ISO 27001

Defining and documenting accepted authentication methods

Critical

High

Normal

Low

Use and evaluation of password management system

Critical

High

Normal

Low

Secure setting and distribution of temporary login information

Critical

High

Normal

Low

Secure development

Credentials are not transmitted via email

Critical

High

Normal

Low

Personnel guidelines for safe data system and authentication info usage

Critical

High

Normal

Low

Data system management

5.18: Access rights

Access to information and related assets must follow the organization's access control policy, this involves setting up, reviewing, modifying, and removing access rights in line with the Organization's rules. The process of assigning or revoking access rights can involve e.g. obtaining authorization from asset owners, with separate management approval if necessary, addressing segregation of duties, including separation of approval and implementation roles and ensuring timely removal of access rights when not needed.

Related tasks

Regular reviewing of data system access rights

Critical

High

Normal

Low

Changes in employment relationships

Review of access right for changed employee roles

Critical

High

Normal

Low

Arranging training and guidance during orientation (or before granting access rights)

Critical

High

Normal

Low

Cyber security training

Identification and management of shadow IT

Critical

High

Normal

Low

Data system management

Restriction of access rights at high risk times of employment

Critical

High

Normal

Low

Changes in employment relationships

Instructions for reporting changes affecting access rights

Critical

High

Normal

Low

5.19: Information security in supplier relationships

Organization should establish and follow processes to handle security risks tied to using products or services from suppliers. This ensures that a mutually agreed-upon level of information security is maintained in supplier relationships. It's beneficial to evaluate and select suppliers' products and services that have strong information security controls. Supplier controls must ensure the integrity of their information and processing, thereby safeguarding the organization's information security.

Related tasks

Data processing agreement analysis for most important system providers

Critical

High

Normal

Low

Criteria for high priority partners

Critical

High

Normal

Low

Defining supplier types that can access confidential data

Critical

High

Normal

Low

Data processing partner listing and owner assignment

Critical

High

Normal

Low

5.20: Addressing information security within supplier agreements

Organization needs to define and agree on information security requirements with each supplier based on the type of relationship. This is done to ensure a consistent level of information security in supplier interactions. Documented supplier agreements are crucial to establish a clear understanding between the organization and the supplier, outlining both parties' obligations to fulfill relevant information security requirements.

Related tasks

Evaluation of data processing agreement for important data processors

Critical

High

Normal

Low

Data transfer and disclosure

Inventory and documentation of data processing agreements

Critical

High

Normal

Low

5.21: Managing information security in the ICT supply chain

Organization should implement processes and procedures to handle information security risks in the supply chain of ICT products and services. This is crucial for maintaining a mutually agreed-upon level of information security in relationships with suppliers. To address this, organization should e.g. mandate suppliers extend security requirements throughout the supply chain when subcontracting for ICT services and ensure ICT products suppliers propagate security practices for components acquired from other entities.

Related tasks

Minimum requirements for partner companies to gain access to different levels of information

Critical

High

Normal

Low

Documentation of partner contract status

Critical

High

Normal

Low

5.22: Monitoring, review and change management of supplier services

The organization must consistently monitor, review, assess, and manage changes in supplier information security practices and service delivery, for upholding an agreed-upon level of information security and service delivery in accordance with established supplier agreements. Organization can e.g. review supplier service reports, hold progress meetings as per agreements, conduct audits on suppliers and sub-suppliers, and address issues identified in conjunction with independent auditor reports, if available.

Related tasks

Criteria for suppliers of high priority data systems

Critical

High

Normal

Low

Defined security arrangements for providing critical network equipment

Critical

High

Normal

Low

Monitoring suppliers' compliance with security requirements

Critical

High

Normal

Low

5.23: Information security for use of cloud services

Organization need to establish processes for acquiring, using, managing, and exiting from cloud services that align with the organization's information security requirements. This is essential to clearly define and manage information security aspects when utilizing cloud services. It can be either integrated into the current approach for managing services offered by external parties, or serving as an extension of the existing framework.

Related tasks

General rules for the procurement of data systems

Critical

High

Normal

Low

Process for detecting and reporting security breaches related to the supply chain

Critical

High

Normal

Low

Data breach management

Documenting security-related responsibilities for offered cloud services and utilized data systems

Critical

High

Normal

Low

Cloud service management

Confirming information security roles and responsibilities related to utilized cloud services

Critical

High

Normal

Low

General principles regarding the use of cloud services

Critical

High

Normal

Low

Data system management

Comprehensiveness of contractual terms for cloud service provisioning

Critical

High

Normal

Low

Cyber security management

5.24: Information security incident management planning and preparation

Organizations should plan and prepare for managing information security incidents by defining, establishing, and communicating incident management processes, roles, and responsibilities. This is essential to ensure an effective, consistent, and orderly response to information security incidents.

Related tasks

Incident management resourcing and monitoring

Critical

High

Normal

Low

5.25: Assessment and decision on information security events

The organization needs to assess information security events to determine whether they should be categorized as information security incidents. This process ensures the effective categorization and prioritization of information security events. Those responsible with coordinating and responding to information security incidents should assess the events and determine appropriate actions.

Related tasks

The first level response process to security incidents

Critical

High

Normal

Low

Designation of an incident management team

Critical

High

Normal

Low

5.26: Response to information security incidents

The organization must respond to information security incidents, following documented procedures to ensure a prompt and effective response to these incidents. The response to an information security incident can involve containing the incident, collecting evidence, escalating as needed, logging activities, coordinating with internal and external entities, closing the incident formally, conducting forensic analysis and performing post-incident analysis to identify root causes.

Related tasks

Process for initiating data breach treatment

Critical

High

Normal

Low

Data breach management

Treatment process and documentation of occurred security incidents

Critical

High

Normal

Low

5.27: Learning from information security incidents

Knowledge gained from information security incidents should be leveraged to strengthen and improve information security controls, aiming to reduce the likelihood or consequences of future incidents. The organization should establish procedures to quantify and monitor information security incidents in terms of types, volumes, and costs. This information is utilized to enhance incident management plans, identify recurring or serious incidents and their causes.

Related tasks

Communicating the results of cyber security incident analysis

Critical

High

Normal

Low

Regular periodic analysis and learning of incidents

Critical

High

Normal

Low

Follow-up analysis for security incidents

Critical

High

Normal

Low

Cyber security in contracts

5.28: Collection of evidence

The organization should develop and implement procedures for identifying, collecting, acquiring, and preserving evidence related to information security events. These procedures aim to ensure a consistent and effective management of evidence, particularly for disciplinary and legal actions resulting from information security incidents.

Related tasks

Disciplinary process for security breaches

Critical

High

Normal

Low

Managing evidence information for information security incidents

Critical

High

Normal

Low

5.29: Information security during disruption

The Organization should develop plans to ensure information security remains at an appropriate level even during disruptions, aiming to safeguard information and related assets in challenging circumstances. Plans must be created, tested, and regularly reviewed to sustain or restore information security in critical business processes post-disruption.

Related tasks

Preparing for quick data recovery after faults

Critical

High

Normal

Low

Backups

Creating and documenting continuity plans

Critical

High

Normal

Low

Requirements about information security continuity

Critical

High

Normal

Low

Regular testing and review of continuity plans

Critical

High

Normal

Low

5.30: ICT readiness for business continuity

The organization should plan, implement, maintain, and test ICT readiness aligned with business continuity objectives and ICT continuity requirements. This is done to guarantee the availability of the organization's information and other associated assets during disruptions. ICT continuity plans, including response and recovery procedures, should be regularly evaluated and approved by management.

Related tasks

Identifying and testing the continuity capabilities required from ICT services

Critical

High

Normal

Low

Cyber security management

5.31: Legal, statutory, regulatory and contractual requirements

The Organization should identify, document, and regularly update legal, statutory, regulatory, and contractual requirements pertinent to information security. This is crucial to ensure that the Organization remains in compliance with these standards, fulfilling its commitment to meeting legal obligations, industry regulations, and contractual agreements related to information security.

Related tasks

Identification, documentation and management of other information security requirements

Critical

High

Normal

Low

Compliance of used cryptographic controls in relation to applicable requirements

Critical

High

Normal

Low

Encryption

5.32: Intellectual property rights

The organization should establish and implement procedures to safeguard intellectual property rights, ensuring compliance with legal, statutory, regulatory, and contractual requirements concerning intellectual property and the use of proprietary products. Asset registers should be maintained, identifying assets subject to intellectual property protection. Proof of ownership, including licenses and manuals, should be documented.

Related tasks

Procedure for identifying software licensing requirements

Critical

High

Normal

Low

Mobile device management