Internal Context
Operational Structure
Business Units
In the modern business and operational context, information technology has become a key business enabler. It is frequently the case that business units, also called line units, generate their own business requirements, consume external IT services, or have systems dedicated to them.
Departments
Departments, also called staff units, perform staff functions to support the entity’s mission. In the context of IT and Information Security, most staff functions are performed through multiple departments with complex interdependencies. Some of the departments involved in a typical CSE for smooth delivery of these functions are:
Administration department manages personnel and physical security.
Finance department manages the procurement.
Workforce (HR) department ensures that people have the right competencies and critical positions are always staffed by candidates with the right mix of skills and experience.
Legal and Corporate Governance department manages legal and regulatory compliance.
Internal Audit department provides an independent view of compliance of processes and people.
IT Department carries out the technical functions related to IT.
Information Security Department carries out the information security related functions.
It is also well-established that Information technology is a key enabler for non-IT staff functions. The functional requirements of various departments are typically enabled through IT. The IT department is usually responsible for the design, development and/ or procurement, implementation and deployment, operation and management of the IT infrastructure, operations, and support. The departments themselves focus on the usage side of IT, covering the users, applications, and data.
Further, the Information Security Department usually works closely with the IT and the Legal and Corporate Governance Departments as part of its responsibility and accountability towards the governance, risk, policies, compliance, and assessment of information security of the entity’s IT infrastructure.
Sites and Locations
Large enterprises are typically spread across multiple sites or geographical locations, usually referred to as remote or branch offices. Sectors such as Power and Energy have OT sites in the form of substations and regional command and control centres. Enterprises with such geographically separated ICT must ensure governance mechanisms and controls for the holistic cybersecurity of the entity as a whole, not of each site in isolation.
Organisational Structure
Board of Directors
The Board of Directors of CSEs is ultimately accountable for cybersecurity in the organisation and its responsibilities would include:
approving strategic goals, business objectives, and policies related to IT, Business Continuity, Information Security, Cyber Security, and Cyber Crisis Management,
approving the cyber risk appetite as part of the overall risk appetite,
approving and overseeing the cybersecurity programme, strategy, and policy to manage cyber risks,
ensuring the implementation of the cybersecurity program,
being aware of and ensuring compliance with legal and regulatory obligations related to cyber security risks,
supporting the culture of awareness of cybersecurity in the organisation,
allocating adequate budget and resources for fulfilling cybersecurity requirements.
The Board of Directors of the CSEs should set up appropriate board-level and other high-level empowered committees for the Governance of Enterprise IT and Information Security, to support both strategic and operational goals while addressing the unique risk and compliance requirements in these areas. The governance structures should be kept in mind while framing these committees. The Board should have an independent director with substantial IT expertise in managing or guiding information technology initiatives, and the committees formed should include technically competent members.
Where a CSE does not have a Board of Directors, it is the responsibility of the top management or executive leadership to set up appropriate high-level empowered committees for the Governance of Enterprise IT and Information Security and to ensure their effective functioning.
CSEs having “Protected System” are mandated to constitute an Information Security Steering Committee (ISSC) under the Chairmanship of the Chief Executive Officer/ Managing Director/ Secretary of the organisation as per the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 notified vide Gazette Notification S.O. 2235(E) dated 22 May 2018.
Top-Level Management
The top management of entities, led by the Chief Executive (Managing Director or CEO), is accountable to the governing body (or Board) for the effective and efficient use of Information, Communication and Operational Technologies and for Information Security. Most entities have permanent leadership roles, with teams under them, that constitute enterprise-level top management. Typical leadership roles in a CSE are Chief Risk Officer (CRO), Chief of Operations/ Chief Operating Officer (COO), Chief Technology Officer (CTO), Chief Information Officer (CIO), Chief Strategy Officer (CSO), Chief Information Security Officer (CISO), Chief Human Resource Officer (CHRO) and, if required by law, a Data Protection Officer (DPO).
Top-level management’s responsibilities in CSEs will centre around strategic alignment, value delivery, risk management, resource optimization, and stakeholder engagement to leverage IT for competitive advantage and sustainable business performance.
The essential top-level management functions for Enterprise Governance of IT (EGIT) and Information Security Governance (EISG) are:
Aligning IT and infosec goals and objectives with the overall business strategy and vision set by the Board of Directors. This involves
setting objectives and initiatives in line with the overall business goals.
establishing governance structures by creating committees and steering groups to oversee the alignment between business, IT and cyber resilience.
establishing entity-wide policies and programs.
ensuring stakeholder involvement.
Providing leadership, direction and oversight for the IT and Infosec departments. This includes defining the IT operating models, planning, organising and implementing projects to achieve the desired business outcomes, budgeting, organisational structure, roles and responsibilities, and project management oversight.
Resource Management - This entails ensuring optimal allocation and utilisation of IT and infosec resources (e.g., personnel, technology, budgets), capacity planning, developing strategies for internal and external sourcing of IT and infosec services and solutions, exercising oversight on contracts with third-party service providers, outsourcing of work to Managed Service Providers (MSP), etc. Adequate resources should be designated specifically for cybersecurity, separate from those allocated for general IT needs. The allocation may vary widely based on the business objectives and risk management of each CSE. However, based on global best practice, it is recommended that at least 10% of the total IT budget be allocated to cybersecurity, increasing progressively with the cybersecurity risks faced by the entity. Such allocation should be recorded under a separate budget head so that the Board of Directors or Governing Body can monitor it.
Risk Management - This involves
establishing a risk management framework that identifies, assesses and mitigates risks associated with the use of technology, and ensures compliance with the relevant laws, regulations, and policies.
analysing and managing the business impact of degradation, failure and non-availability of IT, OT and IIoT systems, and safety of operational technologies (OT).
Monitoring and measuring IT performance and value delivery - This involves
maintaining oversight using management systems for all IT, OT and Information Security aspects that can adversely affect the organisation.
establishing and tracking key performance indicators (KPIs) for IT and infosec services and activities.
using performance data to drive continuous improvement in services and processes.
benchmarking to compare IT and infosec performance against industry standards and best practices.
Fostering effective communication, collaboration and partnership between business and IT stakeholders. Communicate regularly within and outside the entity to ensure coherence. This is especially important during crisis management related to high-impact IT and cybersecurity incidents.
The Enterprise Information Security Governance (EISG) functions are usually led by the CRO or the Enterprise CISO, who is responsible for the implementation of enterprise-wide information security policies, and exercising information security-related oversight on the business groups and business units of the enterprise.
A CISO should have knowledge and experience of information security governance, risk and compliance management, ISMS and related issues. The CISO’s responsibilities typically include cyber resilience and cybersecurity planning, development and rollout of the ISMS, and coordinating cybersecurity related issues within the organisation and with relevant external agencies. The CISO must be capable of performing the duties as per the “Roles and Responsibilities of CISOs” defined by NCIIPC, CERT-In and the Regulators.
CSEs must clearly define the roles, responsibilities and teams for governance of enterprise IT and information security, as appropriate to their organisational structures. The leadership and teams must be given the required authority and resources to carry out their functions and be held accountable for the required outcomes. A key factor for success is the ability of the leaders, their teams, business units and departments to work collaboratively to address the shared concerns of all stakeholders. Adequate thought must be given to behavioural aspects and conflict resolution mechanisms while assigning responsibilities to leaders and teams. Further, each team must have a proper mix of expertise and experience and should use technology to carry out its functions effectively.
Committees
Entities usually have different formal and semi-formal structures to support the governing body and the top management in their IT and information security governance functions. These structures are in the form of committees, groups, task forces etc, and typically carry out evaluation, monitoring, and oversight functions to support the governing body and the top management.
Many Sectoral Regulators have prescribed the frameworks for the Governance of Enterprise IT and Information Security for their regulated entities. The governance frameworks and governance related guidance of the important regulators of the country emphasise the need to have a good governance framework for enterprise IT and Information Security of entities using ICT for achieving their business mission and objectives.
Information Security Division/ Department (ISD)
The ISD of an entity is responsible for planning, implementing and continually improving the technology-driven capabilities, processes, and workforce to achieve cybersecurity.
Each business group or unit in the CSE may have its own Information Security Officer (ISO) with a team under them, reporting hierarchically to the CISO. Together, they constitute the entity’s Information Security Division/ Department, resourced and staffed according to the size and business of the CSE.
Technology Strategy and Perspective Planning
All modern enterprises use technology to carry out their business functions. A good practice followed by many organisations is to have a Technology Strategy and Perspective Planning (TS&PP) programme for planning, implementing and continually improving the technology-driven capabilities, processes, and workforce.
The technologies and processes are typically deployed through individual projects that are conceived, designed, and implemented by different business units and departments. In many cases, this leads to duplication or inadequate optimisation of enterprise resources, operations, and workforce utilisation.
The use of IT, OT and Information Security should therefore be evaluated, directed, and monitored from an entity-wide perspective that enables the governing bodies and top management to holistically evaluate the achievement of mission and business objectives. This will ensure that the individual IT, OT and IS projects of different business units and departments are aligned with the enterprise’s strategic IT and Information Security objectives and compliant with all enterprise policies and processes. Further, it helps in the optimisation of investments, IT and cybersecurity workforce competency development, exploitation of the latest technologies and practices, continuous improvement of cybersecurity maturity etc.
Organisations will benefit from having an entity-wide TS&PP programme that provides enterprise-wide strategic direction and decisions on the use of IT, OT, and information security. The CTO, CIO, Heads of OT and CISO should be part of the Technology Strategy and Perspective Planning committee. Typically, the committee should:
evaluate the objectives and expected outcomes of different projects within the overall technology adoption roadmap of the organisation.
synergise activities and investments across multiple projects.
provide oversight and guidance to individual project management teams.
oversee the cyber resilience aspects.
Performance and Effectiveness Monitoring
Governing bodies and top management should have a well-defined mechanism for monitoring and measurement of IT, OT and Information Security performance and effectiveness of management systems and processes at the strategic, tactical, and operational levels. The monitoring and measurement mechanism should cover all processes, both automated and manual, with the objective of providing actionable evidence to take preventive and corrective actions at each level.
Metrics are tools designed to enhance the performance and accountability through collection, analysis, and reporting of relevant performance related data. Metrics in information security track the achievement of set goals and objectives by measuring the degree to which security measures are applied, as well as assessing the controls’ efficiency and efficacy, evaluating the sufficiency of security measures, and pinpointing potential areas for improvement. Entities should develop Key Performance Indicators (KPIs) for evaluation of their IT and Information Security programmes and periodically evaluate the implementation and effectiveness of their IT and Information Security Governance programmes by measuring the defined KPIs.
Organizations will benefit significantly from having a Performance and Effectiveness Monitoring (P&EM) programme to assist the governing bodies and top management in their function of enterprise-wide monitoring and measurement of IT, OT and infosec performance and effectiveness. The Governance, Risk and Compliance team should work with the business units, IT, OT and Infosec Heads and other stakeholders to develop KPIs that monitor and measure vital aspects of IT, OT and Information Security processes, people and technologies. The KPIs should address the concerns of the governing body and top management.
CSEs should put in place a structured process of reporting cybersecurity related matters to the Board or the Board Level Committees through the CISO. Structured reporting should inter alia include, key cyber risks faced by the organisation, cyber security preparedness, cyber security postures, organisational initiatives to enhance the cyber security resilience, status of compliance with regulatory guidelines, reporting of cyber security events and incidents.
Governance
Organisational governance is defined as “a system by which an organisation makes and implements decisions in pursuit of its objectives.” Organisational governance is achieved by a mix of standards, rules, processes, practices, and technology platforms that support maturity in governance.
In view of the enhanced role of ICT in achieving the business mission and objectives, governance of IT and of information security are considered subsets or domains of organisational (entity) governance. Definitions of governance in the specific context of IT and Information Security are provided in ISO 26000, ISO/IEC 38500:2015 and ISO/IEC 27014:2020.
Governance of Enterprise IT (ISO/IEC 38500:2015) deals with resources required to acquire, process, store and disseminate information.
Enterprise Information Security Governance (ISO/IEC 27014:2020) deals with assurance of information confidentiality, integrity and availability and effective communication of the same with various external stakeholders.
Governance of Enterprise IT
A model for good governance of IT assists those at the highest level of the entity to understand and fulfil their legal, regulatory and other obligations in respect of the entity’s use of IT. Further, it assists governing bodies in ensuring that the use of IT contributes positively to the performance of the organisation. Governing bodies should exercise their authority to ensure that their organisations follow a well-defined and suitable model for governance of IT, based on global best practices, so that the risks arising from the use of IT can be managed and the opportunities exploited.
ISO/IEC 38500:2015 describes the principles and practices for good governance of IT and provides a baseline for each entity to develop their own model. The six core principles are:
Establish responsibility.
Define strategy for IT to support business.
Make acquisitions as appropriate.
Ensure performance.
Ensure conformance.
Achieve appropriate human behaviour.
Further, three main practices through which the governing bodies can continuously evolve governance of IT are:
Evaluate the current and future use of IT in the context of the business need.
Direct preparation and implementation of strategies and policies to ensure that use of IT meets business objectives.
Monitor performance against the strategies particularly regarding their business objectives and conformance to external obligations and internal work practices.
Governance of Information Security
Governance of information security ensures effective implementation of information security controls and provides the following assurance:
Directives concerning information security will be followed.
The governing body will receive reliable and relevant reports about information security related activities.
The framework for governance of information security will assist the governing body to make decisions concerning the strategic objectives for the organisation. It further provides information about information security that can affect these strategic objectives. It also ensures that information security strategy aligns with the overall objectives of the entity.
ISO/IEC 27014:2020 defines six objectives for information security governance that provide a baseline for overall direction and control by the governing bodies and the top management. The detailed description of each objective and process is given in the ISO document. The practical application of each objective within an entity is briefly described below:
1. Establish integrated comprehensive entity-wide information security
Objective 1 calls for the establishment of an integrated comprehensive entity-wide information security framework. In practice, this would generally be addressed as under:
Organisations should define and document an enterprise level context for their Information Security Management System (ISMS). Further, the context, scope, external elements etc. of each of their individual ISMS implementations (business-unit or site-based) should flow from and be fully aligned with the enterprise context.
Organisations should define and document an enterprise level ISMS objective and policy. The ISMS policies of each of the individual ISMS implementations should be aligned with the enterprise context.
An enterprise level approach would provide the following benefits:
Governing bodies and top management can evaluate, direct, and monitor that information security is consistent across the enterprise.
Regulators and national nodal agencies can validate that the policy directives and regulatory guidelines provided to the regulated and critical sector entities are incorporated into the enterprise level ISMS framework, which further gets applied uniformly into all the ISMS implementations in the entities.
Auditors can easily assess and verify whether all the mandated policies have been incorporated in each of the ISMSs audited by them.
2. Make decisions using a risk-based approach
Objective 2 calls for using a risk-based approach for decisions. A risk-based approach is recognised world-wide as an effective mechanism for inter-se prioritisation of the following:
Investment in protection functions that includes business continuity.
Allocation and use of resources.
Work related to tracking and monitoring functions.
Incident response and crisis management activities.
In general, risk is a function of impact and likelihood. However, entities may decide that the potential impact of some of the disruptions are so devastating that they have the highest risk even if their likelihood is very low. In all other cases, risk reflects the organisation’s ability to accomplish its assigned mission, protect its assets, fulfil its legal responsibilities, maintain its day-to-day functions, and protect individuals.
Regulated and critical sector entities would benefit from using the ISO, IEC, NIST and other well-known standards to design, develop and implement risk management system within their organisations. A risk-based approach helps entities correctly identify all the controls that are applicable in their ISMSs. An enterprise level approach to risk management would provide the following benefits:
Governing bodies and top management can evaluate the information security risks with the use of IT to achieve business objectives and further incorporate them into the enterprise level ISMS framework. This will help them direct and monitor the individual ISMSs effectively.
Regulators and national nodal agencies can validate that all the additional controls prescribed by them are consolidated into the enterprise level ISMS framework, which further gets applied uniformly into all the ISMS implementations in the entities.
Cybersecurity auditors can use the comprehensively defined Statement of Applicability (SoA) to verify that all risks have been considered for their technical audit.
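The following is an added example, not part of the original document, that works through the risk-based prioritisation described above: each risk is scored as impact × likelihood on a 5×5 ordinal scale, a catastrophic impact overrides likelihood (the "devastating even if very unlikely" rule), risks above the governing body's appetite are flagged for treatment, and the controls those risks justify are collected into a Statement of Applicability that an auditor can trace back to the risk assessment. The scales, the override threshold, the appetite value, the register entries and the control mapping are all assumptions made for illustration; the control references follow ISO/IEC 27001:2022 Annex A numbering but the mapping is illustrative only.

```python
"""Risk-based prioritisation of a risk register and derivation of a
Statement of Applicability (SoA).

Added example; not part of the original document. The 5x5 scale, the
catastrophic-impact override, the risk appetite, the register entries and
the control mapping are assumptions made for illustration.
"""
from dataclasses import dataclass

# Ordinal scales (assumed). Score = impact x likelihood, range 1..25.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
MAX_SCORE = max(IMPACT.values()) * max(LIKELIHOOD.values())

# Governing-body decisions (assumed values): a catastrophic impact is scored
# at the maximum regardless of likelihood, and anything scoring above the
# appetite must be treated rather than accepted.
CATASTROPHIC_LEVEL = IMPACT["catastrophic"]
RISK_APPETITE = 9


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    impact: str
    likelihood: str
    controls: tuple[str, ...]   # controls whose applicability this risk justifies


def risk_score(impact: str, likelihood: str) -> int:
    """Impact x likelihood, with the catastrophic-impact override."""
    i, l = IMPACT[impact], LIKELIHOOD[likelihood]
    if i >= CATASTROPHIC_LEVEL:
        return MAX_SCORE          # devastating outcomes rank highest even if rare
    return i * l


def prioritise(register: list[Risk]) -> list[tuple[str, int, bool]]:
    """Rank risks highest first; the flag marks those outside appetite."""
    scored = [(r.risk_id, risk_score(r.impact, r.likelihood)) for r in register]
    scored.sort(key=lambda t: (-t[1], t[0]))
    return [(rid, score, score > RISK_APPETITE) for rid, score in scored]


def statement_of_applicability(register: list[Risk]) -> dict[str, list[str]]:
    """Control -> risk IDs that justify it. Every control in the SoA is
    traceable to at least one identified risk, which is what an auditor
    checks against the risk assessment."""
    soa: dict[str, list[str]] = {}
    for r in register:
        for c in r.controls:
            soa.setdefault(c, []).append(r.risk_id)
    return {c: sorted(ids) for c, ids in sorted(soa.items())}


# Constructed sample register (illustrative; not from any real entity).
REGISTER = [
    Risk("R1", "Ransomware halts substation SCADA and the regional control centre",
         "catastrophic", "rare", ("A.8.7", "A.8.13", "A.8.16")),
    Risk("R2", "Phishing yields privileged credentials for the IT domain",
         "major", "likely", ("A.5.17", "A.8.5", "A.6.3")),
    Risk("R3", "Unencrypted laptop with customer data lost in transit",
         "moderate", "possible", ("A.7.9", "A.8.24")),
    Risk("R4", "Public website defaced via an unpatched CMS plugin",
         "minor", "likely", ("A.8.8",)),
]

if __name__ == "__main__":
    for rid, score, treat in prioritise(REGISTER):
        print(f"{rid}: score={score:2d} {'TREAT' if treat else 'accept'}")
    for control, ids in statement_of_applicability(REGISTER).items():
        print(f"{control}: justified by {', '.join(ids)}")
```

Note that R1 ranks first although its likelihood is "rare": without the override it would score 5 and be accepted, which is exactly the outcome the catastrophic-impact rule is meant to prevent. R3 scores 9, equal to the appetite, and is therefore accepted; whether the boundary is inclusive is itself a governing-body decision that should be recorded with the appetite.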
3. Set the direction of acquisition
Objective 3 calls for setting the direction of acquisition of IT, OT, and Information Security capabilities in a comprehensive and consistent manner.
The enterprise level risk assessment carried out as part of Objective 2 will help in the prioritisation of investments and allocation of resources. The Information Security Steering Committees (ISSC) of critical sector entities can provide right guidance to the top management when there is a common understanding of risk.
4. Ensure conformance with internal and external requirements.
Objective 4 calls for ensuring conformance with internal and external requirements.
One of the objectives of regulators and national bodies is to standardise information security management and its audit across various entities, particularly the critical sector entities. A common approach and methodology of audit of IT Security can be achieved through the guidelines given in various national / international standards.
Entities should evaluate and adopt an internationally accepted methodology for audit of the implemented IT and Information Security Management System at agreed frequency and scope (this frequency and scope should be compliant with the minimum baseline promulgated vide various rules and regulations). The audit scope, audit objective, audit criteria and the competency of the auditors should be such that it provides adequate assurance to the stakeholders on the objectivity and impartiality of the results. The results of the audit are to be reviewed at an appropriate level in the entity / controller / regulator. The causal analysis and corrective action plan for any non-conformities observed in the audit are also to be reviewed and tracked for acceptable closure.
5. Foster a security-positive culture
Objective 5 calls for fostering a security-positive culture, which is largely a people-driven activity. This requires the top management to focus on building a positive information security culture within the entity through security education, training and awareness programs and integrating the information security responsibilities into the roles of employees and managers.
6. Ensure the security performance meets current and future requirements of the entity
Objective 6 calls for ensuring that the security performance meets current and future requirements of the entity.
A data-driven analytical approach for security performance monitoring and measurement would be highly beneficial for entities. This approach requires entities to identify and use software applications and automation platforms for data acquisition, evidence collection and analysis of both IT and information security performance. The acquired measurement data would help the internal, external, and special audit teams to review and assess the information security processes and activities.
National nodal agencies can further evolve platforms and processes for machine-processing of data from different entities to carry out sectoral and cross-sectoral analysis of audit compliance, audit effectiveness and grading of auditors.
The governing bodies and the top management apply the following four processes iteratively to achieve the above objectives:
Evaluate
Direct
Monitor
Communicate
Essential Top Level Management Governance Functions
The key processes for governance of Enterprise IT and Information Security are depicted in the pictorial below.
A harmonised view of the governance functions is covered here.
Summary
The governance frameworks provide the core principles, objectives and processes in IT and Information Security for the governing bodies and top management to implement effective governance in their respective business context. The focus of governance of IT is on managing resources to acquire, process, store and disseminate information (this may include OT and IIoT). This functionality is complemented by the governance of Information Security, which focuses on confidentiality, integrity, and availability of information (including the safety of OT and IIoT).
The governing bodies and top management of all regulated and critical sector entities are accountable for the Governance of Enterprise IT and Information Security. They have the responsibility to evaluate and direct the specific actions required to implement the principles within their organisations and monitor their efficacy. In short, Governance of Enterprise IT and Information Security are board-level agendas.
Communication is an important Information Security governance process since it enables entities to be held accountable to interested parties. As part of this function, the critical sector entities must maintain continuous information flow with the national nodal agencies and the sectoral regulators. This communication is necessary for the national nodal agencies to evaluate the effectiveness of their risk management and information security management. The entities are also required by law to report information security incidents to appropriate national nodal agencies and regulators, as applicable.
The assurance aspect is overseen by the sectoral regulators and the national nodal agencies, who exercise their authority to audit the regulated and critical sector entities for compliance with the law, regulations and directives issued by them.
It is also important to recognise that, while the authority for specific aspects of IT and Information Security may be delegated to managers within the organisations, the accountability for effective, efficient, and acceptable use of IT and Information Security within the entity and all its organisations remains with the governing body and top management in case of CSEs. This responsibility and accountability cannot be delegated.
The governance of enterprise IT and information security in the internal context (within the jurisdiction of the entity) is fairly straightforward. All entities typically implement their IT, OT and IS infrastructure to align with their business functions. The operational structure is usually in the form of business units, departments, sites/ branches, and locations. The organisational structure is closely aligned with the operational structure in the form of a governing body or board, top or executive management, senior, middle-level, and lower-level management.
Information Security Management System (ISMS)
ISMS Design, Implementation and Operation
Overview and Purpose
All organisations recognise the need to protect their business functions, capabilities and processes from being disrupted or compromised. It requires the resilience to be built into the governance, business, technology and physical levels. Organisations use mechanisms like information security management systems (ISMS), incident response (IR), business continuity management systems (BCMS) and cyber crisis management plans (CCMP) to implement and manage the required resilience.
Information Security Management System (ISMS) is a generic term for the practice of protecting an organisation’s business functions from disruption and compromise, and of ensuring compliance with laws and regulations. Critical sector entities with notified CII/ Protected Systems are mandated under the IT (NCIIPC) Rules, 2018, to set up and operate an ISMS in their organisations.
All the business functions and processes run on an underlying information infrastructure. An ISMS can assure the resilience of an organisation’s information infrastructure.
Organisations have an option to design, implement and operate their own custom-built ISMS. However, most organisations implement their ISMS based on published standards like IS/ISO/IEC 27001 or QCI CSMS Level 1. The latter option gives them the benefit of independent third-party certification by an accredited Certification Body (CB).
Tip
It is advisable for an organisation to start its ISMS journey with a custom-designed, standards-agnostic ISMS. This approach will trigger a deep application of mind on the governance, business and technical objectives and the desired outcomes from the ISMS without being constrained by any specific framework. If required, Section 4 of ISO 27003 can be used for basic guidance and direction. Once the standards-agnostic ISMS design is accepted by the governing body and the top management, the ISMS implementation team can work on using an appropriate standard for implementation.
Information Security Management Systems (ISMS) design, implementation and operation refers to the approach that organisations must adopt to protect their IT, OT and IIoT information infrastructure and keep them resilient against cyberattacks. The practice involves identifying risks to the information infrastructure of the organisation, designing policies and controls to mitigate and manage these risks, and implementing the same within the organisation.
A crucial part of this practice is about regular reviews and updates to keep up with evolving security threats. Consistent review and improvement of an organisation’s ISMS practice not only secures the information infrastructure but also supports the organisations’ regulatory compliance and business continuity.
ISMS Governance
Governing bodies and top management of entities must direct the ISMS to be based on organisational requirements and to have an entity-wide perspective. They are responsible for evaluating whether one or more ISMSs are needed to support the information security objectives of the entity. Section 5 of ISO 27003 provides guidance on leadership functions. Section 6 of ISO 27003 and ISO 27005 provide guidance on risk-related functions. Section 7 of ISO 27003 provides guidance on resourcing the implementation and operation of the ISMS.
The governing body should undertake the following with due diligence for the success of ISMS:
Mandatorily define and document an enterprise-level context for ISMS in their organisations.
Approve the creation of ISMS.
Mandatorily define and document an enterprise-level ISMS objective and policy. It should provide directions to each ISMS implementation in the organisation to align it with the enterprise context.
All policy and regulatory directions received from national nodal bodies and regulators should be incorporated into the enterprise-level ISMS policy. This also helps auditors assess whether all applicable directions have been incorporated.
Take decisions on acceptable levels of residual risk or appropriate risk treatments.
Provide each ISMS with communication channels and authority to inform interested parties and all persons in the scope of that ISMS.
Plans to obtain ISMS certifications must be formulated at the enterprise level. Obtaining certifications for individual sites, without having an entity-wide plan will be inefficient and ineffective because the individual ISMSs would not be aligned with the entity’s information security objectives, policies and processes and risk management.
The governing bodies and top management of entities must also monitor the performance and effectiveness of the ISMS during the operational stage to keep it aligned with the organisation’s objectives.
Conformance to Standards
An ISMS based on ISO 27001:2022 or the NCIIPC-QCI Cybersecurity Management System (CSMS) Level 1 Scheme offers significant benefits in terms of documentation and guidance. The ISO 27000 series documents provide comprehensive information for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS. These documents can be used to establish an ISMS even when an organisation does not intend to seek ISO certification.
Note
The NCIIPC-QCI Cybersecurity Management System (CSMS) Level 1 Scheme encompasses ISO 27001 certification.
| Standard | Subject and description |
|---|---|
| ISO 27001 | ISMS requirements - States the requirements an ISMS must meet; this is the standard against which an organisation is certified. |
| ISO 27002 | Information security controls - Builds on ISO 27001 by describing the controls (the Annex A reference set) that can be used to meet its requirements. |
| ISO 27003 | ISMS implementation guidance - Covers securing project approval, defining scope, analysis and risk assessment, and designing the ISMS framework. |
| ISO 27004 | Monitoring, measurement, analysis and evaluation - Outlines how an organisation can monitor and measure information security performance and ISMS effectiveness with metrics. |
| ISO 27005 | Information security risk management - Defines the high-level risk management approach. |
| ISO 27006 | Requirements for certification bodies - Sets out the requirements for bodies that audit and certify an ISMS against ISO 27001. |
Tip
ISMS practitioners should study the ISO 27000 series documents listed above and adopt them in a suitable manner into the ISMS design, implementation and operation.
ISMS Design
Some of the activities and tasks associated with ISMS design are given below:
- Scope Determination: Define the ISMS scope, ensuring it encompasses all assets, people, processes, and IT systems. The ISMS design and implementation team must understand the business functions and processes of the organisation and their interdependencies.
- Policy Development: Design comprehensive security policies that address the protection of information assets against various threats and establish security objectives.
- Roles Definition: Assign clear information security roles and responsibilities, ensuring accountability and proper oversight of the ISMS initiatives.
- Risk Management: Identify, assess and treat risks using the risk assessment method and acceptance criteria the organisation has established.
- Control Selection: Choose appropriate security controls from the relevant frameworks to mitigate identified risks.
- Control Implementation: Deploy security measures and practices in alignment with the established ISMS policy framework, supporting the organisation’s security strategy.
- Automation: Evaluate and select software applications and platforms for operating and managing the ISMS processes (documentation, risk, SoA mapping, evidence collection, compliance tracking etc).
- Employee Training and Awareness: Combine regular security awareness programs with skill enhancement training to educate employees about ISMS policies and improve their ability to contribute to the organisation’s security.
- Continuous Monitoring: Oversee the ongoing effectiveness of the ISMS and security controls, adapting to new threats and organisational changes.
- Regular Audits: Implement a schedule of internal and external audits to ensure continuous compliance with ISMS requirements and identify opportunities for improvement.
- Improvement Actions: Address non-conformities and areas of weakness identified during reviews and audits, closing gaps in the ISMS where necessary.
ISMS Implementation
Each ISMS must implement controls for information security risk treatment in accordance with the policies approved by the governing board / top management of the CSE. ISO 27003 provides explanation and guidance for implementing all requirements of ISO 27001.
Generic steps for implementing ISMS based on ISO 27001:2022 or NCIIPC-QCI Cybersecurity Management System (CSMS) Level 1 Scheme are given below:
- Set the scope of ISMS by defining what parts of the organisation’s information systems are intended to be protected. The scope typically includes the organisation’s business processes and locations that will be covered under ISMS.
- Establish and publish a top-level Information Security policy for the organisation. This will be further supported by subordinate policies.
- Set the risk assessment context as required by Clause 4 (context of the organisation) and Clause 6.1.2 (information security risk assessment) of ISO 27001:2022. Use ISO 27005 and other applicable guidelines for the assessment method.
- Identify, analyse and evaluate risks as per Clause 6 (planning) and Clause 8 (operation) of ISO 27001:2022.
- Establish a Risk Acceptance Criteria (RAC) for the organisation, which should be approved by the top management of the organisation (Board or Board equivalent). The RAC will then be used as the basis for risk management (assessment, evaluation, and treatment).
- Set the risk acceptance threshold, based on the context of the organisation and the expectations of internal and external interested parties.
- Formulate the risk treatment plan in respect of the RAC by selecting appropriate controls from “Annex A of ISO 27001:2022”. Add supplementary and technical controls from external sources (e.g. guidelines and directives from Ministries, Regulators, NCIIPC, CERT-In, NSCS) and global good practices (e.g. PCI, CIS, Cloud Security Alliance) if they are considered necessary or suitable in the business context of the organisation. Use ISO 27002:2022 as a working guideline for meeting the requirements of ISO 27001:2022.
- Document all the applicable controls along with their point of application in a Statement of Applicability (SoA) document. Any control, if excluded, should be justified in the SoA and the same should also comply with the risk acceptance criteria.
- Implement the security controls given in the SoA on the information infrastructure. For critical risks, a two-tier deployment is typically adopted: a primary control that treats the risk, and a supervisory control that monitors whether the primary control is in place and operating.
- Carry out an audit or inspection of the information infrastructure through CERT-In empanelled auditors, covering both process and technical deployment of controls, as per the guidelines issued by CERT-In and NSCS.
- Test the effectiveness of the implementation and operation of the technical cyber security controls through Vulnerability Assessment and Penetration Testing (VAPT).
ISMS flowchart is pictorially represented below.
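The SoA step above is easiest to audit when the SoA is kept in a machine-checkable form rather than only in a spreadsheet. The following is an added example written for this page (not an NCIIPC, QCI or ISO tool): it validates that every control in a catalogue is either applied or excluded with a justification, that applied controls are tied to registered risks and a point of application, and that supplementary controls name their source. The record layout is an assumption, the Annex A subset is a constructed sample of five of the 93 controls (not the full catalogue), and the risk register entries and `CIS-4.1` supplementary control are invented for the demonstration.

```python
"""Added example: a machine-checkable Statement of Applicability (SoA).

Illustrative code for this page, not a tool from NCIIPC, QCI or ISO.
The record layout is assumed; ANNEX_A is a constructed subset of the
ISO 27001:2022 Annex A catalogue; RISKS and SAMPLE_SOA are invented.
"""
from dataclasses import dataclass, field

# Constructed subset of the Annex A catalogue (id -> title). Not the full list.
ANNEX_A = {
    "A.5.1": "Policies for information security",
    "A.5.7": "Threat intelligence",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.16": "Monitoring activities",
    "A.8.24": "Use of cryptography",
}


@dataclass
class SoAEntry:
    control_id: str
    applicable: bool
    justification: str = ""                 # mandatory when the control is excluded
    risks_treated: list[str] = field(default_factory=list)  # risk register ids
    point_of_application: str = ""          # e.g. "all OT sites", "SOC"
    source: str = "ISO 27001:2022 Annex A"  # external source for supplementary controls


def validate_soa(entries, catalogue, risk_register):
    """Return a list of findings; an empty list means the SoA is consistent.

    Checks: each catalogue control appears exactly once; excluded controls
    carry a justification; applied controls treat at least one registered
    risk and record where they apply; controls outside the catalogue name
    the external source they come from.
    """
    findings = []
    seen = set()
    for e in entries:
        if e.control_id in seen:
            findings.append(f"{e.control_id}: duplicate entry")
        seen.add(e.control_id)
    for cid in catalogue:
        if cid not in seen:
            findings.append(f"{cid}: missing from SoA (must be applied or justified)")
    for e in entries:
        if not e.applicable:
            if not e.justification.strip():
                findings.append(f"{e.control_id}: excluded without justification")
            continue
        if not e.risks_treated:
            findings.append(f"{e.control_id}: applied but treats no registered risk")
        for rid in e.risks_treated:
            if rid not in risk_register:
                findings.append(f"{e.control_id}: references unknown risk {rid}")
        if not e.point_of_application.strip():
            findings.append(f"{e.control_id}: no point of application recorded")
        if e.control_id not in catalogue and e.source == "ISO 27001:2022 Annex A":
            findings.append(f"{e.control_id}: not in Annex A; record its external source")
    return findings


# Constructed risk register and SoA for a demonstration run.
RISKS = {
    "R-01": "Unpatched internet-facing OT gateway",
    "R-02": "Weak TLS configuration on customer portal",
}
SAMPLE_SOA = [
    SoAEntry("A.5.1", True, risks_treated=["R-01"], point_of_application="entity-wide"),
    SoAEntry("A.5.7", True, risks_treated=["R-01"], point_of_application="SOC"),
    SoAEntry("A.8.8", True, risks_treated=["R-01"], point_of_application="all OT sites"),
    SoAEntry("A.8.16", True, risks_treated=[], point_of_application="SOC"),  # defect: no risk
    SoAEntry("A.8.24", False),                                               # defect: no justification
    SoAEntry("CIS-4.1", True, risks_treated=["R-02"], point_of_application="DMZ",
             source="CIS Controls v8"),                                      # supplementary control
]

if __name__ == "__main__":
    for finding in validate_soa(SAMPLE_SOA, ANNEX_A, RISKS):
        print("FINDING:", finding)
```

Run against the sample, the check reports two findings (A.8.16 applied without a risk, A.8.24 excluded without justification); the same function, fed the real catalogue and the organisation's risk register, can run in a pipeline so that an SoA that fails the check is never released for audit.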
ISMS Operation
Organisations should adopt appropriate methods to continuously operate and evaluate the performance and effectiveness of the ISMS after its implementation and Go-Live. Reporting to the governing body and top management is essential to the success of ISMS.
IS/ISO/IEC TS 27008:2019 provides guidance on reviewing and assessing the implementation and operation of information security controls. It includes the technical assessment of information system controls and their compliance to criteria established by the organisation, law and regulation.
Another critical aspect of ISMS operation is to measure the outcomes delivered by it. ISO/IEC 27004 provides detailed guidelines for evaluating the information security performance and the effectiveness of an ISMS.
ISO/IEC 27001:2022, Clause 9.1 requires the organisation to evaluate the information security performance and the effectiveness of the ISMS. It requires the organisation to determine:
- what needs to be monitored and measured (systems, processes and activities).
- the methods for monitoring, measurement, analysis and evaluation.
- when the monitoring and measuring shall be performed.
- who shall monitor and measure.
- when the results from monitoring and measurement shall be analysed and evaluated.
- who shall analyse and evaluate these results.
The ISMS operation must generate output for various attributes of the implemented controls that can be used to measure the efficacy of the controls, such as:
- the degree to which a control reduces the likelihood of the occurrence of an event.
- the degree to which a control reduces the consequence of an event.
- the frequency of events that a control can cope with before failure.
- how long after the occurrence of an event does it take for the control to detect that the event has occurred.
Measurable data from systems and processes is generated continuously in the form of event logs, metrics, traces and audit trails. These measures must be collected and analysed as frequently as possible. However, the reporting of such measures may be scheduled as per the needs of the interested parties.
For example, while data on security incidents is collected continually, internal reporting to higher levels of management will depend on the defined policies, such as severity (possibly requiring immediate notification, as in the case of a reportable breach) or aggregated values (as might be the case for attempted intrusions that were detected and blocked). Similarly, reporting of cybersecurity incidents to external interested parties such as regulators, CERT-In, sectoral CERTs and NCIIPC will follow their respective directives.
ISO/IEC 27001:2022 also requires the organisation to retain appropriate documented information as evidence of the monitoring and measurement results.
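The control attributes and reporting tiers described above can be computed directly from the event records a control produces. The following is an added example written for this page (it is not from ISO 27004, NCIIPC or any product): it derives per-control time-to-detect figures and the number of events handled from constructed detection records, rejects records whose timestamps are inconsistent, and splits the remainder into an immediate-notification queue and per-day aggregates. The record format, control names, timestamps and the severity-to-reporting mapping in `IMMEDIATE_SEVERITIES` are all assumptions made for the demonstration.

```python
"""Added example: deriving ISMS measurements from control telemetry.

Illustrative code for this page, not from ISO 27004 or NCIIPC. RECORDS is
constructed; the reporting policy (IMMEDIATE_SEVERITIES) is assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed detection records: one per event a control acted on.
# Timestamps are ISO 8601 (UTC assumed); "control" names the SoA control.
RECORDS = [
    {"control": "A.8.16 monitoring", "occurred_at": "2024-11-03T09:00:00",
     "detected_at": "2024-11-03T09:04:00", "severity": "low", "outcome": "blocked"},
    {"control": "A.8.16 monitoring", "occurred_at": "2024-11-03T11:30:00",
     "detected_at": "2024-11-03T11:30:30", "severity": "low", "outcome": "blocked"},
    {"control": "A.8.16 monitoring", "occurred_at": "2024-11-04T02:10:00",
     "detected_at": "2024-11-04T02:50:00", "severity": "critical", "outcome": "contained"},
    {"control": "A.8.8 vulnerability management", "occurred_at": "2024-11-01T00:00:00",
     "detected_at": "2024-11-03T00:00:00", "severity": "high", "outcome": "remediated"},
    # Bad record: detected before it occurred (clock skew or a mis-entered time).
    {"control": "A.8.16 monitoring", "occurred_at": "2024-11-04T05:00:00",
     "detected_at": "2024-11-04T04:59:00", "severity": "low", "outcome": "blocked"},
]

# Assumed policy: these severities are notified to management immediately;
# everything else is reported as aggregated counts.
IMMEDIATE_SEVERITIES = {"critical", "high"}


def detection_latency_seconds(rec):
    """Seconds between the event occurring and the control detecting it."""
    occurred = datetime.fromisoformat(rec["occurred_at"])
    detected = datetime.fromisoformat(rec["detected_at"])
    return (detected - occurred).total_seconds()


def per_control_metrics(records):
    """Return ({control: {events, mean_ttd_s, max_ttd_s}}, rejected_records).

    Records with a negative latency are not silently dropped: they are
    returned separately so the data-quality problem is itself reported.
    """
    latencies = defaultdict(list)
    rejected = []
    for rec in records:
        lat = detection_latency_seconds(rec)
        if lat < 0:
            rejected.append(rec)
            continue
        latencies[rec["control"]].append(lat)
    metrics = {
        control: {"events": len(vals), "mean_ttd_s": mean(vals), "max_ttd_s": max(vals)}
        for control, vals in latencies.items()
    }
    return metrics, rejected


def reporting_queue(records, immediate=IMMEDIATE_SEVERITIES):
    """Split records into (notify_now, aggregated_counts).

    aggregated_counts is keyed by (day of detection, control, outcome), which
    is the shape a weekly management report or a regulator return can use.
    """
    notify_now = [r for r in records if r["severity"] in immediate]
    aggregated = defaultdict(int)
    for r in records:
        if r["severity"] not in immediate:
            aggregated[(r["detected_at"][:10], r["control"], r["outcome"])] += 1
    return notify_now, dict(aggregated)


if __name__ == "__main__":
    metrics, rejected = per_control_metrics(RECORDS)
    for control, m in metrics.items():
        print(f"{control}: {m['events']} events, mean TTD {m['mean_ttd_s']:.0f}s, "
              f"max TTD {m['max_ttd_s']:.0f}s")
    print(f"{len(rejected)} record(s) rejected for inconsistent timestamps")
    now, agg = reporting_queue(RECORDS)
    print(f"{len(now)} event(s) for immediate notification")
    for (day, control, outcome), count in sorted(agg.items()):
        print(f"{day} {control} {outcome}: {count}")
```

The rejected records matter as much as the metrics: a control whose telemetry carries inconsistent timestamps cannot support a time-to-detect claim, so the count of rejected records is itself evidence worth retaining under Clause 9.1.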
Metrics
Some of the possible metrics for continual improvement of ISMS are listed below.
| Key Performance Indicators | Description |
|---|---|
| Number of Security Incidents | Count of unwanted events that could endanger the confidentiality, integrity, or availability of information. |
| Security Control Audit and Review Frequency | Measures the number of times security controls are reviewed and audited. |
| Audit Findings | The number of critical findings or unresolved issues from audits. |
| Delay in Scheduled Audits | Measures the percentage of scheduled audits and reviews that are not completed within their planned timeframes. |
| Number of Non-Compliance Issues | Track the number of identified non-compliance issues during the audit with legal and regulatory requirements |
| Effectiveness of Security Controls | Percentage of identified risks that the implemented controls successfully prevented, detected or mitigated. |
| Policy Implementation Coverage | The percentage of critical assets covered by security policies. |
| Number of outdated Policies | Number of policies that are not updated to reflect current threats. |
| Number of Improvements Identified | Measures the number of policies, processes or controls identified for improvement during ISMS activities or audits. |
| Number of Non-Conformities Identified | Measures the number of occasions on which the ISMS fails to meet the specified ISO 27001 requirements. |
| Percentage of Assets Covered under ISMS | Measures the proportion of the organization’s assets - people, processes, technology - that are protected by the implemented ISMS. |
| Frequency of ISMS Review | How often the ISMS is reviewed and updated against its planned review interval. |
| Employee Training Completion Rates | Numbers of employees that have completed security awareness and training programs. |
| Security Awareness Level | Measures the percentage of employees understanding security protocols. |
Leveraging Automation
Given the scale and complexity of modern information infrastructures, automation is essential for monitoring the use and effectiveness of controls. Many software platforms can track ISMS activities and generate reports for the various levels of management; they also provide a record of ISMS activities that audit teams can use as evidence. Human- and machine-readable formats such as NIST's Open Security Controls Assessment Language (OSCAL) represent control catalogues, the controls selected for a system and assessment results, and make automated management of ISMS controls feasible.
Periodic inspection and audit of ISMS of CSEs is a time-consuming activity. The regulators and national bodies can also create platforms and processes for machine-processing of ISMS data from the CSEs, which will also help in sectoral and cross-sectoral analysis of audit compliance and non-compliance issues, audit effectiveness, grading of auditors etc.
ISMS Practice Owners
A sample matrix of responsibilities is given below.
| Activity | Primary Ownership | Collaborative Role |
|---|---|---|
| Establish and review the ISMS strategy. | ISSC | Information Security Team |
| Oversee the development of ISMS policies and procedures. | CISO | Information Security Team |
| Maintain the ISMS documentation and control mechanisms. | Information Security Team | - |
| Ensure ISMS compliance with legal and regulatory standards. | GRC Team | Legal Team |
| Implement controls, standards and guidelines emanating from the ISMS implementation and design programme. | IT/OT Ops Team | - |
| Conduct ISMS awareness and training programs. | HR Team | Information Security Team |
| Monitor and report on ISMS performance using KPIs/KRIs. | GRC Team | IT/OT Ops Team |
| Manage ISMS auditing and continual improvement. | Internal/External Audit Team | Information Security Team |
NCIIPC Guidelines
Important
These guidelines are taken from NCIIPC’s documentation of Nov 2024. CSEs must consult NCIIPC for the latest updates and further guidance.
Governance
- CSE shall design, develop, approve, and implement ISMS as part of the Information Security Policy to maintain confidentiality, integrity, and availability of the organisation’s information assets.
- CSE shall establish an Information Security Steering Committee responsible for providing direction, approving policies, and monitoring the ISMS effectiveness.
- CSE shall describe and assign information security roles and responsibilities based on the organization’s requirements.
- CSE shall appoint a senior management representative as the Chief Information Security Officer (CISO) to oversee the ISMS design, implementation, operation, and maintenance.
- CSE shall ensure that all individuals working in the organisation are aware of:
  - the information security policy.
  - their part in improving the security system.
  - the consequences of not following security policies.
- CSEs shall establish clear channels for all information security related communications.
- CSE shall conduct reviews of the ISMS to ensure the effectiveness of the organization’s approach to managing cybersecurity and its implementation, at planned intervals or when significant changes occur.
- All employees shall be provided with information security awareness training and be held accountable for adhering to security policies and procedures.
- CSE should monitor the defined Key Performance Indicators (KPIs) to measure the effectiveness and efficiency of the ISMS design, implementation and operation.
Technical
- CSEs shall develop and implement an ISMS policy framework that includes related information security policies, procedures, and standards.
- While developing the ISMS, the CSE shall consider relevant factors, identify risks and opportunities, and focus on preventative measures and continuous improvement.
- CSE shall implement appropriate security controls based on identified risks, in alignment with ISO 27001 Annex A controls as well as other controls prescribed by regulators and nodal agencies.
- CSE shall maintain a Statement of Applicability (SoA) defining the controls applicable to the organisation.
- CSE shall identify and control external documents deemed necessary for the planning and operation of its information security management system.
- CSE shall review the ISMS design and implementation process at regular intervals and implement changes.
- CSE shall utilize appropriate technological, organizational, and physical safeguards to protect information assets.
- CSE shall ensure compliance with all applicable laws and regulations regarding information security and data privacy.
- CSE shall maintain a business continuity and disaster recovery plan to minimize disruption in the event of an incident.
- CSE shall design and execute an audit programme to assess the ISMS. This programme shall have a systematic approach and prioritise processes based on their significance and findings from previous audits.
- The auditing exercise shall provide documented information to verify the execution and effectiveness of the ISMS.
ISMS for Regulators
Besides the CSEs, the regulatory bodies would also benefit from establishing an ISMS, based on recognised standards. The ISMS would specifically help the regulators to:
- Control the collection, processing, distribution, and retention, of sensitive information to be processed by them for effective regulation in the sector.
- Understand the requirements of the ISMS established and audit the regulated entities on adherence to the requirements.
- Issue sector-specific requirements, guidelines, checklists, to address the variations and constraints relevant to the local processing requirements.
- Adopt audit tools and analysis engines, designed to standard requirements, for evaluation of the information security performance in the regulated entities.
ISMS for Agencies directing CSEs
Agencies directing and controlling the operations in a critical sector have a responsibility to lead the way. A controlling agency typically reviews the functioning of the CSEs and, where policies hinder the achievement of business objectives, identifies and reports them for improvement. Such agencies therefore hold sensitive data of the critical sectors. It is recommended that the agencies also implement an ISMS to protect the information processed at the various levels within the agency. Establishing an ISMS will help the agencies to:
- Control the collection, processing, distribution, and retention, of sensitive information to be processed by them for effective governance in the sector.
- Understand the requirements of the ISMS established, and issue relevant directions to the controlled entities, and supply-chain, on adherence to the requirements.
- Establish a centrally managed framework to identify, analyse, evaluate, and treat the information security risks prevalent in the sector.
- Get trust, recognition, and support from other stakeholders for information security governance in the sector.
- Respond to emerging information security threats and trends by centrally managing the information security incidents in the sector.
- Easily migrate to any upgrades and improvements in information security governance, based on international and industry best practices.
Acquisition of capabilities
The acquisition of capabilities to enable and support business needs is an important activity within organisations and also in the larger ecosystem. This section focuses on information and guidance related to acquisition of business and technology capabilities by the stakeholders.
The audience for this section includes:
- Business Unit heads, CIOs, CISOs.
- Technology strategy and perspective planning team.
- Project management and procurement teams.
- Technical implementation teams.
- OEMs and System Integrators (SI), service and support providers, consultancy organisations, inspection and audit bodies.
Overview
All capabilities are acquired through a project-based or incremental procurement approach, using capital or revenue budgets. Business and technology capabilities typically have two major lifecycle stages:
- Acquire and Provision.
- Operate and Maintain.
The Acquire and Provision stage has a shorter lifespan of a few months, as compared to the Operate and Maintain stage, which typically extends into a few years for IT or tens of years for OT. A “Go-Live” event typically separates the two stages.
Government, public sector entities and large enterprises have two broad frameworks for acquisition of capabilities, namely, Detailed Project Reports (DPR) and Request for Proposal (RFP).
The DPR framework is used when the requirement is for large scale and complex use of IT for transformation of business functions. RFPs are more focused and are typically used for incremental improvement of business functions using IT.
Technology Strategy and Perspective Planning
A study of various DPRs indicates that they reflect the strategic direction of the organisation in its use of IT and cover a period of 7 to 10 years. However, each DPR is usually treated as a standalone document, and the strategic thinking recorded in one DPR is not fully carried into others.
Entities may consider the development of a common “Technology Strategy and Perspective Planning (TS&PP)” document that captures the entity-wide strategic use of technology by the organisation. All DPRs and RFPs must then be aligned with the TS&PP document.
The following aspects of strategic direction, which are typically recorded in DPRs, may be moved into the TS&PP document:
- Mission, functions, business capabilities and business processes of the organisation.
- External context – other organisations with whom governance, business and IT-driven interactions are carried out. This should also include the likely sources of threats and liabilities created by the external partners.
- Internal context – organisational hierarchy and structure, sites and locations, line, staff and functional units, roles and responsibilities of departments and key personnel.
- Current state of use of IT and information security to support the business functions.
- Expectations from the use of IT in terms of enhancement of capabilities, efficiency, and effectiveness in carrying out the business functions.
- Expected or desired future state of use of IT and information security.
Some examples of strategic directions regarding the use of IT are given below:
- Selection of data centre and cloud service providers:
  - owned by the organisation.
  - provided by a government-owned or public sector entity.
  - provided by a private entity with India-based data centres.
  - provided by an entity with multi-country data centres.
- Cloud service models:
  - IaaS
  - PaaS
  - SaaS
  - XaaS
- Data access concerns:
  - data access is required only for India-based users and systems.
  - data access is required for users and systems located outside India.
- Data localisation concerns:
  - data can reside in any country.
  - data can reside in any country, but one copy must reside in India for accessibility to regulatory and legal authorities.
  - data must reside within India only and not move out of Indian jurisdiction.
- Models of workforce supply chain:
  - entity’s own employees.
  - contracted employees hired from manpower provider entities.
  - outsourced work to service providers using their own employees.
- Data classification and handling methodologies for data that is created, stored, and shared in electronic form.
- Information Security Assurance and ISMS:
  - entities to have a trusted mechanism of internal and external audits, undertaken and reported by competent independent auditors.
  - the audit scope, audit objectives, and audit criteria to be defined by the entity in consultation with, and under the direction of, the concerned controlling / regulating body.
  - the audit methodologies adopted to be in accordance with internationally accepted practices.
  - the competency of the auditors to be ensured and ascertained through recognised trainings and evaluation criteria.
- Information security capabilities to enable a smart, resilient, and sustainable digital ecosystem.
- Systems and security engineering lifecycle approaches.
- Technologies, practices, and operating processes.
Enterprise Architecture
Organisations acquire off-the-shelf, custom-developed or SaaS-based business systems like ERP, CRM etc, to automate the business and industrial processes that deliver their business needs. The business systems run on underlying technology systems, which may be off-the-shelf, custom-built or in the cloud.
A well-defined and well-designed architecture is crucial for the long-term resilience of an organisation’s business and technology systems. The mandatory governance, risk, compliance, and audit requirements prescribed by the regulators and nodal bodies are best achieved when they are embedded into the enterprise business and technology architectures of the entities.
The Enterprise Architecture Framework provides common information and guidance to create good architecture documents for use by various stakeholders responsible for design, engineering, implementation, maintenance and incremental enhancements of systems.
Enterprise architects are best placed to create the business and technology architectures. The Technology Strategy and Perspective Planning Group may be assigned responsibility for their creation, periodic review and update. The group should also advise top management on the strategic direction required. Once accepted by top management, the architecture can be used as a common base framework in DPRs and RFPs.
Ontology of Tags
Entities use a wide variety of methods to depict and describe their enterprise business and technology architectures. However, there is no commonality on this aspect amongst the CSEs of different sectors.
The ontology of tags provides a common mechanism for business and technical managers to express distinct characteristics or features of various architectural elements. The common ontology helps different stakeholders to evaluate the impact, risk, compliance, governance, security, monitoring, and oversight aspects of the architecture elements. A combined view of all the evaluations can help the top management to decide and direct the most appropriate use of IT and prioritisation for investments.
The business and technology operation levels of the entity hierarchy can further use the ontology of tags to evaluate, decide, design, procure, implement, deploy, operate, manage, support, and monitor the digital ecosystem resources over their operating lifecycle.
The common ontology also helps the Government ministries, regulators, and national nodal bodies to focus their policies, regulations, oversight, and monitoring mechanisms on the vital components of the enterprise architecture.
Important
Entities typically do not adopt the good practice of creating a baseline record of key security architectural decisions and the security configurations of systems at the Go-Live stage. Keeping such records is usually left to the SI and OEMs.
These records are vital during the operations stage for discovering changes to the architecture and configurations, some of which may have been triggered by malicious activity.
Top management and external oversight bodies must insist that such records are created and maintained by the project management teams and by the teams managing the business and technology systems.
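A Go-Live baseline is only useful if it can later be compared mechanically against the running system. The following is an added example written for this page (not a tool from any SI, OEM or NCIIPC): it records a baseline as content hashes plus the parsed settings of each configuration file, then reports files that were added, removed or changed, distinguishing a changed security setting from a content change that touches no tracked setting (a comment edit, for instance). The configuration files, their paths and their simple `key = value` syntax are constructed for the demonstration; the manifest layout is an assumption, and in practice the Go-Live manifest would be signed and kept where the administrators of the system it describes cannot alter it.

```python
"""Added example: a Go-Live security configuration baseline and a drift check.

Illustrative code for this page, not an SI, OEM or NCIIPC tool. GOLIVE and
LATER are constructed in-memory files with an assumed key = value syntax;
the manifest structure returned by build_baseline() is an assumption.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_kv(text: str) -> dict:
    """Parse 'key = value' lines; '#' starts a comment; blank lines ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def build_baseline(files: dict, recorded_at: str) -> dict:
    """Record, per file, a content hash and the parsed settings at Go-Live.

    The hash catches any byte-level change; the parsed settings let a later
    check say *which* security-relevant setting moved, not just that the
    file differs. The manifest is plain JSON-serialisable data so it can be
    signed and archived with the Go-Live acceptance record.
    """
    return {
        "recorded_at": recorded_at,
        "files": {
            path: {"sha256": sha256_hex(content.encode()), "settings": parse_kv(content)}
            for path, content in files.items()
        },
    }


def check_drift(baseline: dict, current_files: dict) -> list:
    """Compare the live files to the baseline.

    Returns (path, kind, key, detail) tuples, kind being one of
    'removed', 'added', 'setting' (a tracked setting changed) or
    'modified' (bytes changed but no tracked setting differs).
    """
    findings = []
    base = baseline["files"]
    for path in sorted(set(base) | set(current_files)):
        if path not in current_files:
            findings.append((path, "removed", None, None))
            continue
        if path not in base:
            findings.append((path, "added", None, None))
            continue
        content = current_files[path]
        if sha256_hex(content.encode()) == base[path]["sha256"]:
            continue                      # byte-identical to Go-Live
        old, new = base[path]["settings"], parse_kv(content)
        setting_changed = False
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                findings.append((path, "setting", key, f"{old.get(key)} -> {new.get(key)}"))
                setting_changed = True
        if not setting_changed:
            findings.append((path, "modified", None, "content changed, no tracked setting differs"))
    return findings


# Constructed Go-Live state and a later snapshot of the same system.
GOLIVE = {
    "/etc/gateway/access.conf": "remote_admin = off\nmfa_required = yes\n",
    "/opt/historian/historian.conf": "listen = 10.20.0.5\ntls = on\n# service account\nuser = historian\n",
}
LATER = {
    "/etc/gateway/access.conf": "remote_admin = on\nmfa_required = yes\n",       # hardening reversed
    "/opt/historian/historian.conf": "listen = 10.20.0.5\ntls = on\n# rotated\nuser = historian\n",
    "/opt/historian/debug.conf": "remote_shell = on\n",                          # new, unapproved file
}

if __name__ == "__main__":
    manifest = build_baseline(GOLIVE, "2024-11-01T00:00:00Z")
    archived = json.dumps(manifest, indent=2)          # what would be signed and stored
    for path, kind, key, detail in check_drift(json.loads(archived), LATER):
        print(f"{kind:8} {path} {key or ''} {detail or ''}".rstrip())
```

On the sample data the check reports the `remote_admin` setting flipped from `off` to `on`, a new `debug.conf` that did not exist at Go-Live, and a comment-only change in `historian.conf`; the first two are the kind of drift that warrants an incident ticket, the third is noise the setting-level comparison lets the operator triage quickly.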
Engineering of ICT and Security
The engineering aspects describe “how” ICT and cyber resilience capabilities can be implemented through proper conceptualisation and execution of IT and OT projects, as well as through incremental engineering improvements during a system’s operating lifecycle. This chapter covers systems engineering and systems security engineering for IT, OT and IIoT systems, and cyber resiliency engineering, an emerging specialty systems engineering discipline for developing survivable, trustworthy secure systems.
The audience for this chapter includes:
- Business Heads, CIOs, CTOs, CISOs and their respective teams within CSEs.
- Sectoral Regulators, who are mandated to oversee/ regulate the cybersecurity related issues of their regulated entities.
- Consultancy organisations, System Integrators, OEMs and MSPs/ MSSPs engaged by the CSEs.
- Empaneled bodies, who carry out cyber security verification & validation (V&V), VAPT and technical audit of systems and networks of CSEs.
- the lower levels of management, who are responsible for project execution and maintenance of systems in the operations phase.
- project design and implementation teams, who conceptualise, design and implement the ICT and cyber security elements for protection of their IT, OT and IIoT.
- engineering support teams, who support the operations teams during the use of ICT, OT and IIoT.
An engineering lifecycle approach is essential for successful delivery of business and technology systems. Readers may refer to relevant material included in the standards section of this document.
Engineering requires the knowledge of concepts and technologies related to the use of IT and information security. The resources section provides links to well-known public documents.
Systems Engineering
It is globally recognised that large and complex IT and OT systems need to be engineered and secured using a life cycle approach. The design and engineering teams are expected to apply the knowledge, concepts, and principles from international work on systems engineering. The publications cover the principles and processes of systems engineering and systems security engineering, connecting the governance, program management, technology (systems) and operations layers within enterprises.
Systems and software engineering lays the groundwork for a disciplined and organised approach towards building reliable, trustworthy secure systems. It is a collection of system life cycle technical and nontechnical processes with associated activities and tasks. The technical processes apply engineering analysis and design principles to deliver a system with the capability to satisfy stakeholder requirements and critical quality properties. The nontechnical processes provide engineering management of all aspects of the engineering project, agreements between parties involved in the engineering project, and project-enabling support to facilitate execution of the engineering project.
Systems Security Engineering
The systems security engineering discipline is applicable at each stage of the system life cycle and provides security considerations towards the engineering of systems. The system security engineering processes are designed to address cybersecurity aspects in IT, OT and IS projects. These processes are typically carried out by design and engineering teams during the project implementation phase, and by field engineering teams during the operations phase.
Systems security engineering ensures that stakeholder protection requirements, and security issues associated with the system are accurately recognized and addressed in all systems engineering tasks throughout the system life cycle.
An organisation adopting systems security engineering lifecycle approach will be able to incorporate security by design and engineering during all the lifecycle stages of IT and OT systems, right from conceptualisation to design, procurement, installation, commissioning, acceptance, operations, and retirement.
Cyber Resiliency Engineering
Cyber resiliency engineering is an evolving specialised discipline within systems engineering, employed together with systems security engineering and resilience engineering to develop systems that are secure, dependable, and capable of withstanding threats. It is predicated on the assumption that adversaries will breach defences and establish a long-term presence in organisational systems. Hence, the focus is on assuring the continuity of mission or business functions and reducing the risk posed by potentially compromised cyber resources.
Guidance on Systems and Security Engineering
Currently, implementing cybersecurity in large and complex systems is generally a bolt-on activity. The conventional VAPT carried out prior to acceptance happens shortly before the system is put into production. At that stage, time pressure typically limits how thoroughly the robustness of the system's security can be tested.
The systems security engineering approach must be incorporated in every stage of the system cycle, covering both business systems and technology systems. This will ensure that the security architecture is of high quality and is based on the rigour with which the fundamental security design principles have been applied in the system lifecycle.
The following aspects must be considered while acquiring any new software/ application:
- complete cybersecurity life cycle support for the software system.
- applying the principles of Dev-Sec-Ops in the custom development of software applications.
- mechanisms for software enhancements and bug fixing activities to avoid the adverse impact of software weaknesses and vulnerabilities.
- skillsets required (in-house or through support services) for secure operations of the acquired system.
- carrying out VAPT and removing/ patching all vulnerabilities before any system goes live.
- accountability of OEMs and suppliers to follow the Information Security Engineering Lifecycle approach in the manufacturing/ assembly/ development of their products.
- non-acceptance of products/ solutions which have not followed the system security and cyber resiliency engineering best practices in the product development and in providing maintenance support services.
Senior management, business heads, operations and support teams must develop in-house expertise or hire experts to help adopt the systems security engineering lifecycle approach within their enterprise projects, starting with securing their CII.
Operations, Maintenance and Management of ICT and Security
The operations aspect focuses on “how” ICT and cyber resilience capabilities can be achieved during the operation phase of business and technology systems, through well-designed operating processes enabled by technology and tools, and by a workforce that is adequately trained on the processes and tools.
The audience for this chapter includes:
- Business Heads, CIOs, CTOs, CISOs and their respective teams within CSEs.
- Sectoral Regulators, who are mandated to oversee/regulate the cyber security related issues of their regulated entities.
- Consultancy Organisations, System Integrators, OEMs and MSPs/ MSSPs engaged by the CSEs.
- Empanelled Organisations to carry out cyber security verification & validation (V&V), VAPT and technical audit of systems and networks of CSEs.
- the lower levels of management, who are responsible for day-to-day business and technology operations.
- process design teams, who conceptualise and design ICT and cyber security operating processes for day to day use and for protection of ICT, OT and IIoT.
- operations teams, who implement and execute the day to day business and technology operating processes.
- workforce development teams, who train and enable the workforce to absorb and adopt technology and the day to day operating processes designed for achieving business and cyber resilience.
Operations and Management Practices
There is an intrinsic association and a high degree of interdependence between the practices of IT Operations (IT-Ops), IT Operations Management (ITOM), AI-driven operations (AI-Ops), site reliability engineering (SRE), information security operations (IS-Ops), Dev-Sec-Ops and CI/CD pipeline activities.
At the macro level all operating and management practices have a generic purpose to help improve visibility, observability, compliance, control, responsiveness, and reporting within the critical sector entities themselves, as well as in the larger federated digital ecosystem.
At a granular level, the execution steps of operating and management processes would be sector/ entity and context specific, depending on generic and sector/ entity-specific factors. These factors include the entity type, size, geographical spread, heterogeneity of the technology layer, proportion and maturity of IT and OT implementations, the overall maturity of the prevailing cybersecurity implementation etc.
Further, all processes need to be monitored regularly for their effectiveness.
Guidance on IT and Cybersecurity Operations
Establishing Good Practices and Processes
One of the key aspects of operations is the distribution of responsibilities and associated practices between the inward-looking IT operations and IT security teams and the outward-looking Information Security (Infosec) teams.
- The IT Operations and IT Security teams form the first line of defence. They carry out defensive and protective activities such as patch, vulnerability and compliance management, system hardening, configuration baselining and change management, backup management, network access control, domain management, identity and role-based access management, service desk, ticketing and case management.
- The Information Security GRC and SOC teams form the second line of defence. They observe the internal and external environments, monitor the risk and detect cyber threats to the digital infrastructure.
- The IT Operations and IT Security teams also carry out many of the incident response and recovery activities, in close coordination with the SOC teams.
Resilience of business, technology and cybersecurity operations and support essentially depends upon good operating and management practices and processes. These can be based on an Integrated Service Management (ISM) framework that combines both ITSM and ISMS and draws upon well-defined national/ international standards. Readers may refer to relevant material included under standards.
Developing Workforce Competencies
Modern IT Systems are reasonably large and complex, and the teams require different skill sets and expertise levels to handle the entire gamut of IT and Information Security operations effectively. The competency framework provides a broad structured approach and guidance to CSEs on how to establish a strategic program for ensuring cybersecurity competence in their workforce across their respective organisations.
Note
IT Ops teams must also contribute to securing the digital infrastructure. Managers can achieve this if they encourage their IT specialists to go beyond the functional and performance aspects of systems, networks, applications and databases. The specialists must develop competence in the IT security aspects related to their job functions.
The NCIIPC-QCI Scheme for cybersecurity professionals incorporates essential IT security knowledge and skills in all the specialisation areas.
Leveraging Technology as an Enabler
A critical element for every organisation is the proper and effective use of technology by its workforce to achieve different cybersecurity functions. The following teams will benefit from technologies and platforms:
- Enterprise Governance, Risk and Compliance (GRC) team, who are responsible for enterprise-wide governance, policies and management of risk and compliance.
- The CIO, IT Operations and IT Security teams and management personnel, who are responsible for day-to-day management of the digital infrastructure.
- The CISO, Information Security SOC teams, who are responsible for SOC operations.
Besides the teams listed above, the following teams and groups require information and guidance on IT, OT and IS technologies, products, platforms, and solutions:
- The Technology Strategy group, systems engineering and systems security engineering teams, who are responsible for conceptualisation, design, and implementation of systems.
- The acquisition and provisioning teams, who are responsible for preparation of RFPs and evaluation of solutions.
- Persons responsible for tracking and enhancing cybersecurity performance and maturity since technology usage is essential for achieving higher levels of cybersecurity capabilities.
The technologies and platforms need to be selected based on relevance to the organisation’s business functions and processes. Readers are advised to refer to the resources section and Techsagar, the national repository of India’s cybertech capabilities, for identification of suitable ‘Made in India’ IT resources to meet IT/ IS requirements.
Automating the Processes using Technology
Given the increased use of IT by CSEs, many of the manual and semi-automated IT and information security processes of yore need to be enhanced to higher levels of automation using technology. The Dev-Sec-Ops and CI/CD pipeline used in software development lifecycles are examples of modern process automation. Automation frameworks are also being developed for content-based processes such as governance, risk, compliance, audit, information sharing and AI/ML enabled decision support.
CSEs can improve the efficiency of their workforce significantly by using standard operating procedures (SOPs) for routine jobs and employing technology to run the standardised processes. Enabling the workforce with technology to meet IT and IS requirements is strongly recommended.
To achieve automation and workforce enablement, it is essential for an organisation to have suitable manpower with adequate enablement through training, technology, and availability of resources to undertake jobs at levels as mentioned below:
- Operating Level: This is the basic workforce of most organisations, capable of "doing things" at the operating level.
- Operational Analytics Level: Competent workforce with the capability to analyse issues at the operational, tactical, and strategic levels and suggest mitigation measures. This workforce needs IT-enabled analytical support tools to demonstrate reliability and efficiency in their operations.
- Design Level: This level requires experienced specialists with skills and competence to design the operating and analytical processes and configure the platforms, to execute them.
Automation in CTI Sharing
The critical success factors for cyber resilience and sustenance of the nation’s digital ecosystem are:
- The speed and quality of detection of compromise and cyber-attacks within the entities.
- The rapidity by which information and guidance is disseminated to all the actual and potential targets.
- The speed and effectiveness of response within entities as well as across sectors and cross-sectors.
Conventional paper-based and email-based methods of sharing cannot achieve the required speed of information sharing amongst all stakeholders and participants, since they are less amenable to automated processing. Use of the standardised STIX and TAXII protocols together with TLP markings (or equivalent standards) is recommended for sharing CTI with speed and objectivity to counter cyber-attacks. Details of these protocols are covered in the protocols section.
The community-driven MISP platform and the OASIS STIX/TAXII protocols, with TLP-based classification, are considered well suited for the Indian IT ecosystem at this stage. A coherent approach is required for adopting TLP, MISP and STIX/ TAXII as the core elements of operational cybersecurity information sharing. Standardisation in this aspect helps strike a balance between speed (at the risk of ambiguity or inaccuracy) and correctness (at the cost of delay) in the sharing of CTI.
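The following is an added illustration of the machine-readable sharing described above; it is not code from this guidance, from MISP or from OASIS. It builds STIX 2.1 Indicator objects marked with the TLP marking-definition IDs that the STIX 2.1 specification fixes, wraps them in a Bundle (the JSON payload a TAXII collection would carry), and then acts as the receiving sharing gateway: it parses the bundle, fails closed on unmarked or malformed objects, applies a forwarding policy per TLP level, and extracts IOC values from the STIX patterns for automated use. The forwarding policy (`AUTO_FORWARD`), the destination names and the indicator values are assumptions constructed for the example; the addresses are RFC 5737 documentation ranges. Only the Python standard library is used, so it runs offline without a TAXII server.

```python
"""STIX 2.1 / TLP producer and consumer sketch (added example, stdlib only)."""
import json
import re
import uuid
from datetime import datetime, timezone

# marking-definition IDs that the STIX 2.1 specification fixes for TLP.
TLP_IDS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eff-b49a37ad6b1a",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-dbdf-4ba5-8a9d-5eefe2daf9b9",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
ID_TO_TLP = {v: k for k, v in TLP_IDS.items()}

# Forwarding policy of a hypothetical automated sharing gateway (an assumption
# for this example, not part of the TLP standard): the destinations each TLP
# level may reach without a human in the loop. TLP:RED is never auto-forwarded.
AUTO_FORWARD = {
    "white": {"own_soc", "sector_isac", "public_feed"},
    "green": {"own_soc", "sector_isac"},
    "amber": {"own_soc"},
    "red": set(),
}

STIX_ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# One comparison expression of a STIX pattern: <object-path> = '<value>'
COMPARISON_RE = re.compile(r"([a-z0-9_-]+:[A-Za-z0-9_.'\-]+)\s*=\s*'([^']+)'")


def _timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(name, pattern, tlp=None):
    """Build a minimal STIX 2.1 Indicator; tlp=None leaves it unmarked."""
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": _timestamp(),
        "modified": _timestamp(),
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": _timestamp(),
    }
    if tlp is not None:
        obj["object_marking_refs"] = [TLP_IDS[tlp]]
    return obj


def make_bundle(objects):
    """Wrap objects in a STIX Bundle, serialised as a TAXII collection would carry it."""
    return json.dumps({"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
                       "objects": objects})


def tlp_of(obj):
    """Return the TLP level of an object, or None if it carries no TLP marking."""
    for ref in obj.get("object_marking_refs", []):
        if ref in ID_TO_TLP:
            return ID_TO_TLP[ref]
    return None


def select_for_destination(bundle_json, destination):
    """Consumer side: parse a received bundle and keep only the indicators the
    gateway may forward to `destination`. Non-indicators, malformed IDs and
    unmarked objects are dropped rather than guessed at (fail closed)."""
    bundle = json.loads(bundle_json)
    kept = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or not STIX_ID_RE.match(obj.get("id", "")):
            continue
        level = tlp_of(obj)
        if level is not None and destination in AUTO_FORWARD[level]:
            kept.append(obj)
    return kept


def extract_iocs(pattern):
    """Pull (object-path, value) pairs out of a STIX comparison pattern so the
    values can be pushed to blocklists or a SIEM without manual re-typing."""
    return COMPARISON_RE.findall(pattern)


def demo():
    """Constructed sample feed; returns the indicator names each destination receives."""
    objects = [
        make_indicator("Phishing sender", "[email-addr:value = 'lure@example.net']", "white"),
        make_indicator("C2 beacon",
                       "[ipv4-addr:value = '203.0.113.5' OR domain-name:value = 'c2.example']",
                       "amber"),
        make_indicator("Victim host", "[ipv4-addr:value = '198.51.100.7']", "red"),
        make_indicator("Unmarked", "[url:value = 'http://example.org/x']"),
    ]
    bundle_json = make_bundle(objects)
    return {dest: [o["name"] for o in select_for_destination(bundle_json, dest)]
            for dest in ("own_soc", "sector_isac", "public_feed")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter for the speed/correctness balance the text describes. First, the consumer keys on the marking-definition ID rather than on a free-text label, so a producer cannot downgrade handling by misspelling a marking, and an object with no recognised TLP marking is not forwarded at all. Second, the IOC extraction works on the standard pattern grammar rather than on a human-written description, which is what makes the onward push to blocklists automatic rather than a retyping exercise.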
Workforce
Organisational Structure
Workforce responsible for IT, OT, IIoT and Information Security within organisations can be generically divided into four levels of hierarchy, as given below. Typical job titles at each level are also mentioned, which are indicative of the associated job roles, tasks, and responsibilities.
Governing board and top management level – Board of Directors, MD, CEO.
Senior management level – Vice Presidents, CFO, CRO, CHRO, CTO, CIO, CISO, CSO, Heads of Business Units, Divisions, and Departments.
Middle and lower management level – IT Project Managers, Technology Managers, IT Operations Managers, IT Security Managers, Cyber Defence, NOC, and SOC Team Leads, GRC Managers, Workforce Development Managers etc.
Individual Contributor level – Operators, Analysts, Administrators, Specialists, Engineers, Technicians, Architects, Developers, Testers, QA, Apprentices, Associates, Interns. Individual contributors may also include MSP/ MSSP personnel, contractors etc., working in the CSEs.
The middle and lower management, as well as individual contributors, are accountable and responsible for day-to-day operational activities and tasks.
Workforce Competencies
The overall workforce in an organisation having accountability and responsibility for cybersecurity would typically comprise a mix of employees, contracted/ hired resources, and external providers of products (OEMs/ ISVs) and services (OEM partners, System Integrators, consultants, other service providers). The essential competencies and focus of the composite workforce are summarised in the table below, along with the applicable knowledge, skills, expertise, and experience.
| Workforce Level | Focus | Competencies | Knowledge & Skill Areas |
|---|---|---|---|
| Governing board and top management | Business objectives, Information/ Cybersecurity | Business strategy, governance of the use of IT, OT and Information security. Expertise in managing technology for a qualified IT Strategy Committee (ITSC), where established | Business Strategy, Risk, Finance, Technology, Workforce Development. The board should have an independent Director with substantial IT expertise in managing/ guiding information technology initiatives. |
| Senior management | Security programme, GRC | Business and technology leadership and experience | Governance, Risk, Compliance, Technology, Operations, Security |
| Middle and lower management | Technology management | Business and technology management experience | Technology, Operations, Security, Compliance, Supply Chain, Programme Management, MSP/ MSSP management |
| Individual Contributor | Technology | Technical skills, expertise, and experience | Systems, networks, platforms, applications, databases, enterprise IT and IS functions, cloud platforms and services, ITSM, ISMS, network and security operations, cyber defence, risk analysis, forensics, data analytics, systems & security design & engineering, software development, CI/CD, DevSecOps, testing, VAPT, audit |
Ownership of Activities and Tasks
All operating processes within organisations are owned and carried out by designated teams, each having middle and lower-level managers overseeing the operations on a day-to-day and periodic basis.
Typically, the team compositions include different individuals with specialized skills and knowledge. Given the size and complexity of IT, OT, IIoT and cybersecurity ecosystems, the CSEs and other organisations usually have a composite workforce which is a mix of own employees, contracted workforce, resources of SIs, OEMs, ISVs, Partners, consultants, MSPs, SaaS and other service providers, who work together to carry out the organisations’ activities and tasks. A must have practice for an outsourced workforce is to have senior and middle-level managers of the organisation oversee the outsourced work.
Cybersecurity practices and processes can map across multiple cybersecurity support functions due to the interconnected nature of cybersecurity operations, where different aspects of a process may support various functions simultaneously. Considering the interconnected nature of cybersecurity activities, entities should assign the primary ownership and support roles to the activities related to each practice/ process.
Primary ownership indicates the team or role with overall responsibility for executing a particular cybersecurity process or function. The primary team or role is accountable for the required outcomes and decision-making. The support (collaborative) role identifies the supporting teams or roles that contribute to the overall objectives of the practice or process. They may be required to provide necessary data, analysis, or assistance to ensure the process's success.
The top and senior management of CSEs may use well-known mechanisms like the RACI matrix to outline the roles and responsibilities of individuals and teams. The primary owners must be clear about their responsibility and accountability, while the collaborative teams and roles must know what support is expected from them.
It is essential that the top and senior management clearly communicate the overarching objectives of cybersecurity and how each team’s efforts contribute to them. Cyber resilience can be enhanced when there is a shared sense of purpose and reduced friction between teams that usually arises due to overlapping or conflicting purposes.
Organisations will accrue significant benefits if their workforce understands the end goal of the practices and processes, and how the activities and tasks help or harm the accomplishment of the goal. Training and enablement of the workforce should focus on this aspect so that the workforce has a clear understanding of their ownership and responsibility for achieving the objectives.