We are thrilled to announce the integration of new cybersecurity controls for Jira, aimed at elevating the security posture of your organization. In addition to the default Minimum Viable Secure Product (MVSP), we have incorporated the ISO/IEC 27001 standards for both 2013 and the latest 2022 version. Furthermore, we are aligning our controls with the upcoming EU NIS Directive, contributing to a common and converged level of security in network and information systems.
New Security Standards
ISO/IEC 27001:2013 and 2022
We understand the importance of staying ahead in the ever-evolving landscape of cybersecurity. By integrating the ISO/IEC 27001 standards of 2013 and 2022, we ensure that our cybersecurity controls are in line with the latest industry best practices, providing robust protection against emerging threats.
Unicis Platform Beta
With Unicis, you can manage tasks for security, privacy, and compliance team in one place.
Collaborate accross multiple teams about gap analysis, register of procedures and transfer impact assessment.
NIS Cooperation Group Security Measures
To address the requirements of the new EU NIS Directive, we have created a comprehensive table mapping the NIS Cooperation Group Security Measures for Operators of Essential Services (OES) with MVSP and ISO/IEC 27001 standards. This table aims to facilitate a common and converged level of security in network and information systems at the EU level.
The table goes on to comprehensively map various security domains, sub-domains, and measures against the MVSP and ISO/IEC standards.
| SECURITY DOMAIN / SUB-DOMAIN / MEASURE | MVSP (v1.0-20211007) | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|---|
| Defence / Computer Security Incident Management / Incident Report | MVSP 1.1 Vulnerability reports MVSP 1.7 Incident handling | 7.5 Documented information A.12.1.1 Documented operating procedures A.16.1.1 Responsibilities and procedures A.16.1.2 Reporting information security events A.16.1.3 Reporting information security weaknesses | 7.5 Documented information A.5.37 Documented operating procedures A.5.2 Information security roles and responsibilities A.5.25 Assessment and decision on information security events A.6.8 Information security event reporting |
| Defence / Computer Security Incident Management / Communication with competent authorities | MVSP 1.7 Incident handling | 7.4 Communication 7.5 Documented information A.6.1.3 Contact with authorities A.6.1.4 Contact with special interest groups A.8.2.2 Labelling of information | 7.4 Communication 7.5 Documented information A.5.5 Contact with authorities A.5.6 Contact with special interest groups A.5.12 Labelling of information |
| Defence / Detection / Logging | MVSP 2.7 Logging | 9.1 Monitoring, measurement, analysis and evaluation A.12.4 Logging and monitoring A.14.1.2 Securing application services on public networks A.15.2.1 Monitoring and review of supplier services A.18.1.3 Protection of records | 9.1 Monitoring, measurement, analysis and evaluation A.5.22 Monitoring, review and change management of supplier services A.5.33 Protection of records A.8.15 Logging A.8.16 Monitoring A.8.20 Networks security A.8.21 Security of network services |
| Defence / Detection / Logs correlation and analysis | MVSP 2.7 Logging | 9.1 Monitoring, measurement, analysis and evaluation 9.3 Management review A.16.1.4 Assessment of and decision on information security events A.16.1.7 Collection of evidence | 9.1 Monitoring, measurement, analysis and evaluation 9.3 Management review A.5.25 Assessment of and decision on information security events A.5.28 Collection of evidence |
| Defence / Computer Security Incident Management / Communication with competent authorities and CSIRTs | MVSP 1.7 Incident handling | 7.4 Communication 7.5 Documented information A.6.1.3 Contact with authorities A.6.1.4 Contact with special interest groups A.8.2.2 Labelling of information | 7.4 Communication 7.5 Documented information A.5.5 Contact with authorities A.5.6 Contact with special interest groups A.5.13 Labelling of information |
| Defence / Detection / Detection | MVSP 1.8 Data handling MVSP 3.3 Vulnerability prevention MVSP 3.4 Time to fix vulnerabilities | 9.1 Monitoring, measurement, analysis and evaluation A.12.2 Protection from malware A.12.4 Logging and monitoring A.12.6.1 Management of technical vulnerabilities A.15.2.1 Monitoring and review of supplier services | 9.1 Monitoring, measurement, analysis and evaluation A.8.7 Protection from malware A.8.15 Logging A.8.16 Monitoring A.8.8 Management of technical vulnerabilities A.5.22 Monitoring, review and change management of supplier services |
| Defence / Computer Security Incident Management /Information system security incident response | MVSP 1.7 Incident handling | A.16.1.1 Responsibilities and procedures A.16.1.4Assessment of and decision on information security events A.16.1.5 Response to information security incidents A.16.1.6 Learning from information security incidents A.16.1.7 Collection of evidence | A.5.2 Information security roles and responsibilities A.5.37 Documented operating procedures A.5.25 Assessment of and decision on information security events A.5.26 Response to information security incidents A.5.27 Learning from information security incidents A.5.28 Collection of evidence |
| Governance and Ecosystem / Information System Security Governance & Risk Management / Human resource security | MVSP 1.5 Training | 4.1 Understanding the organization and its context 4.2 Understanding the needs and expectations of interested parties 5.3 Organizational roles, responsibilities, and authorities 6.2 Information security objectives and planning to achieve them 7 Support 9.1 Monitoring, measurement, analysis and evaluation A.6.1.1 Information security roles and responsibilities A.6.1.2 Segregation of duties A.7 Human resource security A.9.3 User responsibilities | 4.1 Organisational context 4.2 Interested parties 5.3 Organizational roles, responsibilities, and authorities 6.2 Information security objectives & plans 7 Support 9.1 Monitoring, measurement, analysis and evaluation A.5.2 Information security roles and responsibilities A.5.3 Segregation of duties A.5.10 Acceptable use of information and other associated assets A.6 People controls A.6.3 Information security awareness, education and training |
| Governance and Ecosystem / Information System Security Governance & Risk Management / Information system security indicators | MVSP 1.6 Compliance | 6.2 Information security objectives and planning to achieve them 7.1 Resources 7.2 Competence 9 Performance evaluation A.12.1.3.Capacity Management | 6.2 Information security objectives & plans 7.1 Resources 7.2 Competence 9 Performance evaluation A.8.6 Capacity Management |
| Governance and Ecosystem / Information System Security Governance & Risk Management / Information system security risk analysis | MVSP 1.3 Self-assessment MVSP 1.4 External testing MVSP 1.8 Data handling MVSP 2.6 Dependency Patching | 6 Planning 8 Operation 9.3 Management review 10 Improvement A.8.1.1 Inventory of assets A.12.6.1 Management of technical vulnerabilities A.18.2.1 Independent review of information security | 6 Planning 8 Operation 9.3 Management review 10 Improvement A.5.9 Inventory of information and other associated assets A.8.8 Management of technical vulnerabilities A.5.35 Independent review of information security |
| Governance and Ecosystem / Information System Security Governance & Risk Management / Information system security audit | MVSP 1.4 External testing | 6 Planning 8 Operation 9.2 Internal audit 9.3 Management review 10 Improvement A.5.1.2 Review of the policies for information security A.12.7.1 Information systems audit controls A.18.2 Information security reviews | 6 Planning 8 Operation 9.2 Internal audit 9.3 Management review 10 Improvement A.5.1 Policies for information security A.5.35 Independent review of information security A.8.34 Protection of information systems during audit testing |
| Governance and Ecosystem / Ecosystem Management / Ecosystem mapping | MVSP 1.2 Customer testing | 4.1 Understanding the organization and its context 4.2 Understanding the needs and expectations of interested parties 4.3 Determining the scope of the information security management system 5.2 Policy 8.1 Operational planning and control | 4.1 Organisational context 4.2 Interested parties 4.3 ISMS scope 5.2 Policy 8.1 Operational planning and control |
| Governance and Ecosystem / Information System Security Governance & Risk Management / Information system security accreditation | MVSP 1.3 Self-assessment MVSP 1.4 External testing MVSP 1.8 Data handling | 6.1 Actions to address risks and opportunities 8 Operation 9.2 Internal audit 10.1 Nonconformity and corrective action A.12.1.1 Documented operating procedures A.12.7.1 Information systems audit controls | 6.1 Actions to address risks and opportunities 8 Operation 9.2 Internal audit 10.2 Nonconformity and corrective action A.5.37 Documented operating procedures A.8.34 Protection of information systems during audit testing |
| Governance and Ecosystem / Information System Security Governance & Risk Management / Information system security policy | MVSP 1.6 Compliance MVSP 1.5 Training MVPS 3.1 List of data MVSP 3.2 Data flow diagram | 4.3 Determining the scope of the information security management system 4.4 Information security management system 5.1 Leadership and commitment 5.2 Policy 5.3 Organizational roles, responsibilities and authorities 6.2 Information security objectives and planning to achieve them 9.3 Management review A.5.1.1 Policies for information security A.5.1.2 Review of the policies for information security A.6.1.1 Information security roles and responsibilities A.7.2.1 Management responsibilities A.18.1.1 Identification of applicable legislation and contractual requirements A.18.1.2 Intellectual property rights A.18.2.2 Compliance with security policies and standards | 4.3 ISMS scope 4.4 Information security management system 5.1 Leadership and commitment 5.2 Policy 5.3 Organizational roles, responsibilities and authorities 6.2 Information security objectives & plans 9.3 Management review A.5.1 Policies for information security A.5.35 Independent review of information security A.5.2 Information security roles and responsibilities A.5.4 Management responsibilities A.5.31 Legal, statutory, regulatory and contractual requirements A.5.32 Intellectual property rights A.5.36 Compliance with policies, rules and standards for information security |
| Governance and Ecosystem / Ecosystem Management / Ecosystem relations | MVSP 4.1 Physical access MVSP 4.2 Logical access MVSP 4.3 Subprocessors | 4.2 Understanding the needs and expectations of interested parties 5.2 Policy 7.4 Communication 7.5 Documented information 8.1 Operational planning and control 9.3 Management review A.5.1.1 Policies for information Security A.7.1.2 Terms and conditions of employment A.7.2 During employment A.7.3 Termination and change of employment A.12.7 Information systems audit considerations A.13.2 Information transfer A.14.2.7 Outsourced development A.15 Supplier relationships A.18.1.1 Identification of applicable legislation and contractual requirements | 4.2 Interested parties 5.2 Policy 7.4 Communication 7.5 Documented information 8.1 Operational planning and control 9.3 Management review A.5.1 Policies for information security A.76.2 Terms and conditions of employment A.6.5 Responsibilities after termination or change of employment A.5.23 Independent review of information security A.5.14 Information transfer A.8.30 Outsourced development A.5.19 Information security in supplier relationships A.5.31 Legal, statutory, regulatory and contractual requirements |
| Potection / Identity and access management / Authentication and identification | MVSP 2.1 Single Sign-On MVSP 2.4 Password policy MVSP 4.1 Physical access MVSP 4.2 Logical access | A.9.1 Business requirements of access control A.9.3 User responsibilities A.9.4.1 Information access restriction A.9.4.2 Secure log-on procedures A.9.4.3 Password management system | A.5.15 Access control A.8.3 Information access restriction A.8.5 Secure authentication A.8.6 Capacity management |
| Potection / IT Security Maintenance / IT security maintenance procedure | MVSP 1.1 Vulnerability reports MVSP 1.2 Customer testing MVSP 2.5 Security libraries MVSP 2.6 Dependency Patching | 7.5.3 Control of documented information 8.1 Operational planning and control 10.1 Nonconformity and corrective action A.11.2.4 Equipment maintenance A.12.1.2 Change management A.12.6.1 Management of technical vulnerabilities A.14.1.1 Information security requirements analysis and specification A.14.2 Security in development and support processes A.15.2.2 Managing changes to supplier services | 7.5.3 Control of documented properly 8.1 Operational planning and control 10.1 Nonconformity and corrective action A.7.13 Equipment maintenance A.8.32 Change management A.8.8 Management of technical vulnerabilities A.5.31 Legal, statutory, regulatory and contractual requirements A.8.25 Secure development life cycle A.8.26 Application security requirements A.8.27 Secure system architecture and engineering principles A.5.22 Monitoring, review and change management of supplier services |
| Potection / IT Security Architecture / System segregation | MVSP 4.2 Logical access | A.12.1.4 Separation of development, testing and operational environments A.13.1 Network security management | A.8.31 Separation of development, testing and operational environments A.8.20 Network security management A.8.21 Security of network services |
| Potection / IT Security Architecture / Cryptography | MVSP 2.2 HTTPS-only MVSP 2.8 Encryption MVSP 3.1 List of data MVSP 3.2 Data flow diagram | A.10.1 Cryptographic controls A.18.1.5 Regulation of cryptographic controls | A.8.24 Use of cryptography A.5.36 Compliance with policies, rules and standards for information security |
| Potection / IT Security Maintenance / Industrial control systems | MVSP 1.6 Compliance | 4 Context of the organization 5.2 Policy 5.3 Organizational roles, responsibilities and authorities 7 Support 8 Operation 9.1 Monitoring, measurement, analysis and evaluation A.6.1.1 Information security roles and responsibilities A.8.1.1 Inventory of assets A.8.2.3 Handling of assets A.9 Access control A.11 Physical and environmental security A.12 Operations security A.14 System acquisition, development and maintenance A.15 Supplier relationships A.17 Information security aspects of business continuity management | 4 Context of the organization 5.2 Policy 5.3 Organizational roles, responsibilities and authorities 7 Support 8 Operation 9.1 Monitoring, measurement, analysis and evaluation A.5,2 Information security roles and responsibilities A.5.9 Inventory of information and other associated assets A.5.10 Acceptable use of information and other associated assets A.9 Access control A.7 Physical controls A.8 Technological controls A.5.19 Information security in supplier relationships A.5.30 ICT readiness for business continuity |
| Potection / IT Security Administration / Administration accounts | MVSP 2.1 Single Sign-On MVSP 2.2 HTTPS-only MVSP 2.3 Security Headers MVSP 2.4 Password policy | A.9.2.3 Management of privileged access rights A.9.2.5 Review of user access rights A.9.2.6 Removal or adjustment of access rights A.12.4.3 Administrator and operator logs | A.8.2 Privileged access rights A.8.3 Information access restriction A.8.4 Access to source code A.8.5 Secure authentication |
| Potection / Physical and environmental security / Physical and environmental security | MVSP 4.1 Physical access | A.8.1 Responsibility for assets A.11 Physical and environmental security | A.5.9 Inventory of information and other associated assets A.5.10 Acceptable use of information and other associated assets A.5.11 Return of assets |
| Potection / Identity and access management / Access rights | MVSP 4.2 Logical access | A.9.2 User access management A.9.4.4 Use of privileged utility programs A.9.4.5 Access control to program source code | A.5.15 Access control A.8.2 Privileged access rights A.8.3 Information access restriction A.8.4 Access to source code |
| Potection / IT Security Architecture / Traffic filtering | MVSP 3.5 Build process | 8.1 Operational planning and control A.13.1 Network security management A.13.2.1 Information transfer policies and procedures A.13.2.2 Agreements on information transfer | 8.1 Operational planning and control A.8.20 Network security A.8.21 Security of network services A.8.22 Segregation of networks A.5.14 Information transfer |
| Potection / IT Security Administration / Administration information systems | MVSP 3.1 List of data MVSP 3.2 Data flow diagram | A.9.3.1 Use of secret authentication information A.9.4 System and application access control A.12.1.4 Separation of development, testing and operational environments A.12.4.3 Administrator and operator logs | A.5.17 Authentication Information A.8.31 Separation of Development, Test and Production Environments A.8.15 Logging |
| Potection / IT Security Architecture / Systems configuration | MVSP 2.3 Security Headers MVSP 2.5 Security libraries MVSP 2.6 Dependency Patching | 4.3 Determining the scope of the information security management system A.6.2.1 Mobile device policy A.8.3.1 Management of removable media A.12.1 Operational procedures and responsibilities A.12.5 Control of operational software A.12.6.2 Restrictions on software installation A.13.1.2 Security of network services A.14.1 Security requirements of information systems A.14.2.1 Secure development policy A.14.2.2 System change control procedures A.14.2.3 Technical review of applications after operating platform changes A.14.2.4 Restrictions on changes to software packages A.14.2.5 Secure system engineering principles A.14.2.6 Secure development environment | 4.3 ISMS scope A.7.10 Storage media A.8 Technological controls |
| Resilience / Continuity of operations / Disaster recovery management | MVSP 4.4 Backup and Disaster recovery | A.17.2 Redundancies | A.8.14 Redundancy of information processing facilities |
| Resilience / Crisis management / Crisis management organisation | MVSP 1.7 Incident handling MVSP 4.4 Backup and Disaster recovery | 5.3 Organizational roles, responsibilities and authorities A.6.1.1 Information security roles and responsibilities A.11.2.4 Equipment maintenance A.17.1 Information security continuity | 5.3 Organizational roles, responsibilities and authorities A.5.2 Information security roles and responsibilities A.7.13 Equipment maintenance A.5.30 ICT readiness for business continuity |
| Resilience / Crisis management Crisis management organization | MVSP 1.7 Incident handling | 5.3 Organizational roles, responsibilities and authorities A.6.1.1 Information security roles and responsibilities A.11.2.4 Equipment maintenance A.17.1 Information security continuity | 5.3 Organizational roles, responsibilities and authorities A.5.2 Information security roles and responsibilities A.7.13 Equipment maintenance A.5.30 ICT readiness for business continuity |
| Resilience / Continuity of operations / Business continuity management | MVSP 3.3 Vulnerability prevention MVSP 3.4 Time to fix vulnerabilities MVSP 3.5 Build process MVSP 4.4 Backup and Disaster recovery | 9.3 Management review 10.2 Continual improvement A.5.1.2 Review of the policies for information security A.11.2.4 Equipment maintenance A.17.1 Information security continuity A.17.2 Redundancies | 9.3 Management review 10.2 Continual improvement A.5.35 Independent review of information security A.7.13 Equipment maintenance A.5.30 ICT readiness for business continuity A.8.14 Redundancy of information processing facilities |
| Resilience / Crisis management / Crisis management process | MVSP 3.3 Vulnerability prevention MVSP 3.4 Time to fix vulnerabilities MVSP 3.5 Build process MVSP 4.4 Backup and Disaster recovery | 7.4 Communication 9.3 Management review 10.2 Continual improvement A.5.1.2 Review of the policies for information security A.6.1.3 Contact with authorities A.11.2.4 Equipment maintenance A.17.1 Information security continuity | 7.4 Communication 9.3 Management review 10.2 Continual improvement A.5.35 Independent review of information security A.5.5 Contact with authorities A.7.14 Equipment maintenance A.5.30 ICT readiness for business continuity |
ENISA Minimum Security Measures
To achieve these standards and mappings, we have leveraged the expertise of the European ENISA agency and its Minimum Security Measures for Operators of Essential Services. This collaborative effort ensures that our cybersecurity controls not only meet international standards but also align with the specific requirements of essential services.
Conclusion
With the integration of new cybersecurity controls and alignment with ISO/IEC standards and the EU NIS Directive, Unicis Cybersecurity Controls for Jira is committed to providing a robust and comprehensive security solution. This initiative aims to enhance the security posture of organizations, contributing to a safer and more secure digital ecosystem.
Subscribe to our newsletters below for further updates and enhancements as we continue to evolve our cybersecurity controls to meet the dynamic challenges of the cybersecurity landscape. Your security is our highest priority.
