SR-1 / PM-9 NIST SP 800-82 Rev 3

Annual safety + cyber joint review

Demonstrate that safety and cybersecurity leadership conduct formal annual reviews to identify and remediate risks at the intersection of physical safety systems and cyber controls, with documented outcomes and cross-functional risk mitigation actions.

Description

What this control does

This control requires an annual structured review meeting between physical safety and cybersecurity teams to identify overlaps, dependencies, and cross-domain risks at the intersection of industrial control systems, physical access, and digital infrastructure. The joint review assesses whether safety-critical systems (fire suppression, HVAC, building management, industrial processes) have cyber vulnerabilities that could create physical harm, and whether security controls could inadvertently interfere with safety operations. Organizations document findings, establish shared accountability for mitigating identified convergence risks, and update both safety and cybersecurity programs based on lessons learned.

Control objective

What auditing this proves

Demonstrate that safety and cybersecurity leadership conduct formal annual reviews to identify and remediate risks at the intersection of physical safety systems and cyber controls, with documented outcomes and cross-functional risk mitigation actions.

Associated risks

Risks this control addresses

  • Ransomware or denial-of-service attacks disabling fire suppression, emergency notification, or life-safety systems during a physical emergency
  • Unauthorized modification of HVAC or building management system setpoints causing environmental hazards (temperature extremes, toxic gas exposure, oxygen depletion)
  • Security incident response procedures that conflict with safety lockout/tagout or emergency egress requirements, trapping personnel or preventing safe shutdown
  • Insider threats exploiting gaps between physical access controls and logical access controls to sabotage safety-critical industrial control systems
  • Patch management or system hardening activities inadvertently disabling safety interlocks or alarm functions in operational technology environments
  • Lack of shared situational awareness causing delayed incident response when a cyber event has physical safety implications or vice versa
  • Regulatory non-compliance due to siloed safety and cybersecurity documentation that fails to address converged risk scenarios required by sector-specific standards

Testing procedure

How an auditor verifies this control

  1. Request and review the charter, agenda, and attendance records for the most recent annual safety-cyber joint review meeting held within the past 13 months.
  2. Verify that participants included authorized representatives from both the safety function (EHS, industrial hygiene, process safety) and cybersecurity/IT risk teams with documented decision-making authority.
  3. Examine the documented scope of the review, confirming it explicitly addresses safety-critical systems with cyber components (BMS, SCADA, ICS, fire/life-safety, physical security systems).
  4. Review the risk inventory or findings log produced by the meeting, sampling 5-7 identified convergence risks to verify each includes both safety and cyber dimensions with assigned ownership.
  5. Trace three sampled risks from the prior year's review to current-year remediation evidence (completed work orders, policy updates, control implementations, or accepted risk documentation).
  6. Interview one safety representative and one cybersecurity representative separately to assess their understanding of shared risks and the effectiveness of cross-functional collaboration.
  7. Validate that meeting outputs were escalated to appropriate governance bodies (risk committee, executive leadership, board) with documented acknowledgment or approval.
  8. Confirm that a future review is scheduled within the next 12-month cycle and that action items from the current review have assigned owners and target completion dates.
Evidence required

Auditor collects meeting minutes or summary report from the annual joint review including participant list, agenda, and date; the risk register or findings document identifying specific safety-cyber convergence risks with assigned owners and mitigation plans; evidence of remediation for sampled prior-year findings such as change tickets, updated SOPs, or risk acceptance memos; and calendar invitations or governance briefing materials demonstrating scheduled future review and executive reporting.

Pass criteria

The control passes if a documented annual joint review involving both safety and cybersecurity leadership occurred within the past 13 months, produced a risk inventory with assigned mitigations, demonstrates follow-through on prior findings, and has a scheduled future review.
