
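Security Improvement #1303

Open

IT-CAP Improvement Plan

Added by Joy Liao 13 days ago. Updated 13 days ago.

Status: New
Priority: Normal
Assignee:
Start date: 2026-01-01
Due date: 2028-12-31 (more than 2 years remaining)
% Done: 0%
Estimated time: (Total: 0:00 hours)

Description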

CY-IT101: IT - Cybersecurity governance
Do you have an appropriate cybersecurity organization within your entity?

CY-IT102: IT - Roadmap and dedicated cybersecurity budget
Do you have a cybersecurity roadmap and an associated annual budget within your entity?

CY-IT103: IT - Asset inventory
Do you have a regularly updated list of all physical assets (servers, workstations, smartphones, firewalls, switches, VPN concentrators, etc.) and application assets (software, applications, etc.), including identification of related business processes and an assessment of the criticality of each of these assets in your organization?

CY-IT104: IT - Risk management
Is cybersecurity risk mapping carried out transversally for the entity? Are risk analyses carried out on critical assets as well as new projects (security by design)? Are the identified cybersecurity risks the subject of an action plan to address them?

CY-IT105: IT - Security dashboard
Do you maintain an up-to-date dashboard, including cybersecurity KPIs from the roadmap, to track the progress of action plans and the cybersecurity maturity of your entity?

CY-IT106: IT - Third party management
Is cybersecurity integrated into the management of business and technical third parties (security clauses in contracts, maturity assessment)?

CY-IT107: IT - Inventory of critical business process assets
Are business processes (finance, HR, IT, industrial, etc.) and their critical assets identified in an inventory?
Is a plan in place to secure these assets?

CY-IT201: IT - Secure management of the information system
Do you apply a patch management process to manage the obsolescence of your equipment (servers, workstations, firewalls, switches, VPN concentrators, mobile devices, etc.) and applications?

CY-IT202: IT - Account and password management
Do you have a process for managing user accounts and privileged accounts, and for securing passwords? Is it applied throughout your perimeter? Are administration tasks only performed from a dedicated account?

CY-IT203: IT - SSO
Is authentication for services exposed on the Internet done using SSO with the Google account, and only with a strong authentication mechanism?

CY-IT204: IT - Active Directory / LDAP Authentication Directory
Do you use an Active Directory (AD) or LDAP authentication directory? Do you apply the recommendations for secure directory architecture? Do you regularly audit your directory?

CY-IT206: IT - Network - Internet Access Point
Do you have an Internet Access Point (IAP) inventory? Have you implemented a secure architecture for outputs to the Internet?

CY-IT207: IT - Network Architecture Document
Do you have a network architecture document indicating the segmentations of your information system?

CY-IT208: IT - Protection of exposed assets
Do you have an action plan in place to reinforce security and surveillance on services exposed on the Internet?

CY-IT209: IT - Security by design
Is cybersecurity integrated from the design stage (security by design) and at each key stage of business and technical projects (expression of needs, definition of architecture, validation before putting into production)?

CY-IT210: IT - Awareness and training
Do you have a cybersecurity awareness and training program, and do you carry out cybersecurity awareness actions on a regular basis among employees within your scope?

CY-IT211: IT - Server hardening
Are you implementing server and application hardening (including mobile applications)?

CY-IT213: IT - Mobile devices
Is a mobile device security policy in place (for smartphones and tablets)?

CY-IT214: IT - Data classification and protection
Do you apply the requirements of the Key 19 procedure?
Do you have a regularly updated data inventory?

CY-IT215: IT - Data encryption
Is an encryption policy for data at rest and in transit defined and applied?

CY-IT216: IT - Network Architecture
Does your network architecture follow security best practices?
Are there interconnections between IT and OT if there is an industrial information system in your area?

CY-IT301: IT - Deployment of detection tools and services
Is a Security Operation Center (SOC) in place? Is an Endpoint Detection Response (EDR) solution deployed across the entire perimeter?

CY-IT302: IT - Vulnerability detection
Do you carry out vulnerability scans regularly and apply the associated patches as part of a patch management process?

CY-IT303: IT - Audits and intrusion tests
Do you regularly (at least every 3 years) carry out intrusion tests (application pentests), audits (information system security audits) and/or red team exercises, and carry out the remedial actions identified as a result?

CY-IT304: IT - Centralization of logs and detection rules
Are the event logs essential to investigation and detection collected in the SOC? Are these qualified and analyzed by the SOC?

CY-IT401: IT - Incident management
Do you apply the group standard for managing cybersecurity alerts and incidents? Do you have a local cybersecurity incident management procedure?

CY-IT402: IT - Crisis management
Do you apply the group alert and crisis management procedure adapted to your scope?
Is this procedure regularly tested as part of cyber crisis management exercises?

CY-IT501: IT - Backup and Restore
Is there a documented and implemented backup management procedure that takes into account full equipment backup, recovery testing, offline data storage and on-premises or Cloud data retention time?
Is this procedure consistent with the Recovery Point Objective (RPO) associated with the activity?

CY-IT502: IT - Business continuity
Does the business continuity plan (BCP) include a plan to manage cyber events?
Is an IT business recovery plan (DRP) applied to all activities?


Subtasks: 29 (29 open, 0 closed)

Issue: Subject | Status | Assignee | Start date | Due date
Security Improvement #1305: CY-IT101 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1306: CY-IT102 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1307: CY-IT103 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1308: CY-IT104 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1309: CY-IT105 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1310: CY-IT106 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1311: CY-IT107 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1312: CY-IT201 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1313: CY-IT202 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1314: CY-IT203 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1315: CY-IT204 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1316: CY-IT206 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1317: CY-IT207 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1318: CY-IT208 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1319: CY-IT209 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1320: CY-IT210 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1321: CY-IT211 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1322: CY-IT213 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1323: CY-IT214 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1324: CY-IT215 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1325: CY-IT216 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1326: CY-IT301 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1327: CY-IT302 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1328: CY-IT303 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1329: CY-IT304 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1330: CY-IT401 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1331: CY-IT402 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1332: CY-IT501 | New | 益利 周 | 2026-01-01 | 2028-12-31
Security Improvement #1333: CY-IT502 | New | 益利 周 | 2026-01-01 | 2028-12-31
