Include the implementation status of controls in the baseline of internal controls.
CONTROL ID
16128
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a baseline of internal controls., CC ID: 12415

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Gateway providers holding government information must document their implementation and effectiveness with the scoped ISM controls, the PSPF and the Australian Security Intelligence Organisation's (ASIO) T4 Physical Accreditation requirements. (55., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • IT-Grundschutz Check: This step is to check whether the basic requirements according to IT-Grundschutz have been implemented already in parts or completely, and which security safeguards are still missing. (§ 6 ¶ 3 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Check whether the security safeguards have been accepted and improve if necessary (§ 10.3 Subsection 1 Bullet 6, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Check implementation of the safeguards agreed (§ 10.3 Subsection 1 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • To check and improve the efficiency of the information security process, procedures and mechanisms should be established that check the implementation of the safeguards agreed, on the one hand, and their effectiveness and efficiency, on the other. (§ 10.1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Ask for the implementation status of the individual requirements (§ 8.4.2 Subsection 1 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Verify implementation of centralized, simple (economy of design), vetted, secure, and reusable security controls to avoid duplicate, missing, ineffective, or insecure controls. (1.1.6, Application Security Verification Standard 4.0.3, 4.0.3)
  • The implementation of each risk treatment measure and its effectiveness should be verified and recorded according to 6.7. (§ 6.5.3 ¶ 3, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • whether the necessary controls are implemented or not; and (§ 6.1.3 ¶ 1 d) Bullet 3, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)