Full, certification-level ISMS. Complete set of security controls along with management, auditing and risk evaluation aspects.

• Management-driven tasks e.g. about ISMS management, risk evaluation and treatment and internal auditing.
• Advanced tasks e.g. about procurement, physical security, other information assets and vulnerability management
• Advanced documentation e.g. risks, non-conformities and improvements

Audited security expands the basics covered by Core security and advanced controls covered by Extended security.

NIS 2 sets the baseline for cybersecurity risk management measures and reporting obligations across important industries covered by the directive, such as energy, transport, health, food, waste, public administration and digital infrastructure - and even more importantly to their supply chains.

NIS 2 tigthtens the rules and expand its scope when compared to original NIS Directive from 2016. It also adds top management accountability and tightens sanctions for non-compliance.

The Cybersecurity Capability Maturity Model (C2M2) helps organizations evaluate their cybersecurity capabilities and optimize security investments.

This level includes the MIL1 requirements and other measures included in other supported frameworks, giving an estimated 50% coverage of the full framework.

The CIS18 critical security controls cover the different fields of cyber security, including vulnerability management, secure configuration, access control, incident management and more. It is a comprehensive set of instructions and measures released by The Center for Internet Security. The controls are designed to fix and prevent common vulnerabilities and to offer organizations a structured way to strengthen their security.

The CIS18 controls were formerly known as the SANS Critical Security Controls (SANS Top 20), and the current version 8.1 is updated to align with the evolving industry standards and cyber security threats. The controls are a prescriptive, prioritized, and simplified set of best practices that any organization can use to strengthen their security measures.

The Cyber Resilience Act is an EU regulation for improving cyber security and cyber resilience in the EU. It includes requirements for hardware and software products with digital elements.

The act seeks to make cybersecurity a core feature in the design, development, and maintenance of digital products. Beyond just the initial design, the framework emphasizes the importance of ongoing security measures such as timely updates, vulnerability management, and incident reporting.

Cyber Essentials is backed by the United Kingdom's government to help protect organisations, large or small, from cyber attacks. It is a good tool for getting the essentials of cyber security to a level which helps decrease the chance of your organisation to be vulnerable to basic cyber attacks.

• Tasks for admins regarding firewall, password and device management policies and malware protection, user access control and software management.
• Guidelines for employees regarding secure password practices and other cyber security basics.
• Documentation of main software and hardware assets relevant for information security.

The CyberFundamentals framework is created by Centre for Cybersecurity Belgium. It provides a set of concrete measures to protect your data, significantly reduce the risk of the most common cyber-attacks, and increase your organisation's cyber resilience. The framework is based on:

The Cyberfundamentals are structured in 4 levels, with a subsequent level containing a little more measures than the previous one each time. A beginner level Small, followed by Basic, Important and Essential. The Essential level contains all the basic information security mesures from previous ones and introduces more advanced controls. The essential level is in line with the NIS2 directive.

Cyberday unravels cyber security and privacy requirements into clear tasks, which can be delegated and clearly demonstrated as done.

Cyberday is used to show "assurance information" of implementing the task, which either mean documentation, guidelines or reports directly in Cyberday, or free descriptions of task implementation when it's executed outside of the ISMS.

Feel free to familiarize yourself with Cyberday task content. Each task has its own page, which includes a description, connected Cyberday features and related requirements that are complied with through the task.

The DORA RTS on simplified ICT risk management describes the key elements that financial entities subject to lower scale, risk, size and complexity need to have in place to manage risks.

Related organizations shall e.g. maintain a sound and documented ICT risk management framework, continuously monitor the security and functioning of all ICT systems, identify key dependencies on ICT third-party service providers, and minimise the impact of ICT risk through the use of sound, resilient and updated protections.

The Digital Operational Resilience Act (DORA) is the EU law on digital operational resilience. DORA aims to achieve a uniform high level of digital resilience across the EU. It sets out uniform requirements for information networks and systems that support financial business processes.

DORA sets out requirements for, among other things, protection, detection, isolation, recovery and remediation in the event of a security incident. Further requirements include extensive risk and incident management, cyber threat and vulnerability sharing, requirements for resilience testing and reporting incidents to authorities.

Digital security overview is a service developed and maintained by the Finnish Digital and population data services agency. Goal of the service is to gather information about the digital security status of public sector organisations.

Requirements of this framework match the questions of the service.

GDPR sets out the requirements for lawful processing of personal data and demonstrating the adequate protection of data.

• Privacy and personal data handling guidelines for employees
• Informing, data processor and breach management tasks for admins
• Data processing, data transfer, privacy risk and DPIA documentation

Full, certification-level ISMS. Complete set of security controls along with management, auditing and risk evaluation aspects.

• Management-driven tasks e.g. about ISMS management, risk evaluation and treatment and internal auditing.
• Advanced tasks e.g. about procurement, physical security, other information assets and vulnerability management
• Advanced documentation e.g. risks, non-conformities and improvements

Audited security expands the basics covered by Core security and advanced controls covered by Extended security.

ISO 27017 is a security standard developed especially for cloud service providers and users to create a safer cloud-based environment and reduce the risk of security incidents.

• Technical tasks related to cloud environment and shared responsibilities.
• Advanced tasks e.g. about virtualization and monitoring cloud services

ISO 27017 gives cloud-specific additions to ISO 27001, so these two frameworks should be used together.

ISO 27018 is a security standard developed especially for cloud service providers to ensure risks are assessed and controls are implemented to protect personally identifiable information (PII).

• Documentation related to processing personally identifiable information (PII).
• Tasks related to purpose, data and retention minimization.
• Advanced tasks related to the information security while processing PII.

ISO 27018 gives cloud-specific additions to ISO 27001, so these two frameworks should be used together.

ISO 27701 is a privacy extension to ISO 27001. The framework aims to upgrade the existing Information Security Management System (ISMS) with additional requirements related to processing and protecting personal data in order to establish also a Privacy Information Management System (PIMS).

• Documentation related to processing activities, transfers and disclosures of personal data.
• Tasks related to data subject rights and ensuring lawfulness of processing.
• Advanced privacy-related tasks about ensuring proper consent and filling other requirements for personal data controllers and processors.

Certifications are available for ISO 27701. As the framework extends ISO 27001, organizations seeking an ISO 27701 certification will need to have the ISO 27001 certification.

Il Cybersecurity Act Decreto legislativo n. 138 implements the European Union's NIS2 directive in Italy. It establishes requirements for various organizations in order to strengthen the management of cybersecurity risks.

The law defines the principles of cybersecurity for the institutions included in its scope of application and provides additional requirements for national and municipal operators. Various security measures are also established, with checks on compliance with the requirements of the law and enforcement measures.

Cyber security evaluation criteria by Finnish authorities for Finnish public administration.

Julkri lists 200 security measures of varying levels, which help organizations fulfill the requirements of e.g. local laws and the GDPR.

This framework includes all the criteria from Julkri: Full framework and in addition criteria for security classified information (TL IV, TL III, TL II and TL I).

Katakri is used when evaluating organisation's ability to secure confidential information from Finnish national authorities. It can be used to guide security work in an organisation, that wants to be ready for an audit performed by authorities.

• Tasks for admins about security management, physical security and technical cyber security.
• Documentation of identified and evaluated security risks and defined control measures.
• Guidelines for employees on working on secure areas and protecting confidential data from authorities.

Katakri is used when evaluating organisation's ability to secure confidential information from Finnish national authorities. It can be used to guide security work in an organisation, that wants to be ready for an audit performed by authorities.

• Tasks for admins about security management, physical security and technical cyber security.
• Documentation of identified and evaluated security risks and defined control measures.
• Guidelines for employees on working on secure areas and protecting confidential data from authorities.

The Cybersecurity Act "Kibernetinio Saugumo Įstatymas" implements the European Union NIS2 law in Lithuania. It sets out requirements for various organisations to strengthen their cybersecurity risk management.

The law establishes the principles of cyber security for the institutions in the scope and sets additional requirements for national and municipal operators. Different security measures with checks of compliance with the requirements of this law and enforcement measures are set.

Kyberturvallisuuslaki säätää tietoturvatoimenpiteistä keskeisiksi tai tärkeiksi nimetyillä toimialoilla sekä kyberturvallisuutta koskevien riskien hallinnasta. Kyberturvallisuuslaki vie Suomessa täytäntöön NIS2 -direktiivin.

The European Union NIS2 has been transposed in Belgium into national law as the NIS2 law. The law closely aligns with the EU NIS2 directive and features only minor national differences. It was released as a Law establishing a framework for the cybersecurity of networks and information systems of general interest for public security. It obligates and defines cybersecurity rules for companies registered in Belgium working in the critical sector.

The aim of the law is to strengthen cybersecurity measures, incident management and the supervision of entities providing services that are essential for maintaining critical societal or economic activities. It also aims to improve the coordination of public policies in the area of cybersecurity. The Centre for Cyber Security Belgium (CCB) has also provided the CyberFundamentals framework that aligns with the NIS2 law.

The National Institute of Standards and Technology (NIST) has updated the widely used Cybersecurity Framework (CSF). The new 2.0 edition is designed to help all organizations in any sector to achieve their cybersecurity goals with added emphasis on governance as well as supply chains. The updated framework anticipates that organizations will come to the framework with varying needs and degrees of experience implementing cybersecurity tools.

The 2.0 update is the organization's first major update on their widely used cyber security framework since its release. This update is the outcome of a multiyear process of discussions and public comments aimed at making the framework more effective and suitable for all audiences, industry sectors and organization types while as the original CSF focused directly on the critical sector. The framework’s core is now organized around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added Govern function. When considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk.

NIST Cybersecurity Framework is a collaborative effort coordinated by The National Institute of Standards and Technology (NIST, part of the U.S. Department of Commerce) and involving industry, academia, and government.

Framework is designed to help owners and operators of critical infrastructure to identify, assess and manage cyber risks.

• Advanced tasks e.g. about risk management and incident detection, response and recovery.
• Advanced documentation e.g. on information security risks
• Generic cyber security guidelines for empoyees, priviliged users, senior management and other stakeholders.

NCM ICT Security Principles is a framework for ICT security published and maintained by the Norwegian National Security Authority (NSM). The security principles advise businesses and organisations on how to protect their information systems from unauthorized access, damage or misuse.

The principles focus on technological and organisational measures. Measures concerning physical security and the human perspective are generally not covered. The measures apply to both unintentional and intentional acts, although the main focus is on intentional acts.

In this framework there are 21 security principles with a total of 118 security measures, distributed across four categories: i) identify, ii) protect and maintain, iii) detect and iv) respond and recover.

The European Union NIS2 directive has been adopted as "National Cyber Security Act" in Latvia. It aims to improve the security of information and communication technologies, including setting requirements for the provision and receipt of essential services and important services, as well as the operation of information and communication technologies.

The law determines the procedure for ensuring cyber security, foreseeing the distribution of responsibility and the competence of the National Cyber ​​Security Center, cooperation frameworks and cyber security promotion tasks. The aim is also to promote the implementation of cyber security measures in such a way as to be able to predict and prevent them in time, as well as to overcome cyber threats and eliminate their consequences, as far as possible ensuring the continuity of confidentiality, integrity and availability of services.

This Finnish law is designed to promote harmonization of information management, cyber security and digitalisation in public administration.

• Information management -specific guidelines for employees or different sectors
• Tasks related to setting responsibilities, reporting for public and residents, archiving and technical interfaces
• Documentation about operational processes, data systems, data stores, data processing and related risks

SOC 2 framework specifies how organizations should protect customer data from e.g. unauthorized access, security incidents or other vulnerabilities. It is developed by the American Institute of Certified Public Accountants (AICPA).

SOC 2 includes 5 different requirement sets: security, availability, processing integrity, confidentiality and privacy. A SOC 2 audit can be carried out related to one or all of these criteria. Each criteria has specific requirements that the company needs to comply with by implementing controls.

TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants.

This framework includes TISAX's information security requirements, which are mandatory for all TISAX participants. Framework can be further expanded with prototype protection and data protection requirements found as extension frameworks.

Tiedonhallintalautakunnan suositus, joka opastaa tiedonhallintalain asettamien tietoturvallisuuden vähimmäisvaatimusten täyttämisessä, jotka kaikkien julkishallinnon organisaatioiden tulee vähintään täyttää. Vähimmäisvaatimusten osana organisaatioiden tulee tunnistaa ja arvioida tietojenkäsittelyyn liittyvät riskit sekä toteuttaa toimenpiteet riskien pienentämiseksi hyväksyttävälle tasolle.

Voimassa olevan asiakastietolain mukaisesti kaikkien sosiaali- ja terveydenhuollon palvelunantajien on laadittava tietosuojan, tietoturvallisuuden ja tietojärjestelmien käytön omavalvontasuunnitelma.

THL julkaisi vuonna 2020 uuden mallin tietoturvallisuuden ja tietosuojan omavalvontasuunnitelmasta. Omavalvontasuunnitelma tukee sote-palveluntuottajia tietoturvallisuuden ja tietosuojan suunnittelussa.

Palveluntuottaja pystyy suunnitelman avulla huomioimaan ja suunnittelemaan olennaiset tietosuojan, tietoturvallisuuden ja tietojärjestelmien käytön asiat.

Tietoturvasuunnitelma on dokumentti, jolla sosiaali- ja terveyspalveluiden tuottajat kuvaavat tietoturvan- ja tietosuojan omavalvontaa. Tietoturvasuunnitelman täytyy kuvata kuinka palveluntuottaja täyttää asiakastietolain 27 §:n vaatimukset, joita asiakas- ja potilastietojen käsittelyyn ja niitä käsitteleviin tietojärjestelmiin liittyy. Vaatimuksia ovat mm.

• tietojärjestelmien käyttäjillä on oltava tarvittava koulutus
• tietojärejstelmien ylläpitoa toteuttaa vain henkilö, jolla on riittävä ammattitaitojärjestelmien käyttöohjeet on saatavilla
• tietojärjestelmät täyttävät tarkoituksen mukaiset olennaiset vaatimuksettietojärjestelmän tietoturva ja tietosuoja on varmistettava

Croatian implementation of the NIS2 The Cybersecurity Act (Zakon o kibernetičkoj sigurnosti NN 14/2024) has come into account in February 2024. It defines cybersecurity rules for Croatian companies with the same criteria as NIS2 with some exceptions. It is created by the Institute for Information Systems Security (ZSIS).

The aim of the law is to strengthen cybersecurity measures, incident management and the supervision of entities providing services that are essential for maintaining critical societal or economic activities. It also aims to improve the coordination of public policies in the area of cybersecurity.

Η Ελλάδα έχει εφαρμόσει την οδηγία NIS2 της Ευρωπαϊκής Ένωσης με σκοπό την επίτευξη υψηλού επιπέδου ασφάλειας στον κυβερνοχώρο με τα ειδικά μέτρα ασφάλειας στον κυβερνοχώρο.

Με την εφαρμογή της οδηγίας NIS2, η Ελλάδα ενισχύει την ανθεκτικότητα της ψηφιακής της υποδομής και διασφαλίζει την ασφάλεια των πολιτών και των επιχειρήσεων στον κυβερνοχώρο.