Your organisation must establish policies and procedures to evaluate the effectiveness of the implemented measures.
Assessing the effectiveness of measures
You must ensure that the security measures put in place are sufficient to address the risks the organisation faces. The measures must be proportional to the threat landscape.
Measure
You must have a policy for continuously assessing whether your security measures are effective. The assessment must confirm that the measures still protect against the relevant risks and that the information security policy complies with internal requirements and applicable laws.
Next, you must establish procedures for carrying out these assessments and for deciding when to perform technical tests, e.g. vulnerability scans. These procedures should include:
- specific tools and methods for continuously assessing and testing the security of network and information systems,
- checks to confirm whether measures comply with current laws and regulations,
- methods for assessing whether policies are followed and how the organisation ensures that measures are effectively implemented and maintained for the assets they are meant to protect,
- a process for handling measures that are found to be ineffective, including follow-up and improvement,
- clarification of who is responsible for carrying out the assessments.
Both your policies and procedures should take into consideration:
- the results of your risk assessments and lessons learned from past incidents,
- what the measures are meant to protect, whether they provide an appropriate level of protection, and whether your organisation has the necessary resources to effectively manage them.
These policies and procedures should be linked to your organisation’s information system security policy, its risk management policy, and its incident handling procedures.
Finally, you may also ensure that those responsible for risk management, measures, and management reporting are familiar with the requirements for effectiveness assessments, so they can plan relevant controls and follow up on the results.
Documentation
Your policies and procedures for assessing effectiveness should be updated regularly and when there are major changes to the organisation’s business objectives, vulnerabilities, or threat landscape. This may, for example, take place ahead of the scheduled review of the organisation’s information systems security policy.
Technical Tests
By performing technical tests you make it possible to identify vulnerabilities and to evaluate the effectiveness of your implemented measures.
Requirements
You must regularly assess the need for technical tests to evaluate the effectiveness of your security measures. Based on a risk assessment you must define the type and frequency of tests, as well as which components, systems, and organisational elements should be tested to ensure secure operations.
Examples of technical tests include:
- vulnerability scans,
- penetration tests and red team tests,
- blue team activities,
- configuration reviews of systems and networks against best practices and your security policies,
- code reviews,
- patch management reviews,
- social engineering tests,
- access control and password security tests.
Your network and information systems should be security tested during installation, maintenance, upgrades, or other significant changes.
In addition, planned and regular technical tests should be carried out across the organisation. Tests may be conducted internally or by third parties, and should follow a documented methodology. The scope, type, timing, and results of the tests should be documented in a way that is clear even to external experts.
The results of technical tests may be used to update policies and procedures for assessing the effectiveness of security measures. At a minimum, documentation should include an assessment of how critical the findings are and any corrective actions taken if results indicate risks to confidentiality, integrity, authenticity, or availability. Any remaining risk must be formally accepted by risk owners and reported to the relevant management.
Documentation
You should carry out tests at regular intervals and after major changes or significant incidents. The documentation should be reviewed by relevant staff, and results should be reported to management.