1. All physical systems and devices within the organization are inventoried.
2. All software platforms and applications within the organization are inventoried.
3. All systems, devices, software platforms and applications are classified and prioritized based on their criticality and business value.
4. The organization has clearly defined cybersecurity roles and responsibilities for internal users, external vendors, customers and partners.
5. The organization has written information security policies and procedures.
6. The organization clearly understands all legal and regulatory requirements regarding cybersecurity.
7. Cybersecurity risks are identified and managed through a governance and risk management process.
8. Cybersecurity risk tolerance is determined, expressed in policy and agreed upon by all stakeholders.