Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Learn more about the connected frameworks

4.2.3
NSM ICT-SP

Inform relevant stakeholders

Article 14
DORA

Communication

RC.CO-3
NIST

Recovery actions

RC.CO-3
CyFun

Recovery activities are communicated to internal and external stakeholders as well as executive and management teams

Other tasks from the same security theme

Creating and documenting continuity plans

Critical
High
Normal
Low

Sometimes an unexpected event, such as a fire, flood, or equipment failure, can cause downtime. In order to be able to continue operations as quickly and smoothly as possible, continuity planning is carried out, i.e. planning the operations in advance for these exceptional situations.

Each continuity plan shall contain at least the following information:

  • Event for which the plan has been made
  • Goal for recovery time
  • Responsible persons and related stakeholders and contact information
  • Planned immediate actions
  • Planned recovery steps
17.1.2: Implementing information security continuity
ISO27 Full
T05: Jatkuvuuden hallinta
Katakri
​​​​​​​ID.SC-5: Response and recovery
NIST
PR.IP-9: Response and recovery plans
NIST
RC.RP: Recovery Planning
NIST

Preparation of contingency plans based on risk assessments

Critical
High
Normal
Low

Tiedonhallintayksikön on suoritettava olennaiset riskiarvioinnit sen tietoaineistojen käsittelyn, tietojärjestelmien hyödyntämisen ja toiminnan jatkuvuuden suhteen. Riskiarvioinnin perusteella tiedonhallintayksikön on:

a) Laadittava valmiussuunnitelmat ja etukäteisvalmistelut häiriötilanteiden varalle.

b) Suoritettava muut tarvittavat toimenpiteet, jotta tietoaineistojen käsittely, tietojärjestelmien hyödyntäminen ja niihin perustuva toiminta voivat jatkua mahdollisimman häiriöttömästi normaaliolojen häiriötilanteissa sekä valmiuslaissa (1552/2011) tarkoitetuissa poikkeusoloissa.

13 a §: Häiriötilanteista tiedottaminen ja varautuminen häiriötilanteisiin
TiHL
2.7: Varautuminen häiriötilanteisiin
TiHL: Tietoturva

Notifying the system provider of deviations from data system requirements

Critical
High
Normal
Low

Organisaation on Asiakastietolain 41 §:n mukaisesti ilmoitettava tietojärjestelmän tuottajalle, mikäli järjestelmässä ilmenee poikkeama järjestelmien olennaisista vaatimuksista. Poikkeamia on kuvattu THL:n määräyksen 5/2021 luvussa 10.4

Tietojärjestelmien merkittävistä poikkeamista on ilmoitettava Valviralle, erityisesti tilanteissa, joissa poikkeama voi aiheuttaa merkittävän riskin asiakas- tai potilasturvallisuudelle tai tietoturvalle. Merkittävien poikkeamien korjaamiseksi on ryhdyttävä korjaaviin toimenpiteisiin.


6.2b: Häiriöiden hallinta ja menettelyt ongelmatilanteissa
Tietoturvasuunnitelma

Identifying critical functions and related assets

Critical
High
Normal
Low

The organization has a clear process, according to which it identifies the most critical functions in terms of its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.

Items in the IT environment that are necessary for these activities (such as information systems, data reserves, operating processes, partners, units, hardware) are classified as critical.

Critical functions are considered with the highest priority, e.g. in continuity planning, and stricter safety requirements can be applied to them than to other objects in the environment.

26: Kriittisten toimintojen tunnistaminen
Sec overview
72: Organisaation kriittisten palveluiden tunnistaminen
Sec overview
73: Kriittisten palveluiden riippuvuudet palvelutoimittajista
Sec overview
ASSET: Manage IT and OT Asset Inventory
C2M2: MIL1
ASSET-1: Manage IT and OT Asset Inventory
C2M2: MIL1

Ensuring and testing the resilience of data processing environment

Critical
High
Normal
Low

Organization must identify the required level of availability for the services it offers as well as for any related data systems and other data processing environment. The organization must plan its systems and operations so that the availability level can be met.

When planning a resilient data processing environment, the organization should consider the following factors:

  • use of resilient networks
  • use of two geographically separate data centers with mirrored databases
  • use of several parallel software components with automatic load sharing
  • use of duplicated key components in systems (e.g. CPU, hard drives, memories) or networks (e.g. firewalls , routers, switches)

For example, in important production systems, the resilience should also be tested regularly to ensure a smooth transition to backup solutions during incidents.

8.14: Redundancy of information processing facilities
ISO27k1 Full
4.3: Vikasietoisuuden ja toiminnallisen käytettävyyden testaus
TiHL: Tietoturva
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations).
CyFun
2.2.7: Establish a robust and resilient ICT architecture
NSM ICT-SP

Identifying and testing the continuity capabilities required from ICT services

Critical
High
Normal
Low

Continuity requirements for ICT services are derived from continuity plans that are created for core processes (e.g. related to the provision of organization's products and services) and the recovery time goals included in them.

Organization must identify what recovery times and recovery points different ICT services must be able to achieve, taking into account the defined recovery goals for related processes, and ensure the ability to achieve them.

The planning must take into account in particular:

  • responsibilities are defined for preparing for, managing and responding to disruptions in ICT services
  • in particular continuity plans related to ICT services have been created, approved and are regularly tested
  • continuity plans contain information on performance requirements, recovery time requirements and recovery actions for each important ICT service, as well as recovery point requirements and restoring actions for each important ICT service
5.30: ICT readiness for business continuity
ISO27k1 Full
6.2a: Jatkuvuuden hallinta
Tietoturvasuunnitelma
Article 11: Response and recovery
DORA
Article 12: Backup policies and procedures, restoration and recovery procedures and methods
DORA
5.2.8: IT service continuity planning
TISAX

Palveluriippuvuuksien huomiointi vikasietoisuuden suunnittelussa

Critical
High
Normal
Low

Palvelujen riippuvuus muista palveluista ja toisista toimijoista on otettu huomioon koko tietojenkäsittely-ympäristön ja sen vikasietoisuuden suunnittelussa.

VAR-08.1: Vikasietoisuus - riippuvuudet
Julkri

Continuity of critical tasks in exceptional situations

Critical
High
Normal
Low

The organisation has identified the tasks that are critical for the continuity of its operations. Alternative courses of action for specific exceptional situations and staff availability and contingency arrangements have been planned and prepared for the continuation of critical tasks.

To implement the continuation plans, the plan owners, their alternates and other persons required to implement the plan have been identified. In addition, their ability to carry out their tasks under normal circumstances has been ensured.

VAR-05: Henkilöstön saatavuus ja varajärjestelyt
Julkri
Article 11: Response and recovery
DORA
2.7: Varautuminen häiriötilanteisiin
TiHL: Tietoturva
1.6.3: Crisis preparedness
TISAX

Palveluntarjoajien siirtojen huomiointi jatkuvuussuunnitelmissa

Critical
High
Normal
Low

Palvelua hankittaessa tulee huomioida, että palvelua voi olla hankala kotiuttaa ja toimittajalukkoon jäänyttä palvelua vaikea siirtää toiselle palveluntarjoajalle. Erityisesti vaatimus tulee huomioida hankittaessa pilvipalveluita.

Jatkuvuussuunnitelmissa on huomioitu yhtenä erityistä tarkkuutta vaativana näkökulmana palveluiden kotiuttamiset ja siirrot toiselle palveluntarjoajalle.

VAR-02.1: Jatkuvuusvaatimusten määrittely - palveluiden siirrot
Julkri

Executing an incident response plan with stakeholders

Critical
High
Normal
Low

In the event of an incident, the implementation of the response plan with stakeholders must be carried out as specified in the plan.

RS.CO-4: Coordination with stakeholders
NIST
RS.RP-1: Response plan is executed during or after an incident.
CyFun
RS.CO-4: Coordination with stakeholders occurs consistent with response plans.
CyFun

Communication in accordance with the incident response plan in the event of a incident

Critical
High
Normal
Low

In the event of an incident , communication with internal and external stakeholders must be in accordance with the incident response plan.

RS.CO-3: Information sharing
NIST
32: Viestintäsuunnitelma häiriö- ja kriisitilanteisiin
Sec overview
RESPONSE-3: Respond to Cybersecurity Incidents
C2M2: MIL1
Article 14: Communication
DORA
Article 17: ICT-related incident management process
DORA

Developing an incident response plan for critical information systems

Critical
High
Normal
Low

The organization shall establish a incident response plan for security incidents to critical information systems. Response plans should also be tested by the necessary organizational elements. The plan should take into account at least:

  • The purpose of the information system and the precautions to be taken in the event of its disruption
  • Recovery plans, targets, and priorities for the order of recovery of assets
  • The role of implementing the response plans and the contact details of the persons assigned to the roles
  •  Continuation of normal operations regardless of the state of the information systems.
  • Distribution, approval and review of response plans

In addition, the plan should at least:

  • Establish a roadmap for developing disruption management capacity
  • Describe the structure and organization of incident management capability
  • Provides metrics to measure incident management capability
RS.RP: Response Planning
NIST
RS.RP-1: Incident response plan
NIST
HAL-17: Tietojärjestelmien toiminnallinen käytettävyys ja vikasietoisuus
Julkri
VAR-09: Tietojärjestelmien toipumissuunnitelmat
Julkri
CC7.4: Responding to identified security incidents
SOC 2

Testing and reviewing continuity plans related to cyber security breaches

Critical
High
Normal
Low

The organization must test and update its response to the security breach at scheduled intervals or after significant changes. For critical parts of the organization, operational plans should be tested at least annually. Test results should be documented and communicated to improve the plan.

PR.IP-10: Response and recovery plan tests
NIST
RS.IM-2: Response strategies update
NIST
RC.IM-2: Recovery strategies
NIST
Article 11: Response and recovery
DORA
2.7: Varautuminen häiriötilanteisiin
TiHL: Tietoturva

Considering cyber security breaches in continuity planning

Critical
High
Normal
Low

The organization must document in advance procedures for responding to security breaches to ensure the actions of related departments, customers, and other critical partners in the event of a security breach.

PR.IP-9: Response and recovery plans
NIST
RS.MI-2: Incident mitigation
NIST
RC.RP: Recovery Planning
NIST
RC.RP-1: Recovery plan
NIST
2.7: Varautuminen häiriötilanteisiin
TiHL: Tietoturva

Addressing disasters in continuity planning

Critical
High
Normal
Low

The organization has to include disaster recovery in their continuity planning. Relevant disasters for the planning are natural disasters (e.g floods, earthquake, hurricanes) and human caused disasters (e.g terror attack, chemical attack/incident, insider attack).

In disaster planning there is greater emphasis on the returning operations to normal levels safely than in continuity planning. After this focus moves to resuming normal operations.

The continuity plans must be updated at least annually or after significant changes.

PR.IP-9: Response and recovery plans
NIST
Article 11: Response and recovery
DORA
1.6.3: Crisis preparedness
TISAX
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
CyFun
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident.
CyFun

Regular testing and review of continuity plans

Critical
High
Normal
Low

The organisation should regularly, at least annually, test and review its information security continuity plans to ensure that they are valid and effective in adverse situations.

Testing of continuity plans shall involve, as appropriate, stakeholders critical to each plan. The organisation should identify and document the necessary contacts with suppliers and partners

In addition, the adequacy of continuity plans and associated management mechanisms should be reassessed in the event of significant changes in operations.

17.1.3: Verify, review and evaluate information security continuity
ISO27 Full
​​​​​​​ID.SC-5: Response and recovery
NIST
PR.IP-10: Response and recovery plan tests
NIST
RS.IM-2: Response strategies update
NIST
RC.IM-2: Recovery strategies
NIST

Ensuring the reliability of data systems

Critical
High
Normal
Low

To ensure the reliability of the systems, the following measures should be taken:

  • Duplication of the systems
  • Planned temporary solutions in case of problem situations
  • Spare parts available
  • Using special components
  • Active monitoring
  • Active maintenance activities

Maintenance, updating and possible renewal of information systems, devices and networks should be planned with the necessary component and software updates to be implemented before possible failures. When examining the criticality of components, the perspective of customer and patient safety should be taken into account.

6.2a: Jatkuvuuden hallinta
Tietoturvasuunnitelma
Article 9b: Prevention
DORA
Article 7: ICT systems, protocols and tools
DORA
4.1: Tietojärjestelmien tietoturvallisuus
TiHL: Tietoturva
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident.
CyFun

Process for checking integrity of data after an incident

Critical
High
Normal
Low

The organisation must have a process to perform needed checks to ensure data integrity is maintained when recovering from ICT-incident.

The check should also be done when data is reconstructed from external stakeholders to ensure data is consistent and correct between the systems.

Article 12: Backup policies and procedures, restoration and recovery procedures and methods
DORA

Coducting digital operational resilience testing

Critical
High
Normal
Low

Organisation must , as part of it's cyber risk management framework, maintain and review digital operational resilience testing programme. It must help the organisation to asses their preparedness to:

  • handle ICT-related incidents
  • identify weaknesses, deficiencies and gaps in digital operational resilience
  • implement corrective measures

The testing programme:

  • should include variety of assesments, test and tools to ensure the correctness of the testing.
  • should be done with a risk-based approach to recognize the evolving landscape of ICT-related risks.
  • be conducted by independent parties, external or internal, by ensuring sufficient resources and avoid conflict of interests

The organisation should have processes to prioritise, classify and remedy the issues uncovered by the testing programme.

As part of the programme the organisation must ensure yearly testing of all ICT systems and applications that support critical or important functions.

Article 24: General requirements for the performance of digital operational resilience testing
DORA

Continuous improvement of continuation plans

Critical
High
Normal
Low

The organisation regularly develops its continuity plans by analyzing the testing of the plans, training and their actual use in real situations.

CC7.5: Recovery from security incidents
SOC 2
Article 11: Response and recovery
DORA
RS.IM-1: Response plans incorporate lessons learned.
CyFun
RS.IM-2: Response and Recovery strategies are updated.
CyFun
RC.IM-1: Recovery plans incorporate lessons learned.
CyFun

Henkilöstön tietoisuus jatkuvuussuunnitelmista

Critical
High
Normal
Low

Relevantit henkilöt tuntevat omaan toimintaan liittyvät jatkuvuussuunnitelmat sekä niiden tarkemmat sisällöt riittävän tarkasti ja osaavat toimia niiden mukaisesti.

VAR-04: Resurssit ja osaaminen
Julkri
1.6.3: Crisis preparedness
TISAX

Communicating recovery measures to stakeholders

Critical
High
Normal
Low

Organizational recovery measures must be communicated as planned to critical individuals and management within the organization. Recovery measures must also be communicated to external stakeholders.

RC.CO-3: Recovery actions
NIST
Article 14: Communication
DORA
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
CyFun
4.2.3: Inform relevant stakeholders
NSM ICT-SP

Communication to stakeholders on continuity plans

Critical
High
Normal
Low

The organization shall have procedures in place to communicate effectively with stakeholders and other participants during continuity plans and survival procedures.

Communication plans related to continuity plans shall include:

  • Responsible persons, related stakeholders and other necessary contact information
  • Clear criteria for the situation where continuity communication will be implemented
  • A clear description of the staff implementing the continuity communication in each situation and the recipients to whom the communication will be sent
  • References to the templates and tools to be used
VAR-03: Jatkuvuussuunnitelmat
Julkri
34: Sidosryhmien välisen viestinnän mahdollistaminen
Sec overview
21.2.c: Business continuity and backups
NIS2
CC2.3: Communication with external parties
SOC 2
CC7.5: Recovery from security incidents
SOC 2

Defining the organization's continuity strategy

Critical
High
Normal
Low

The organization must maintain a top-level strategy for continuity planning. The strategy should include at least:

  • Guidelines for defining continuity planning recovery time objectives and the adverse events requiring continuity plans
  • Management commitment to continuity planning and improvement
  • Description of the organization's risk appetite

In order to develop a strategy, it may be necessary to make use of general good practices, such as ISO 22300.

VAR-03: Jatkuvuussuunnitelmat
Julkri
24: Jatkuvuudenhallinnan kuvaus
Sec overview
Article 11: Response and recovery
DORA
5.2.8: IT service continuity planning
TISAX

Requirements about information security continuity

Critical
High
Normal
Low

The organization should define requirements for the continuity of information security management during a crisis or disaster.

Information security management can either assume that the requirements are the same in adverse situations as in normal operating conditions, or seek to determine separately the security requirements applicable to adverse situations.

17.1.1: Planning information security continuity
ISO27 Full
VAR-02: Jatkuvuusvaatimusten määrittely
Julkri
5.29: Information security during disruption
ISO27k1 Full
24: Jatkuvuudenhallinnan kuvaus
Sec overview

Establising a crisis management team and process

Critical
High
Normal
Low

The organisation should establish and maintain a comprehensive crisis management framework. This involves implementing methods to detect potential crisis situations by identifying general indicators and specific predictable crises, along with clear procedures for invoking and escalating crisis management when necessary. Strategic goals and priorities must be defined, focusing on ethical considerations for example:

  • protecting life and health
  • safeguarding core business processes
  • ensuring appropriate information security

A dedicated crisis management team should be formed, including representatives from all major organizational functions, with defined structures, roles, competencies, expectations, authority, and decision-making procedures.

Crisis management policies and procedures need to be developed and approved, encompassing exceptional authorities and decision-making processes, communication methods, emergency operating procedures, and organizational structures for reporting, information gathering, and decision-making.

The entire crisis management plan should be reviewed and updated regularly to ensure its ongoing effectiveness and relevance.

1.6.3: Crisis preparedness
TISAX
4.3.2: Determine whether the incident is under control and take the necessary reactive measures
NSM ICT-SP

Ensuring coverage of critical scenarios and aspects in continuity plans

Critical
High
Normal
Low

The organisation should include the following topics into their continuity planning:

  • Plans for (D)DoS attacks
  • Plans for succesful ransomware attacks and other sabotage
  • System failures
  • Natural disasters

Continuity planning should take into account alternate communication options for situations primary communication means aren't operational. There should also be alternative options for storage, power and network strategies.

5.2.8: IT service continuity planning
TISAX