The audits are carried out taking as a reference the specific control framework that has been developed by LEET Security for the CCI, which assesses the security level of the services offered in up to 73 different factors.

This framework of reference controls, available for download from the CCI/Pinakes website, is made up of 14 domains, divided into the 73 sections indicated above. Each of these has control points associated with one or more levels, from D, the most basic, to A+, the highest grade. These controls may refer to policies or procedures, or to technical security measures.

The 14 domains are:

  • Information Security Management

  • Systems Operation

  • Security related to personnel

  • Facility security

  • Supply chain management

  • Resilience

  • Compliance

  • Protection against malware

  • Network controls

  • Monitoring

  • Access control

  • Secure development

  • Incident Management

  • Cryptography

The audit process is always carried out for a specific service. Each control is assigned to one of the three dimensions of Confidentiality, Integrity or Availability, and is identified with the level from which it must be evaluated.

Controls can be evaluated as Not applicable, when the object of the control does not exist (never when it is simply not implemented or has not been evaluated), for example the custody of sensitive physical documentation in safes when all the associated documentation is electronic; as Yes; or as No. There is no partial implementation.

To limit the scope of the evaluation, it is possible to carry it out at a level below the maximum, for example level B, without evaluating the controls required for levels A and A+ (which in this case are marked as Not applicable). When a given level is evaluated, all the controls of the lower levels are also assessed, so that, if the target level is not reached, the level actually attained can still be determined.
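The two paragraphs above describe a small decision procedure: every control carries a level and a dimension, is marked Yes, No or Not applicable with no partial credit, and an audit run at a target level still lets the auditor work out which lower level was actually met. The following is an added worked example of that procedure in Python; it is not LEET Security's or CCI's code. It assumes a level ladder of D, C, B, A, A+ (the page names only D, B, A and A+) and that a level is attained for a dimension when every applicable control at that level and at all lower levels is marked Yes; the control identifiers and the sample evaluation are constructed for illustration.

```python
"""Added worked example (not LEET Security's or CCI's code): deriving the level
a service actually attains from a PINAKES-style control evaluation.

Assumed, since the page does not state it: the level ladder is D, C, B, A, A+
(the page names only D, B, A and A+), and a level is attained for a dimension
when every applicable control at that level and every lower level is Yes.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

LEVELS = ["D", "C", "B", "A", "A+"]      # lowest to highest (ladder assumed)
DIMENSIONS = ("Confidentiality", "Integrity", "Availability")
RESULTS = ("Yes", "No", "NA")            # no partial implementation allowed


@dataclass(frozen=True)
class ControlResult:
    control_id: str   # hypothetical identifiers, not real PINAKES control numbers
    domain: str
    dimension: str    # one of DIMENSIONS
    level: str        # level from which the control is required
    result: str       # "Yes", "No" or "NA" (Not applicable)

    def __post_init__(self) -> None:
        # Enforce the "no partial implementation" rule at construction time.
        if self.result not in RESULTS:
            raise ValueError(f"{self.control_id}: result must be Yes, No or NA")
        if self.level not in LEVELS or self.dimension not in DIMENSIONS:
            raise ValueError(f"{self.control_id}: unknown level or dimension")


def scope_to_target(results: List[ControlResult], target: str) -> List[ControlResult]:
    """Mark every control above the target level as NA, as the page describes for
    an audit run at, say, level B (A and A+ controls are not evaluated)."""
    cutoff = LEVELS.index(target)
    return [replace(r, result="NA") if LEVELS.index(r.level) > cutoff else r
            for r in results]


def attained_level(results: List[ControlResult], dimension: str,
                   target: str) -> Optional[str]:
    """Walk the ladder from D up to the target and stop at the first level that
    has an applicable control marked No. A level with no applicable controls for
    this dimension is passed through. Returns the highest level met, or None."""
    attained = None
    for lvl in LEVELS[: LEVELS.index(target) + 1]:
        applicable = [r for r in results
                      if r.dimension == dimension and r.level == lvl
                      and r.result != "NA"]
        if any(r.result == "No" for r in applicable):
            break
        attained = lvl
    return attained


def evaluate(results: List[ControlResult], target: str) -> Dict[str, Optional[str]]:
    """Per-dimension outcome of an audit run at the given target level."""
    scoped = scope_to_target(results, target)
    return {dim: attained_level(scoped, dim, target) for dim in DIMENSIONS}


# Constructed sample evaluation for one service (not real audit data).
SAMPLE = [
    ControlResult("ISM-01", "Information Security Management", "Confidentiality", "D", "Yes"),
    ControlResult("AC-03", "Access control", "Confidentiality", "C", "Yes"),
    ControlResult("CR-02", "Cryptography", "Confidentiality", "B", "Yes"),
    ControlResult("CR-05", "Cryptography", "Confidentiality", "A", "No"),
    ControlResult("CR-07", "Cryptography", "Confidentiality", "A+", "Yes"),
    ControlResult("SD-01", "Secure development", "Integrity", "D", "Yes"),
    ControlResult("SD-04", "Secure development", "Integrity", "B", "Yes"),
    ControlResult("SD-06", "Secure development", "Integrity", "A", "Yes"),
    ControlResult("RE-01", "Resilience", "Availability", "D", "No"),
    ControlResult("FS-02", "Facility security", "Availability", "C", "NA"),
]

if __name__ == "__main__":
    for target in ("A", "B"):
        print(f"target {target}: {evaluate(SAMPLE, target)}")
```

Running it shows the two behaviours the page describes: with target A the Confidentiality dimension stops at B because an A-level control is No, while with target B the A-level control is scoped out as Not applicable and B is reported. The page does not say how the three dimensions combine into a single qualification, so the result is left per dimension.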

Once the evaluation is completed, the auditor provides an Excel sheet, which records the applicability, or not, and the implementation, or not, of every control in the PINAKES benchmark, together with a report that states:

  • Typology of service (within those established by CCI)

  • Service description

  • Detailed scope of service

  • Target level for evaluation

  • Audit dates and locations

  • Participating team (auditors and signing partners)

  • Declaration of impartiality and no conflict of interest (other work carried out)

Both documents, the report and the Excel sheet, must carry the electronic signature of the partners authorized to sign them.

If you have more questions about PINAKES or need additional information about the qualification process, contact us.

In the Financial Sector, Pinakes is the solution by means of LEET Security methodology.