Cybersecurity activities are independently reviewed to ensure conformance with cybersecurity policies and procedures, periodically and according to defined triggers, such as process changes
Context and Guidance: The purpose of this practice is to provide additional assurance that cybersecurity activities are being performed as specified by the organisation’s cybersecurity policies and procedures. The evaluation must be independent; that is, conducted by reviewers from outside the cybersecurity program under direction from the organisation's governing body). Those directly involved in program activities cannot perform the evaluation or render an opinion on the program’s effectiveness. Such evaluations may be done through internal and external audits, post-event reviews, and capability appraisals and should be initiated by and accountable to the board of directors or a similar group. Advanced cybersecurity techniques such as threat hunting and active defense can be used to provide insight into the performance of the overall cybersecurity program.
Related Practices • Input From: Implementing ACCESS-4a, ACCESS-4c, ARCHITECTURE-6a, ARCHITECTURE-6c, ASSET-5a, ASSET-5c, RESPONSE-5a, RESPONSE-5c, RISK-5a, RISK-5c, SITUATION-4a, SITUATION-4c, THIRD-PARTIES-3a, THIRD-PARTIES-3c, THREAT-3a, THREAT-3c, WORKFORCE-5a, WORKFORCE-5c provides input that may be useful for implementing this practice. • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: PROGRAM-2b, PROGRAM-2g, PROGRAM-2h, PROGRAM-2i.