What does VSP mean in the CSIR model?
In the CSIR model (Cyber Security Incident Response), the label VSP stands for process measures. These focus on organisation, procedures, collaboration, governance and human action in the context of cybersecurity, particularly within OT environments.
Where VSE focuses on technology, VSP is about how people and organisations act: policies, working methods, agreements and responsibilities.
🧠 What falls under VSP?
VSP measures are:
- Organisational in nature
- Focused on processes, policies, behaviour and collaboration
- Often supportive of VSE measures
- Essential for sustainable and repeatable cyber resilience
- Aligned with frameworks such as ISO 27001, NIS2, IEC 62443-2-1
✅ Examples of VSP measures
| Measure | Explanation |
|---|---|
| Patch management | Policy and process for safely testing, planning and rolling out patches |
| Third Party Risk Management | Assessment and monitoring of suppliers and external access |
| Security Awareness | Regular training and awareness for operators and engineers |
| Incident Management | Process for detection, reporting, analysis and recovery from incidents |
| Backup policy | Frequency, retention and recovery procedures formally documented |
| Access Control policy | Access authorisations, roles and periodic review |
| Change Management | Process for controlled changes within OT |
VSP measures ensure that technical VSE measures are actually applied, maintained and followed up.
🔁 VSP, VSE and Conformance
| Label | Focus | Example |
|---|---|---|
| VSP | Process & organisation | Patch policy, supplier selection, logging policy |
| VSE | Technology & systems | Firewall configuration, USB blocking, segmentation |
| Conformance | Standards & assessment | IEC 62443, ISO 27001, BIO, NIS2 |
Together with VSE, VSP forms the operational core of the CSIR model, while conformance assesses whether this meets recognised standards.
📦 When do you use the VSP label?
Use VSP when a measure:
- Is aimed at procedures, policy or human behaviour
- Originates from operational or policy documentation
- Is not technically enforceable, but is essential for effectiveness
- Requires input or follow-up from multiple departments or external parties
📌 In summary
VSP is the label for process measures within the CSIR model. Without clear procedures, awareness and governance, technical measures (such as VSE) are often ineffective or temporary. VSP ensures that security is implemented in an integrated, structured and sustainable way.
