Columns for each row: Source Clause (v1.1) | Clause (v2.1.1) | Significance | Scope | Source | ISO Ref. | Control Objective/Control, followed by the Requirement and the Testing Procedures for that row.



n/a | 4.1 | High | All | ND1643 | n/a | Documented scope
Requirement: A communications provider must be able to demonstrate a clear understanding of where and how the standard applies to their organisation (and contractors or 3rd parties), meeting the requirements of the Scope section.
Testing Procedures: The scope should be made available to the auditor and should cover the interconnect types (as per the standard), the protocols used by the CP to support these, the product or service names the CP associates with these interconnects and the locations affected.

n/a | 4.1 | High | All | ND1643 | n/a | Documented scope
Requirement: The scope must enable the auditor and others to clearly identify which personnel, equipment, physical locations, secure perimeters and so on are in scope.
Testing Procedures: The auditor should validate that the scope is sufficiently clear to identify which personnel, equipment, physical locations, secure perimeters and so on are in scope, and which are not.

n/a | 4.1 | High | All | ND1643 | n/a | Documented scope
Requirement: Relevant information on what is in scope must be made available to an interconnecting operator who requests it.
Testing Procedures: The auditor should validate that this information exists and that a process exists for its release.

n/a | 4.1 | High | All | ND1643 | n/a | Documented scope
Requirement: A list of interconnects covered by the scope must be made available to the auditor, and this list (although not necessarily 100% up to date) must be available for review with an interconnect operator on demand.
Testing Procedures:
1. An accurate and up to date list of interconnects must be provided to the auditor. This list of interconnects should be used by the auditor to select sites for sampling.
2. The CP must also demonstrate which other CPs are sharing the host's facilities to interconnect and therefore fall within scope.

4.1 | 4.2 | Medium | All | ISO27002 | A.5.1.1 | Information security policy document
Requirement: An information security policy document must be approved by management, and published and communicated to all parties involved with the interconnects within scope. The policy must include measures for each of the requirements of this document, and must apply to normal operation, during incidents and during the invocation of business continuity plans.
Testing Procedures: The auditor should check that the information security policy document has been approved by the CP's management prior to the audit, with sufficient time allowed for it to be published, communicated and assimilated by all parties involved with the interconnects within scope (both internal and external).

4.1 | 4.2 | Medium | All | ISO27002 | A.5.1.1 | Information security policy document
Requirement: The policy should explain how your organisation implements the controls that are required by the minimum standard. We recommend it explains how you measure the effectiveness of the controls.
Testing Procedures:
1. Auditors should review the relevant security policy document(s) and ensure it covers the controls within the Standard and explains how the CP implements and measures the controls.
2. The auditor should ensure that the document is available to those who require it, and that they know where it is.

5.1 | 4.3 | Medium | All | ISO27002 | A.6.1.1 | Management commitment to information security
Requirement: Management must actively support the implementation of and compliance with the minimum security standard. Top-down commitment from senior management is essential to the success of security controls and mitigation of risks in any organisation. Whilst much of the detail can be delegated to appointed security officers or their equivalent, senior management must, for the Minimum Standard:
Testing Procedures: Where auditors find significant gaps in the controls and/or the overall controls do not appear to be functioning or effective, a review should be undertaken with the senior manager responsible for security to ascertain the extent to which they understand and comply with their responsibilities.

5.1 | 4.3 | Medium | All | ISO27002 | A.6.1.1 | Management commitment to information security
Requirement: • Ensure appropriate funding and resource is available to implement the standard's controls;
Testing Procedures: The auditor's assumption should be that this is a 'pass', as a CP would not seek certification without appropriate funding being in place, unless evidence to the contrary comes to light during the audit.

5.1 | 4.3 | Medium | All | ISO27002 | A.6.1.1 | Management commitment to information security
Requirement: • Assign key roles and responsibilities for implementation, operation, monitoring and improvement of the controls;
Testing Procedures: The auditor should validate that the responsibility for implementation and compliance of the controls is clearly assigned within the organisation and that this is supported by the appropriate organisation charts, job descriptions, notes of 1 to 1 reviews etc.

5.1 | 4.3 | Medium | All | ISO27002 | A.6.1.1 | Management commitment to information security
Requirement: • Set the strategic approach the organisation will take to achieve compliance, and articulate this through policy documents and planning;
Testing Procedures: The Information Security Policy Document and Management Commitment to information security (Sections 4.2 and 4.3 above) meet this requirement. No further validation is expected of the auditor.

5.1 | 4.3 | Medium | All | ISO27002 | A.6.1.1 | Management commitment to information security
Requirement: • Ensure those employees within the scope of Interconnects are aware of their responsibilities through training and awareness.
Testing Procedures: The auditor should validate that employees within scope have been made aware of their responsibilities through review of training material, team briefing material, formal communications, email circulation lists etc. Auditors could also check the training records of personnel in scope where a company formally records such activity.

5.2 | 4.4 | High | All | ISO27002 | A.6.2.3 | Third Party Agreements
Testing Procedures: A list of third party suppliers or other external parties involved must be shown to the auditor. The auditor should verify this list by looking at access logs to sites, and interviewing staff within scope.

5.2 | 4.4 | High | All | ISO27002 | A.6.2.3 | Third Party Agreements
Requirement: A communications provider may contract a third-party to implement some of the controls in this document. The contract with the third party must clearly cover the relevant security requirements, and must also cover the right to audit. The third party may choose to get external certification to demonstrate their compliance with the contracted controls.
Testing Procedures:
1. CPs should demonstrate to the auditor that any new or renegotiated contracts meet the control by:
a) Clearly covering the relevant security controls, and including the right for the CP to audit the supplier.
b) Stipulating that obligations must be passed on to companies and individuals further down the supply chain, as appropriate for compliance with the standard.
2. It is the CP's intention to require that new Suppliers or new contract awards meet the requirements of the MSS, and a process exists to support this.
3. The CP should demonstrate that a process is in place to review, evaluate and accept the impact when a Supplier refuses to support the controls within the Standard, either as a result of the "market power" of the Supplier or where the commercial implications are unreasonable. The inspection should validate that this process has been used where appropriate.

5.2 | 4.4 | High | All | ISO27002 | A.6.2.3 | Third Party Agreements
Requirement: The communications provider must monitor the enforcement of the requirements. This monitoring is typically performed through logging and auditing procedures.
Testing Procedures:
1. The auditor should look for evidence that the CP monitors and enforces the requirements on those Suppliers contracted to meet the controls within the Standard.
2. Ad-hoc checks by the auditor on any third parties encountered during an audit are encouraged but are not mandatory.

5.2 | 4.4 | High | All | ISO27002 | A.6.2.3 | Third Party Agreements
Requirement: The communications provider must seek and maintain assurances from the third party that the required security behaviours have been communicated to their personnel and are being followed. Obligations must be passed on by any third-parties, as appropriate for compliance with the standard, to companies and individuals further down the supply chain.
Testing Procedures:
1. The auditor should look for evidence that the CP is actively seeking and maintaining such assurances, perhaps in minutes of supplier review meetings, induction briefings, audits or other mechanisms.
2. Ad-hoc checks by the auditor on any third parties encountered during an audit are encouraged but are not mandatory.

6.1 | 4.5 | Medium | All | ISO27002 | A.8.1.1 | Roles and responsibilities
Requirement: Communications providers must be able to show that security roles and responsibilities are defined and documented in the policy documentation.
Testing Procedures:
1. The auditor should review the CP's documentation for evidence of clearly defined roles and responsibilities, confirm that these roles and responsibilities exist either within the organisation or are contracted with a 3rd party, and that individuals within scope have an adequate understanding of them.

6.1 | 4.5 | Medium | All | ISO27002 | A.8.1.1 | Roles and responsibilities
Testing Procedures:
1. Where roles and responsibilities are contracted outside the organisation, the auditor should check that there is evidence that the CP is actively managing these.

6.2 | 4.6 | High | All | ISO27002 | A.8.1.2 | Screening
Requirement: You must carry out the following pre-employment checks on new workers and those who have been employed after 1st May 2011:
• Seek references
• Check accuracy of applicant's CV
• Confirm claimed professional qualifications
• Complete an independent identity check
• Right to work: nationality and immigration status
For all workers who were employed between 29 Feb 2008 and 31st April 2011 you need only have carried out the:
• Complete an independent identity check
• Right to work: nationality and immigration status
Checks are not required on personnel who have been in continuous employment since before this date. Checks must be done prior to employment, or where necessary during an initial 'trial-period'. There is no requirement to repeat checks on an individual during the duration of their employment.
Testing Procedures:
1. The auditor should validate that a documented process exists to ensure that the appropriate pre-employment checks are undertaken prior to employment, or where necessary during an initial 'trial-period', and that this process is being used. This could be a review of the written document or an interview with a member of staff responsible for recruitment (HR in a larger organisation).
2. The auditor should validate whether identities have been confirmed in accordance with the Standard for new personnel and those employed for longer than one year, as follows:
• CP with <100 employees in scope – 2 new, 1 employed
• CP with <200 employees in scope – 3 new, 2 employed
• CP with <400 employees in scope – 4 new, 2 employed
• CP with >500 employees in scope – 6 new, 3 employed

6.2 | 4.6 | Medium | All | ISO27002 | A.8.1.2 | Screening
Requirement: If the checks produce any anomalies or causes for concern then senior management must be involved in the consideration of the employment of the individual in question, and if they remain in employment with the organisation then records of the consideration should be kept.
Testing Procedures: If the pre-employment checks produce any anomalies or causes for concern, then either senior management within the CP are expected to be involved in the consideration of the employment of the individual in question, or senior management must have agreed the process that shall be used to authorise such exceptions. The auditor should validate that such a process exists and is being used.

6.3 | 4.7 | Medium | All | ISO27002 | A.8.1.3 | Terms and Conditions of Employment
Requirement: Communications providers must be able to demonstrate that the terms and conditions of the employment contract for all employees, contractors and third party users within scope state their and the organization's responsibilities for information security.
Testing Procedures:
1. The auditor should review a sample of two employment contracts for employees within scope and check that they include an appropriate general statement which adequately supports this control.
2. The auditor should also check that the contracts checked are signed.

6.5 | 4.8 | High | NGN | ISO27002 | A.8.3.3 | Removal of Access Rights
Requirement: The access rights of all employees, contractors and third party users to systems within scope must be removed upon termination of their employment, contract or agreement, or adjusted if their role changes. Ensure appropriate asset recovery (computers, access tokens, keys etc) and account closures follow employment terminations.
Testing Procedures: Auditors should review the process for leavers and ensure managers, HR or both are aware of it. Auditors should either:
• Review the list of individuals (and/or roles) with access to a piece of equipment within scope. Identify when this was last updated and whether this is appropriate to the rate of employee turnover, then ensure that all listed individuals are still in employment and remain within the defined scope. If shared accounts are used instead of individual accounts, identify the date of the last leaver and ensure that passwords have been changed since (both internally and with an interconnect partner, if appropriate). The auditor should also validate that for a leaver within scope any computers, access tokens, keys etc which were allocated to the leaver were recovered.
• Request that the CP demonstrate, via a specific leaver (chosen by the auditor), how leavers can no longer attempt to gain access to interconnect equipment, for example by preventing access to buildings, barring remote access to the network, cancelling passwords etc. The CP should also demonstrate that any computers, access tokens, keys etc which were allocated to the leaver were recovered.

6.5 | 4.8 | High | NGN | ISO27002 | A.8.3.3 | Removal of Access Rights
Testing Procedures:
2. The access rights of third party users to systems within scope must be removed upon termination of their employment with the 3rd party, or of the contract or agreement between the CP and 3rd party, or adjusted if their role changes within the 3rd party. The auditor should look for evidence that the CP has covered the responsibilities within its contract with the 3rd party and is actively managing and vetting these, perhaps in minutes of supplier review meetings, induction briefings, audits or other mechanisms. The auditor is not expected to undertake physical audits of any such 3rd party not collocated with the CP.

6.5 | 4.8 | High | NGN | ISO27002 | A.8.3.3 | Removal of Access Rights
Testing Procedures:
3. Where 3rd party supply contracts have been reassigned, the auditor should ask the CP to demonstrate that the previous organisation and its employees have had their access rights removed. The auditor is not expected to undertake physical audits of any such 3rd party not collocated with the CP.

6.5 | 4.8 | High | NGN | ISO27002 | A.8.3.3 | Removal of Access Rights
Requirement: Where accounts are created on an interconnect partner's equipment, the interconnect partner must also be notified to close or modify access permissions as appropriate. Communications providers must ensure that they have a process for the removal of access rights, both physical and logical, in the event of employment termination or role change. This process may be manual or automatic, or a combination of both, and must be completed in a timely manner.
Testing Procedures:
1. The auditor should seek evidence of the process and validate this in a similar manner to that above.
2. The CP should demonstrate that its interconnect agreements contain an equivalent commitment from its interconnect partner.

6.5 | 4.8 | Advice | NGN | ISO27002 | A.8.3.3 | Removal of Access Rights
Requirement: It is also recommended that communications providers operate a policy of regular internal review of access. Where access is granted to an interconnected provider's equipment this should also be done in partnership with the interconnected provider.
Testing Procedures: Whilst not a pass/fail criterion, the Auditor should note whether such reviews are undertaken. This may provide additional evidence towards whether the assessor views that there is adequate management commitment to information security (see above).

7.1 | 4.9 | High | All | ISO27002 | A.9.1.1 | Physical Security Perimeter
Requirement: Fire exits and alternative entrances will be controlled with mechanical locks, and vulnerable points of intrusion protected by means of window grilles or bar sets and intruder detection connected to the building alarm system and remotely monitored.
Testing Procedures: Within the sample of sites physically audited, the auditor should check that minimum physical security controls are in place for rooms and areas containing interconnect equipment.
7.1 | 4.9 | High | All | ISO27002 | A.9.1.1 | Physical Security Perimeter
Requirement: Locking racks must be used for new installations of racks in shared areas, or caged areas.
Testing Procedures: CPs are expected to use locking racks or caging for new installations of racks in shared areas from December 2011 onwards.

7.1 | 4.9 | Medium | All | ISO27002 | A.9.1.1 | Physical Security Perimeter
Requirement: Communications providers must have robust processes/policies in place to ensure that:
• Employees display the appropriate photo ID cards, when required to by their organisation or the host's security policy.
• Employees remain within authorised areas within sites.
Testing Procedures:
1. The auditor should check that individuals who have access to a CP's secure areas and also shared (3rd party) areas have been made aware of and comply with the relevant security procedures. This can be demonstrated through training materials, notes of team meetings, copies of email briefings etc. The auditor should be sensitive to the size of the CP being audited.
2. Whilst not mandatory, the auditor is, where possible, encouraged to verify the understanding and compliance of any individuals encountered during the inspection of interconnect locations.

7.1 | 4.9 | Medium | All | ISO27002 | A.9.1.1 | Physical Security Perimeter
Requirement: In a shared area equipment is labelled effectively with a unique identifier. This helps prevent accidental modification of the wrong equipment. You may decide to put an identifier other than your company name on the equipment to help reduce the risk of a targeted attack.
Testing Procedures: The auditor should check that the CP's labels on interconnect equipment in the shared areas audited have an appropriate unique identifier which is sufficient to allow the specific instances of the equipment to be meaningfully identified by the CP or its contractors.

7.2 | 4.10 | High | All | ISO27002 | A.9.1.2 | Physical entry controls
Requirement: You must lock or otherwise physically restrict access to areas containing interconnect equipment to authorised individuals who are in scope of this standard.
Testing Procedures:
1. The auditor should assess whether the controls are effective both for a CP's own locations and any 3rd party locations by validating that access requires the use of entry controls and that these can only be obtained by authorised personnel who meet the controls set out within the Standard. This should apply to any individual entering such areas, not just those employed directly or indirectly by the CP.
2. The auditor should also check that any personnel spoken to during the physical audits agree the controls are effective.

7.2 | 4.10 | High | All | ISO27002 | A.9.1.2 | Physical entry controls
Requirement: A process must be in place for granting and removing access, whether the perimeter is controlled by your organisation or a third-party.
Testing Procedures:
1. The auditor should review the list of people authorised to access a CP's secure areas unescorted and how the CP manages/validates this to ensure that these people meet the requirements of this standard.
2. The auditor should validate that a process exists such that an individual who is not authorised yet requires legitimate access to a secure area can be appropriately escorted and supervised.
3. Whilst it will not be possible for the auditor to view a similar list for 3rd party sites, the auditor should view the information provided by the 3rd party host covering physical entry procedures and the contract between the CP and the 3rd party. The latter should adequately cover the host's obligations to extend the Standard's requirements to other CPs within the shared area.

7.3 | 4.11 | Medium | NGN, Internet | ISO27002 | A.9.2.4 | (Environmental) Equipment Maintenance
Requirement: Equipment in shared areas (the whole room, not just the cage or rack) must be correctly maintained to ensure that it has no adverse impact on the environment containing other communications providers' equipment.
Testing Procedures:
1. Where a CP is acting as the host and in its own secure areas, the auditor should validate that appropriate maintenance routines are documented, have been scheduled and undertaken, and the results recorded.
2. Where issues have been identified with this environmental equipment, appropriate and timely action to rectify faults should be demonstrated to the auditor. As an example, a non-functioning fire alarm once detected should be addressed as a matter of urgency, whereas instances of over-temperature alarms being triggered in the midst of a heat wave might be deemed less critical or transient.

7.3 | 4.11 | Medium | NGN, Internet | ISO27002 | A.9.2.4 | (Environmental) Equipment Maintenance
Requirement: Owners of shared areas are responsible for setting and enforcing minimum equipment standards to reduce the chance of electrical and fire safety incidents. Without this control, catastrophic equipment failure (for example a fire or electrical fault) in a shared area may adversely influence the facility and other users.
Testing Procedures:
1. The auditor should validate that the responsibility of the sharer is clearly stated within any contract between the host and its users of the shared space, by checking the CP's own contract with the host.
2. The auditor should also check that the contract mandates that the hosting provider will enforce the same equipment safety standards on all other tenants.
3. This contract between the host and sharing CPs should also cover the environmental conditions/services being provided by the host.

8.1 | 4.12 | Medium | All | ISO27002 | A.10.1.1 | Operating Procedures
Requirement: CPs must be able to demonstrate consistent operating practice for activities on equipment in scope. This could be shown through demonstration of highly competent or appropriate documentation showing the steps required for such activities. The activities reviewed may include the security process described in this document, or other regular activities on the equipment in scope. The auditor may consider the contents of the change management system when looking for activities to review.
Testing Procedures:
1. The auditor should review the operating procedures and ask the CP to demonstrate they are applied consistently to activities on interconnect equipment within scope.
2. The operating procedures should be appropriately documented to show the steps required to undertake such activities.
3. The auditor should validate that relevant staff are aware of these operating procedures.

8.2 | 4.13 | Medium | All | ISO27002 | A.10.1.2 | Change Management
Requirement: A change control process must exist. It must cover changes to the equipment within scope, and include: authorisation for changes, review of planned changes and maintaining a log of changes.
Testing Procedures: The auditor should validate that a change control process exists covering the equipment in scope and, at least, authorisation for changes, the review of planned changes and maintaining a log of changes.

8.3 | 4.14 | Medium | NGN, Internet | ISO27002 | A.10.6.1 | Network controls
Requirement: The network must be configured so that only agreed traffic may cross the interconnect and will only originate from interconnect boundary devices. Except where direct communications are required, providers must maintain logical separation of the interconnect partner from other external sources (e.g. other interconnects, the Internet). Filters, SIP proxies, firewalls, VLANs or other technology may be used to maintain this separation.
Testing Procedures: The auditor should identify that those responsible for the network configuration and design are aware of the need to maintain logical separation of the interconnect partner from other external sources (e.g. other interconnects, the Internet). The auditor is not expected to technically validate these documents or to test the separation of interconnect traffic.

8.3 | 4.14 | Medium | All | ISO27002 | A.10.6.1 | Network controls
Requirement: Network design or architecture documentation must exist and cover the equipment within scope.
Testing Procedures: The auditor should validate that Network Design or Architecture Documentation exists which covers the equipment within scope, that it is up to date and that it is available to those who need access.

8.4 | 4.15 | Medium | All | ISO27002 | A.10.10.1 | Audit logging
Requirement: Audit logs recording user activities (e.g. logon, logoff, configuration changes) and security events (e.g. failed authentications) should be produced and kept for an agreed period to assist in future investigations and access control monitoring. Logs should be retained for at least 90 days.
Testing Procedures:
1. The auditor should check that audit logs are generating the required records for equipment in scope.
2. The auditor should request that the CP demonstrate a log entry from as close as is practical to the 90 day limit.

8.4 | 4.15 | Medium | All | ISO27002 | A.10.10.1 | Audit logging
Requirement: If equipment cannot automatically log user activity then the change management process must be used instead, or to supplement the required information (see above).
Testing Procedures: Where equipment cannot log, the auditor should check that a change management process exists to record who logged on, when and for what purpose, and that records are retained for the appropriate period of time.

8.5 | 4.16 | Medium | All | ISO27002 | A.10.10.4 | Administrator and operator logs
Requirement: System administrator and system operator activities should be logged. Communications providers must be able to log and subsequently show a full history of system administrator and system operator activities on equipment that is in scope, including both successful and failed authentication attempts. Configuration, management and operational changes to the interconnect equipment should be logged where possible. Logs must be retained for 90 days.
Testing Procedures:
1. The auditor should check that administrator and system operator activities are logged and record a full history of administrator activities on the equipment in scope, including both successful and failed authentication attempts and configuration, management and operational changes.
2. The auditor should request that the CP demonstrate a log entry from as close as is practical to the 90 day limit.

8.5 | 4.16 | Medium | All | ISO27002 | A.10.10.4 | Administrator and operator logs
Requirement: If equipment cannot automatically log user activity then the change management process must be used instead, or to supplement the required information (see above).
Testing Procedures: Where equipment within scope cannot log, the auditor should check that a change management process exists which records who logged on, when and for what purpose, and which retains the records for the appropriate period of time.
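The two checks the auditor performs under 4.15 and 4.16 (are the required event classes actually being recorded for each in-scope device, and does the retained history reach back to the 90 day limit) can be scripted over a log export. The following Python is an added illustration, not part of the checklist; the line format (ISO timestamp, device name, message), the device names, the event keywords and the sample entries are constructed assumptions that would be adapted to the real equipment's export format.

```python
"""Audit-log coverage check for interconnect equipment (clauses 4.15 / 4.16).

Added example, not part of the ND1643 checklist. The log line format
(ISO timestamp, device name, free-text message), the device names and the
event keywords are constructed assumptions; a real check would be adapted to
the export format of the equipment actually in scope.
"""
import re
from datetime import datetime

RETENTION_DAYS = 90

# Event classes the two rows require to appear in the audit trail:
# successful and failed authentication, logoff, configuration change.
REQUIRED_EVENTS = {"logon_ok", "logon_fail", "logoff", "config_change"}

# Constructed keyword patterns mapping message text to those classes.
EVENT_PATTERNS = {
    "logon_ok": re.compile(r"\bLOGIN (?:OK|SUCCESS)\b"),
    "logon_fail": re.compile(r"\bLOGIN FAIL(?:ED|URE)?\b"),
    "logoff": re.compile(r"\bLOGOUT\b"),
    "config_change": re.compile(r"\bCONFIG (?:CHANGE|COMMIT)\b"),
}

# "<timestamp> <device> <message>"
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

# Constructed sample export covering two devices. 192.0.2.0/24 is a
# documentation address range, not a real management network.
SAMPLE_LOG = """\
2011-09-02T08:00:00 sbc-01 LOGIN OK user=alice src=192.0.2.10
2011-09-02T08:05:12 sbc-01 CONFIG COMMIT user=alice diff=acl-update
2011-09-02T08:06:00 sbc-01 LOGOUT user=alice
2011-11-28T22:14:03 sbc-01 LOGIN FAILED user=root src=192.0.2.99
2011-10-15T09:30:00 sbc-02 LOGIN OK user=bob src=192.0.2.11
2011-10-15T09:45:10 sbc-02 LOGOUT user=bob
this line is not in the expected format and is skipped
""".splitlines()

# Point in time of the (constructed) audit.
AUDIT_DATE = datetime(2011, 12, 1, 12, 0, 0)


def parse_line(line):
    """Return (timestamp, device, message) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, m.group(2), m.group(3)


def classify(message):
    """Map a message to a required event class, or None if it is not one."""
    for name, pattern in EVENT_PATTERNS.items():
        if pattern.search(message):
            return name
    return None


def check_coverage(lines, now, retention_days=RETENTION_DAYS):
    """Per device: required event classes never seen, age of the oldest entry,
    and whether that age reaches the retention limit the auditor asks to see."""
    seen = {}
    oldest = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, device, message = parsed
        seen.setdefault(device, set())
        event = classify(message)
        if event is not None:
            seen[device].add(event)
        if device not in oldest or ts < oldest[device]:
            oldest[device] = ts
    report = {}
    for device, events in seen.items():
        age_days = (now - oldest[device]).days
        report[device] = {
            "missing_events": sorted(REQUIRED_EVENTS - events),
            "oldest_entry_days": age_days,
            "retention_met": age_days >= retention_days,
        }
    return report


if __name__ == "__main__":
    for device, result in sorted(check_coverage(SAMPLE_LOG, AUDIT_DATE).items()):
        ok = not result["missing_events"] and result["retention_met"]
        print(f"{device}: {'OK' if ok else 'GAP'} "
              f"oldest={result['oldest_entry_days']}d "
              f"missing={result['missing_events'] or 'none'}")
```

In the constructed sample, sbc-01 records every required class and its oldest entry is 90 days old, while sbc-02 has never logged a failed authentication or a configuration change and its history only reaches back 47 days, which is exactly the kind of gap the 4.15/4.16 checks are meant to surface.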

9.1 | 4.17 | High | NGN, Internet | ISO27002 | A.11.1.1 | Access control policy
Requirement: An access control policy must be established, documented, and reviewed based on business and security requirements for access. The access control policy should apply to the interconnect equipment. It should cover:
• Formal authorisation of access requests
• The requirements for at least an annual review of access rights
• Removal of access rights
The access control policy could be the Communications provider's overarching policy or explicitly for the interconnect equipment, perhaps defined in the interconnect security policy document. It will include:
• Formal authorisation of access requests - Access requests must follow a formal process. The role responsible for operating access control must verify the identity of the individual, that the access is appropriate for the individual's role, that management has approved the request and that the individual has had the appropriate security training/briefing relevant to the location.
• Requirements for periodic review of access rights - As previously discussed, and whilst this could be a line management duty, it is often the responsibility of an Access Control duty or system administrator.
• Removal of access rights - See Removal of Access Rights.
When granting, reviewing or removing access rights for third parties, you should carry out any necessary validation with the appropriate manager at the third party and any responsible manager within your own organisation.
Testing Procedures:
1. The auditor should review the access control policy, which could be the Communications Provider's overarching policy or explicitly for the interconnect equipment. This might be defined in the interconnect security policy document. In reviewing the policy, access controls should be established based on the premise that everything is generally forbidden unless expressly permitted. The auditor should validate that the policy includes the requirement for access to be appropriately authorised, for the periodic review of access rights and for the removal of access rights.
2. The auditor should identify, from the policy, those persons responsible for carrying out the authorisation of access, the periodic review and the removal of access rights. The auditor should interview a sample of these people to ensure they are aware of their responsibilities and can provide evidence of carrying out these functions in accordance with the policy. In auditing the activities of the roles responsible for operating access control, the auditor should check that this role actively verifies the identity of the individual, that the access requested is appropriate for the individual's role, that management has approved the request and that the individual has had the appropriate security training/briefing relevant to the location.
3. The auditor should ensure that where 3rd party locations are used, the access policy of the host maintains access controls consistent with the controls within the Standard. This should be done through sight of the host's procedures supplied to the CP and any supporting contracts.

9.2 | 4.18 | High | All | ISO27002 | A.11.4.2 | User authentication for external connections
Requirement: Management access to the interconnect equipment from remote locations, irrespective of the technology used, must be controlled using a mechanism that provides protection against unauthorised configuration of the interconnect equipment. Authentication in these circumstances can be achieved using a public key cryptography based technique or other two factor authentication mechanism. Password authentication may be used if combined with a restriction of the possible sources of authentication to known source locations. There are various vendors providing remote access authentication solutions. Communications providers should satisfy themselves that the selected solution meets, as a minimum, the requirements of this standard. It is strongly recommended that where the remote user's role does not require them to have access to other equipment, the design of the network is such that they cannot get onward access from a permitted device to other resources on the network.
Testing Procedures:
1. The auditor should interview a sample of staff with responsibility for remote access, and users, and ask them how they use it.
2. The auditor should validate that if individuals can log in from arbitrary locations, they are using two-factor authentication (something more complex than just a username and password), that they only have access to the permitted equipment and that they cannot get onward access from a permitted device to other resources on the network.

10.1 | 4.19 | Medium | All | ISO27002 | A.12.6.1 | Control of technical vulnerabilities
Requirement: Communications providers must obtain timely information about technical vulnerabilities affecting the interconnect equipment and evaluate and address threats arising from these vulnerabilities. This may include patching of vulnerabilities, the disabling of unnecessary services or the secure configuration of services that are in use. There are various sources of information available depending upon the platforms used and products offered. Organisations must have a trustworthy source of advice so that corrective action can be taken in a timely fashion.
Testing Procedures: The auditor should ask the CP to demonstrate that it has a timely and authoritative source of information regarding the occurrence of technical vulnerabilities.

The auditor should review the CPs log of vulnerabilities or other appropriate
records ( e.g. suitably stored e-mails) showing information on vulnerabilities for
its Interconnect equipment. The auditor should check that a reasonable sample
of any vulnerabilities so far identified have either been patched, worked-around
The deployment of vulnerability solutions should follow change
management processes. Communications providers must have or assessed as unnecessary.
NGN, Control of technical Where this evidence leads the auditor believes that the CP may not be dealing
10.1 4.19 Medium ISO27002 A.12.6.1 policy and procedures for vulnerability management. Records
Internet vulnerabilities with vulnerabilities in a timely manner, the CP should be asked to demonstrate
should be kept of vulnerabilities identified and whether they were
its compliance to its change management procedures and processes for
patched, worked-around or dismissed as unnecessary to fix.
vulnerability management.
If no vulnerabilities have been discovered, the auditor should validate that the
relevant employees are aware of and understand the policy/procedure for
addressing the threats from vulnerabilities.
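The auditor's check above (that each identified vulnerability has been patched, worked around or dismissed, and that this happened in a timely fashion) can be carried out mechanically over the CP's own record. The following Python is an added illustration, not part of ND1643 or of any CP's tooling. The record layout, the device and vulnerability identifiers, the sample entries and the per-severity deadlines are all assumptions constructed for the example; the Standard itself fixes no deadline and mandates no record format.

```python
"""Review of a CP's vulnerability record against ND1643 control 4.19.

Added example, not part of the Standard. The record format, the device and
vulnerability identifiers, the sample entries and the per-severity deadlines
are constructed for illustration; the Standard only requires that the CP act
in a timely fashion and record whether each vulnerability was patched, worked
around or dismissed.
"""
from datetime import date
from typing import Dict, List, Tuple

# Assumed maximum number of days between identifying a vulnerability and closing
# it with a recorded disposition. The Standard does not fix these numbers.
DEADLINE_DAYS = {"high": 14, "medium": 30, "low": 90}

# The three outcomes the Standard expects the record to capture.
VALID_DISPOSITIONS = {"patched", "worked-around", "dismissed"}

# Constructed vulnerability log (not real data).
SAMPLE_LOG = """
# id       | device     | severity | identified | disposition   | closed
VULN-001   | icx-sbc-01 | high     | 2024-03-01 | patched       | 2024-03-10
VULN-002   | icx-sbc-02 | high     | 2024-03-01 | patched       | 2024-03-25
VULN-003   | icx-rtr-01 | medium   | 2024-02-20 | dismissed     | 2024-02-21
VULN-004   | icx-rtr-01 | low      | 2024-01-05 |               |
VULN-005   | icx-sbc-01 | medium   | 2024-02-01 |               |
VULN-006   | icx-sbc-02 | high     | 2024-03-20 | worked-around |
"""

# Date on which the sample review is taken (constructed).
REVIEW_DATE = date(2024, 4, 1)


def parse_log(text: str) -> List[Dict]:
    """Parse the pipe-separated record into dicts; blank lines and '#' comments are skipped."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        vid, device, severity, identified, disposition, closed = [f.strip() for f in line.split("|")]
        records.append({
            "id": vid,
            "device": device,
            "severity": severity.lower(),
            "identified": date.fromisoformat(identified),
            "disposition": disposition or None,
            "closed": date.fromisoformat(closed) if closed else None,
        })
    return records


def review(records: List[Dict], today: date) -> List[Tuple[str, str]]:
    """Return (id, finding) for every record an auditor would question."""
    findings = []
    for r in records:
        limit = DEADLINE_DAYS[r["severity"]]
        if r["disposition"] is None:
            # Still open: acceptable only while within the deadline.
            age = (today - r["identified"]).days
            if age > limit:
                findings.append((r["id"], f"open for {age} days, limit {limit}"))
            continue
        if r["disposition"] not in VALID_DISPOSITIONS:
            findings.append((r["id"], f"unrecognised disposition {r['disposition']!r}"))
            continue
        if r["closed"] is None:
            # A disposition without a closure date cannot be shown to be timely.
            findings.append((r["id"], "disposition recorded without a closure date"))
            continue
        taken = (r["closed"] - r["identified"]).days
        if taken > limit:
            findings.append((r["id"], f"{r['disposition']} after {taken} days, limit {limit}"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Review the constructed log as of REVIEW_DATE."""
    return review(parse_log(SAMPLE_LOG), REVIEW_DATE)


if __name__ == "__main__":
    for vid, finding in run_sample():
        print(f"{vid}: {finding}")
```

Run as a script, the review flags VULN-002 (patched outside the assumed high-severity window), VULN-005 (open too long) and VULN-006 (a disposition with no closure date); VULN-004 is still open but within its window, which is exactly the kind of entry the auditor should re-check against the change management record rather than fail outright.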
v1.1 clause 11.1 / v2.1.1 clause 4.20 | High | Scope: All | ISO27002 A.13.1.1 | Reporting information security events

Requirement:
Information security events (which include loss of service, equipment or facilities; system malfunctions or overloads; human errors; non-compliances with policies or guidelines; breaches of physical security; uncontrolled system changes; malfunctions etc.) should be reported through appropriate management channels as quickly as possible.
Communications providers must have a process for reporting serious security events:
• through appropriate management channels;
• externally where appropriate.
All personnel within scope should be fully briefed on how they should report any security events.

Testing procedures:
1. The auditor should validate that personnel within the scope of the Standard have been briefed on what constitutes a security event and on the reporting process. In a large company this might be formal training material, web based information etc., whilst in a smaller CP it may be recorded as an agenda item within team meetings. Where supporting evidence of a briefing is insubstantial, the auditor should test the understanding of personnel in scope.
2. The auditor should identify a recorded security event and validate that this was reported effectively and appropriately.
v1.1 clause 11.2 / v2.1.1 clause 4.21 | High | Scope: All | ISO27002 A.13.2.1 | Management of information security incidents

Requirement:
Management responsibilities and procedures must be established to ensure a quick, effective, and orderly response to information security incidents.
Communications providers must be able to describe the management responsibilities and procedures for a quick, effective, and orderly response to information security incidents affecting assets within scope.

Testing procedures:
1. The auditor should validate that the CP has a process for identifying serious security incidents from the events reported and notifying these:
• through appropriate management channels;
• externally where appropriate.
2. The auditor should validate that personnel within scope are briefed on what constitutes a security incident and on the reporting process.
3. The management involved should also be able to demonstrate an understanding of their responsibilities and use of procedure to provide a quick and effective response. In larger organisations this may be more formalised with documented responsibilities (i.e. within a job description) and processes. In a smaller organisation this might simply be key personnel describing how they would deal with a security incident.
4. The auditor should identify a recorded security incident and validate that this was reported effectively and appropriately. The auditor should also validate that the incident was dealt with in a timely and effective manner by management.
v1.1 clause 11.2 / v2.1.1 clause 4.21 | High | Scope: All | ISO27002 A.13.2.1 | Management of information security incidents

Requirement:
The incident response procedures must take into account the possible impact on other communications providers, and include notification of them in the event that the security incident affects a shared area or interconnect boundary devices.

Testing procedures:
The auditor should check that the process used by a CP identifies when another CP (or CPs) needs to be notified of a security incident and that the appropriate information is readily available to do so, e.g. up to date e-mail addresses or contact numbers.
v1.1 clause 13.1 / v2.1.1 clause 4.22 | Medium | Scope: All | ISO27002 A.15.2.1 | Compliance with security policies and standards

Requirement:
Managers must regularly review (at least annually) the compliance of these controls within their area of responsibility.
If any non-compliance is found as a result of the review, managers should:
• determine the causes of the non-compliance;
• evaluate the need for actions to ensure that the non-compliance does not recur;
• determine and implement appropriate corrective action;
• review the corrective action taken.
Results of reviews and corrective actions carried out by managers should be recorded and these records should be maintained.

Testing procedures:
1. The auditor should validate that managers regularly review the compliance of the controls within their area of responsibility and have acted upon these reviews, where appropriate.
2. The auditor should view the results of reviews and corrective actions carried out by managers to ensure they have been recorded and that these records are up to date.
NOTES:
Internet peering is excluded.
SS7 PSTN is excluded.

GUIDANCE / ACTIONS
Where appropriate the CP may provide locations in generic form, e.g. BT MUAs, where a common approach is adopted by the CP.
Any exceptions (see guidance notes) for which the CP is not seeking certification must be clearly articulated in the scope with respect to the interconnect types, services and locations they affect. This should also detail the controls which are affected and the impact of the exception.
Action: generate an example scope.
No specific template has to be used by a CP, as each approach may differ. The scope may be defined in many ways: for example, to identify personnel, CPs may just put a category of staff, e.g. "All Engineering Staff", on the scope, or may choose to list individual names, job roles or other categories as appropriate.
Exception information can be less detailed than that provided to the auditor but must enable the 3rd party to understand which controls are affected, for which interconnect types, at which locations.
The sample will be provided in the format most appropriate to the CP. No template is mandated. Significant and material inaccuracies discovered during audit should be considered a major non-compliance.
This ISP document could be the organisation’s overall information security policy,
standards and processes, and might comprise various sources and formats, such as
Word, HTML and PDF. However, CPs may choose to create a unique document (an
Interconnect Security Policy Document ) limited to those of its interconnects that fall
within the scope of the Standard.
The timeliness of management approval and communication will be a subjective
judgement of the Auditor based on the size and complexity of the CP, its processes
and supply chain.
The auditor is not expected to make a judgement on the quality of the ISP document, only that the controls within the Standard are covered and that measures are in place to track these.
It is assumed that the quality of the ISP document and the measures will ultimately be reflected in whether the audit is passed or not.
The aim of the control is to demonstrate that management actively supports security within the organisation through clear direction, demonstrated commitment, explicit assignment and acknowledgement of information security responsibilities etc., and actively supports the implementation of and compliance with the minimum security standard.
The acid test of management commitment is ultimately whether or not the controls are in place and functioning. A review should not be undertaken unless the auditor has concern that such management commitment is lacking, based on evidence from the audit.
The auditor should however be sensitive to the size of the organisation. The documentation described above may not be appropriate to smaller businesses with a more informal approach. In such circumstances the auditor should ask individuals identified as responsible to demonstrate their understanding of their responsibilities.
The auditor should be sensitive to the size of the organisation. The formal training and communications approaches described above may not be appropriate to smaller businesses with a more informal management style. In such circumstances the auditor should ask for evidence of how responsibilities were briefed out, e.g. e-mails, meeting notes etc., but also test that individuals are aware of their responsibilities.
Note: An interconnect partner, i.e. another CP with whom a CP is interconnecting, does not constitute a 3rd party supplier.
CPs are not expected to seek to “force” suppliers to meet the Standard for existing contracts unless this is negotiated and agreed by both parties. The auditor should review a sample of relevant contract documents, or other material, that supports the obligations of the 3rd party to the CP to ensure these obligations have been adequately cascaded. The auditor is not expected to audit the supply chain to validate compliance.
The auditor should consider for review any contract that is awarded from a date 3 months prior to the initial certification.
Note: The Standard states that a 3rd party may choose to obtain external certification to demonstrate their compliance with the contracted controls; however, at this time the scheme is not yet in place.
Where a 3rd party supplier is another CP certified to ND1643 and the services provided are within the scope of its certification, then the CP being audited does not have to provide further evidence of compliance but should demonstrate that its supplier CP has a valid certification.
These roles could be assigned in the policies, job descriptions or contracts.
This evidence might be provided in minutes of supplier review meetings, induction briefings, audits or other mechanisms.
The auditor is not expected to undertake any physical audits of any such 3rd party not collocated with the CP.
These principles are based on BS7858 and CPNI advice on pre-employment screening.
CPNI can help with, for example, the issues surrounding the screening of non-UK personnel. http://www.cpni.gov.uk.
The 29th Feb 2008 date is from the start of additional requirements on employers from the "Immigration, Asylum & Nationality Act 2006".
This unique identifier helps prevent accidental modification of the wrong equipment. CPs may however decide to use an identifier other than their company name to help reduce the risk of a targeted attack.
This control is considering the impact of environmental equipment such as air conditioning units, UPS, alarms, fire suppressants etc. which need to be correctly maintained to ensure no adverse impact on the environment containing interconnect equipment. Without this control a catastrophic equipment failure (for example a fire or electrical fault) in a shared area may adversely affect the facility and other users.
For smaller CPs it may be more appropriate for the CP to demonstrate a high level of competence amongst the small number of individuals involved, which removes the need for more detailed procedures or documentation.
The activities reviewed may include the security processes described in the Standard, or other regular activities on the equipment in scope. The auditor may consider the contents of the change management system when looking for activities to review.
For smaller CPs it may be more appropriate for the CP to demonstrate the
effectiveness of the change process with the small number of individuals involved
which removes the need for more detailed procedures or documentation.
Audit logs are required to assist in future investigations and access control monitoring.
Action: review with NICC security group. What exactly is required for best security practice here?
If logs are not populated as a result of the youth of a system then the CP should demonstrate any recent log entry and the relevant settings for the storage period.
Administrator logs are required to assist in future investigations and access control monitoring.
If logs are not populated as a result of the youth of a system then the CP should demonstrate any recent log entry and the relevant settings for the storage period.
On some systems the audit logs and the administrator and operator logs may be identical.
Care should be taken to establish rules on the premise that everything is generally forbidden unless expressly permitted.
Action: provide a simple example access control policy.
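As an added illustration of the deny-by-default principle above and of control 4.18 (remote management access: public-key or two-factor authentication from anywhere, password-only authentication only from known source locations, and no onward access from a permitted device), the following Python evaluates remote management sessions against an explicit allow-list. It is example code added here, not part of ND1643 and not any CP's real configuration: the management network, the device names, the roles, the session-record format and the sample sessions are all assumptions constructed for the example.

```python
"""Deny-by-default policy for remote management access to interconnect equipment.

Added example illustrating ND1643 control 4.18 and the guidance that everything
is forbidden unless expressly permitted. Not part of the Standard or of any
CP's real configuration: the networks, device names, roles, log format and
sample sessions below are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed management network. Password-only logins are tolerated from here and
# nowhere else; any other source must present public-key or two-factor credentials.
KNOWN_SOURCES = [ip_network("10.20.0.0/24")]

# Explicit allow-list of role -> equipment the role may manage. Anything not
# listed is forbidden (default deny).
PERMITTED = {
    "interconnect-engineer": {"icx-sbc-01", "icx-sbc-02"},
    "noc-operator": {"icx-sbc-01"},
}

# Authentication methods that count as public-key or two-factor.
STRONG_AUTH = {"publickey", "password+otp"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    source: str                # IP address the session originates from
    auth_method: str           # "password", "publickey" or "password+otp"
    target: str                # device being managed
    via: Optional[str] = None  # set when the session is an onward hop from a permitted device


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every path that is not expressly permitted ends in a deny."""
    # No onward access: a session arriving through a permitted device is refused
    # regardless of who the user is or how they authenticated.
    if req.via is not None:
        return False, f"onward access from {req.via} to {req.target} is forbidden"
    # Default deny on the target: the role must be expressly permitted this device.
    if req.target not in PERMITTED.get(req.role, set()):
        return False, f"role {req.role!r} is not permitted to manage {req.target}"
    # Public-key or two-factor authentication is acceptable from any location.
    if req.auth_method in STRONG_AUTH:
        return True, f"{req.auth_method} authentication"
    # Password-only authentication is acceptable only from a known source location.
    if req.auth_method == "password":
        src = ip_address(req.source)
        if any(src in net for net in KNOWN_SOURCES):
            return True, "password accepted from known source location"
        return False, f"password-only login from {req.source} is not from a known source"
    return False, f"unrecognised authentication method {req.auth_method!r}"


def parse_session(line: str) -> AccessRequest:
    """Parse one constructed 'key=value' session record into an AccessRequest."""
    fields = dict(token.split("=", 1) for token in line.split())
    return AccessRequest(
        user=fields["user"], role=fields["role"], source=fields["src"],
        auth_method=fields["auth"], target=fields["target"], via=fields.get("via"),
    )


def audit(log: str) -> List[Tuple[str, bool, str]]:
    """Evaluate every session in the log and return (user, allowed, reason) per line."""
    results = []
    for line in log.strip().splitlines():
        req = parse_session(line)
        allowed, reason = decide(req)
        results.append((req.user, allowed, reason))
    return results


# Constructed session records, one per line (not real data).
SAMPLE_SESSIONS = """
user=alice role=interconnect-engineer src=10.20.0.5 auth=password target=icx-sbc-01
user=bob role=interconnect-engineer src=198.51.100.7 auth=password target=icx-sbc-01
user=carol role=noc-operator src=198.51.100.7 auth=publickey target=icx-sbc-02
user=dave role=interconnect-engineer src=10.20.0.5 auth=publickey target=billing-db via=icx-sbc-01
user=erin role=interconnect-engineer src=10.20.0.9 auth=kerberos target=icx-sbc-02
user=frank role=interconnect-engineer src=203.0.113.4 auth=password+otp target=icx-sbc-02
"""

if __name__ == "__main__":
    for user, allowed, reason in audit(SAMPLE_SESSIONS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {user:6} {reason}")
```

The order of the checks matters: onward access is refused before anything else is considered, so a strong credential does not buy a path from a permitted device to other resources, and an unrecognised authentication method falls through to the final deny rather than being treated as acceptable. Of the six constructed sessions only alice (password from the management network) and frank (two-factor from an arbitrary location) are allowed.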
Evidence of subscriptions to e-mails from vendors and other sources of security
information would be adequate in a smaller organisation, without the need for a
formal vulnerability management process.
A security incident is something that occurs (probably made up of one or more events reported under control 4.20) or is discovered which significantly affects the security of the interconnect, your systems, or an interconnect partner's.
Compliance reviews need not be a blanket approach. They may be various and
subject-matter specific, such as firewall rule-sets, administrator log history, on-site
checks that verify only authorised personnel are present, and so on. Compliance
checking provides the CP with a degree of assurance that risks are being mitigated,
and as such could be pragmatically programmed to cover areas of concern, or for
where no recent events or incidents have occurred. However, compliance with this
standard does need to be checked as a whole, albeit annually.
Change Log
1. "Should" and "may" in control statements reviewed. Most "should" changed to "must".
2. Date introduced for background checks. Review with CESG to confirm 224 compatibility.
3. Required logging information made more specific.
4. Format changed, guidance introduced.
5. Introduction of high / medium requirements. Guidance on how many mediums / highs can be failed.
6. Slight change in wording to scope initial control for clarity.
7. Original wording from ISO removed.
8. Definition of security events and incidents refined. Additional guidance on what a security incident is.