The organization shall regularly review the technical compliance of its data systems with the organization's requirements.
The review may be carried out manually by experienced professionals or with automated tools (including intrusion testing).
The technical review shall always be planned and carried out by competent and pre-approved staff.
The data systems (and their content) that support critical business processes are regularly reviewed to locate malware. All unauthorized files and changes will be formally investigated.
Inadequate change management is a common cause of incidents for digital services.
The organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or to other computing services that affect cyber security. The process includes requirements, e.g., for the following:
Whenever new data systems are acquired or developed, pre-defined security rules are followed, taking into account the priority of the system. The rules ensure that adequate measures are taken to ensure the security of the data and data processing in the system.
The organization must have pre-planned, clear policies for situations where logging or other access controls are suspected of failing. These situations should be reported to the appropriate authority without delay.
Different types of situations should have their own policies. Monitoring errors can be caused by software errors, log saving errors, log backup errors, or memory overflows.