SAMMY works best on screens 1024px wide or larger.
Cybersecurity Fundamentals 2.0
Browse Cybersecurity...
PR.DS-01 PR.DS-02 PR.DS-10 PR.DS-11
PR.DS-01.2
PR.DS-01.2: The organisation shall implement automated tools where feasible to provide notification upon discovering discrepancies during integrity verification.

The organisation shall implement automated tools where feasible to provide notification upon discovering discrepancies during integrity verification.

Not applicable - Not applicable in the selected scope.
Level 1 - Initial - No Process documentation or not formally approved by management.
Level 2 - Repeatable - Formally approved Process documentation exists but not reviewed in the previous 2 years.
Level 3 - Defined - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 5% of the time.
Level 4 - Managed - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 3% of the time.
Level 5 - Optimizing - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 0,5% of the time.
Not applicable - Not applicable in the selected scope.
Level 1 - Initial - Standard process does not exist.
Level 2 - Repeatable - Ad-hoc process exists and is done informally.
Level 3 - Defined - Formal process exists and is implemented. Evidence available for most activities. Less than 10% process exceptions.
Level 4 - Managed - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established. Less than 5% of process exceptions.
Level 5 - Optimizing - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established and continually improving. Less than 1% of process exceptions.
Description

The organisation shall implement automated tools where feasible to provide notification upon discovering discrepancies during integrity verification.

PR.DS-01.3
PR.DS-01.3: The organisation shall define and implement automated responses to detected integrity violations, using predefined safeguards that are proportionate to the severity and impact of the violation.

The organisation shall define and implement automated responses to detected integrity violations, using predefined safeguards that are proportionate to the severity and impact of the violation.

Not applicable - Not applicable in the selected scope.
Level 1 - Initial - No Process documentation or not formally approved by management.
Level 2 - Repeatable - Formally approved Process documentation exists but not reviewed in the previous 2 years.
Level 3 - Defined - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 5% of the time.
Level 4 - Managed - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 3% of the time.
Level 5 - Optimizing - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 0,5% of the time.
Not applicable - Not applicable in the selected scope.
Level 1 - Initial - Standard process does not exist.
Level 2 - Repeatable - Ad-hoc process exists and is done informally.
Level 3 - Defined - Formal process exists and is implemented. Evidence available for most activities. Less than 10% process exceptions.
Level 4 - Managed - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established. Less than 5% of process exceptions.
Level 5 - Optimizing - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established and continually improving. Less than 1% of process exceptions.
Description

The organisation shall define and implement automated responses to detected integrity violations, using predefined safeguards that are proportionate to the severity and impact of the violation.

PR.DS-01.6
PR.DS-01.6: The organisation shall protect the confidentiality of its critical assets while at rest.

The organisation shall protect the confidentiality of its critical assets while at rest.

Not applicable - Not applicable in the selected scope.
Level 1 - Initial - No Process documentation or not formally approved by management.
Level 2 - Repeatable - Formally approved Process documentation exists but not reviewed in the previous 2 years.
Level 3 - Defined - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 5% of the time.
Level 4 - Managed - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 3% of the time.
Level 5 - Optimizing - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 0,5% of the time.
Not applicable - Not applicable in the selected scope.
Level 1 - Initial - Standard process does not exist.
Level 2 - Repeatable - Ad-hoc process exists and is done informally.
Level 3 - Defined - Formal process exists and is implemented. Evidence available for most activities. Less than 10% process exceptions.
Level 4 - Managed - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established. Less than 5% of process exceptions.
Level 5 - Optimizing - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established and continually improving. Less than 1% of process exceptions.
Description

The organisation shall protect the confidentiality of its critical assets while at rest.

PR.DS-01.1
PR.DS-01.1: The organisation shall implement software, firmware, and information integrity checks to detect unauthorised changes to its critical system components during storage, transport, start-up and when determined necessary.

The organisation shall implement software, firmware, and information integrity checks to detect unauthorised changes to its critical system components during storage, transport, start-up and when determined necessary.

Not applicable - Not applicable in the selected scope.
Level 1 - Initial - No Process documentation or not formally approved by management.
Level 2 - Repeatable - Formally approved Process documentation exists but not reviewed in the previous 2 years.
Level 3 - Defined - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 5% of the time.
Level 4 - Managed - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 3% of the time.
Level 5 - Optimizing - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 0,5% of the time.
Not applicable - Not applicable in the selected scope.
Level 1 - Initial - Standard process does not exist.
Level 2 - Repeatable - Ad-hoc process exists and is done informally.
Level 3 - Defined - Formal process exists and is implemented. Evidence available for most activities. Less than 10% process exceptions.
Level 4 - Managed - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established. Less than 5% of process exceptions.
Level 5 - Optimizing - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established and continually improving. Less than 1% of process exceptions.
Description

The organisation shall implement software, firmware, and information integrity checks to detect unauthorised changes to its critical system components during storage, transport, start-up and when determined necessary.

PR.DS-01.4
PR.DS-01.4: The organisation shall define and enforce clear policies and practical safeguards to manage and restrict the use of portable storage media, in order to reduce the risk of data leakage, unauthorised access, and malware introduction.

The organisation shall define and enforce clear policies and practical safeguards to manage and restrict the use of portable storage media, in order to reduce the risk of data leakage, unauthorised access, and malware introduction.

Not applicable - Not applicable in the selected scope.
Level 1 - Initial - No Process documentation or not formally approved by management.
Level 2 - Repeatable - Formally approved Process documentation exists but not reviewed in the previous 2 years.
Level 3 - Defined - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 5% of the time.
Level 4 - Managed - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 3% of the time.
Level 5 - Optimizing - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 0,5% of the time.
Not applicable - Not applicable in the selected scope.
Level 1 - Initial - Standard process does not exist.
Level 2 - Repeatable - Ad-hoc process exists and is done informally.
Level 3 - Defined - Formal process exists and is implemented. Evidence available for most activities. Less than 10% process exceptions.
Level 4 - Managed - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established. Less than 5% of process exceptions.
Level 5 - Optimizing - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established and continually improving. Less than 1% of process exceptions.
Description

The organisation shall define and enforce clear policies and practical safeguards to manage and restrict the use of portable storage media, in order to reduce the risk of data leakage, unauthorised access, and malware introduction.

PR.DS-01.5
PR.DS-01.5: The organisation shall only allow the use of removable media when absolutely necessary, and shall put technical measures in place to block automatic execution of files from these devices.

The organisation shall only allow the use of removable media when absolutely necessary, and shall put technical measures in place to block automatic execution of files from these devices.

Not applicable - Not applicable in the selected scope.
Level 1 - Initial - No Process documentation or not formally approved by management.
Level 2 - Repeatable - Formally approved Process documentation exists but not reviewed in the previous 2 years.
Level 3 - Defined - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 5% of the time.
Level 4 - Managed - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 3% of the time.
Level 5 - Optimizing - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 0,5% of the time.
Not applicable - Not applicable in the selected scope.
Level 1 - Initial - Standard process does not exist.
Level 2 - Repeatable - Ad-hoc process exists and is done informally.
Level 3 - Defined - Formal process exists and is implemented. Evidence available for most activities. Less than 10% process exceptions.
Level 4 - Managed - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established. Less than 5% of process exceptions.
Level 5 - Optimizing - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established and continually improving. Less than 1% of process exceptions.
Description

The organisation shall only allow the use of removable media when absolutely necessary, and shall put technical measures in place to block automatic execution of files from these devices.

PR.DS-01.9
PR.DS-01.9: Enterprise assets shall be disposed of safely.

Enterprise assets shall be disposed of safely.

Not applicable - Not applicable in the selected scope.
Level 1 - Initial - No Process documentation or not formally approved by management.
Level 2 - Repeatable - Formally approved Process documentation exists but not reviewed in the previous 2 years.
Level 3 - Defined - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 5% of the time.
Level 4 - Managed - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 3% of the time.
Level 5 - Optimizing - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 0,5% of the time.
Not applicable - Not applicable in the selected scope.
Level 1 - Initial - Standard process does not exist.
Level 2 - Repeatable - Ad-hoc process exists and is done informally.
Level 3 - Defined - Formal process exists and is implemented. Evidence available for most activities. Less than 10% process exceptions.
Level 4 - Managed - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established. Less than 5% of process exceptions.
Level 5 - Optimizing - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established and continually improving. Less than 1% of process exceptions.
Description

Enterprise assets shall be disposed of safely.