Organisation must create and maintain comperhensive and well-documented a risk management framework.
The risk management framework should include at least:
used in cyber risk management.
The risk management framework must be reviewed at least yearly.
The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:
The task owner regularly checks that the procedure is clear and produces consistent results.
The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:
The organization has a defined cybersecurity risk management policy and it has been communicated to relevant stakeholders and been approved by the top management. The policy should include at least:
The policy should be kept updated, reviewed periodically and reflect organizational changes. The task owner should also ensure that the policy is understandable and available to all parties.
In the management of information security risks, the tasks must be separated if they are not compatible.
In a situation where the tasks are not compatible, but the separation of tasks is not practical, separate controls must be developed to monitor it.
The organization must consider the risks for achieving information security goals. Risks related to the achievement of goals must be mitigated by setting up control measures in at least the following areas:
The organization must identify the functions critical to the continuity of its operations (e.g. services offered to the customer).
Risks related to critical operations should be identified, evaluated and handled with emphasis and regularly in cooperation with service providers.
Implemented risk management measures and the overall situation of risk management are checked regularly.
The operating model for monitoring the status of risk management is clearly described.
Critical risks threatening the organization's operations are reported to the organization's management immediately.
There is a clearly planned operating model for reporting.
Fyysiset turvatoimet on mitoitettava riskien arvioinnin mukaisesti. Riskien arvioinnissa tulee ottaa huomioon esimerkiksi pääsyoikeuksien hallintaan ja muihin turvallisuusjärjestelyihin liittyviin prosesseihin sisällytettävät tiedonsaantitarpeen, tehtävien eriyttämisen ja vähimpien oikeuksien periaatteet. Fyysisiä turvatoimia koskevan riskien arvioinnin tulee olla säännöllistä ja osa organisaation riskienhallinnan kokonaisuutta. Arvioiduilla riskeillä on nimetyt omistajat.
Riskien arvioinnissa on otettava huomioon kaikki asiaan kuuluvat tekijät, erityisesti
seuraavat:
Lainsäädäntöjohdannaisilla riskeillä viitataan eri maiden lainsäädännössä oleviin mahdollisuuksiin velvoittaa palveluntarjoaja toimimaan yhteistyössä kyseisen maan viranomaisten kanssa, ja tarjoamaan esimerkiksi suora tai epäsuora pääsy palvelun asiakkaiden salassa pidettäviin tietoihin. Lainsäädäntöjohdannaiset riskit voivat ulottua sekä salassa pidettävän tiedon fyysiseen sijaintiin sekä muun muassa toisesta maasta käsin hallintayhteyksien kautta toteutettavaan tietojen luovutukseen. Lainsäädäntöjohdannainen tietojen luovuttaminen ja tutkimusoikeus on useissa maissa rajattu koskevaksi poliisia sekä tiedusteluviranomaisia.
Riskienarvioinnin tulisi kattaa lainsäädäntöjohdannaiset riskit vähintään seuraavien tekijöiden osalta:
Organisaation tulee varmistaa, että lainsäädäntöjohdannaiset riskit eivät rajoita palvelun soveltuvuutta sen käyttötarkoitukseen. Lainsäädäntöjohdannaisten riskien arvioinnissa on otettu huomioon koko palvelun tuottamisessa käytetty toimitusketju, ja niiden valtioiden säännökset, joiden mukaisesti palvelua tuotetaan sekä riski tietojen oikeudettomasta paljastumisesta näiden valtioiden viranomaisille.
Tietoturvariskien hallintaa toteuttaessaan organisaation on tunnistettava käsittelyä vaativat riskit ja määriteltävä näille käsittelysuunnitelmat, jotka usein koostuvat uusista tietoturvallisuustoimenpiteistä.
Organisaatio on määritellyt, kuinka säännöllisesti arvioidaan kokonaisuutena määriteltyjä käsittelysuunnitelmia ja niiden oikeasuhtaisuutta riskeille täytettyihin arvioihin (riskin vakavuus ja todennäköisyys) verrattuna.
The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.
The organization shall establish a description of the procedures for risk management processes and it has to be approved. The organization must agree about it with the organization's stakeholders.
As part of the security risk assessment, the organization shall make assessments of the severity and probability of the risk materializing.
The organization shall have a clearly instructed risk scale that allows each participant in the risk assessment to decide on the appropriate level of severity and probability.
Organisation has defined how information security aspects are integrated into used project management methods. Methods in use should require:
The organization has to exercise executing the catastrophe plan annually or always when there are significant changes to the plan.
If possible local authorities should be included in the exercise.
The organisation has to evaluate the impact of business disruptions and risks. Based on this evaluation the organisation must prioritize themes in continuity planning to focus on the important risk related issues.
The organization must take into account risk management procedures results when planning internal audit topics and execution, and when executing audits.
From the point of view of the information security management system, non-conformities are situations in which:
In systematic security work, all detected non-conformities must be documented. To treat the non-conformity, the organization must identify and implement improvements that correct it.
In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.
Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.
Järjestelmällisessä turvallisuustyössä muutosten vaikutukset on arvioitava ennakkoon, muutokset on dokumentoitava selkeästi ja toteutettava systemaattisesti.
Suojaustasolla II muutostenhallinnassa käytetään seuraavia toimintatapoja:
Järjestelmällisessä turvallisuustyössä muutosten vaikutukset on arvioitava ennakkoon, muutokset on dokumentoitava selkeästi ja toteutettava systemaattisesti.
Suojaustasoilla IV-III muutostenhallinnassa käytetään seuraavia toimintatapoja:
Organisaatio ylläpitää luetteloa salassa pidettävän tiedon käsittelyä edellyttävistä työtehtävistä. Pääsyoikeus salassa pidettävään tietoon myönnetään vasta, kun henkilön työtehtävistä johtuva tiedonsaantitarve on selvitetty. Luettelo sisältää tiedon salassa pidettävien tietojen käsittelyoikeuksista suojaustasoittain.
Organization assesses cyber security risks by responding to situations where security has been mildly or severely compromised. The documentation shall include at least the following:
The ISMS should monitor the implementation of the tasks and guidelines recorded therein.
The task owner should regularly review the implementation status of the ISMS as a whole.
Top management of the organization is responsible for:
Management support, guidance and responsibility are manifested in the fact that the organization has security principles approved by top management, which describe the connection of the organization's information security measures to the organization's operations. This shows that the management is committed to the organization's safety principles and that the principles represent the will of the management and support the organization's operations. The principles can be described in many different ways, for example as a single document, as part of general operating principles, policy or strategy.
The responsibility for the organisations ICT risk management should be assigned to a function that has a level of independence to conduct the risk management without conflicts of interest.
The independence of the risk management and segregation of management, control and audit functions needs to be ensured.
The organisation must enable asset based risk management from the ISMS settings.
Asset-based risk management should be set to cover all needed asset types with high enough criticality. The asset based risk management should be used at least for:
The organization plans and prioritizes measures related to the identification and assessment of information security risks based on the classification of data sets.
Choose the right method for risk assessment. There are a number of different methods for identifying and assessing risk. It is important that the organisation chooses a method that makes risk assessments manageable and allows one to identify, discuss and manage the most significant risks. Examples of different methods/frameworks include ISO/IEC 27005, NIST SP 800-30 and Octave Allegro.
Strategic opportunities can address the organization's cybersecurity risks and enhance the overall strategic positioning. Identify and include them into the organizational cybersecurity risk discussions for example by the following:
The organization has a defined cybersecurity risk management policy and it has been communicated to relevant stakeholders and been approved by the top management. The policy should include at least:
The policy should be kept updated, reviewed periodically and reflect organizational changes. The task owner should also ensure that the policy is understandable and available to all parties.
Organization has defined procedures on measuring and evaluating the performance of the risk management strategy and the outcomes of occurred risks.
The results are communicated to the top management and other relevant stakeholders, and the necessary actions and adjustments are performed.
The organization must take into account the risks caused by partners when managing information security risks. If necessary, separate theme-specific risk assessments can be made for critical partners.
The organization has an operating model for continuously improving the functionality and efficiency of the risk management process.
In the improvement, it is possible to use e.g. general standards (e.g. ISO 27005) or feedback from people involved in risk management.
After risk treatment, the organization assesses the remaining level of residual risk per risk.
Regarding the residual risk, clear decisions are made by the risk owner to either close the risk or return the risk to the processing queue.
The organization's risk outlook is reported to the organization's management regularly and at least once a year.
The organization has to have rules for urgent emergencies when following the rules allows for deviating from standard change management procedures.
The rules should include references and comparisons to the normal change management procedures and for example needed evidence for the reason for deviation from normal procedure.
The organization has to have pre-planned means of detecting non-compliance with the change management procedure.
If a deviation from the change management procedure is detected, it should be addressed in accordance with the disruption management process.
Organisation carries out data security auditing regularly. Auditing is used to identify e.g. problems and development needs in data systems and system providers activity.
Important auditing partners should be listed on Other stakeholders -list.