Continuous Improvements Evaluation
ID.IM-01: Improvements are identified based on evaluations.
  • 1. In accordance with the results of the review referred to in point 1 of measure GV.PO-02, an adjustment plan is defined, implemented, documented, and approved by the administrative and executive bodies, identifying the necessary actions to ensure the implementation of security policies.
  • 2. The administrative and executive bodies are informed through specific periodic reports on the outcomes of the plans referred to in point 1.
  • 3. A plan is defined, implemented, updated, and documented for evaluating the effectiveness of risk management measures for cybersecurity, which includes an indication of the measures to be evaluated and the related evaluation methods.
  • 4. The administrative and executive bodies are informed through specific periodic reports on the outcomes of the effectiveness evaluation plan referred to in point 3.
Plans Affecting Operations
ID.IM-04: Incident response plans and other cybersecurity plans impacting operations are established, communicated, maintained, and improved.
  • 1. For at least the relevant information and network systems, an operational continuity plan is defined, implemented, updated, and documented, including at least: a) the objectives and scope of application; b) roles and responsibilities; c) main contacts and communication channels (internal and external); d) conditions for activation and deactivation of the plan; e) necessary resources, including backups and redundancies.
  • 2. For at least the relevant information and network systems, a disaster recovery plan is defined, implemented, updated, and documented, including at least: a) the objectives and scope of application; b) roles and responsibilities; c) main contacts and communication channels (internal and external); d) conditions for activation and deactivation of the plan; e) necessary resources, including backups and redundancies; f) the order of recovery operations; g) recovery procedures for specific operations, including recovery objectives.
  • 3. For at least the relevant information and network systems, a crisis management plan is defined, implemented, updated, and documented, including at least: a) the roles and responsibilities of personnel and, where appropriate, suppliers, specifying role assignments in crisis situations, including specific procedures to follow; b) communication methods between parties and competent authorities.
  • 4. The plans referred to in points 1, 2, and 3 are approved by the administrative and management bodies.
  • 5. The plans referred to in points 1, 2, and 3 are reviewed and, where appropriate, periodically updated at least every two years, as well as whenever significant incidents occur or there are changes in threat exposure and related risks.