The National Institute of Standards and Technology (NIST) provides a variety of checklists and guidelines for different aspects of information security. The specific checklist you might be referring to depends on the context or the area of security you are interested in. Here's a general approach with some commonly used NIST checklists:
https://www.infosectrain.com/blog/nist-cybersecurity-framework/
Columns: Functions | Functions Specified by NIST | Implementation of Function | Expected Results

Function: Identify
Category: ID.AM: Asset Management

ID.AM.1
Specified by NIST: The organization conducts an inventory of physical devices and systems.
Implementation: To reflect changes in the infrastructure, ensure that the organization establishes and consistently updates an inventory encompassing all physical devices and systems.
Expected Results: Documentation detailing the inventory records of physical devices and systems, including the procedures for maintaining and updating this inventory, should be created.

ID.AM.2
Specified by NIST: The organization maintains an inventory of software platforms and applications in use.
Implementation: Check that the organization has established and upholds a record of all software platforms and applications, and ensure that the inventory is constantly refreshed to reflect alterations in software assets.
Expected Results: Documents covering inventory records of software platforms and applications, along with protocols detailing the maintenance and updating procedures for the software inventory.

ID.AM.3
Specified by NIST: Communication pathways and data flows within the organization are charted or mapped out.
Implementation: Confirm that the organization has mapped its communication and data flows to understand how information is transmitted and stored, and that it regularly reviews and updates these maps.
Expected Results: Provide documentation illustrating communication and data flow diagrams, accompanied by an outline of the mapping and updating process.

ID.AM.4
Specified by NIST: External information systems are listed or inventoried.
Implementation: Check that the organization has catalogued all external information systems interacting with its network or data and consistently updates the catalog to reflect any changes in these external systems.
Expected Results: Provide an inventory of external information systems along with documentation detailing the procedure for cataloging and updating these external systems.

ID.AM.5
Specified by NIST: Assets such as hardware, devices, data, time, personnel, and software are ranked according to their classification, criticality, and business significance to determine their prioritization.
Implementation: Ensure that the organization categorizes its resources according to their classification, criticality, and business value and establishes criteria for prioritizing them.
Expected Results: Document the resource categorization and prioritization, including documentation specifying the criteria employed for prioritization.

ID.AM.6
Specified by NIST: Roles and responsibilities in cybersecurity are defined for the entire workforce and external stakeholders, including suppliers, customers, and partners.
Implementation: Ensure that cybersecurity roles and responsibilities have been outlined for all employees and third-party stakeholders and that they have been documented and communicated.
Expected Results: Documentation outlining cybersecurity roles and responsibilities should be kept, alongside communication records and training on these specific roles and responsibilities.
www.infosectrain.com | sales@infosectrain.com
Function: Identify
Category: ID.BE: Business Environment

ID.BE.1
Specified by NIST: The organization has recognized and conveyed its role within the supply chain.
Implementation: Verify that the organization has acknowledged its position within the supply chain and has successfully communicated these designated roles internally and to relevant stakeholders.
Expected Results: Documentation delineating the organization’s position in the supply chain, along with records of communications related to these supply chain roles.

ID.BE.2
Specified by NIST: The organization has identified and communicated its position within critical infrastructure and industry sectors.
Implementation: Confirm that the organization has identified its role in critical infrastructure and industry sectors and effectively communicated this information internally and to relevant parties.
Expected Results: Provide documentation detailing the organization’s placement in critical infrastructure and industry sectors, alongside records of communications concerning this positioning.

ID.BE.3
Specified by NIST: The organization has set and conveyed priorities for its mission, objectives, and activities.
Implementation: Confirm whether the organization has set, documented, and effectively communicated its priorities for its mission, objectives, and activities to relevant personnel and stakeholders.
Expected Results: Documentation outlining the priorities for the organization’s mission, objectives, and activities, along with records of communications about these priorities.

ID.BE.4
Specified by NIST: Dependencies and essential functions necessary for providing critical services are identified and established.
Implementation: Ensure the organization has identified, documented, and regularly reviewed the dependencies and essential functions for delivering critical services.
Expected Results: Documentation listing dependencies and basic procedures, together with records documenting regular reviews and updates, should be maintained.

ID.BE.5
Specified by NIST: Resilience requirements for delivering critical services are determined for all operational conditions (such as under stress or attack, during recovery, and during normal operations).
Implementation: Ensure that resilience requirements for essential services across various operational states (such as during attack, recovery, and normal operations) have been established, documented, and integrated into the organization’s processes and procedures.
Expected Results: Document resilience requirements for critical services in diverse operational states, integrated into relevant processes and procedures.
Function: Identify
Category: ID.GV: Governance

ID.GV.1
Specified by NIST: A cybersecurity policy for the organization has been created and shared.
Implementation: Confirm the existence of a comprehensive cybersecurity policy document that covers roles, responsibilities, compliance, and cybersecurity measures, and ensure there is a documented procedure for sharing it with all employees and relevant external parties.
Expected Results: The cybersecurity policy document, together with records indicating its distribution, employee acknowledgment receipts, briefing minutes, training materials, and attendance records demonstrating policy communication.

ID.GV.2
Specified by NIST: Roles and responsibilities in cybersecurity are coordinated and aligned with internal positions and external partners.
Implementation: Verify that cybersecurity roles and responsibilities within the organization are clearly defined, that there is documented coordination between internal and external roles, and that these roles and responsibilities are regularly reviewed and updated.
Expected Results: Job descriptions detailing cybersecurity responsibilities, contracts or Service Level Agreements (SLAs) with third parties delineating cybersecurity roles, and documented records of meetings or communications related to role coordination.

ID.GV.3
Specified by NIST: The organization understands and effectively manages its cybersecurity legal and regulatory obligations, including responsibilities for privacy and civil liberties.
Implementation: Identify and ensure compliance with all pertinent legal and regulatory requirements; implement policies and procedures to manage adherence, and verify consistent training and updates on changes within these laws and regulations.
Expected Results: Consolidate compliance checklists or matrices outlining requirements, documented procedures and controls for compliance, and training logs and materials covering legal and regulatory requirements.

ID.GV.4
Specified by NIST: Governance and risk management procedures effectively manage cybersecurity risks.
Implementation: Assess the alignment of risk management governance with cybersecurity risks, review procedures for identifying and mitigating cybersecurity risks, and confirm the integration of these risks into the organization’s overall risk management approach.
Expected Results: Consolidate risk management policies and procedures, risk assessment reports, risk treatment plans, and meeting minutes or reports demonstrating the incorporation of cybersecurity risk into the enterprise risk management framework.
Function: Identify
Category: ID.RA: Risk Assessment

ID.RA.1
Specified by NIST: Vulnerabilities related to assets are identified and documented.
Implementation: Verify the existence of an asset inventory, and ensure that vulnerability scans are performed regularly and that identified vulnerabilities are documented and evaluated.
Expected Results: A comprehensive asset inventory, vulnerability scan reports, and documented assessments of identified vulnerabilities.

ID.RA.2
Specified by NIST: Cyber threat intelligence is acquired from information-sharing forums and other sources.
Implementation: Evaluate the organization’s involvement in cyber threat intelligence-sharing platforms, examine the procedure for receiving and distributing threat intelligence, and assess how the acquired intelligence influences security practices.
Expected Results: Evidence of membership in information-sharing forums, with records of received threat intelligence and documented use of that intelligence within the organization’s cybersecurity strategy, should be present.

ID.RA.3
Specified by NIST: Internal and external threats are identified and documented.
Implementation: Confirm the existence of a threat identification methodology, review documented records of identified threats, and ensure comprehensive consideration of both internal and external threats.
Expected Results: Consolidate threat assessment reports or logs, documentation detailing the threat identification process, and records of identified internal and external threats.

ID.RA.4
Specified by NIST: Potential business impacts and their likelihoods are determined.
Implementation: Verify the presence of a procedure for assessing potential threat impacts, evaluate the probability of threat occurrence, and examine the integration of these assessments into the overarching risk management strategy.
Expected Results: Consolidate business impact analysis reports, documentation of probability assessments, and risk analysis reports that combine impact and likelihood assessments.

ID.RA.5
Specified by NIST: Risk is assessed by considering threats, vulnerabilities, likelihoods, and impacts.
Implementation: Evaluate the incorporation of threat, vulnerability, impact, and likelihood data into the risk assessment procedure, ensure that comprehensive risk assessments integrating these elements have been completed, and review the process for updating and reflecting this information in risk documentation.
Expected Results: Comprehensive risk assessment reports, risk matrices or dashboards displaying the combination of these elements, and change logs or updates reflecting the evolution of risk assessments over time.

ID.RA.6
Specified by NIST: Risk responses are identified and prioritized.
Implementation: Confirm the presence of documented risk responses, examine the criteria used to prioritize these responses, and ensure the risk response process remains adaptable and responsive to shifts in the risk environment.
Expected Results: Consolidate risk response plans or procedures, documentation outlining the prioritization of risk responses, and records demonstrating the implementation and modification of risk responses.
Function: Identify
Category: ID.RM: Risk Management Strategy

ID.RM.1
Specified by NIST: Organizational stakeholders establish, manage, and agree to the risk management processes in place.
Implementation: Validate the presence of established formal procedures for managing risks within the organization. Examine documentation to ensure a well-defined and widely communicated risk management process. Verify stakeholder involvement in risk management through meeting records or documented decisions. Confirm clear assignment and understanding of roles and responsibilities related to risk management. Evaluate the mechanisms used to monitor and review the ongoing management of the risk process.
Expected Results: Consolidate risk management policy and procedure documents, meeting minutes reflecting stakeholder engagement, documentation outlining roles and responsibilities for risk management, and records detailing periodic reviews and updates to the risk management process.

ID.RM.2
Specified by NIST: The organization determines and explicitly communicates its risk tolerance.
Implementation: Examine whether there is a formal declaration or policy outlining the organization’s risk tolerance, ensure that these levels are clearly communicated to and understood by those engaged in risk-related decision-making, and review records referencing risk tolerance in decision processes.
Expected Results: Consolidate official documentation outlining the organization’s risk tolerance, supporting evidence that risk tolerance has been communicated (e.g., emails, training materials), and decision-making records demonstrating the integration of risk tolerance as a factor.
Function: Identify
Category: ID.SC: Supply Chain Risk Management

ID.SC.1
Specified by NIST: The organization’s stakeholders identify, establish, assess, manage, and mutually agree upon processes for managing cyber supply chain risks.
Implementation: Ensure that cyber supply chain risk management (C-SCRM) processes are documented and implemented, confirm stakeholder consensus and understanding, review the mechanisms for supply chain risk assessment and management, and verify stakeholder engagement in developing and maintaining C-SCRM processes.
Expected Results: Consolidate C-SCRM policies and procedures, records demonstrating stakeholder agreement and involvement (e.g., meeting minutes or signed acknowledgments), and supply chain-related risk assessment documentation.

ID.SC.2
Specified by NIST: The cyber supply chain risk assessment process identifies, prioritizes, and evaluates suppliers and third-party partners providing information systems, components, and services.
Implementation: Confirm the existence of a comprehensive list detailing all suppliers and third-party partners and the services or components they provide, coupled with a documented risk assessment process for these entities; ensure suppliers are prioritized based on the criticality of their service or component to the organization.
Expected Results: Combine the inventory of suppliers and third-party partners, cyber supply chain risk assessment reports, and documented evidence detailing the prioritization of suppliers according to assessed risks.

ID.SC.3
Specified by NIST: Agreements with suppliers and third-party partners are used to implement suitable measures to fulfill the goals of the organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
Implementation: Examine contracts to verify the inclusion of cybersecurity requirements consistent with the organization’s cybersecurity program, ensure that clauses outlining Cyber Supply Chain Risk Management (C-SCRM) objectives are present, and confirm that service level agreements (SLAs) articulate cybersecurity expectations.
Expected Results: Consolidate copies of contracts containing cybersecurity clauses, Service Level Agreements (SLAs) specifying cybersecurity requirements, and a Cyber Supply Chain Risk Management (C-SCRM) plan delineating the contractual measures to be implemented.

ID.SC.4
Specified by NIST: Regular assessments, including audits, test outcomes, or alternative evaluations, are conducted on suppliers and third-party partners to verify their compliance with contractual obligations.
Implementation: Ensure that regular assessments of suppliers and third-party partners align with contractual obligations, review the methods and frequency of these evaluations, and verify that established processes exist to address identified issues or gaps.
Expected Results: Consolidate audit reports, test results, or evaluation documents related to suppliers and third-party partners, alongside schedules and procedures for regular assessments, while maintaining records of subsequent actions taken when issues are identified.

ID.SC.5
Specified by NIST: Response and recovery planning and testing are carried out in collaboration with suppliers and third-party providers.
Implementation: Evaluate the integration of suppliers and third-party providers within the organization’s incident response and recovery plans, review test plans and records to confirm their inclusion, and assess the effectiveness of the response and recovery plans through testing documentation.
Expected Results: Combine incident response and recovery plans outlining roles and responsibilities for suppliers and third parties, test plans and records involving these entities, and after-action reports or improvement plans resulting from joint response and recovery testing.