SEF-02: Service Management Policy and Procedures

PF v1.0 References:

Control is new to this version of the control set and incorporates the following items from the previous version: GRM-06: Policy, GRM-09: Policy Reviews, SEF-02: Incident Management.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the timely management of security incidents. Review and update the policies and procedures at least annually.

Implementation Guidance

Policies and procedures should address personnel involved in the entire incident and event management lifecycle (which includes prevention, identification, investigation, and resolution), as well as periodic training for these personnel.

Auditing Guidance

  1. Examine the policy for adequacy, approval, communication, and effectiveness as applicable to planning, delivery and support of the organization’s Security Incident Management, with respect to timely management.
  2. Examine the policy and procedures for evidence of review at least annually.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.