An organization engaged in security-sensitive activities is required to assess its need for protective security through a documented analysis. Security-sensitive activities include handling classified information or conducting any other security-sensitive activities of importance to Sweden's security. The security protection analysis should answer the following questions:
- What should be protected? Does the business handle classified information? Are there facilities, objects, systems, property and other assets of importance to Sweden's security?
- Against what should it be protected? What security threats exist against the activities covered by the Security Protection Act? What vulnerabilities exist in the business?
- How should it be protected? Based on the identified vulnerabilities, which security protection measures need to be taken? Security protection measures can be divided into personnel security, physical security and information security.
The completed analysis must be documented, resulting in a plan that justifies each security measure and defines responsibilities and timelines. The security measures detailed in the analysis must be implemented and can include physical access controls, secure information handling practices, or staff-related procedures, depending on the risks identified.
It must also be stated when the measures are to be taken and which function is responsible for them.