
Author: Local Digital

Evidence to provide for critical systems self-assessment

A list of evidence your council can use to support your CAF for local government self-assessment for objectives B and C.

Evidence can include formal documents outlining processes, or simply minutes from meetings where cyber security was discussed.

Use your judgment on what counts as evidence. Consider if it is relevant to the IGP or contributing outcome in question and if it provides enough context for an independent assurer.

Here are typical examples of documentation your independent assurers expect to see as part of your self-assessment.

These are intended as examples and do not cover all the ways your council can prove you meet these outcomes.

Protecting against cyber attack (objective B)

Policy, process and procedure development (B1.a)

  • Policies and processes that support critical systems – for example, information security, IT, risk management, supplier, physical, legal
  • Documentation approval and sign-off process (policy, procedure, process)
  • Evidence of policies on your HR system
  • Policy review or renewal schedule
  • Communication plan
  • Minutes or agendas from governance steering group meetings

Policy, process and procedure implementation (B1.b)

  • Policies and processes that support critical systems – for example, information security, IT, risk management, supplier, physical, legal, HR, finance
  • Documentation approval and sign-off process (policy, procedure, process)
  • Process for dealing with policy breaches
  • Policy review or renewal schedule
  • Incident management reports, or equivalent
  • Disaster recovery plan
  • Business continuity plan
  • Communication plan
  • Documented roles and responsibilities
  • HR disciplinary process

Identity verification, authentication and authorisation (B2.a)

  • Council procedure documentation that supports the critical systems – for example, information security, IT
  • Joiners, movers and leavers process
  • Access control policy
  • Remote access policy
  • Process for your HR and payroll system
  • Evidence of what authentication you have in place
  • Evidence of user access reviews – for example, a screenshot of the review reminder

Device management (B2.b)

  • Council information and IT policies and processes including:
    • information security, or commercial (third-party) access
    • bring your own device (BYOD)
    • acceptable use
    • remote access
    • mobile device management
  • Procedure documentation that supports the critical systems – for example, privileged access management, build documents
  • Network diagram showing commercial (third-party) connectivity
  • Risk assessments for commercial (third-party) connectivity, and remediation plans
  • Joiners, movers and leavers process

Privileged user management (B2.c)

  • Council information and IT policies including:
    • information security policy
    • bring your own device (BYOD) policy
    • acceptable use policy
    • remote access policy
    • identity and access management policy
  • Evidence of multi-factor authentication for your cloud computing platform
  • Evidence of multi-factor authentication to access domain servers
  • Evidence of domain admin review – for example, a screenshot of the review reminder
  • Evidence of separate standard and administrative accounts
  • Process and procedure documentation that supports the critical systems – for example, privileged access management
  • Joiners, movers and leavers process
  • Network diagram showing the boundary enforcing controls, zoning model and monitoring arrangements
  • Risk assessments for commercial (third-party) connectivity, and remediation plans

Identity and access management (IdAM) (B2.d)

  • Council information and IT policies and processes including:
    • information security
    • asset management
    • acceptable use
    • identity and access management
  • Joiners, movers and leavers process
  • Documented process for approving and requesting user access
  • Screenshot of access logs
  • Process and procedure documentation that supports the critical systems – for example, information asset owner approval
  • Network diagram showing boundary enforcing controls, zoning model and monitoring arrangements

Understanding data (B3.a)

  • Council information and IT policies and processes including:
    • information security
    • asset management
    • acceptable use
    • identity and access management
    • removable media
  • Council process and procedure documentation that supports the critical systems – for example, information asset owner approval
  • Joiners, movers and leavers process
  • Network diagram showing boundary enforcing controls, zoning model and monitoring arrangements
  • Evidence of who has access to any Microsoft Teams or Slack channels that hold data important to the operation of your essential function

Data in transit (B3.b)

  • Council information and IT policies and processes including:
    • information security
    • asset management
    • acceptable use
    • identity and access management
    • cryptographic
  • Evidence of internet protocol security (IPsec) or SSL tunnels
  • Supplier assurance process – for example, questionnaire, risk assessments, inventory
  • Network diagram showing boundary enforcing controls, zoning model, supplier connectivity and monitoring arrangements

Stored data (B3.c)

  • Council information and IT policies and processes including:
    • information security
    • asset management
    • acceptable use
    • identity and access management
    • data movement or transfer
    • physical security
    • clear desk
    • data handling
    • data classification
    • data retention
    • backup, verification and recovery
    • cryptographic

Mobile data (B3.d)

  • Council information and IT policies and processes including:
    • information security
    • asset management
    • acceptable use
    • identity and access management
    • data handling
    • data classification
    • data retention
    • cryptographic
    • mobile device management – for example, build procedures
  • Information asset register (physical devices, data) and supporting process
  • Evidence of BitLocker

Media/equipment sanitisation (B3.e)

  • Council information and IT policies and processes including:
    • information security
    • asset management
    • acceptable use
    • data handling
    • data retention
    • secure data deletion and destruction
  • Information asset register (physical devices, software, data) and supporting process
  • Procedure to wipe devices
  • Disposal certificates

Secure by design (B4.a)

  • Policies and processes for:
    • secure development
    • software assurance
    • network and information system recovery
  • Approved product or software list
  • Competency framework or skills matrix
  • Network diagram showing boundary enforcing controls, zoning model, supplier connectivity and monitoring arrangements
  • Data flow diagrams
  • Infrastructure, endpoint and server build standards

Secure configuration (B4.b)

  • Policies and processes for:
    • secure development
    • asset management
    • change management
  • Information asset register (physical, software and data) and supporting process
  • Infrastructure, endpoint and server build standards
  • Security configuration change logs
  • Approved software list – this may be included in your software policy
  • Network diagram showing boundary enforcing controls, zoning model, environments (test, development, production) and monitoring arrangements
  • Data flow diagrams

Secure management (B4.c)

  • Council information and IT policies including:
    • information security
    • acceptable use
    • antivirus
    • identity and access management
  • Council process and procedure documentation that supports the critical systems – for example, privileged access management
  • Infrastructure, endpoint and server build standards
  • Network diagram showing boundary enforcing controls, zoning model, environments (test, development, production) and monitoring arrangements

Vulnerability management (B4.d)

  • Council information and IT policies including:
    • information security
    • patch management
    • vulnerability management (including remediation plans, testing)
  • Risk assessments, risk register and risk sign-offs process
  • Infrastructure, endpoint and server build standards
  • Network diagram showing boundary enforcing controls, zoning model, environments (test, development, production) and monitoring arrangements
  • Evidence of penetration testing
  • Evidence of severity scoring

Resilience preparation (B5.a)

  • Council information and IT policies including:
    • information security
    • backup, verification and recovery
    • physical security (data centres, server or communication rooms)
  • Council process and procedure documentation that supports the critical systems – for example, SOC or SIEM, failover procedures
  • Business continuity plan (including tests)
  • Disaster recovery plan (including tests)
  • IT disaster recovery plan (including table-top exercise reports)
  • Incident response plan
  • Business impact assessment (BIA)
  • Recovery time objective (RTO) and recovery point objective (RPO)
  • Information asset register (physical, software and data) and supporting process

Design for resilience (B5.b)

  • Risk assessments
  • Evidence that your risk register considers resource limitations
  • Council process and procedure documentation that supports the critical systems – for example, design, failover procedures
  • Network diagram showing boundary enforcing controls, zoning model, environments (test, development, production) and monitoring arrangements

Backups (B5.c)

  • Backup, verification and recovery policy and process
  • Evidence of backup testing or a backup test schedule
  • Information asset register (software and data) and supporting process

Cyber security culture (B6.a)

  • Council information and IT policies including:
    • information security
    • incident management
    • HR policy on staff training
  • Details of security briefings
  • Communication plan
  • Evidence of staff news informing employees of contribution to cyber security
  • Evidence of intranet main page showing cyber security contribution

Cyber security training (B6.b)

  • Council information and IT policies including:
    • information security
    • HR policy on staff training
  • Evidence of information and cyber security training courses (mandatory and role-specific)
  • Industry training and certifications
  • Skills matrix
  • Details of simulated cyber attack campaigns – for example, phishing simulations
  • Cyber security communications to employees

Detecting cyber security events (objective C)

Monitoring coverage (C1.a)

  • Protective monitoring policy and support process
  • Architecture for event logging infrastructure and SIEM implementation
  • SOC or SIEM processes

Securing logs (C1.b)

  • Policies and support processes for:
    • protective monitoring
    • incident management
    • backup, verification and recovery
  • Architecture for event logging infrastructure and SIEM implementation
  • SOC and SIEM processes (including retention)
  • Evidence of who has access to cyber security portals – for example, Microsoft Defender Portal
  • Evidence that your security information and event management (SIEM) system is read-only access

Generating alerts (C1.c)

  • Policies and support processes for:
    • protective monitoring
    • incident management
    • backup, verification and recovery
  • Architecture for event logging infrastructure and SIEM implementation
  • SOC and SIEM processes
  • Information asset register (physical, software and data) and supporting process
  • Evidence of early warnings from NCSC
  • Evidence of alert prioritisation to confirm essential functions are resolved as a priority
  • Evidence of alert testing – for example, a copy of a tuning request

Identifying security incidents (C1.d)

  • Policies and support processes for:
    • protective monitoring
    • incident management
    • patch management
  • Change requests to resolve identified vulnerabilities
  • Architecture for event logging infrastructure and SIEM implementation
  • SOC or SIEM processes
  • Information asset register (physical, software and data) and supporting process
  • Evidence of any threat intelligence feeds your council is part of
  • Schedule for protective technologies – for example, anti-virus (AV) or intrusion detection systems (IDS)

Monitoring tools and skills (C1.e)

  • Policies and support processes for:
    • protective monitoring
    • incident management
  • Architecture for event logging infrastructure and SIEM implementation
  • SOC or SIEM processes
  • Documented monitoring staff roles
  • Skills matrix
  • Vendor training and cyber certifications
