Learn more about the connected frameworks

5.28: Collection of evidence (ISO 27001)

Other tasks from the same security theme

The step-by-step process of notification of incidents to the authorities

The organization informs the authority defined in the legislation (CSIRT) without delay about disturbances that have significantly affected the provision of its services.

A disturbance is significant when at least one of the following occurs:

  • disruption may cause serious disruption in the operation of services or serious financial losses for the service provider
  • disruption may cause significant material or immaterial damage to related people or other organizations

Notifications are to be done step by step according to the descriptions below. In addition, while the disruption is ongoing, the organization must deliver the status updates requested by the authority.

Early warning (at the latest within 24 hours of detecting the disruption)

  • whether the cause is suspected to be illegal activity
  • whether the disruption may have effects on other countries

More detailed notification of the disruption (at the latest within 72 hours of detecting the disruption)

  • the previous information is updated
  • the current assessment of the disturbance, its severity and effects is given
  • possible evidence of the leak is listed

Final report (at the latest within 1 month of the incident report)

  • a detailed description of the incident, including its severity and effects
  • type of threat or root cause that likely triggered the event
  • applied and ongoing mitigation measures
  • potential impact on other countries

Treatment process and documentation of occurred security incidents

All security incidents are addressed in a consistent manner to improve security based on what has happened.

In the incident treatment process:

  • the reported incident is confirmed (or found unnecessary to record)
  • the type and cause of incident is documented
  • the risks associated with the incident are documented
  • the risks are re-evaluated and treated if that is necessary after the incident
  • risk mitigation measures, or the decision to accept the risks, are documented
  • people who need to be informed of the results of the incident treatment are identified (including external ones)
  • possible need for a post-incident analysis is determined

Connected frameworks:

  • 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (GDPR)
  • 32. Security of processing (GDPR)
  • 16.1.5: Response to information security incidents (ISO 27001)
  • T06: Security incident management
  • DE.AE-2: Analyze detected events (NIST CSF)

Designation of an incident management team

The organization shall ensure that clearly designated persons are assigned to incident management responsibilities, e.g. handling the first response for incidents.

Incident management personnel need to be instructed and trained to understand the organization's priorities in dealing with security incidents.

Connected frameworks:

  • 16.1.2: Reporting information security events (ISO 27001)
  • 16.1.3: Reporting information security weaknesses (ISO 27001)
  • ID.RA-3: Threat identification (NIST CSF)
  • RS.CO-1: Personnel roles (NIST CSF)
  • 5.25: Assessment and decision on information security events (ISO 27001)

Personnel guidelines for reporting security incidents

A process for reporting incidents is maintained to help staff report incidents efficiently and consistently.

Things to report as an incident include e.g.:

  • unauthorized access to data / premises
  • action against security guidelines
  • suspected security issue (e.g. phishing, malware infection)
  • data system outage
  • accidental or intentional destruction / alteration of data
  • lost or stolen device
  • compromised password
  • lost physical identifier (e.g. keychain, smart card, smart sticker)
  • suspected security weakness (e.g. on utilized data system or other procedures)

The personnel guidelines emphasize the obligation to report security incidents as soon as possible in accordance with the agreed process. The instructions also describe other operations in the event of an incident (e.g. recording seen error messages and other details).

Connected frameworks:

  • 24. Responsibility of the controller (GDPR)
  • 16.1.2: Reporting information security events (ISO 27001)
  • 16.1.3: Reporting information security weaknesses (ISO 27001)
  • T06: Security incident management
  • ID.RA-3: Threat identification (NIST CSF)

Communication during disruptions and preparedness

The authority must inform, without delay, those who use its information materials if the authority's information management is affected by a disruption that prevents or threatens to prevent the availability of the information materials. The communication must include the following information:

a) The estimated duration of the disruption or the threat of one.

b) Possible alternative ways of using the authority's information materials, if any exist.

c) When the disruption or the threat of one ends.

The authority must comply with the instructions issued on informing the public about service interruptions in digital services and other electronic data transfer methods, as provided in section 4(2) of the Act on the Provision of Digital Services (306/2019).

Communication about information security threats and protective measures affecting users of the services

When users of the organization's services are potentially exposed to a significant information security threat, the organization must communicate this to them, including all possible remedial measures that users can take themselves to protect themselves against the threat.

When necessary for clarity of communication, the organization must include in its communication also more general information about the related information security threat.

Incident notifications for users of own services

If it is appropriate from the point of view of the service provided by the organization, the organization will notify the users of its services without delay of significant disruptions that are likely to negatively affect the delivery of the services in question.

A disruption is significant when at least one of the following occurs:

  • disruption can cause a serious disruption in the operation of services or serious financial losses for the service provider
  • disruption can cause significant material or non-material damage to related people or other organizations

Regular practice of security incident situations

The organization should regularly, at least once a year, practice potential disruption or attack situations.

The exercise can focus either on developing disturbance detection, response or management, or all of these.

Documentation of the implementation of exercises and observations must be maintained.

Reporting data security incidents to the authorities

The organization must have a procedure for reporting disturbances, attacks and violations to the authorities. For example:

  • Police
  • Office of the Data Protection Commissioner
  • Cyber Security Center

Definition of tolerable outages

For each identified critical function, the organization should define how long an interruption can be tolerated without disrupting the organization's operations.

The definition must take into account:

  • Legal requirements related to the availability of the organization's systems, registers and services
  • Requirements of own operations and stakeholders

Managing evidence information for information security incidents

The organization must create processes that identify, collect and store relevant evidence information related to information security incidents. The evidence may need to have been collected in a way that can be accepted in relevant courts or other similar disciplinary bodies.

Regarding the evidence material, it should be possible to demonstrate e.g.:

  • the records are complete and not altered in any way
  • copies of electronic evidence are likely to be identical to the originals
  • the data system from which the evidence was collected was functioning properly at the time of collection

Certification or other assurances of the competency of related personnel and tools may additionally be considered to establish more evidentiary value.
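
As an added example (not from the original page or the tool it describes), the script below shows one way to support the first two points: a SHA-256 manifest recorded at collection time, and a check that a later working copy still matches it file by file. The file names, contents and collector name are constructed.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, hashed in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir: Path, collector: str) -> dict:
    """Record digest and size of every collected file, keyed by relative path."""
    files = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(evidence_dir))
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {"collector": collector, "files": files}

def verify_copy(manifest: dict, copy_dir: Path) -> dict:
    """Return {relative_path: 'missing'|'modified'|'unexpected'}; empty means identical."""
    expected, problems = manifest["files"], {}
    for rel, info in expected.items():
        p = copy_dir / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != info["sha256"]:
            problems[rel] = "modified"
    for p in copy_dir.rglob("*"):
        rel = str(p.relative_to(copy_dir))
        if p.is_file() and rel not in expected:
            problems[rel] = "unexpected"
    return problems

def demo() -> dict:
    """Constructed scenario: one file in the working copy is edited after collection."""
    root = Path(tempfile.mkdtemp())
    orig, copy = root / "original", root / "copy"
    orig.mkdir()
    (orig / "auth.log").write_text("Jan 1 10:00:01 host sshd: Failed password\n")
    (orig / "memory.dmp").write_bytes(b"\x00" * 4096)
    manifest = build_manifest(orig, collector="analyst-1")  # recorded at collection time
    shutil.copytree(orig, copy)
    (copy / "auth.log").write_text("tampered\n")  # the alteration the check must catch
    problems = verify_copy(manifest, copy)
    shutil.rmtree(root)
    return problems
```

The manifest itself should be stored separately from the evidence and its own digest recorded in the case log, otherwise it can be altered together with the files it vouches for.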

Connected frameworks:

  • 5.28: Collection of evidence (ISO 27001)

Incident containment measures

The organization shall establish means to limit the impact of the incident to a minimum. The means should correspond to the plans made and include:

  • Preparations for incidents
  • Analyzing of the incident
  • Containment of the incident
  • Eradication of the incident
  • Starting the recovery measures

Connected frameworks:

  • RS.MI-1: Incident containment (NIST CSF)

Detection process testing and compliance

Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. Detection activities must comply with all relevant requirements.

Connected frameworks:

  • DE.DP-2: Detection activities (NIST CSF)

Defining threshold for cyber security breach

The organization must define the threshold at which a security incident becomes a cyber security breach.

Connected frameworks:

  • DE.AE-5: Incident alert thresholds (NIST CSF)
  • 6.1 (MIL2): Detect Cybersecurity Events (C2M2)
  • 6.2 (MIL1): Analyze Cybersecurity Events and Declare Incidents (C2M2)

Identification and monitoring of event sources

The organization shall determine what security events it monitors and in what ways.

Security events should be monitored from a variety of sources to identify important potential incidents that require a response. Information can be obtained e.g. directly from the management system, external partners, or logs generated by the organization’s equipment.

Examples of security events that can be monitored include:

  1. Slow server performance
  2. Recurring login errors
  3. Unknown login attempts
  4. Abnormal network traffic
  5. Out of storage
  6. Changes in code projects
  7. Configuration changes in the firewall
  8. Access changes to critical systems / servers / databases
  9. Large database downloads
  10. Unauthorized software installations on endpoint devices
  11. Traffic from IP addresses known to be malicious
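
As an added example (not from the original page or the tool it describes), the detection logic below runs over a few constructed sshd-style log lines and flags three of the event types listed above: recurring login failures from one source, successful logins from sources not on an allowlist, and traffic from addresses on a blocklist. The log format, the threshold and window, and the addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format; the addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:04 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:12 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:15 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:05:00 sshd: Accepted password for alice from 198.51.100.20
2024-03-01T09:06:30 sshd: Accepted password for bob from 192.0.2.55
2024-03-01T09:10:00 sshd: Failed password for carol from 198.51.100.20
"""
LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(log_text: str):
    """Yield (timestamp, outcome, user, ip) for each line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            yield datetime.fromisoformat(ts), outcome, user, ip

def detect(log_text, known_sources, blocklist, threshold=5, window=timedelta(minutes=1)):
    """Return (event_type, ip) findings in log order for three monitored event types."""
    findings = []
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    for ts, outcome, user, ip in parse(log_text):
        if ip in blocklist:
            findings.append(("traffic_from_malicious_ip", ip))
        if outcome == "Failed":
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) == threshold:  # fire once, when the threshold is reached
                findings.append(("recurring_login_failures", ip))
        elif ip not in known_sources:  # successful login from an unlisted source
            findings.append(("login_from_unknown_source", ip))
    return findings
```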

Connected frameworks:

  • DE.AE-3: Event data (NIST CSF)
  • 6.1 (MIL1): Detect Cybersecurity Events (C2M2)

Processes for reporting information security events related to offered cloud services

When offering cloud services, the organisation needs to have planned processes or procedures for:

  • how the cloud service customer reports an information security event to the organisation
  • how the organisation reports information security events to cloud service customers
  • how the cloud service customer can track the status of a previously reported information security event

Connected frameworks:

  • ID.RA-3: Threat identification (NIST CSF)
  • DE.DP-4: Event detection (NIST CSF)
  • RS.CO-3: Information sharing (NIST CSF)
  • RC.CO-1: Public relations (NIST CSF)
  • 16: Information security incident management (ISO 27017)

Defining cyber security metrics for cyber security breaches

The organization has defined metrics that can be monitored and are related to cyber security incident management. At its best, good metrics help detect weaknesses in incident detection.

Possible metrics include:

  • Number of security incidents and relationship to disruptions
  • Number of disruptions by service provided, department, severity or type
  • Time required for incident identification, investigation and handling
  • Deviations from documented practices

Connected frameworks:

  • 6.1 (MIL2): Detect Cybersecurity Events (C2M2)
  • 6.2 (MIL1): Analyze Cybersecurity Events and Declare Incidents (C2M2)

The first level response process to security incidents

The organization has defined a process and the team involved in responding promptly to security incidents and deciding on the appropriate actions.

The first level response process includes at least:

  • effectively seeking to confirm the identified incident
  • deciding on the need for immediate response

Connected frameworks:

  • 16.1.4: Assessment of and decision on information security events (ISO 27001)
  • DE.AE-4: Impact of events (NIST CSF)
  • RS.RP: Response Planning (NIST CSF)
  • RS.RP-1: Incident response plan (NIST CSF)
  • RS.AN-4: Incident categorization (NIST CSF)

Consideration of environmental threats in risk and incident management

The organization should take into account environmental threats that may affect the usability of systems as part of the risk assessment process and also as part of the information security incident process.

Environmental threats include, for example:

  • Unfavorable weather
  • Failure in environmental management systems
  • Power spikes in electricity distribution
  • Fires
  • Water damage

Forensic investigation of incidents

After a disturbance, a forensic examination must be carried out on the malicious code or other remnants of the disturbance. A safe investigation in a closed environment can open up the causes, goals, and motives of the incident. This helps the organization fix potential security vulnerabilities, prepare for similar incidents, and identify or profile a potential attacker.

Connected frameworks:

  • RS.AN-3: Forensics (NIST CSF)

Ensuring sorting of cyber security events

The organization shall define procedures for clearly sorting detected security events. Sorting must enable the prioritizing of events according to severity and potential impact.

Sorting is intended to enhance the investigation and evaluation of security events so that, for example, a response to a disruption can be initiated quickly.

Procedures can consist of common processes, technical tools, or algorithms that utilize machine learning. They need to be reviewed regularly to ensure that they work and remain appropriate for the organization's needs.

Connected frameworks:

  • DE.AE-2: Analyze detected events (NIST CSF)
  • 6.2 (MIL1): Analyze Cybersecurity Events and Declare Incidents (C2M2)

Follow-up analysis for security incidents

If it is difficult to identify the source of a security incident based on the primary treatment, a separate follow-up analysis is performed for the incident, in which the root cause is sought to be identified.

Connected frameworks:

  • 16.1.6: Learning from information security incidents (ISO 27001)
  • ID.RA-4: Impacts on business (NIST CSF)
  • DE.DP-5: Detection processes improvement (NIST CSF)
  • RS.AN-2: The impact of the incident (NIST CSF)
  • RS.IM-1: Response plans (NIST CSF)

Regular periodic analysis and learning of incidents

The knowledge gained from analyzing and resolving security incidents should be used to reduce the likelihood of future incidents and their impact.

The organization regularly analyzes incidents as a whole. This process examines the type, amount and cost of incidents with the aim of identifying recurrent and significant incidents that need more action.

If recurrent incidents requiring response are identified, based on them:

  • new management tasks are created or current ones expanded
  • security guidelines in this area are refined or extended
  • a case example of the incident is created that is used to train staff to respond to or avoid similar incidents

Connected frameworks:

  • 16.1.6: Learning from information security incidents (ISO 27001)
  • PR.IP-7: Protection processes (NIST CSF)
  • PR.IP-8: Protection effectiveness (NIST CSF)
  • DE.DP-5: Detection processes improvement (NIST CSF)
  • RS.AN-2: The impact of the incident (NIST CSF)

Communicating the results of cyber security incident analysis

The organization has defined procedures to ensure that the original reporter and other personnel involved in the incident are informed of the outcome of the incident management.

Linked personnel can be documented on an optional field on the incident documentation template.

Connected frameworks:

  • 16.1.6: Learning from information security incidents (ISO 27001)
  • PR.IP-8: Protection effectiveness (NIST CSF)
  • DE.DP-4: Event detection (NIST CSF)
  • 5.27: Learning from information security incidents (ISO 27001)

Whistleblowing system

Staff have a whistleblowing system that allows them to report breaches of security rules or procedures anonymously.