ISO 27001

Informing and data subject requests

5.34: Privacy and protection of PII

Organization must identify and fulfill the requirements related to preserving privacy and safeguarding Personally Identifiable Information (PII) as per applicable laws, regulations, and contractual obligations. This is crucial to ensuring compliance with requirements concerning the information security aspects of PII protection.

Related tasks

Process for receiving and handling data subject requests

Critical

High

Normal

Low

Management and documentation of data breaches

Critical

High

Normal

Low

Data breach management

Personnel guidelines for safe processing of personal and confidential data

Critical

High

Normal

Low

Processing principles and accountability

Privacy notices -report publishing and maintenance

Critical

High

Normal

Low

Informing and data subject requests

Appointment, tasks and position of a Data Protection Officer (DPO)

Critical

High

Normal

Low

Security and responsibilities

Documentation of personal data processing purposes for data stores

Critical

High

Normal

Low

Processing principles and accountability

Cyber security management

5.35: Independent review of information security

The organization should do independent reviews of its approach to managing information security, people, processes, and technologies. These reviews should be conducted at planned intervals or triggered by significant changes. The objective is to ascertain the ongoing suitability, adequacy, and effectiveness of the organization's information security management approach.

Related tasks

Regular external auditing of security practices

Critical

High

Normal

Low

Risk management

Executing and documenting internal audits

Critical

High

Normal

Low

Technical vulnerability management

5.36: Compliance with policies, rules and standards for information security

Regular reviews are essential to confirm adherence to the organization's information security policies, as well as topic-specific policies, rules, and standards. This ensures that information security is implemented and operated in alignment with the organization's overall information security framework. In the event of non-compliance, managers should identify causes, assess the need for corrective actions, implement those actions, and subsequently review their effectiveness.

Related tasks

Regular internal monitoring of the implementation of the information security management system

Critical

High

Normal

Low

Risk management

Regular vulnerability scanning

Critical

High

Normal

Low

Monitoring compliance with security guidelines

Critical

High

Normal

Low

Technical vulnerability management

Regular penetration testing

Critical

High

Normal

Low

5.37: Documented operating procedures

Operating procedures for information processing facilities should be documented and accessible to relevant personnel to ensure correct and secure operations. Documented procedures should cover various operational activities related to information security, such as routine tasks performed by multiple individuals, infrequent tasks prone to being forgotten, new tasks with potential risks, and handovers to new personnel.

Related tasks

Staff guidance and training procedure in cyber security

Critical

High

Normal

Low

General security guidelines for staff

Critical

High

Normal

Low

Monitoring compliance with security guidelines

Critical

High

Normal

Low

Continuous development of guidelines

Critical

High

Normal

Low

Changes in employment relationships

6.1: Screening

Background verification checks should be conducted on all candidates prior to their employment and on an ongoing basis, adhering to relevant laws, regulations, and ethical considerations. This process should be proportional to business requirements, the sensitivity of accessed information, and perceived risks. Goal is to ensure personnel are eligible and suitable for their roles before and during employment.

Related tasks

Screenings and background checks before recruitment

Critical

High

Normal

Low

6.2: Terms and conditions of employment

Employment contracts should clearly outline both the responsibilities of personnel and the organization regarding information security. This is essential to ensure that personnel have a clear understanding of their information security responsibilities within their respective roles. Terms should be tailored to the level of access personnel will have to the organization's assets linked to information systems and services.

Related tasks

Reviewing confidentiality agreements

Critical

High

Normal

Low

Maintaining confidentiality agreements

Critical

High

Normal

Low

Defining cyber security responsibilities and tasks in employment contracts

Critical

High

Normal

Low

6.3: Information security awareness, education and training

Organization personnel and relevant stakeholders must undergo suitable information security awareness, education, and training, along with regular updates on the organization's information security policy, topic-specific policies, and procedures relevant to their roles. This ensures that personnel and stakeholders are informed and capable of fulfilling their information security responsibilities.

Related tasks

Evaluating the efficiency of arranged training

Critical

High

Normal

Low

Maintaining a log of cyber security trainings

Critical

High

Normal

Low

Staff guidance and training procedure in cyber security

Critical

High

Normal

Low

Unit- or role-specific security guidelines

Critical

High

Normal

Low

Continuous development of guidelines

Critical

High

Normal

Low

6.4: Disciplinary process

The organization should have a clear and communicated disciplinary process in place to address information security policy violations by personnel and other relevant parties. This ensures that everyone understands the consequences of such violations. The goal is to deter and appropriately handle individuals who breach the information security policy.

Related tasks

Disciplinary process for security breaches

Critical

High

Normal

Low

6.5: Responsibilities after termination or change of employment

Clear information security responsibilities and duties should be defined for personnel and other involved parties, ensuring their comprehension and enforcement even after employment termination or contract change. This safeguards the organization's interests during transitions in employment or contractual arrangements. The management of termination or change in employment should specify which information security responsibilities remain applicable post-termination.

Related tasks

Defining cyber security responsibilities and tasks in employment contracts

Critical

High

Normal

Low

Changes in employment relationships

Informing about cyber security responsibilities that continue after employment relationship has ended

Critical

High

Normal

Low

Training personnel with a changed role

Critical

High

Normal

Low

6.6: Confidentiality or non-disclosure agreements

Clear and regularly reviewed confidentiality agreements, aligning with the organization's information protection requirements, should be identified, documented, and signed by personnel and other relevant parties. This ensures the continued confidentiality of information accessed by both internal and external entities. Considerations for these agreements include e.g. defining the information to be protected, specifying the agreement duration and determining actions for non-compliance.

Related tasks

Reviewing confidentiality agreements

Critical

High

Normal

Low

Maintaining confidentiality agreements

Critical

High

Normal

Low

6.7: Remote working

When working remotely, it's important to have security measures in place to protect information accessed, processed, or stored outside the organization's premises. This ensures the security of information even when personnel are working from locations away from the organization's physical offices. Organizations that permit remote working should establish a specific policy on remote work, outlining relevant conditions and restrictions.

Related tasks

Arranging suitable equipment and storage equipment for teleworking

Critical

High

Normal

Low

Definition of measures permitted in remote work

Critical

High

Normal

Low

Defining suitable locations and needed protections for remote work

Critical

High

Normal

Low

Personnel guidelines for secure remote work

Critical

High

Normal

Low

Acquisition and instructions for a VPN-service

Critical

High

Normal

Low

Incident management and response

6.8: Information security event reporting

The organization should have a way for its personnel to report any observed or suspected information security events (incidents, breaches, and vulnerabilities) promptly through proper channels. This ensures quick, consistent, and effective reporting of events. All personnel and users must understand their duty to promptly report information security events to prevent or mitigate the impact of incidents. Reporting mechanisms should be convenient and accessible.

Related tasks

Personnel guidelines for reporting security incidents

Critical

High

Normal

Low

7.1: Physical security perimeters

To safeguard information and associated assets, organizations should establish and utilize physical security perimeters for information processing facilities. They serve to prevent unauthorized physical entry and protect against potential damage or interference to the organization's valuable assets. External structures like roofs, walls, ceilings, and flooring should be sturdy, and external doors should be secured with control mechanisms such as bars, alarms, and locks.

Related tasks

Security services in real estates

Critical

High

Normal

Low

Camera surveillance in real estates

Critical

High

Normal

Low

Strong authentication for processing or storage areas of highly confidential information

Critical

High

Normal

Low

Physical access control to building, offices and other premises

Critical

High

Normal

Low

7.2: Physical entry

Secure areas need effective protection through suitable entry controls. This is crucial to guarantee that only authorized individuals gain physical access to the organization's information and associated assets. In order to ensure security, organization can e.g. restrict access to sites and buildings to authorized personnel only and with a comprehensive process for managing access rights. Organizations should also authenticate the identity of visitors appropriately.

Related tasks

Limited access and monitoring of support staff

Critical

High

Normal

Low

Using visible IDs

Critical

High

Normal

Low

Visitor instructions and log

Critical

High

Normal

Low

Using keys and other IDs that produce electronic movement log

Critical

High

Normal

Low

Physical access control to building, offices and other premises

Critical

High

Normal

Low

Notification process in case of loss of physical identifiers

Critical

High

Normal

Low

7.3: Securing offices, rooms and facilities

To mitigate the risk of unauthorized physical access, damage, and interference to an organization's information and associated assets within offices, rooms, and facilities, it is crucial to design and implement robust physical security measures. This can be done e.g. designing buildings to be discreet, with minimal indicators of their purpose to outsiders and restricting access to directories, internal telephone books, and online maps that identify locations of confidential information processing facilities.

Related tasks

Preventing eavesdropping

Critical

High

Normal

Low

Preventing unauthorized viewing personal data

Critical

High

Normal

Low

Strong authentication for processing or storage areas of highly confidential information

Critical

High

Normal

Low

Equipment maintenance and safety

Electromagnetic data breach management

Critical

High

Normal

Low

Safe placement of equipment

Critical

High

Normal

Low

Equipment maintenance and safety