Home / Blog / CII indicators update: changes made and evolution

CII indicators update: changes made and evolution

Posted on 06/25/2020, by INCIBE
CII indicators update

What is CII model IMC?

The Cyberresilience Improvement Indicators (CII) model is a diagnostic and measurement framework from INCIBE-CERT and National Center for Infrastructure Protection and Cybersecurity (CNPIC), specially designed to help organizations self-assess their cyberresilience, or in other words, their ability to anticipate, resist, recover and evolve to operate under adverse conditions, stress or resource attack that may cause an interruption or disruption in the delivery of their services.

This model is inspired by other indicator models, such as the one proposed by MITRE [*], for the construction of a comprehensive framework of indicators (on page 16 of CII_01 - Evaluation Methodology comes the detail of the references mentioned to delve into the frameworks from which the model arises), and has been aligned with the Spanish Government's National Cybersecurity Strategy. The CII model consists of three documents:

Since its creation in 2014, the CII model has evolved many times in order to suit the purpose of its creation: to become a reference model in the measurement of cyberresilience in Spain. The model is based on the concepts of objectives or goals and categories or functional domains, to categorize the indicators and facilitate the measurement of the cyberresilience status of organizations belonging to any essential sector.

How has the model been updated?

EThe CII model was updated in May 2020 to further improve its approach and applicability to businesses. In particular, this revision has mainly affected the document “CII_02 – Dictionary of Cyberresilience Improvement Indicators”. The improvements and developments undertaken have been the following:

  • Incorporate a brief description of the different functional domains.
  • Improvement in the explanation of each indicator. Clearer description to simplify the understanding of the target audience.
  • Relocation of indicators to more robustly complete the objective of each functional domain.
  • Elimination of redundancies in indicators.

As a result of these changes, the 2020 version of the CII model finally considers four goals and nine functional domains:

  • Anticipate (A): maintain an informed state of readiness, in order to prevent essential services from being compromised by cyberattacks.
    • Cybersecurity Policy (CP): have a policy that sets out the requirements for cyberresilience, addresses the cybersecurity risks, assigns responsibilities and is communicated throughout the organization.
    • Risk Management (RM): identify, analyze and mitigate risks to the organization's assets, which could adversely affect the operation and delivery of services.
    • Cybersecurity Training (CT): to promote the knowledge and development of people's skills in support of their functions, in order to achieve and maintain operational cyberresilience and protection.
  • Resist (T): continue with essential services despite the successful execution of a cyberattack.
    • Vulnerability Management (VM): identify, analyze and manage vulnerabilities in assets that support the delivery of essential services.
    • Continuous Supervision (CS): to collect, compile and distribute information on the behavior and activities of systems and people, to support the continuous process of identifying and analyzing risks to the organization's assets and essential services that may adversely affect their operation and delivery.
  • Recover (R): restore essential services as much as possible after the successful execution of a cyberattack.
    • Incident Management (IM): establish processes to identify and analyze events, detect incidents, and determine and implement appropriate organizational response.
    • Service Continuity Management (SC): establish how the organization conducts business planning to ensure essential service continuity in the event of an incident or disaster.
  • Evolve (E): change functions and capabilities in order to redesign strategies to minimize the negative impacts of actual or anticipated cyberattacks.
    • Configuration and Change Management (CC): establish processes to maintain the integrity of all assets (technology, information and facilities) required in order to provide essential services.
    • Communication (CM): establish processes that guarantee communication between those responsible for essential service operation, both within and outside to the organization.

During its review, the 46 of the model’s indicators have been redefined, reorganized and better adapted to its goals and functional domains. The diagram below shows the evolution in the total distribution of indicators compared to the last review in 2017.


Have the results reports also evolved?

The improvements do not only end with the model’s review, but the results reports have also been optimized in order to simplify them and help to better understand the results. An example of cyberresilience indicators visualization for a professional category or sector, in comparison with the operator and its environment, is shown for each of the functional domains that make up the four goals:


A new analysis is also included in order to compare the operators’ participation rate with the overall cyberresilience assessment (CII) for each of the sectors involved in the consultation. The following graph illustrates this concept.



In short, the improvements made make it possible to help all interested parties measure their cyberresilience capabilities and have a methodology enables them to know the degree of maturity of their controls more clearly with the aim of helping organizations undertake this self-assessment.

These documents may be accessed from our guides section