System Owner

Offline backup

All critical backup media, documentation and other IT resources needed for IT recovery, and business continuity plans are stored offsite. The content of backup storage is determined after collaboration between...

Datacenter uptime

Data centres used in the processing of information take appropriate measures to guarantee continued uptime.

Backup procedure

For every system a documented backup procedure is available with values for the RPO (Recovery Point Objective, maximum tolerable amount of data that can be lost) and RTO (Recovery Time...

Supplier Security Management

Before engaging in an agreement with a supplier of an IT-service, an information security risk assessment is performed. Contractual agreements regarding information security are made with suppliers of IT-services. Suppliers...

Software Bill-of-Materials

The organisation must know what software is used on managed devices, including a Software “Bill-of-Materials” (BOM) of libraries and components.

Emergency updates

Emergency changes requiring immediate implementation are properly handled to ensure minimal impact on systems and IT applications. The emergency change is registered, evaluated and tested after implementation and approved by...

Patch management

Available patches and/or security fixes are installed in compliance with set and approved policies (including those for operating systems, databases and installed applications) and recommendations of CERT and/or suppliers.

Asset registration

The assets making up a system that are under control of the organisation are registered and tracked in the CMDB. System owners periodically check that the information in the CMDB...