Establish, implement, and maintain damage assessment procedures.

Establish/Maintain Documentation


This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

There are no implementation support Controls.


  • A security administration function and a set of formal procedures should be established for administering the allocation of access rights to system resources and application systems, and monitoring the use of system resources to detect any unusual or unauthorized activities. In particular, the funct… (3.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • When developing contingency plans, the organization shall develop a procedures manual that defines procedures for identifying damaged conditions. (O65.3(4), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Calls for the development of disaster assessment guidelines. This checklist helps ensure a good set of guidelines. Check yes or no for each item: The BCP clearly identifies the people involved in the disaster assessment The notification process for those involved in the disaster assessment is clearl… (Pg 81, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Does the IRS and associated procedures include thresholds, assessment, activation, resource provision and communication? (Operation ¶ 20, ISO 22301: Self-assessment questionnaire)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures. (SEF-02, Cloud Controls Matrix, v3.0)
  • assess the nature and extent of a disruptive incident and its potential impact, (§ 8.4.2 ¶ 2 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results. (§ 9.1.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall analyse the information security incidents by type, volume and impact on the SMS, services and interested parties. Information security incidents shall be reported and reviewed to identify opportunities for improvement. (§ ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Principle: Firms should establish policies and procedures, as well as roles and responsibilities for escalating and responding to cybersecurity incidents. Effective practices for incident response include: - preparation of incident responses for those types of incidents to which the firm is most lik… (Incident Response Planning, Report on Cybersecurity Practices)
  • Procedures must be implemented to conduct a situation analysis that includes a damage assessment to support the response and recovery operations. (§ 5.11.4, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • The nature and extent of a disruption must be determined in order to implement the contingency plan. The assessment should be completed as quickly as possible, and the safety of personnel must remain the number one priority. The following areas should be addressed, at a minimum, during an outage ass… (§ 4.2.3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))