC-07.2_smt","name":"statement","prose":"A documented list of all critical suppliers, vendors and partners of the organisation that may be involved in a major incident shall be established, kept up-to-date and made available online and off-line with due regard to confidentiality and security."}],"props":[{"name":"label","value":"GV.SC-07.2"},{"name":"sort-id","value":"01-006-023-035"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement GV.SC-07.2"},{"id":"GV.SC-07.3","parts":[{"id":"GV.SC-07.3_smt","name":"statement","prose":"The organisation shall audit business-critical third-party service providers for security compliance."}],"props":[{"name":"label","value":"GV.SC-07.3"},{"name":"sort-id","value":"01-006-023-036"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement GV.SC-07.3"},{"id":"GV.SC-07.4","parts":[{"id":"GV.SC-07.4_smt","name":"statement","prose":"The organisation shall ensure conformity with information/cybersecurity contractual obligations by suppliers and third-party partners through regular reviews of independent audits, assessments, and third party evaluations."}],"props":[{"name":"label","value":"GV.SC-07.4"},{"name":"sort-id","value":"01-006-023-037"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement GV.SC-07.4"}]},{"id":"GV.SC-08","props":[{"name":"label","value":"GV.SC-08"},{"name":"sort-id","value":"01-006-024"}],"title":"Relevant suppliers and other third parties are included in incident planning, response, and recovery activities.","controls":[{"id":"GV.SC-08.1","parts":[{"id":"GV.SC-08.1_smt","name":"statement","prose":"The organisation shall identify and document key personnel from relevant suppliers and other third parties to include them in incident planning, response, and recovery 
activities."}],"props":[{"name":"label","value":"GV.SC-08.1"},{"name":"sort-id","value":"01-006-024-038"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement GV.SC-08.1"}]},{"id":"GV.SC-09","props":[{"name":"label","value":"GV.SC-09"},{"name":"sort-id","value":"01-006-025"}],"title":"Supply chain security practices are integrated into cybersecurity and enterprise risk management programmes, and their performance is monitored throughout the technology product and service life cycle.","controls":[{"id":"GV.SC-09.1","parts":[{"id":"GV.SC-09.1_smt","name":"statement","prose":"Supply chain security practices shall be integrated into information/cybersecurity and enterprise risk management programs, and their performance shall be monitored throughout the product and service life cycle."}],"props":[{"name":"label","value":"GV.SC-09.1"},{"name":"sort-id","value":"01-006-025-039"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement GV.SC-09.1"}]},{"id":"GV.SC-010","props":[{"name":"label","value":"GV.SC-010"},{"name":"sort-id","value":"01-006-026"}],"title":"Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement.","controls":[{"id":"GV.SC-10.1","parts":[{"id":"GV.SC-10.1_smt","name":"statement","prose":"Cybersecurity supply chain risk management plans shall include actions and responsibilities for managing risks that may arise after a supplier relationship or service agreement has ended."}],"props":[{"name":"label","value":"GV.SC-10.1"},{"name":"sort-id","value":"01-006-026-040"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement GV.SC-10.1"}]}]}]},{"id":"ID","props":[{"name":"sort-id","value":"02"}],"title":"IDENTIFY","groups":[{"id":"ID.AM","parts":[{"name":"overview","prose":"Assets (e.g., data, hardware, software, systems, 
facilities, services, people) that enable the organisation to achieve business purposes are identified and managed consistent with their relative importance to organisational objectives and the organisation's risk strategy."}],"props":[{"name":"label","value":"ID.AM"},{"name":"sort-id","value":"02-001"}],"title":"Asset Management","groups":[{"id":"ID.AM-01","props":[{"name":"label","value":"ID.AM-01"},{"name":"sort-id","value":"02-001-001"}],"title":"Inventories of hardware managed by the organisation are maintained.","controls":[{"id":"ID.AM-01.1","parts":[{"id":"ID.AM-01.1_smt","name":"statement","prose":"An inventory of physical and virtual infrastructure assets—such as hardware, network devices, and cloud-hosted environments—that support information processing shall be documented, reviewed, and updated as changes occur."}],"props":[{"name":"label","value":"ID.AM-01.1"},{"name":"sort-id","value":"02-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.AM-01.1"},{"id":"ID.AM-01.2","parts":[{"id":"ID.AM-01.2_smt","name":"statement","prose":"The inventory of enterprise assets associated with information and information processing facilities shall reflect changes in the organisation’s context and include all information necessary for effective accountability."}],"props":[{"name":"label","value":"ID.AM-01.2"},{"name":"sort-id","value":"02-001-001-002"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-01.2"},{"id":"ID.AM-01.3","parts":[{"id":"ID.AM-01.3_smt","name":"statement","prose":"When unauthorised hardware is detected, it shall be quarantined for possible exception handling, removed, or replaced, and the inventory shall be updated accordingly."}],"props":[{"name":"label","value":"ID.AM-01.3"},{"name":"sort-id","value":"02-001-001-003"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement 
ID.AM-01.3"},{"id":"ID.AM-01.4","parts":[{"id":"ID.AM-01.4_smt","name":"statement","prose":"Mechanisms for detecting the presence of unauthorised hardware and firmware components within the organisation’s ICT/OT environment shall be identified."}],"props":[{"name":"label","value":"ID.AM-01.4"},{"name":"sort-id","value":"02-001-001-004"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement ID.AM-01.4"}]},{"id":"ID.AM-02","props":[{"name":"label","value":"ID.AM-02"},{"name":"sort-id","value":"02-001-002"}],"title":"Inventories of software, services, and systems managed by the organisation are maintained.","controls":[{"id":"ID.AM-02.1","parts":[{"id":"ID.AM-02.1_smt","name":"statement","prose":"An inventory of software, digital services, and business systems used within the organisation shall be documented, reviewed, and updated as changes occur."}],"props":[{"name":"label","value":"ID.AM-02.1"},{"name":"sort-id","value":"02-001-002-005"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.AM-02.1"},{"id":"ID.AM-02.2","parts":[{"id":"ID.AM-02.2_smt","name":"statement","prose":"The inventory reflecting which software, services and systems are used in the organisation shall reflect changes in the organisation’s context and include all information necessary for effective accountability."}],"props":[{"name":"label","value":"ID.AM-02.2"},{"name":"sort-id","value":"02-001-002-006"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-02.2"},{"id":"ID.AM-02.3","parts":[{"id":"ID.AM-02.3_smt","name":"statement","prose":"The people responsible and accountable for managing software platforms and applications within the organisation shall be formally 
identified."}],"props":[{"name":"label","value":"ID.AM-02.3"},{"name":"sort-id","value":"02-001-002-007"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-02.3"},{"id":"ID.AM-02.4","parts":[{"id":"ID.AM-02.4_smt","name":"statement","prose":"When unauthorised software is detected, it shall be quarantined for possible exception handling, removed, or replaced, and the inventory shall be updated accordingly."}],"props":[{"name":"label","value":"ID.AM-02.4"},{"name":"sort-id","value":"02-001-002-008"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-02.4"},{"id":"ID.AM-02.5","parts":[{"id":"ID.AM-02.5_smt","name":"statement","prose":"Mechanisms for detecting the presence of unauthorised software within the organisation’s ICT/OT environment shall be identified."}],"props":[{"name":"label","value":"ID.AM-02.5"},{"name":"sort-id","value":"02-001-002-009"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement ID.AM-02.5"}]},{"id":"ID.AM-3","props":[{"name":"label","value":"ID.AM-3"},{"name":"sort-id","value":"02-001-003"}],"title":"Representations of the organisation's authorised network communication and internal and external network data flows are maintained.","controls":[{"id":"ID.AM-03-2","parts":[{"id":"ID.AM-03-2_smt","name":"statement","prose":"The organisation's network communication and internal data flows shall be mapped, documented, authorised, and updated when changes occur."}],"props":[{"name":"label","value":"ID.AM-03-2"},{"name":"sort-id","value":"02-001-003-010"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-03-2"},{"id":"ID.AM-03-3","parts":[{"id":"ID.AM-03-3_smt","name":"statement","prose":"The organisation's network communication and external data flows shall be mapped, documented, authorised, and updated when changes 
occur."}],"props":[{"name":"label","value":"ID.AM-03-3"},{"name":"sort-id","value":"02-001-003-011"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement ID.AM-03-3"}]},{"id":"ID.AM-4","props":[{"name":"label","value":"ID.AM-4"},{"name":"sort-id","value":"02-001-004"}],"title":"Inventories of services provided by suppliers are maintained.","controls":[{"id":"ID.AM-04.1","parts":[{"id":"ID.AM-04.1_smt","name":"statement","prose":"The organisation shall keep a clear and up-to-date list of all external services it uses, including how they connect to its systems. These services shall be reviewed and approved before use, and the list shall be updated whenever changes happen."}],"props":[{"name":"label","value":"ID.AM-04.1"},{"name":"sort-id","value":"02-001-004-012"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-04.1"},{"id":"ID.AM-04.2","parts":[{"id":"ID.AM-04.2_smt","name":"statement","prose":"The organisation shall map, document and authorise the flow of information to/from external systems and update the flow when changes occur."}],"props":[{"name":"label","value":"ID.AM-04.2"},{"name":"sort-id","value":"02-001-004-013"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement ID.AM-04.2"}]},{"id":"ID.AM-5","props":[{"name":"label","value":"ID.AM-5"},{"name":"sort-id","value":"02-001-005"}],"title":"Assets are prioritised based on classification, criticality, resources, and impact on the mission","controls":[{"id":"ID.AM-5.1","parts":[{"id":"ID.AM-5.1_smt","name":"statement","prose":"The organisation’s assets shall be prioritised based on classification, criticality, and business 
value."}],"props":[{"name":"label","value":"ID.AM-5.1"},{"name":"sort-id","value":"02-001-005-014"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-5.1"}]},{"id":"ID.AM-07","props":[{"name":"label","value":"ID.AM-07"},{"name":"sort-id","value":"02-001-006"}],"title":"Inventories of data and corresponding metadata for designated data types are maintained","controls":[{"id":"ID.AM-07.1","parts":[{"id":"ID.AM-07.1_smt","name":"statement","prose":"Data that the organisation stores and uses shall be identified."}],"props":[{"name":"label","value":"ID.AM-07.1"},{"name":"sort-id","value":"02-001-006-015"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.AM-07.1"},{"id":"ID.AM-07.2","parts":[{"id":"ID.AM-07.2_smt","name":"statement","prose":"Inventories of data and associated metadata shall be maintained for designated data types."}],"props":[{"name":"label","value":"ID.AM-07.2"},{"name":"sort-id","value":"02-001-006-016"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-07.2"}]},{"id":"ID.AM-08","props":[{"name":"label","value":"ID.AM-08"},{"name":"sort-id","value":"02-001-007"}],"title":"Systems, hardware, software, services, and data are managed throughout their life cycles.","controls":[{"id":"ID.AM-08.2","parts":[{"id":"ID.AM-08.2_smt","name":"statement","prose":"Patches and security updates for operating systems and critical system components shall be installed."}],"props":[{"name":"label","value":"ID.AM-08.2"},{"name":"sort-id","value":"02-001-007-017"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement ID.AM-08.2"},{"id":"ID.AM-08.3","parts":[{"id":"ID.AM-08.3_smt","name":"statement","prose":"The organisation 
shall enforce accountability for all its business-critical assets throughout the system lifecycle, including removal, transfers, and disposal."}],"props":[{"name":"label","value":"ID.AM-08.3"},{"name":"sort-id","value":"02-001-007-018"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-08.3"},{"id":"ID.AM-08.4","parts":[{"id":"ID.AM-08.4_smt","name":"statement","prose":"The organisation shall ensure that the necessary measures are taken to deal with loss, misuse, damage, or theft of assets."}],"props":[{"name":"label","value":"ID.AM-08.4"},{"name":"sort-id","value":"02-001-007-019"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-08.4"},{"id":"ID.AM-08.5","parts":[{"id":"ID.AM-08.5_smt","name":"statement","prose":"The organisation shall ensure that disposal actions are approved, tracked, documented, and verified."}],"props":[{"name":"label","value":"ID.AM-08.5"},{"name":"sort-id","value":"02-001-007-020"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement ID.AM-08.5"},{"id":"ID.AM-08.6","parts":[{"id":"ID.AM-08.6_smt","name":"statement","prose":"The organisation shall plan, perform and document preventive maintenance and repairs on its critical system components according to approved processes and tools."}],"props":[{"name":"label","value":"ID.AM-08.6"},{"name":"sort-id","value":"02-001-007-021"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-08.6"},{"id":"ID.AM-08.7","parts":[{"id":"ID.AM-08.7_smt","name":"statement","prose":"The organisation should prevent unauthorised removal of maintenance equipment which contains critical system information of the 
organisation."}],"props":[{"name":"label","value":"ID.AM-08.7"},{"name":"sort-id","value":"02-001-007-022"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement ID.AM-08.7"},{"id":"ID.AM-08.8","parts":[{"id":"ID.AM-08.8_smt","name":"statement","prose":"The organisation should pre-approve, monitor and enforce maintenance tools for use on its critical systems."}],"props":[{"name":"label","value":"ID.AM-08.8"},{"name":"sort-id","value":"02-001-007-023"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-08.8"},{"id":"ID.AM-08.9","parts":[{"id":"ID.AM-08.9_smt","name":"statement","prose":"Maintenance tools and portable storage devices shall be inspected as they enter the facility and shall be protected by anti-malware solutions that scan them for malicious code before they are used on the organisation's systems."}],"props":[{"name":"label","value":"ID.AM-08.9"},{"name":"sort-id","value":"02-001-007-024"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement ID.AM-08.9"},{"id":"ID.AM-08.10","parts":[{"id":"ID.AM-08.10_smt","name":"statement","prose":"The organisation shall verify security controls following maintenance or repairs/patching, and take action as appropriate."}],"props":[{"name":"label","value":"ID.AM-08.10"},{"name":"sort-id","value":"02-001-007-025"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement ID.AM-08.10"},{"id":"ID.AM-08.11","parts":[{"id":"ID.AM-08.11_smt","name":"statement","prose":"Remote maintenance and diagnostic activities of organisational assets shall be pre-approved and the performance 
logged."}],"props":[{"name":"label","value":"ID.AM-08.11"},{"name":"sort-id","value":"02-001-007-026"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-08.11"},{"id":"ID.AM-08.12","parts":[{"id":"ID.AM-08.12_smt","name":"statement","prose":"Setting up non-local maintenance and diagnostic sessions over remote network connections shall require strong authenticators and these connections shall be terminated when non-local maintenance is completed."}],"props":[{"name":"label","value":"ID.AM-08.12"},{"name":"sort-id","value":"02-001-007-027"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-08.12"},{"id":"ID.AM-08.13","parts":[{"id":"ID.AM-08.13_smt","name":"statement","prose":"The organisation shall require remote maintenance diagnostic services to be performed from a system that implements security features similar to the security features implemented on the equivalent organisation's critical system."}],"props":[{"name":"label","value":"ID.AM-08.13"},{"name":"sort-id","value":"02-001-007-028"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement ID.AM-08.13"}]}]},{"id":"ID.RA","parts":[{"name":"overview","prose":"The cybersecurity risk to the organisation, assets, and individuals is understood by the organisation."}],"props":[{"name":"label","value":"ID.RA"},{"name":"sort-id","value":"02-002"}],"title":"Risk Assessment","groups":[{"id":"ID.RA-01","props":[{"name":"label","value":"ID.RA-01"},{"name":"sort-id","value":"02-002-008"}],"title":"Vulnerabilities in assets are identified, validated, and recorded.","controls":[{"id":"ID.RA-01.1","parts":[{"id":"ID.RA-01.1_smt","name":"statement","prose":"Threats and vulnerabilities shall be identified in all relevant assets, including software, network and system architectures, and facilities that house critical computing 
assets."}],"props":[{"name":"label","value":"ID.RA-01.1"},{"name":"sort-id","value":"02-002-008-029"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.RA-01.1"},{"id":"ID.RA-01.2","parts":[{"id":"ID.RA-01.2_smt","name":"statement","prose":"A process shall be established to continuously monitor, identify, and document vulnerabilities of the organisation's business critical systems."}],"props":[{"name":"label","value":"ID.RA-01.2"},{"name":"sort-id","value":"02-002-008-030"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.RA-01.2"},{"id":"ID.RA-01.3","parts":[{"id":"ID.RA-01.3_smt","name":"statement","prose":"The organisation shall establish and maintain a documented process that enables continuous review, analysis and remediation of vulnerabilities and makes information sharing possible, where applicable."}],"props":[{"name":"label","value":"ID.RA-01.3"},{"name":"sort-id","value":"02-002-008-031"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.RA-01.3"},{"id":"ID.RA-01.4","parts":[{"id":"ID.RA-01.4_smt","name":"statement","prose":"To ensure that the organisation's operations are not adversely affected by the testing process, performance/load testing and penetration testing on the organisation’s systems shall be carried out with care."}],"props":[{"name":"label","value":"ID.RA-01.4"},{"name":"sort-id","value":"02-002-008-032"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement ID.RA-01.4"},{"id":"ID.RA-01.5","parts":[{"id":"ID.RA-01.5_smt","name":"statement","prose":"Vulnerability scanning shall not adversely impact system functions."}],"props":[{"name":"label","value":"ID.RA-01.5"},{"name":"sort-id","value":"02-002-008-033"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement 
ID.RA-01.5"},{"id":"ID.RA-01.6","parts":[{"id":"ID.RA-01.6_smt","name":"statement","prose":"Vulnerabilities shall be identified and managed in all relevant assets, including software, network and system architectures, and facilities."}],"props":[{"name":"label","value":"ID.RA-01.6"},{"name":"sort-id","value":"02-002-008-034"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.RA-01.6"}]},{"id":"ID.RA-02","props":[{"name":"label","value":"ID.RA-02"},{"name":"sort-id","value":"02-002-009"}],"title":"Cyber threat intelligence is received from information sharing forums and sources.","controls":[{"id":"ID.RA-02.1","parts":[{"id":"ID.RA-02.1_smt","name":"statement","prose":"A threat and vulnerability awareness programme that includes a cross-organisation information-sharing capability shall be implemented."}],"props":[{"name":"label","value":"ID.RA-02.1"},{"name":"sort-id","value":"02-002-009-035"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.RA-02.1"},{"id":"ID.RA-02.2","parts":[{"id":"ID.RA-02.2_smt","name":"statement","prose":"Automated mechanisms shall be implemented to disseminate security alerts and advisories to relevant organisation stakeholders."}],"props":[{"name":"label","value":"ID.RA-02.2"},{"name":"sort-id","value":"02-002-009-036"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement ID.RA-02.2"}]},{"id":"ID.RA-03","props":[{"name":"label","value":"ID.RA-03"},{"name":"sort-id","value":"02-002-010"}],"title":"Internal and external threats to the organisation are identified and recorded","controls":[{"id":"ID.RA-03.1","parts":[{"id":"ID.RA-03.1_smt","name":"statement","prose":"Threats shall be identified and assessed in relation to all relevant assets, including software, network and system architectures, and 
facilities."}],"props":[{"name":"label","value":"ID.RA-03.1"},{"name":"sort-id","value":"02-002-010-037"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.RA-03.1"}]},{"id":"ID.RA-05","props":[{"name":"label","value":"ID.RA-05"},{"name":"sort-id","value":"02-002-011"}],"title":"Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritisation.","controls":[{"id":"ID.RA-05.1","parts":[{"id":"ID.RA-05.1_smt","name":"statement","prose":"The organisation shall conduct risk assessments in which risk is determined by threats, vulnerabilities and the impact on business processes and assets."}],"props":[{"name":"label","value":"ID.RA-05.1"},{"name":"sort-id","value":"02-002-011-038"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.RA-05.1"},{"id":"ID.RA-05.2","parts":[{"id":"ID.RA-05.2_smt","name":"statement","prose":"The organisation shall conduct and document risk assessments in which risk is determined by threats, vulnerabilities, impact on business processes and assets, and likelihood of their occurrence."}],"props":[{"name":"label","value":"ID.RA-05.2"},{"name":"sort-id","value":"02-002-011-039"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement ID.RA-05.2"},{"id":"ID.RA-05.3","parts":[{"id":"ID.RA-05.3_smt","name":"statement","prose":"Risk assessment results shall be disseminated to relevant stakeholders."}],"props":[{"name":"label","value":"ID.RA-05.3"},{"name":"sort-id","value":"02-002-011-040"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement 
ID.RA-05.3"}]},{"id":"ID.RA-06","props":[{"name":"label","value":"ID.RA-06"},{"name":"sort-id","value":"02-002-012"}],"title":"Risk responses are chosen, prioritised, planned, tracked, and communicated.","controls":[{"id":"ID.RA-06.1","parts":[{"id":"ID.RA-06.1_smt","name":"statement","prose":"Risk responses shall be identified, prioritised, planned, tracked and communicated."}],"props":[{"name":"label","value":"ID.RA-06.1"},{"name":"sort-id","value":"02-002-012-041"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.RA-06.1"}]},{"id":"ID.RA-08","props":[{"name":"label","value":"ID.RA-08"},{"name":"sort-id","value":"02-002-013"}],"title":"Processes for receiving, analysing, and responding to vulnerability disclosures are established.","controls":[{"id":"ID.RA-08.1","parts":[{"id":"ID.RA-08.1_smt","name":"statement","prose":"The organisation shall establish and implement a vulnerability management plan to identify, analyse, assess, mitigate and communicate all types of vulnerabilities including in the form of a Coordinated Vulnerability Disclosure (CVD) according to applicable legal modalities."}],"props":[{"name":"label","value":"ID.RA-08.1"},{"name":"sort-id","value":"02-002-013-042"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement ID.RA-08.1"},{"id":"ID.RA-08.2","parts":[{"id":"ID.RA-08.2_smt","name":"statement","prose":"The organisation shall implement automated mechanisms for disseminating and tracking remedial measures related to vulnerability information that automatically handles vulnerability data collection, disseminates information, tracks remedial measures, includes reporting and accountability, and enables continuous 
monitoring."}],"props":[{"name":"label","value":"ID.RA-08.2"},{"name":"sort-id","value":"02-002-013-043"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement ID.RA-08.2"}]}]},{"id":"ID.IM","parts":[{"name":"overview","prose":"Improvements to organisational cybersecurity risk management processes, procedures and activities are identified across all CyFun® functions."}],"props":[{"name":"label","value":"ID.IM"},{"name":"sort-id","value":"02-003"}],"title":"Improvement","groups":[{"id":"ID.IM-02","props":[{"name":"label","value":"ID.IM-02"},{"name":"sort-id","value":"02-003-014"}],"title":"Improvements are identified from security tests and exercises, including those made in coordination with suppliers and relevant third parties.","controls":[{"id":"ID.IM-02.1","parts":[{"id":"ID.IM-02.1_smt","name":"statement","prose":"Security tests and exercises, including those conducted with suppliers and relevant third parties, shall be used to identify areas for improvement."}],"props":[{"name":"label","value":"ID.IM-02.1"},{"name":"sort-id","value":"02-003-014-044"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.IM-02.1"}]},{"id":"ID.IM-03","props":[{"name":"label","value":"ID.IM-03"},{"name":"sort-id","value":"02-003-015"}],"title":"Improvements are identified from execution of operational processes, procedures, and activities.","controls":[{"id":"ID.IM-03.1","parts":[{"id":"ID.IM-03.1_smt","name":"statement","prose":"The organisation shall conduct risk assessments in which risk is determined by threats, vulnerabilities and the impact on business processes and assets."}],"props":[{"name":"label","value":"ID.IM-03.1"},{"name":"sort-id","value":"02-003-015-045"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.IM-03.1"},{"id":"ID.IM-03.2","parts":[{"id":"ID.IM-03.2_smt","name":"statement","prose":"The organisation shall 
incorporate lessons learned from incident handling activities into updated or new incident handling processes and/or procedures that are framed by appropriate training after review, approval and testing."}],"props":[{"name":"label","value":"ID.IM-03.2"},{"name":"sort-id","value":"02-003-015-046"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.IM-03.2"},{"id":"ID.IM-03.3","parts":[{"id":"ID.IM-03.3_smt","name":"statement","prose":"The organisation shall identify improvements derived from the monitoring, measurements, assessments, and lessons learned and consequently translate this into improved processes / procedures / technologies to enhance its cyber resilience (continuous improvement)."}],"props":[{"name":"label","value":"ID.IM-03.3"},{"name":"sort-id","value":"02-003-015-047"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement ID.IM-03.3"},{"id":"ID.IM-03.4","parts":[{"id":"ID.IM-03.4_smt","name":"statement","prose":"The organisation shall collaborate and share information about its critical system's related security incidents and mitigation measures with designated partners."}],"props":[{"name":"label","value":"ID.IM-03.4"},{"name":"sort-id","value":"02-003-015-048"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.IM-03.4"},{"id":"ID.IM-03.5","parts":[{"id":"ID.IM-03.5_smt","name":"statement","prose":"Communication of effectiveness of protection technologies shall be shared with relevant stakeholders."}],"props":[{"name":"label","value":"ID.IM-03.5"},{"name":"sort-id","value":"02-003-015-049"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.IM-03.5"},{"id":"ID.IM-03.6","parts":[{"id":"ID.IM-03.6_smt","name":"statement","prose":"The organisation shall implement, where 
feasible, automated mechanisms to facilitate the process of information sharing and collaboration."}],"props":[{"name":"label","value":"ID.IM-03.6"},{"name":"sort-id","value":"02-003-015-050"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.IM-03.6"},{"id":"ID.IM-03.7","parts":[{"id":"ID.IM-03.7_smt","name":"statement","prose":"The organisation shall implement independent teams to assess its processes, best practices, and technology solutions to safeguard critical systems and assets."}],"props":[{"name":"label","value":"ID.IM-03.7"},{"name":"sort-id","value":"02-003-015-051"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement ID.IM-03.7"},{"id":"ID.IM-03.8","parts":[{"id":"ID.IM-03.8_smt","name":"statement","prose":"The organisation shall ensure that the security plan for its critical systems facilitates the review, testing, and continual improvement of the security protection processes."}],"props":[{"name":"label","value":"ID.IM-03.8"},{"name":"sort-id","value":"02-003-015-052"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement ID.IM-03.8"},{"id":"ID.IM-03.9","parts":[{"id":"ID.IM-03.9_smt","name":"statement","prose":"The organisation shall conduct specialised assessments including in-depth monitoring, vulnerability scanning, malicious user testing, insider threat assessment, performance/load testing, and verification and validation testing on the organisation's critical systems."}],"props":[{"name":"label","value":"ID.IM-03.9"},{"name":"sort-id","value":"02-003-015-053"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement ID.IM-03.9"}]},{"id":"ID.IM-04","props":[{"name":"label","value":"ID.IM-04"},{"name":"sort-id","value":"02-003-016"}],"title":"Incident response plans and other 
cybersecurity plans that affect operations are established, communicated, maintained, and improved.","controls":[{"id":"ID.IM-04.1","parts":[{"id":"ID.IM-04.1_smt","name":"statement","prose":"Contingency and continuity plans shall be established, communicated, maintained, tested, validated, and improved."}],"props":[{"name":"label","value":"ID.IM-04.1"},{"name":"sort-id","value":"02-003-016-054"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement ID.IM-04.1"},{"id":"ID.IM-04.2","parts":[{"id":"ID.IM-04.2_smt","name":"statement","prose":"The organisation shall coordinate the development and testing of Incident Response Plans and other cybersecurity plans that affect operations with stakeholders to ensure that these plans align with overall organisational goals and enhance resilience."}],"props":[{"name":"label","value":"ID.IM-04.2"},{"name":"sort-id","value":"02-003-016-055"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement ID.IM-04.2"}]}]}]},{"id":"PR","props":[{"name":"sort-id","value":"03"}],"title":"PROTECT","groups":[{"id":"PR.AA","parts":[{"name":"overview","prose":"Access to physical and logical assets is limited to authorised users, services, and hardware and managed commensurate with the assessed risk of unauthorised access."}],"props":[{"name":"label","value":"PR.AA"},{"name":"sort-id","value":"03-001"}],"title":"Identity Management, Authentication, and Access Control","groups":[{"id":"PR.AA-01","props":[{"name":"label","value":"PR.AA-01"},{"name":"sort-id","value":"03-001-001"}],"title":"Identities and credentials for authorised users, services, and hardware are managed by the organisation.","controls":[{"id":"PR.AA-01.1","parts":[{"id":"PR.AA-01.1_smt","name":"statement","prose":"Identities and 
credentials for authorised users, services, and hardware shall be managed."}],"props":[{"name":"label","value":"PR.AA-01.1"},{"name":"sort-id","value":"03-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-01.1"},{"id":"PR.AA-01.2","parts":[{"id":"PR.AA-01.2_smt","name":"statement","prose":"Identities and credentials for authorised users, services and hardware shall be managed through automated mechanisms whenever feasible."}],"props":[{"name":"label","value":"PR.AA-01.2"},{"name":"sort-id","value":"03-001-001-002"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AA-01.2"},{"id":"PR.AA-01.3","parts":[{"id":"PR.AA-01.3_smt","name":"statement","prose":"System credentials shall be deactivated following a specified period of inactivity, unless this would compromise the safe operation of (critical) processes."}],"props":[{"name":"label","value":"PR.AA-01.3"},{"name":"sort-id","value":"03-001-001-003"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.AA-01.3"},{"id":"PR.AA-01.4","parts":[{"id":"PR.AA-01.4_smt","name":"statement","prose":"For transactions within the organisation's critical systems, the organisation shall implement Multi Factor Authentication (MFA), cryptographic certificates, identity tokens, cryptographic keys and other credentials as appropriate and where feasible."}],"props":[{"name":"label","value":"PR.AA-01.4"},{"name":"sort-id","value":"03-001-001-004"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.AA-01.4"},{"id":"PR.AA-01.5","parts":[{"id":"PR.AA-01.5_smt","name":"statement","prose":"The organisation’s critical systems shall be monitored for atypical use of system credentials. 
Credentials associated with significant risk shall be disabled."}],"props":[{"name":"label","value":"PR.AA-01.5"},{"name":"sort-id","value":"03-001-001-005"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.AA-01.5"}]},{"id":"PR.AA-02","props":[{"name":"label","value":"PR.AA-02"},{"name":"sort-id","value":"03-001-002"}],"title":"Identities are proofed and bound to credentials based on the context of interactions.","controls":[{"id":"PR.AA-02.1","parts":[{"id":"PR.AA-02.1_smt","name":"statement","prose":"The organisation shall implement documented procedures for verifying the identity of individuals before issuing credentials that provide access to the organisation's systems."}],"props":[{"name":"label","value":"PR.AA-02.1"},{"name":"sort-id","value":"03-001-002-006"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AA-02.1"},{"id":"PR.AA-02.2","parts":[{"id":"PR.AA-02.2_smt","name":"statement","prose":"The organisation shall ensure that unique credentials are used for each authenticated user, device, and process interacting with the organisation's critical systems. These credentials shall be verified, and the unique identifiers shall be captured during system interactions. 
Exceptions may be made for emergency access (\"break-glass\" procedures), provided such access is strictly controlled, logged, and reviewed."}],"props":[{"name":"label","value":"PR.AA-02.2"},{"name":"sort-id","value":"03-001-002-007"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.AA-02.2"}]},{"id":"PR.AA-03","props":[{"name":"label","value":"PR.AA-03"},{"name":"sort-id","value":"03-001-003"}],"title":"Users, services, and hardware are authenticated.","controls":[{"id":"PR.AA-03.1","parts":[{"id":"PR.AA-03.1_smt","name":"statement","prose":"All wireless access points used by the organisation, including those providing guest access, shall be securely configured, managed, and monitored to prevent unauthorised access and ensure network integrity."}],"props":[{"name":"label","value":"PR.AA-03.1"},{"name":"sort-id","value":"03-001-003-008"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.AA-03.1"},{"id":"PR.AA-03.2","parts":[{"id":"PR.AA-03.2_smt","name":"statement","prose":"Multi-Factor Authentication (MFA) shall be required to access the organisation's networks remotely."}],"props":[{"name":"label","value":"PR.AA-03.2"},{"name":"sort-id","value":"03-001-003-009"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-03.2"},{"id":"PR.AA-03.3","parts":[{"id":"PR.AA-03.3_smt","name":"statement","prose":"The organisation shall define, document, and implement usage restrictions, connection requirements, and authorisation procedures for remote access to its critical systems. 
These controls shall ensure that only approved users can connect, using secure methods, with access limited to what is necessary for their role."}],"props":[{"name":"label","value":"PR.AA-03.3"},{"name":"sort-id","value":"03-001-003-010"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-03.3"},{"id":"PR.AA-03.4","parts":[{"id":"PR.AA-03.4_smt","name":"statement","prose":"Remote access to the organisation’s critical systems shall be monitored and cryptographic mechanisms shall be implemented where determined necessary."}],"props":[{"name":"label","value":"PR.AA-03.4"},{"name":"sort-id","value":"03-001-003-011"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.AA-03.4"},{"id":"PR.AA-03.5","parts":[{"id":"PR.AA-03.5_smt","name":"statement","prose":"The security for connections with external systems shall be verified and framed by documented agreements."}],"props":[{"name":"label","value":"PR.AA-03.5"},{"name":"sort-id","value":"03-001-003-012"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.AA-03.5"}]},{"id":"PR.AA-04","props":[{"name":"label","value":"PR.AA-04"},{"name":"sort-id","value":"03-001-004"}],"title":"Identity assertions are protected, conveyed, and verified.","controls":[{"id":"PR.AA-04.1","parts":[{"id":"PR.AA-04.1_smt","name":"statement","prose":"Identity assertions are protected, conveyed, and verified."}],"props":[{"name":"label","value":"PR.AA-04.1"},{"name":"sort-id","value":"03-001-004-013"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.AA-04.1"}]},{"id":"PR.AA-05","props":[{"name":"label","value":"PR.AA-05"},{"name":"sort-id","value":"03-001-005"}],"title":"Access permissions, entitlements, and authorisations are defined in a policy, managed, enforced, 
and reviewed, and incorporate the principles of least privilege and separation of duties.","controls":[{"id":"PR.AA-05.1","parts":[{"id":"PR.AA-05.1_smt","name":"statement","prose":"Access permissions, rights, and authorisations shall be defined, managed, enforced and reviewed."}],"props":[{"name":"label","value":"PR.AA-05.1"},{"name":"sort-id","value":"03-001-005-014"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-05.1"},{"id":"PR.AA-05.2","parts":[{"id":"PR.AA-05.2_smt","name":"statement","prose":"It shall be determined who needs access to the organisation's business-critical information and technology and the means to gain access."}],"props":[{"name":"label","value":"PR.AA-05.2"},{"name":"sort-id","value":"03-001-005-015"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-05.2"},{"id":"PR.AA-05.3","parts":[{"id":"PR.AA-05.3_smt","name":"statement","prose":"Access rights, privileges and authorisations must be restricted to the systems and specific information needed to perform the tasks (the principle of Least Privilege)."}],"props":[{"name":"label","value":"PR.AA-05.3"},{"name":"sort-id","value":"03-001-005-016"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-05.3"},{"id":"PR.AA-05.4","parts":[{"id":"PR.AA-05.4_smt","name":"statement","prose":"No-one shall have administrative privileges for routine day-to-day tasks."}],"props":[{"name":"label","value":"PR.AA-05.4"},{"name":"sort-id","value":"03-001-005-017"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement 
PR.AA-05.4"},{"id":"PR.AA-05.5","parts":[{"id":"PR.AA-05.5_smt","name":"statement","prose":"Where technically, operationally, and economically feasible—without compromising system integrity, safety, or compliance—automated mechanisms shall be implemented to manage user accounts on critical ICT and OT systems. Feasibility shall be determined based on system capabilities, integration potential, risk assessment, and business impact."}],"props":[{"name":"label","value":"PR.AA-05.5"},{"name":"sort-id","value":"03-001-005-018"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AA-05.5"},{"id":"PR.AA-05.6","parts":[{"id":"PR.AA-05.6_smt","name":"statement","prose":"Separation of duties (SoD) shall be ensured in the management of access rights."}],"props":[{"name":"label","value":"PR.AA-05.6"},{"name":"sort-id","value":"03-001-005-019"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AA-05.6"},{"id":"PR.AA-05.7","parts":[{"id":"PR.AA-05.7_smt","name":"statement","prose":"Privileged users shall be managed and monitored."}],"props":[{"name":"label","value":"PR.AA-05.7"},{"name":"sort-id","value":"03-001-005-020"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AA-05.7"},{"id":"PR.AA-05.8","parts":[{"id":"PR.AA-05.8_smt","name":"statement","prose":"Account usage restrictions for specific time periods and locations shall be taken into account in the organisation's security access policy and applied accordingly."}],"props":[{"name":"label","value":"PR.AA-05.8"},{"name":"sort-id","value":"03-001-005-021"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.AA-05.8"},{"id":"PR.AA-05.9","parts":[{"id":"PR.AA-05.9_smt","name":"statement","prose":"Privileged users shall be managed, monitored and 
audited."}],"props":[{"name":"label","value":"PR.AA-05.9"},{"name":"sort-id","value":"03-001-005-022"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.AA-05.9"}]},{"id":"PR.AA-06","props":[{"name":"label","value":"PR.AA-06"},{"name":"sort-id","value":"03-001-006"}],"title":"Physical access to assets is managed, monitored, and enforced commensurate with risk.","controls":[{"id":"PR.AA-06.1","parts":[{"id":"PR.AA-06.1_smt","name":"statement","prose":"Physical access to all organisational assets, including critical zones, should be managed, monitored, and enforced based on risk."}],"props":[{"name":"label","value":"PR.AA-06.1"},{"name":"sort-id","value":"03-001-006-023"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.AA-06.1"},{"id":"PR.AA-06.2","parts":[{"id":"PR.AA-06.2_smt","name":"statement","prose":"Physical access controls should include specific procedures for emergency situations, ensuring continued protection of critical and non-critical assets during such events."}],"props":[{"name":"label","value":"PR.AA-06.2"},{"name":"sort-id","value":"03-001-006-024"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AA-06.2"},{"id":"PR.AA-06.3","parts":[{"id":"PR.AA-06.3_smt","name":"statement","prose":"Critical zones should have additional physical access controls beyond those applied to general facilities."}],"props":[{"name":"label","value":"PR.AA-06.3"},{"name":"sort-id","value":"03-001-006-025"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.AA-06.3"},{"id":"PR.AA-06.4","parts":[{"id":"PR.AA-06.4_smt","name":"statement","prose":"Assets located within critical zones should be physically protected against unauthorised access, damage, or 
interference."}],"props":[{"name":"label","value":"PR.AA-06.4"},{"name":"sort-id","value":"03-001-006-026"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.AA-06.4"}]}]},{"id":"PR.AT","parts":[{"name":"overview","prose":"The organisation's personnel are provided with cybersecurity awareness and training, so that they can perform their cybersecurity-related tasks"}],"props":[{"name":"label","value":"PR.AT"},{"name":"sort-id","value":"03-002"}],"title":"Awareness and Training","groups":[{"id":"PR.AT-01","props":[{"name":"label","value":"PR.AT-01"},{"name":"sort-id","value":"03-002-007"}],"title":"Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind","controls":[{"id":"PR.AT-01.1","parts":[{"id":"PR.AT-01.1_smt","name":"statement","prose":"The organisation shall establish and maintain a cybersecurity awareness and training programme to ensure that all personnel understand how to perform their tasks securely and responsibly."}],"props":[{"name":"label","value":"PR.AT-01.1"},{"name":"sort-id","value":"03-002-007-027"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.AT-01.1"},{"id":"PR.AT-01.2","parts":[{"id":"PR.AT-01.2_smt","name":"statement","prose":"The organisation shall include insider threat awareness and reporting in its cybersecurity training to help personnel recognise and respond to potential internal risks."}],"props":[{"name":"label","value":"PR.AT-01.2"},{"name":"sort-id","value":"03-002-007-028"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AT-01.2"},{"id":"PR.AT-01.3","parts":[{"id":"PR.AT-01.3_smt","name":"statement","prose":"Personnel shall receive training to understand their specific roles, responsibilities, and priorities during a cybersecurity or information security incident, 
including the steps they need to follow to respond effectively."}],"props":[{"name":"label","value":"PR.AT-01.3"},{"name":"sort-id","value":"03-002-007-029"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AT-01.3"},{"id":"PR.AT-01.4","parts":[{"id":"PR.AT-01.4_smt","name":"statement","prose":"The organisation shall evaluate whether its cybersecurity awareness training is effective in improving knowledge, behaviour, and readiness across the organisation."}],"props":[{"name":"label","value":"PR.AT-01.4"},{"name":"sort-id","value":"03-002-007-030"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.AT-01.4"}]},{"id":"PR.AT-02","props":[{"name":"label","value":"PR.AT-02"},{"name":"sort-id","value":"03-002-008"}],"title":"Individuals in specialised roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind.","controls":[{"id":"PR.AT-02.1","parts":[{"id":"PR.AT-02.1_smt","name":"statement","prose":"Members of management bodies shall be able to demonstrate that they have completed training that gives them a solid understanding of information and cybersecurity and risk management so that they can assess information and cyber security risks and their consequences and propose the necessary risk mitigation, considering their roles, responsibilities and authorities."}],"props":[{"name":"label","value":"PR.AT-02.1"},{"name":"sort-id","value":"03-002-008-031"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AT-02.1"},{"id":"PR.AT-02.2","parts":[{"id":"PR.AT-02.2_smt","name":"statement","prose":"Individuals in specialised roles shall be provided with awareness and training before privileges are granted, so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in 
mind."}],"props":[{"name":"label","value":"PR.AT-02.2"},{"name":"sort-id","value":"03-002-008-032"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AT-02.2"},{"id":"PR.AT-02.3","parts":[{"id":"PR.AT-02.3_smt","name":"statement","prose":"Privileged users shall be qualified before privileges are granted, and these users shall be able to demonstrate the understanding of their roles, responsibilities, and authorities."}],"props":[{"name":"label","value":"PR.AT-02.3"},{"name":"sort-id","value":"03-002-008-033"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.AT-02.3"}]}]},{"id":"PR.DS","parts":[{"name":"overview","prose":"Data are managed consistent with the organisation's risk strategy to protect the confidentiality, integrity, and availability of information"}],"props":[{"name":"label","value":"PR.DS"},{"name":"sort-id","value":"03-003"}],"title":"Data Security","groups":[{"id":"PR.DS-01","props":[{"name":"label","value":"PR.DS-01"},{"name":"sort-id","value":"03-003-009"}],"title":"The confidentiality, integrity, and availability of data-at-rest are protected.","controls":[{"id":"PR.DS-01.1","parts":[{"id":"PR.DS-01.1_smt","name":"statement","prose":"The organisation shall implement software, firmware, and information integrity checks to detect unauthorised changes to its critical system components during storage, transport, start-up and when determined necessary."}],"props":[{"name":"label","value":"PR.DS-01.1"},{"name":"sort-id","value":"03-003-009-034"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.DS-01.1"},{"id":"PR.DS-01.2","parts":[{"id":"PR.DS-01.2_smt","name":"statement","prose":"The organisation shall implement automated tools where feasible to provide notification upon discovering discrepancies during integrity 
verification."}],"props":[{"name":"label","value":"PR.DS-01.2"},{"name":"sort-id","value":"03-003-009-035"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.DS-01.2"},{"id":"PR.DS-01.3","parts":[{"id":"PR.DS-01.3_smt","name":"statement","prose":"The organisation shall define and implement automated responses to detected integrity violations, using predefined safeguards that are proportionate to the severity and impact of the violation."}],"props":[{"name":"label","value":"PR.DS-01.3"},{"name":"sort-id","value":"03-003-009-036"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.DS-01.3"},{"id":"PR.DS-01.4","parts":[{"id":"PR.DS-01.4_smt","name":"statement","prose":"The organisation shall define and enforce clear policies and practical safeguards to manage and restrict the use of portable storage media, in order to reduce the risk of data leakage, unauthorised access, and malware introduction."}],"props":[{"name":"label","value":"PR.DS-01.4"},{"name":"sort-id","value":"03-003-009-037"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.DS-01.4"},{"id":"PR.DS-01.5","parts":[{"id":"PR.DS-01.5_smt","name":"statement","prose":"The organisation shall only allow the use of removable media when absolutely necessary, and shall put technical measures in place to block automatic execution of files from these devices."}],"props":[{"name":"label","value":"PR.DS-01.5"},{"name":"sort-id","value":"03-003-009-038"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.DS-01.5"},{"id":"PR.DS-01.6","parts":[{"id":"PR.DS-01.6_smt","name":"statement","prose":"The organisation shall protect the confidentiality of its critical assets while at 
rest."}],"props":[{"name":"label","value":"PR.DS-01.6"},{"name":"sort-id","value":"03-003-009-039"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.DS-01.6"},{"id":"PR.DS-01.9","parts":[{"id":"PR.DS-01.9_smt","name":"statement","prose":"Enterprise assets shall be disposed of safely."}],"props":[{"name":"label","value":"PR.DS-01.9"},{"name":"sort-id","value":"03-003-009-040"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.DS-01.9"}]},{"id":"PR.DS-02","props":[{"name":"label","value":"PR.DS-02"},{"name":"sort-id","value":"03-003-010"}],"title":"The confidentiality, integrity, and availability of data-in-transit are protected.","controls":[{"id":"PR.DS-02.1","parts":[{"id":"PR.DS-02.1_smt","name":"statement","prose":"Portable storage devices containing system data shall be controlled and protected while in transit and in storage."}],"props":[{"name":"label","value":"PR.DS-02.1"},{"name":"sort-id","value":"03-003-010-041"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.DS-02.1"},{"id":"PR.DS-02.2","parts":[{"id":"PR.DS-02.2_smt","name":"statement","prose":"The organisation shall protect its critical and sensitive information while in transit."}],"props":[{"name":"label","value":"PR.DS-02.2"},{"name":"sort-id","value":"03-003-010-042"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.DS-02.2"}]},{"id":"PR.DS-10","props":[{"name":"label","value":"PR.DS-10"},{"name":"sort-id","value":"03-003-011"}],"title":"The confidentiality, integrity, and availability of data-in-use are protected.","controls":[{"id":"PR.DS-10.1","parts":[{"id":"PR.DS-10.1_smt","name":"statement","prose":"The organisation’s critical systems shall be protected against denial-of-service attacks or at least the effect 
of such attacks shall be limited."}],"props":[{"name":"label","value":"PR.DS-10.1"},{"name":"sort-id","value":"03-003-011-043"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.DS-10.1"}]},{"id":"PR.DS-11","props":[{"name":"label","value":"PR.DS-11"},{"name":"sort-id","value":"03-003-012"}],"title":"Backups of data are created, protected, maintained, and tested.","controls":[{"id":"PR.DS-11.1","parts":[{"id":"PR.DS-11.1_smt","name":"statement","prose":"Backups for the organisation's business critical data shall be performed and stored on a different system from the device on which the original data resides."}],"props":[{"name":"label","value":"PR.DS-11.1"},{"name":"sort-id","value":"03-003-012-044"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.DS-11.1"},{"id":"PR.DS-11.2","parts":[{"id":"PR.DS-11.2_smt","name":"statement","prose":"The reliability and integrity of backups shall be verified and tested regularly."}],"props":[{"name":"label","value":"PR.DS-11.2"},{"name":"sort-id","value":"03-003-012-045"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.DS-11.2"},{"id":"PR.DS-11.3","parts":[{"id":"PR.DS-11.3_smt","name":"statement","prose":"The organisation shall maintain secure backups of business-critical data in a separate storage location to ensure data availability in case of system failure or data loss. 
Backup storage shall apply equivalent security controls as the primary environment."}],"props":[{"name":"label","value":"PR.DS-11.3"},{"name":"sort-id","value":"03-003-012-046"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.DS-11.3"},{"id":"PR.DS-11.4","parts":[{"id":"PR.DS-11.4_smt","name":"statement","prose":"The organisation shall regularly verify the integrity and recoverability of backups through coordinated testing with all relevant continuity and incident response functions. Backup testing shall be integrated into broader resilience planning, including business continuity, disaster recovery, and cyber incident response."}],"props":[{"name":"label","value":"PR.DS-11.4"},{"name":"sort-id","value":"03-003-012-047"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.DS-11.4"},{"id":"PR.DS-11.5","parts":[{"id":"PR.DS-11.5_smt","name":"statement","prose":"Backups of critical systems (such as operating systems, configurations, and applications) shall be kept separate from backups of critical information (such as business data, documents, and databases) to support faster and more reliable recovery."}],"props":[{"name":"label","value":"PR.DS-11.5"},{"name":"sort-id","value":"03-003-012-048"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.DS-11.5"}]}]},{"id":"PR.PS","parts":[{"name":"overview","prose":"The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organisation's risk strategy to protect their confidentiality, integrity, and availability."}],"props":[{"name":"label","value":"PR.PS"},{"name":"sort-id","value":"03-004"}],"title":"Platform Security","groups":[{"id":"PR.PS-01","props":[{"name":"label","value":"PR.PS-01"},{"name":"sort-id","value":"03-004-013"}],"title":"Configuration management 
practices are established and applied.","controls":[{"id":"PR.PS-01.1","parts":[{"id":"PR.PS-01.1_smt","name":"statement","prose":"The organisation shall develop, document, and maintain a baseline configuration for its business-critical systems."}],"props":[{"name":"label","value":"PR.PS-01.1"},{"name":"sort-id","value":"03-004-013-049"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.PS-01.1"},{"id":"PR.PS-01.2","parts":[{"id":"PR.PS-01.2_smt","name":"statement","prose":"The organisation shall configure its business-critical systems to operate with only the essential functions needed for the intended purpose. This includes reviewing and updating baseline configurations to disable any non-essential capabilities."}],"props":[{"name":"label","value":"PR.PS-01.2"},{"name":"sort-id","value":"03-004-013-050"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.PS-01.2"},{"id":"PR.PS-01.3","parts":[{"id":"PR.PS-01.3_smt","name":"statement","prose":"The organisation shall identify and disable specific functions, ports, protocols, and services within its critical systems that are not required for business operations."}],"props":[{"name":"label","value":"PR.PS-01.3"},{"name":"sort-id","value":"03-004-013-051"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.PS-01.3"},{"id":"PR.PS-01.4","parts":[{"id":"PR.PS-01.4_smt","name":"statement","prose":"The organisation shall implement technical safeguards to enforce a policy of ‘deny-all’ and ‘permit-by-exception’ so that only authorised software programmes are executed."}],"props":[{"name":"label","value":"PR.PS-01.4"},{"name":"sort-id","value":"03-004-013-052"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement 
PR.PS-01.4"},{"id":"PR.PS-01.5","parts":[{"id":"PR.PS-01.5_smt","name":"statement","prose":"Unauthorised configuration changes to the organisation's systems shall be monitored and addressed with the appropriate mitigation actions."}],"props":[{"name":"label","value":"PR.PS-01.5"},{"name":"sort-id","value":"03-004-013-053"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.PS-01.5"}]},{"id":"PR.PS-02","props":[{"name":"label","value":"PR.PS-02"},{"name":"sort-id","value":"03-004-014"}],"title":"Software is maintained, replaced, and removed commensurate with risk.","controls":[{"id":"PR.PS-02.1","parts":[{"id":"PR.PS-02.1_smt","name":"statement","prose":"The organisation shall enforce restrictions on software usage and installation, and ensure that software is maintained, replaced, or removed based on its associated risk."}],"props":[{"name":"label","value":"PR.PS-02.1"},{"name":"sort-id","value":"03-004-014-054"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.PS-02.1"}]},{"id":"PR.PS-03","props":[{"name":"label","value":"PR.PS-03"},{"name":"sort-id","value":"03-004-015"}],"title":"Hardware is maintained, replaced, and removed commensurate with risk.","controls":[{"id":"PR.PS-03.1","parts":[{"id":"PR.PS-03.1_smt","name":"statement","prose":"Hardware used in business-critical environments shall be maintained, replaced, or removed based on its associated security and operational risk."}],"props":[{"name":"label","value":"PR.PS-03.1"},{"name":"sort-id","value":"03-004-015-055"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.PS-03.1"}]},{"id":"PR.PS-04","props":[{"name":"label","value":"PR.PS-04"},{"name":"sort-id","value":"03-004-016"}],"title":"Log records are generated and made available for continuous 
monitoring.","controls":[{"id":"PR.PS-04.1","parts":[{"id":"PR.PS-04.1_smt","name":"statement","prose":"Logs shall be maintained, documented, and monitored."}],"props":[{"name":"label","value":"PR.PS-04.1"},{"name":"sort-id","value":"03-004-016-056"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement PR.PS-04.1"},{"id":"PR.PS-04.2","parts":[{"id":"PR.PS-04.2_smt","name":"statement","prose":"The organisation shall ensure that logbook records contain an authoritative time source or internal clock time stamp that is compared and synchronised with an authoritative time source."}],"props":[{"name":"label","value":"PR.PS-04.2"},{"name":"sort-id","value":"03-004-016-057"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.PS-04.2"},{"id":"PR.PS-04.3","parts":[{"id":"PR.PS-04.3_smt","name":"statement","prose":"Audit data from the organisation's critical systems shall be moved to an alternative system."}],"props":[{"name":"label","value":"PR.PS-04.3"},{"name":"sort-id","value":"03-004-016-058"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.PS-04.3"},{"id":"PR.PS-04.4","parts":[{"id":"PR.PS-04.4_smt","name":"statement","prose":"The organisation shall ensure that audit processing failures on the organisation's systems generate alerts and trigger defined responses."}],"props":[{"name":"label","value":"PR.PS-04.4"},{"name":"sort-id","value":"03-004-016-059"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.PS-04.4"},{"id":"PR.PS-04.5","parts":[{"id":"PR.PS-04.5_smt","name":"statement","prose":"The organisation shall ensure that authorised personnel can extend or enhance audit logging and monitoring capabilities when needed 
to support investigations or incident response."}],"props":[{"name":"label","value":"PR.PS-04.5"},{"name":"sort-id","value":"03-004-016-060"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.PS-04.5"}]},{"id":"PR.PS-05","props":[{"name":"label","value":"PR.PS-05"},{"name":"sort-id","value":"03-004-017"}],"title":"Installation and execution of unauthorised software are prevented.","controls":[{"id":"PR.PS-05.1","parts":[{"id":"PR.PS-05.1_smt","name":"statement","prose":"Web and e-mail filters shall be installed and used."}],"props":[{"name":"label","value":"PR.PS-05.1"},{"name":"sort-id","value":"03-004-017-061"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.PS-05.1"},{"id":"PR.PS-05.2","parts":[{"id":"PR.PS-05.2_smt","name":"statement","prose":"Installation and execution of unauthorised software shall be prevented."}],"props":[{"name":"label","value":"PR.PS-05.2"},{"name":"sort-id","value":"03-004-017-062"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.PS-05.2"}]},{"id":"PR.PS-06","props":[{"name":"label","value":"PR.PS-06"},{"name":"sort-id","value":"03-004-018"}],"title":"Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.","controls":[{"id":"PR.PS-06.1","parts":[{"id":"PR.PS-06.1_smt","name":"statement","prose":"Security shall be considered throughout the lifecycle of systems and applications, whether developed internally or acquired externally."}],"props":[{"name":"label","value":"PR.PS-06.1"},{"name":"sort-id","value":"03-004-018-063"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.PS-06.1"},{"id":"PR.PS-06.2","parts":[{"id":"PR.PS-06.2_smt","name":"statement","prose":"Changes and exceptions shall be tested and validated before being implemented into 
operational systems."}],"props":[{"name":"label","value":"PR.PS-06.2"},{"name":"sort-id","value":"03-004-018-064"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.PS-06.2"},{"id":"PR.PS-06.3","parts":[{"id":"PR.PS-06.3_smt","name":"statement","prose":"Secure software development practices shall be integrated into all phases of the software development lifecycle, and their effectiveness should be regularly monitored and improved."}],"props":[{"name":"label","value":"PR.PS-06.3"},{"name":"sort-id","value":"03-004-018-065"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.PS-06.3"},{"id":"PR.PS-06-4","parts":[{"id":"PR.PS-06-4_smt","name":"statement","prose":"For planned changes to the organisation's critical systems, a security impact analysis shall be performed in a separate test environment before implementation in an operational environment."}],"props":[{"name":"label","value":"PR.PS-06-4"},{"name":"sort-id","value":"03-004-018-066"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.PS-06-4"}]}]},{"id":"PR.IR","parts":[{"name":"overview","prose":"Security architectures are managed with the organisation's risk strategy to protect asset confidentiality, integrity, and availability, and organisational resilience."}],"props":[{"name":"label","value":"PR.IR"},{"name":"sort-id","value":"03-005"}],"title":"Technology Infrastructure Resilience","groups":[{"id":"PR.IR-01","props":[{"name":"label","value":"PR.IR-01"},{"name":"sort-id","value":"03-005-019"}],"title":"Networks and environments are protected from unauthorised logical access and usage.","controls":[{"id":"PR.IR-01.1","parts":[{"id":"PR.IR-01.1_smt","name":"statement","prose":"Firewalls shall be installed, configured, and actively maintained on all networks used by the organisation to protect against unauthorised access and cyber 
threats."}],"props":[{"name":"label","value":"PR.IR-01.1"},{"name":"sort-id","value":"03-005-019-067"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.IR-01.1"},{"id":"PR.IR-01.2","parts":[{"id":"PR.IR-01.2_smt","name":"statement","prose":"To safeguard critical systems, organisations shall implement network segmentation and segregation aligned with trust boundaries and asset criticality, thereby limiting threat propagation and enforcing strict access control."}],"props":[{"name":"label","value":"PR.IR-01.2"},{"name":"sort-id","value":"03-005-019-068"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.IR-01.2"},{"id":"PR.IR-01.3","parts":[{"id":"PR.IR-01.3_smt","name":"statement","prose":"To ensure operational stability and security, the organisation shall, without exception, identify, document, and control connections between components of its critical systems."}],"props":[{"name":"label","value":"PR.IR-01.3"},{"name":"sort-id","value":"03-005-019-069"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.IR-01.3"},{"id":"PR.IR-01.4","parts":[{"id":"PR.IR-01.4_smt","name":"statement","prose":"The organisation shall implement appropriate boundary protection measures to monitor and control communications at external and key internal boundaries of its critical systems, across both IT and OT environments, to ensure secure and reliable operations."}],"props":[{"name":"label","value":"PR.IR-01.4"},{"name":"sort-id","value":"03-005-019-070"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement 
PR.IR-01.4"},{"id":"PR.IR-01.5","parts":[{"id":"PR.IR-01.5_smt","name":"statement","prose":"The organisation shall implement, where feasible, authenticated proxy servers or firewalls with URL filtering and threat intelligence capabilities for defined communications traffic between its critical systems and external networks."}],"props":[{"name":"label","value":"PR.IR-01.5"},{"name":"sort-id","value":"03-005-019-071"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.IR-01.5"},{"id":"PR.IR-01.6","parts":[{"id":"PR.IR-01.6_smt","name":"statement","prose":"The organisation shall ensure that its critical systems are designed to fail securely and remain protected in the event of an operational failure of a border protection device."}],"props":[{"name":"label","value":"PR.IR-01.6"},{"name":"sort-id","value":"03-005-019-072"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.IR-01.6"},{"id":"PR.IR-01.7","parts":[{"id":"PR.IR-01.7_smt","name":"statement","prose":"The organisation shall ensure that development and test environments are strictly separated from the production environment, particularly in ICS/OT systems where any crossover could compromise security, endanger health, or disrupt essential operations."}],"props":[{"name":"label","value":"PR.IR-01.7"},{"name":"sort-id","value":"03-005-019-073"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.IR-01.7"},{"id":"PR.IR-01.8","parts":[{"id":"PR.IR-01.8_smt","name":"statement","prose":"The organisation shall define, monitor, and control the flow of information and data within and between its critical systems to ensure that only authorised and secure exchanges occur, regardless of network boundaries or system 
architecture."}],"props":[{"name":"label","value":"PR.IR-01.8"},{"name":"sort-id","value":"03-005-019-074"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.IR-01.8"},{"id":"PR.IR-01.9","parts":[{"id":"PR.IR-01.9_smt","name":"statement","prose":"The organisation shall manage interfaces with external telecommunications services as part of its broader network security policy, by defining how traffic is controlled, ensuring the confidentiality and integrity of transmitted information, and reviewing and documenting any exceptions to established rules."}],"props":[{"name":"label","value":"PR.IR-01.9"},{"name":"sort-id","value":"03-005-019-075"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.IR-01.9"}]},{"id":"PR.IR-02","props":[{"name":"label","value":"PR.IR-02"},{"name":"sort-id","value":"03-005-020"}],"title":"The organisation's technology assets are protected from environmental threats.","controls":[{"id":"PR.IR-02.1","parts":[{"id":"PR.IR-02.1_smt","name":"statement","prose":"The organisation shall define, implement and maintain policies and procedures related to emergency and safety systems, fire protection systems and environmental controls for its critical systems."}],"props":[{"name":"label","value":"PR.IR-02.1"},{"name":"sort-id","value":"03-005-020-076"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.IR-02.1"},{"id":"PR.IR-02.2","parts":[{"id":"PR.IR-02.2_smt","name":"statement","prose":"The organisation shall implement fire detection devices that activate and notify key personnel automatically in the event of a fire."}],"props":[{"name":"label","value":"PR.IR-02.2"},{"name":"sort-id","value":"03-005-020-077"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement 
PR.IR-02.2"}]},{"id":"PR.IR-03","props":[{"name":"label","value":"PR.IR-03"},{"name":"sort-id","value":"03-005-021"}],"title":"Mechanisms are implemented to achieve resilience requirements in normal and adverse situations.","controls":[{"id":"PR.IR-03.1","parts":[{"id":"PR.IR-03.1_smt","name":"statement","prose":"The organisation shall implement mechanisms to ensure that critical systems and services remain operational or can be quickly restored during both normal operations and adverse conditions."}],"props":[{"name":"label","value":"PR.IR-03.1"},{"name":"sort-id","value":"03-005-021-078"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement PR.IR-03.1"}]},{"id":"PR.IR-04","props":[{"name":"label","value":"PR.IR-04"},{"name":"sort-id","value":"03-005-022"}],"title":"Adequate resource capacity to ensure availability is maintained.","controls":[{"id":"PR.IR-04.1","parts":[{"id":"PR.IR-04.1_smt","name":"statement","prose":"Adequate resource capacity planning shall ensure that availability of organisation's critical system information processing, networking, telecommunications, and data storage is maintained."}],"props":[{"name":"label","value":"PR.IR-04.1"},{"name":"sort-id","value":"03-005-022-079"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement PR.IR-04.1"}]}]}]},{"id":"DE","props":[{"name":"sort-id","value":"04"}],"title":"DETECT","groups":[{"id":"DE.CM","parts":[{"name":"overview","prose":"Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events."}],"props":[{"name":"label","value":"DE.CM"},{"name":"sort-id","value":"04-001"}],"title":"Continuous Monitoring","groups":[{"id":"DE.CM-01","props":[{"name":"label","value":"DE.CM-01"},{"name":"sort-id","value":"04-001-001"}],"title":"Networks and network services are monitored to find potentially adverse 
events.","controls":[{"id":"DE.CM-01.1","parts":[{"id":"DE.CM-01.1_smt","name":"statement","prose":"Firewalls shall be installed and operated at the network boundaries, including endpoint firewalls."}],"props":[{"name":"label","value":"DE.CM-01.1"},{"name":"sort-id","value":"04-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement DE.CM-01.1"},{"id":"DE.CM-01.2","parts":[{"id":"DE.CM-01.2_smt","name":"statement","prose":"Anti-virus, -spyware, and other -malware programs shall be installed and updated."}],"props":[{"name":"label","value":"DE.CM-01.2"},{"name":"sort-id","value":"04-001-001-002"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement DE.CM-01.2"},{"id":"DE.CM-01.3","parts":[{"id":"DE.CM-01.3_smt","name":"statement","prose":"The organisation shall monitor and identify unauthorised use of its business-critical systems through the detection of unauthorised local connections, network connections and remote connections."}],"props":[{"name":"label","value":"DE.CM-01.3"},{"name":"sort-id","value":"04-001-001-003"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement DE.CM-01.3"},{"id":"DE.CM-01.4","parts":[{"id":"DE.CM-01.4_smt","name":"statement","prose":"The organisation shall continuously monitor its network to spot signs of cyber threats or unusual activity, using clearly defined rules for what counts as a potential security incident."}],"props":[{"name":"label","value":"DE.CM-01.4"},{"name":"sort-id","value":"04-001-001-004"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement DE.CM-01.4"}]},{"id":"DE.CM-02","props":[{"name":"label","value":"DE.CM-02"},{"name":"sort-id","value":"04-001-002"}],"title":"The physical 
environment is monitored to find potentially adverse events.","controls":[{"id":"DE.CM-02.1","parts":[{"id":"DE.CM-02.1_smt","name":"statement","prose":"The physical environment shall be monitored to find potentially adverse events."}],"props":[{"name":"label","value":"DE.CM-02.1"},{"name":"sort-id","value":"04-001-002-005"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.CM-02.1"},{"id":"DE.CM-02.2","parts":[{"id":"DE.CM-02.2_smt","name":"statement","prose":"Physical access to the organisation's critical systems and devices, in addition to physical access monitoring to the facility, shall be supplemented by physical intrusion alarms, surveillance equipment, and independent monitoring teams."}],"props":[{"name":"label","value":"DE.CM-02.2"},{"name":"sort-id","value":"04-001-002-006"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement DE.CM-02.2"}]},{"id":"DE.CM-03","props":[{"name":"label","value":"DE.CM-03"},{"name":"sort-id","value":"04-001-003"}],"title":"Personnel activity and technology usage are monitored to find potentially adverse events.","controls":[{"id":"DE.CM-03-1","parts":[{"id":"DE.CM-03-1_smt","name":"statement","prose":"End point and network protection tools to monitor end-user behaviour for dangerous activity shall be implemented."}],"props":[{"name":"label","value":"DE.CM-03-1"},{"name":"sort-id","value":"04-001-003-007"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement DE.CM-03-1"},{"id":"DE.CM-03.2","parts":[{"id":"DE.CM-03.2_smt","name":"statement","prose":"End point and network protection tools that monitor end-user behaviour for dangerous activity shall be managed."}],"props":[{"name":"label","value":"DE.CM-03.2"},{"name":"sort-id","value":"04-001-003-008"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement 
DE.CM-03.2"}]},{"id":"DE.CM-06","props":[{"name":"label","value":"DE.CM-06"},{"name":"sort-id","value":"04-001-004"}],"title":"External service provider activities and services are monitored to find potentially adverse events.","controls":[{"id":"DE.CM-06.1","parts":[{"id":"DE.CM-06.1_smt","name":"statement","prose":"External service provider activities and services shall be secured and monitored to find potentially adverse events."}],"props":[{"name":"label","value":"DE.CM-06.1"},{"name":"sort-id","value":"04-001-004-009"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.CM-06.1"},{"id":"DE.CM-06.2","parts":[{"id":"DE.CM-06.2_smt","name":"statement","prose":"External service providers' conformance with personnel security policies and procedures and contract security requirements shall be monitored relative to their cybersecurity risks."}],"props":[{"name":"label","value":"DE.CM-06.2"},{"name":"sort-id","value":"04-001-004-010"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.CM-06.2"}]},{"id":"DE.CM-09","props":[{"name":"label","value":"DE.CM-09"},{"name":"sort-id","value":"04-001-005"}],"title":"Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.","controls":[{"id":"DE.CM-09.1","parts":[{"id":"DE.CM-09.1_smt","name":"statement","prose":"The organisation shall monitor computing hardware, software, runtime environments, and their data to detect potentially adverse events."}],"props":[{"name":"label","value":"DE.CM-09.1"},{"name":"sort-id","value":"04-001-005-011"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.CM-09.1"},{"id":"DE.CM-09.2","parts":[{"id":"DE.CM-09.2_smt","name":"statement","prose":"The organisation shall implement hardware integrity checks to detect unauthorised tampering of critical system hardware. 
Controls shall be proportionate to the organisation’s risk profile and operational capacity."}],"props":[{"name":"label","value":"DE.CM-09.2"},{"name":"sort-id","value":"04-001-005-012"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement DE.CM-09.2"},{"id":"DE.CM-09.3","parts":[{"id":"DE.CM-09.3_smt","name":"statement","prose":"The organisation's incident response plan shall include measures to detect unauthorised tampering with the hardware of critical systems."}],"props":[{"name":"label","value":"DE.CM-09.3"},{"name":"sort-id","value":"04-001-005-013"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement DE.CM-09.3"},{"id":"DE.CM-09.4","parts":[{"id":"DE.CM-09.4_smt","name":"statement","prose":"The organisation shall establish a system to accurately distinguish between legitimate alerts and false positives, ensuring effective detection and removal of malicious code."}],"props":[{"name":"label","value":"DE.CM-09.4"},{"name":"sort-id","value":"04-001-005-014"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement DE.CM-09.4"}]}]},{"id":"DE.AE","parts":[{"name":"overview","prose":"Anomalies, indicators of compromise, and other potentially adverse events are analysed to characterise the events and detect cybersecurity incidents."}],"props":[{"name":"label","value":"DE.AE"},{"name":"sort-id","value":"04-002"}],"title":"Adverse Event Analysis","groups":[{"id":"DE.AE-02","props":[{"name":"label","value":"DE.AE-02"},{"name":"sort-id","value":"04-002-006"}],"title":"Potentially adverse events are analysed to better understand associated activities.","controls":[{"id":"DE.AE-02.1","parts":[{"id":"DE.AE-02.1_smt","name":"statement","prose":"Cybersecurity and information security events must be reviewed and analysed to identify potential attack targets and methods, in accordance with applicable laws, regulations, standards, and 
policies."}],"props":[{"name":"label","value":"DE.AE-02.1"},{"name":"sort-id","value":"04-002-006-015"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.AE-02.1"},{"id":"DE.AE-02.2","parts":[{"id":"DE.AE-02.2_smt","name":"statement","prose":"The organisation shall implement automated mechanisms where feasible to review and analyse detected events."}],"props":[{"name":"label","value":"DE.AE-02.2"},{"name":"sort-id","value":"04-002-006-016"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement DE.AE-02.2"}]},{"id":"DE.AE-03","props":[{"name":"label","value":"DE.AE-03"},{"name":"sort-id","value":"04-002-007"}],"title":"Information is correlated from multiple sources.","controls":[{"id":"DE.AE-03.1","parts":[{"id":"DE.AE-03.1_smt","name":"statement","prose":"The logging functionality of protection and detection tools shall be enabled. Logs shall be backed up and retained for a predefined period, and regularly reviewed to identify unusual or potentially harmful activity."}],"props":[{"name":"label","value":"DE.AE-03.1"},{"name":"sort-id","value":"04-002-007-017"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement DE.AE-03.1"},{"id":"DE.AE-03.2","parts":[{"id":"DE.AE-03.2_smt","name":"statement","prose":"The organisation shall ensure that event data from critical systems is collected and correlated using information from multiple relevant sources."}],"props":[{"name":"label","value":"DE.AE-03.2"},{"name":"sort-id","value":"04-002-007-018"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.AE-03.2"},{"id":"DE.AE-03.3","parts":[{"id":"DE.AE-03.3_smt","name":"statement","prose":"The organisation shall combine event analysis with information from vulnerability scans, system performance data, monitoring of 
critical systems, and facility monitoring, where feasible."}],"props":[{"name":"label","value":"DE.AE-03.3"},{"name":"sort-id","value":"04-002-007-019"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement DE.AE-03.3"}]},{"id":"DE.AE-04","props":[{"name":"label","value":"DE.AE-04"},{"name":"sort-id","value":"04-002-008"}],"title":"The estimated impact and scope of adverse events are understood.","controls":[{"id":"DE.AE-04.1","parts":[{"id":"DE.AE-04.1_smt","name":"statement","prose":"The organisation shall assess the negative impacts of detected events on its operations, assets, and individuals, and shall link these impacts to the results of its risk assessments."}],"props":[{"name":"label","value":"DE.AE-04.1"},{"name":"sort-id","value":"04-002-008-020"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement DE.AE-04.1"}]},{"id":"DE.AE-06","props":[{"name":"label","value":"DE.AE-06"},{"name":"sort-id","value":"04-002-009"}],"title":"Information on adverse events is provided to authorised staff and tools.","controls":[{"id":"DE.AE-06.1","parts":[{"id":"DE.AE-06.1_smt","name":"statement","prose":"Information about adverse events must be promptly delivered to authorised personnel and systems to enable timely detection, investigation, and response."}],"props":[{"name":"label","value":"DE.AE-06.1"},{"name":"sort-id","value":"04-002-009-021"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.AE-06.1"}]},{"id":"DE.AE-08","props":[{"name":"label","value":"DE.AE-08"},{"name":"sort-id","value":"04-002-010"}],"title":"Incidents are declared when adverse events meet the defined incident criteria.","controls":[{"id":"DE.AE-08.1","parts":[{"id":"DE.AE-08.1_smt","name":"statement","prose":"Incidents shall be reported when adverse events meet defined and 
documented incident criteria."}],"props":[{"name":"label","value":"DE.AE-08.1"},{"name":"sort-id","value":"04-002-010-022"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement DE.AE-08.1"}]}]}]},{"id":"RS","props":[{"name":"sort-id","value":"05"}],"title":"RESPOND","groups":[{"id":"RS.MA","parts":[{"name":"overview","prose":"Responses to detected cybersecurity incidents are managed."}],"props":[{"name":"label","value":"RS.MA"},{"name":"sort-id","value":"05-001"}],"title":"Incident Management","groups":[{"id":"RS.MA-01","props":[{"name":"label","value":"RS.MA-01"},{"name":"sort-id","value":"05-001-001"}],"title":"The incident response plan is executed in coordination with relevant third parties once an incident is declared.","controls":[{"id":"RS.MA-01.1","parts":[{"id":"RS.MA-01.1_smt","name":"statement","prose":"An incident response plan, including defined roles, responsibilities, and authorities, shall be executed during or after a cybersecurity event affecting the organisation's critical systems."}],"props":[{"name":"label","value":"RS.MA-01.1"},{"name":"sort-id","value":"05-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement RS.MA-01.1"},{"id":"RS.MA-01.2","parts":[{"id":"RS.MA-01.2_smt","name":"statement","prose":"The organisation shall coordinate information/cybersecurity incident response actions with all predefined stakeholders."}],"props":[{"name":"label","value":"RS.MA-01.2"},{"name":"sort-id","value":"05-001-001-002"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.MA-01.2"}]},{"id":"RS.MA-02","props":[{"name":"label","value":"RS.MA-02"},{"name":"sort-id","value":"05-001-002"}],"title":"Incident reports are triaged and validated.","controls":[{"id":"RS.MA-02.1","parts":[{"id":"RS.MA-02.1_smt","name":"statement","prose":"Information/cybersecurity incident reports shall be triaged and validated 
in accordance with the organisation’s incident response procedures."}],"props":[{"name":"label","value":"RS.MA-02.1"},{"name":"sort-id","value":"05-001-002-003"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.MA-02.1"},{"id":"RS.MA-02.2","parts":[{"id":"RS.MA-02.2_smt","name":"statement","prose":"Automated tools shall be used to support the investigation and impact assessment of validated cybersecurity incidents."}],"props":[{"name":"label","value":"RS.MA-02.2"},{"name":"sort-id","value":"05-001-002-004"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement RS.MA-02.2"}]},{"id":"RS.MA-03","props":[{"name":"label","value":"RS.MA-03"},{"name":"sort-id","value":"05-001-003"}],"title":"Incidents are categorised and prioritised.","controls":[{"id":"RS.MA-03.1","parts":[{"id":"RS.MA-03.1_smt","name":"statement","prose":"Information/cybersecurity incidents shall be categorised, prioritised and escalated as specified in the incident response plan."}],"props":[{"name":"label","value":"RS.MA-03.1"},{"name":"sort-id","value":"05-001-003-005"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.MA-03.1"}]},{"id":"RS.MA-05","props":[{"name":"label","value":"RS.MA-05"},{"name":"sort-id","value":"05-001-004"}],"title":"The criteria for initiating incident recovery are applied.","controls":[{"id":"RS.MA-05.1","parts":[{"id":"RS.MA-05.1_smt","name":"statement","prose":"Clear criteria shall be defined and applied to determine when incident recovery processes need to be initiated."}],"props":[{"name":"label","value":"RS.MA-05.1"},{"name":"sort-id","value":"05-001-004-006"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.MA-05.1"}]}]},{"id":"RS.AN","parts":[{"name":"overview","prose":"Investigations are conducted to ensure effective response and support forensics and recovery 
activities."}],"props":[{"name":"label","value":"RS.AN"},{"name":"sort-id","value":"05-002"}],"title":"Incident Analysis","groups":[{"id":"RS.AN-03","props":[{"name":"label","value":"RS.AN-03"},{"name":"sort-id","value":"05-002-005"}],"title":"Analysis is performed to establish what has taken place during an incident and the root cause of the incident.","controls":[{"id":"RS.AN-03.1","parts":[{"id":"RS.AN-03.1_smt","name":"statement","prose":"Each incident shall be analysed to determine what occurred and to identify its root cause."}],"props":[{"name":"label","value":"RS.AN-03.1"},{"name":"sort-id","value":"05-002-005-007"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement RS.AN-03.1"}]},{"id":"RS.AN-06","props":[{"name":"label","value":"RS.AN-06"},{"name":"sort-id","value":"05-002-006"}],"title":"Actions performed during an investigation are recorded, and the records’ integrity and provenance are preserved","controls":[{"id":"RS.AN-06.1","parts":[{"id":"RS.AN-06.1_smt","name":"statement","prose":"Actions performed during an investigation shall be recorded, and the records' integrity and provenance shall be preserved."}],"props":[{"name":"label","value":"RS.AN-06.1"},{"name":"sort-id","value":"05-002-006-008"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.AN-06.1"}]},{"id":"RS.AN-07","props":[{"name":"label","value":"RS.AN-07"},{"name":"sort-id","value":"05-002-007"}],"title":"Incident data and metadata are collected, and their integrity and provenance are preserved.","controls":[{"id":"RS.AN-07.1","parts":[{"id":"RS.AN-07.1_smt","name":"statement","prose":"Incident data and metadata should be collected and protected to ensure their accuracy, authenticity, and 
traceability."}],"props":[{"name":"label","value":"RS.AN-07.1"},{"name":"sort-id","value":"05-002-007-009"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.AN-07.1"}]},{"id":"RS.AN-08","props":[{"name":"label","value":"RS.AN-08"},{"name":"sort-id","value":"05-002-008"}],"title":"An incident's magnitude is estimated and validated.","controls":[{"id":"RS.AN-08.1","parts":[{"id":"RS.AN-08.1_smt","name":"statement","prose":"An incident’s magnitude shall be estimated and validated."}],"props":[{"name":"label","value":"RS.AN-08.1"},{"name":"sort-id","value":"05-002-008-010"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.AN-08.1"}]}]},{"id":"RS.CO","parts":[{"name":"overview","prose":"Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies."}],"props":[{"name":"label","value":"RS.CO"},{"name":"sort-id","value":"05-003"}],"title":"Incident Response Reporting and Communication","groups":[{"id":"RS.CO-02","props":[{"name":"label","value":"RS.CO-02"},{"name":"sort-id","value":"05-003-009"}],"title":"Internal and external stakeholders are notified of incidents.","controls":[{"id":"RS.CO-02.1","parts":[{"id":"RS.CO-02.1_smt","name":"statement","prose":"Information about cybersecurity incidents shall be communicated to employees in a way that is clear and easy to understand."}],"props":[{"name":"label","value":"RS.CO-02.1"},{"name":"sort-id","value":"05-003-009-011"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement RS.CO-02.1"},{"id":"RS.CO-02.2","parts":[{"id":"RS.CO-02.2_smt","name":"statement","prose":"Cybersecurity incidents shall be shared with relevant external stakeholders within the timeframes defined in the Incident Response Plan, including reporting significant incidents to authorities as required by 
law."}],"props":[{"name":"label","value":"RS.CO-02.2"},{"name":"sort-id","value":"05-003-009-012"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement RS.CO-02.2"}]}]},{"id":"RS.MI","parts":[{"name":"overview","prose":"Activities are performed to prevent expansion of an event and mitigate its effects."}],"props":[{"name":"label","value":"RS.MI"},{"name":"sort-id","value":"05-004"}],"title":"Incident Mitigation","groups":[{"id":"RS.MI-01","props":[{"name":"label","value":"RS.MI-01"},{"name":"sort-id","value":"05-004-010"}],"title":"Incidents are contained.","controls":[{"id":"RS.MI-01.1","parts":[{"id":"RS.MI-01.1_smt","name":"statement","prose":"Cybersecurity incidents shall be contained and eliminated. Any decision to accept and retain certain cybersecurity risks shall be formally documented."}],"props":[{"name":"label","value":"RS.MI-01.1"},{"name":"sort-id","value":"05-004-010-013"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RS.MI-01.1"},{"id":"RS.MI-01.2","parts":[{"id":"RS.MI-01.2_smt","name":"statement","prose":"The organisation shall detect unauthorised access or data leakage and take appropriate mitigation actions, including monitoring of critical systems at external boundaries and key internal points."}],"props":[{"name":"label","value":"RS.MI-01.2"},{"name":"sort-id","value":"05-004-010-014"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement RS.MI-01.2"}]}]}]},{"id":"RC","props":[{"name":"sort-id","value":"06"}],"title":"RECOVER","groups":[{"id":"RC.RP","parts":[{"name":"overview","prose":"Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity 
incidents."}],"props":[{"name":"label","value":"RC.RP"},{"name":"sort-id","value":"06-001"}],"title":"Incident Recovery Plan Execution","groups":[{"id":"RC.RP-01","props":[{"name":"label","value":"RC.RP-01"},{"name":"sort-id","value":"06-001-001"}],"title":"The recovery portion of the incident response plan is executed once initiated from the incident response process.","controls":[{"id":"RC.RP-01.1","parts":[{"id":"RC.RP-01.1_smt","name":"statement","prose":"A recovery process for disasters and information/cybersecurity incidents shall be developed and executed."}],"props":[{"name":"label","value":"RC.RP-01.1"},{"name":"sort-id","value":"06-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement RC.RP-01.1"}]},{"id":"RC.RP-02","props":[{"name":"label","value":"RC.RP-02"},{"name":"sort-id","value":"06-001-002"}],"title":"Recovery actions are selected, scoped, prioritised, and performed.","controls":[{"id":"RC.RP-02.1","parts":[{"id":"RC.RP-02.1_smt","name":"statement","prose":"The organisation's essential functions and services shall be continued with little or no loss of operational continuity, and continuity shall be maintained until full system recovery."}],"props":[{"name":"label","value":"RC.RP-02.1"},{"name":"sort-id","value":"06-001-002-002"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement RC.RP-02.1"}]},{"id":"RC.RP-05","props":[{"name":"label","value":"RC.RP-05"},{"name":"sort-id","value":"06-001-003"}],"title":"The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed.","controls":[{"id":"RC.RP-05.1","parts":[{"id":"RC.RP-05.1_smt","name":"statement","prose":"The integrity of restored systems and assets shall be verified before they are returned to service. 
Systems and services shall be fully restored, and normal operations shall be confirmed."}],"props":[{"name":"label","value":"RC.RP-05.1"},{"name":"sort-id","value":"06-001-003-003"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RC.RP-05.1"}]},{"id":"RC.RP-06","props":[{"name":"label","value":"RC.RP-06"},{"name":"sort-id","value":"06-001-004"}],"title":"The end of incident recovery is declared based on criteria, and incident-related documentation is completed.","controls":[{"id":"RC.RP-06.1","parts":[{"id":"RC.RP-06.1_smt","name":"statement","prose":"The end of incident recovery shall be formally declared based on predefined criteria, and all incident-related documentation shall be completed and reviewed."}],"props":[{"name":"label","value":"RC.RP-06.1"},{"name":"sort-id","value":"06-001-004-004"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RC.RP-06.1"}]}]},{"id":"RC.CO","parts":[{"name":"overview","prose":"Restoration activities are coordinated with internal and external parties."}],"props":[{"name":"label","value":"RC.CO"},{"name":"sort-id","value":"06-002"}],"title":"Incident Recovery Communication","groups":[{"id":"RC.CO-03","props":[{"name":"label","value":"RC.CO-03"},{"name":"sort-id","value":"06-002-005"}],"title":"Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders.","controls":[{"id":"RC.CO-03.1","parts":[{"id":"RC.CO-03.1_smt","name":"statement","prose":"Recovery activities and progress in restoring operational capabilities shall be communicated to designated internal and external stakeholders in accordance with established communication 
procedures."}],"props":[{"name":"label","value":"RC.CO-03.1"},{"name":"sort-id","value":"06-002-005-005"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement RC.CO-03.1"}]},{"id":"RC.CO-04","props":[{"name":"label","value":"RC.CO-04"},{"name":"sort-id","value":"06-002-006"}],"title":"Public updates on incident recovery are shared using approved methods and messaging.","controls":[{"id":"RC.CO-04.1","parts":[{"id":"RC.CO-04.1_smt","name":"statement","prose":"Public updates on incident recovery shall be shared using approved communication methods and messaging, in accordance with established procedures."}],"props":[{"name":"label","value":"RC.CO-04.1"},{"name":"sort-id","value":"06-002-006-006"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement RC.CO-04.1"},{"id":"RC.CO-04.2","parts":[{"id":"RC.CO-04.2_smt","name":"statement","prose":"The organisation shall assign a Public Relations Officer (PRO) to manage public communications during information/cybersecurity incident recovery, ensuring that public updates are shared while maintaining the confidentiality, integrity, and accuracy of the information."}],"props":[{"name":"label","value":"RC.CO-04.2"},{"name":"sort-id","value":"06-002-006-007"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement RC.CO-04.2"},{"id":"RC.CO-04.3","parts":[{"id":"RC.CO-04.3_smt","name":"statement","prose":"The organisation shall implement a crisis communication strategy to mitigate negative impacts during a crisis and help restore its reputation afterward."}],"props":[{"name":"label","value":"RC.CO-04.3"},{"name":"sort-id","value":"06-002-006-008"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"essential"}],"title":"Requirement RC.CO-04.3"}]}]}]}]}}