Cyberday offers a growing list frameworks that are all cross-linked to our task library. Frameworks provide you with a structured approach; you have something to base your work on and you always know your current security level while building your ISMS. Choose the frameworks that best suit your needs and objectives.
Vaatimukset täyttyvät jalkauttamalla digiturvatehtäviä.
Mitä kukin tekee digiturvan eteen?
Osa tehtävistä vaatii asioiden ohjeistamista henkilöstölle.
Mitä pitää muistaa arjessa?
Osa tehtävistä vaatii listausten pitoa tietoturvan ydinelementeistä.
Mistä pitää voida raportoida?
Full, certification-level ISMS. Complete set of security controls along with management, auditing and risk evaluation aspects.
ISO 27001:2022 is divided to 3 separate levels in Cyberday, so you can either start small or go for the certification-level ISMS directly.
Full, certification-level ISMS. Complete set of security controls along with management, auditing and risk evaluation aspects.
ISO 27001:2022 is divided to 3 separate levels in Cyberday, so you can either start small or go for the certification-level ISMS directly.
NIST Cybersecurity Framework is a collaborative effort coordinated by The National Institute of Standards and Technology (NIST, part of the U.S. Department of Commerce) and involving industry, academia, and government.
Framework is designed to help owners and operators of critical infrastructure to identify, assess and manage cyber risks.
GDPR sets out the requirements for lawful processing of personal data and demonstrating the adequate protection of data.
ISO 27017 is a security standard developed especially for cloud service providers and users to create a safer cloud-based environment and reduce the risk of security incidents.
ISO 27017 gives cloud-specific additions to ISO 27001, so these two frameworks should be used together.
ISO 27018 is a security standard developed especially for cloud service providers to ensure risks are assessed and controls are implemented to protect personally identifiable information (PII).
ISO 27018 gives cloud-specific additions to ISO 27001, so these two frameworks should be used together.
ISO 27701 is a privacy extension to ISO 27001. The framework aims to upgrade the existing Information Security Management System (ISMS) with additional requirements related to processing and protecting personal data in order to establish also a Privacy Information Management System (PIMS).
Certifications are available for ISO 27701. As the framework extends ISO 27001, organizations seeking an ISO 27701 certification will need to have the ISO 27001 certification.
ISO 13485:2016 specifies requirements for an organisation that needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements.
Organisation utilising ISO 13485 can be involved in one or more stages of the life-cycle (e.g. design, development, production, storage, distribution, installation, or servicing) of a medical device or provision of associated activities (e.g. technical support).
ISO 13485:2016 can also be used by suppliers or external parties that provide product, including quality management system-related services to such organisations.
N.b.! Only the framework structure is currently available in Cyberday.
NIS 2 sets the baseline for cybersecurity risk management measures and reporting obligations across important industries covered by the directive, such as energy, transport, health, food, waste, public administration and digital infrastructure - and even more importantly to their supply chains.
NIS 2 tigthtens the rules and expand its scope when compared to original NIS Directive from 2016. It also adds top management accountability and tightens sanctions for non-compliance.
SOC 2 framework specifies how organizations should protect customer data from e.g. unauthorized access, security incidents or other vulnerabilities. It is developed by the American Institute of Certified Public Accountants (AICPA).
SOC 2 includes 5 different requirement sets: security, availability, processing integrity, confidentiality and privacy. A SOC 2 audit can be carried out related to one or all of these criteria. Each criteria has specific requirements that the company needs to comply with by implementing controls.
Cyber Essentials is backed by the United Kingdom's government to help protect organisations, large or small, from cyber attacks. It is a good tool for getting the essentials of cyber security to a level which helps decrease the chance of your organisation to be vulnerable to basic cyber attacks.
The Digital Operational Resilience Act (DORA) is an EU law on the resilience of digital operations. With the help of DORA, the aim is to achieve uniform high digital resilience in the EU area. It provides uniform requirements regarding information networks and systems that support business processes in the financial sector.
DORA sets requirements, e.g. protection, detection, isolation, recovery and repair in situations related to information security events. In addition, the requirements include extensive risk and incident management, sharing of cyber threats and vulnerabilities, requirements for resilience testing and notification of incidents to the authorities.
The Cybersecurity Capability Maturity Model (C2M2) helps organizations evaluate their cybersecurity capabilities and optimize security investments.
It uses a set of industry-vetted cybersecurity practices focused on both information technology (IT) and operations technology (OT) assets and environments.
ISO 9001 is a globally recognized standard for quality management. It helps organizations of all sizes and sectors to improve their performance, meet customer expectations and demonstrate their commitment to quality.
The CyberFundamentals framework is created by Centre for Cybersecurity Belgium. It provides a set of concrete measures to protect your data, significantly reduce the risk of the most common cyber-attacks, and increase your organisation's cyber resilience. The framework is based on:
The Cyberfundamentals are structured in 4 levels, with a subsequent level containing a little more measures than the previous one each time. A beginner level Small, followed by Basic, Important and Essential. The Essential level contains all the basic information security mesures from previous ones and introduces more advanced controls. The essential level is in line with the NIS2 directive.
NCM ICT Security Principles is a framework for ICT security published and maintained by the Norwegian National Security Authority (NSM). The security principles advise businesses and organisations on how to protect their information systems from unauthorized access, damage or misuse.
The principles focus on technological and organisational measures. Measures concerning physical security and the human perspective are generally not covered. The measures apply to both unintentional and intentional acts, although the main focus is on intentional acts.
In this framework there are 21 security principles with a total of 118 security measures, distributed across four categories: i) identify, ii) protect and maintain, iii) detect and iv) respond and recover.
TISAX is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants.
ISO 22301 specifies requirements for building a management system that protects organization's business continuity by ensuring preparedness, response and recovering from disruptions.
ISO 22301 is generic and applicable to all organizations, regardless of type, size and nature of the organization. Organization can also get certified against ISO 22301.
The Center for Internet Security (CIS) has created CIS 18, a prioritized set of best practices created to stop the most pervasive and dangerous cyber security threats of today.
CIS 18 has been developed by leading security experts from around the world and is refined and validated every year.
IEC 62443 focuses on the safety of industrial automation and control systems (IACS). The requirements are designed to provide a framework for creating, implementing, operating, monitoring, verifying and improving security of IACS.
The requirements are relevant to several industrial sectors, such as manufacturing, energy and other critical infrastructure.
HIPAA is a series of regulatory standards outlining the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated in the USA by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally.
PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
Choose the framework you're interested in to learn more or view the whole framework library.
"A ready-made operating model for managing digital security and implementing various themes speeds up the start of digital security work, helps to get up to speed and helps people to participate in work more flexibly."
"With the help of Cyberday it is possible to significantly reduce the municipality's burden in managing the requirements set by law and to increase the efficiency of management and control work related to digital security. The service helps to increase the personnel's cyber security skills and to take care of their own responsibilities on time."
"Cyberday has helped to understand the requirements of the GDPR holistically and to organize the cooperation through which data protection issues are taken over in the organization."
.png)
.svg)
.png){kind=icon}
.png){kind=icon}
