Learn more about the connected frameworks

13.1.2
ISO 27001

Verkkopalvelujen turvaaminen

6.4 (MIL1)
C2M2

Address Cybersecurity in Continuity of Operations

8.14
ISO 27001

Redundancy of information processing facilities

8.21
ISO 27001

Security of network services

ID.BE-4
NIST CSF

Dependencies and critical functions

ID.BE-5
NIST CSF

Resilience requirements

Other tasks from the same security theme

Identifying critical IT partners

Critical
High
Normal
Low

The organization must identify critical IT partners. A critical partner (internal or external) refers to a partner without whom the operation is interrupted.

7.1 (MIL1): Identify and Prioritize Third Parties
C2M2

Organizing supplier management meetings to discuss digital security

Critical
High
Normal
Low

The organization regularly discusses information security with critical suppliers and other partners in supplier management meetings.

No items found.

Tietoliikenteen toimivuuden varmistaminen

Critical
High
Normal
Low

Tietoliikennepalveluissa ja -sopimuksissa on huomioitu toiminnan kannalta tärkeiden palveluiden saatavuus häiriötilanteissa. 

Tärkeiden palvelujen verkkoympäristöt ja tietoliikennepalvelut varmennetaan esimerkiksi kahdentamalla. Tietoliikenne voidaan kahdentaa fyysisesti kahta eri reittiä pitkin kahden eri operaattorin toimesta.

Tärkeissä ympäristöissä varmistetaan, että yksittäisen tietoliikennekomponentin vikaantuminen ei keskeytä palvelun toimintaa.

Erikseen valittuihin työasemiin voidaan esimerkiksi asentaa erillinen tietoliikenneyhteys, jonka kautta voi päästä yleiseen tietoverkkoon.

Sopimusvaiheessa tulisi huomioida myös Suomen ulkopuolisten yhteyksien vikasietoisuus.

No items found.

Prioritization of partners based on the confidentiality of the information processed

Critical
High
Normal
Low

The organization must prioritize partners based on the confidentiality of the information processed.

ID.SC-2: Suppliers and third party partners of information systems
NIST CSF

Supply chain cyber security risk management

Critical
High
Normal
Low

The organization shall agree and implement a common security risk management measures and processes with stakeholders.

ID.SC-1: Cyber supply chain
NIST CSF

Defining supplier types that can access confidential data

Critical
High
Normal
Low

We define in advance the types of suppliers with whom cooperation requires access to confidential information or their processing areas, and through this e.g. demands data processing contracts. Such supplier types can be, for example, IT services, logistics, financial management and IT infrastructure components.

15.1.1: Information security policy for supplier relationships
ISO 27001
ID.BE-1: Role in supply chain
NIST CSF
5.19: Information security in supplier relationships
ISO 27001

Criteria for high priority partners

Critical
High
Normal
Low

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

15.1.1: Information security policy for supplier relationships
ISO 27001
ID.BE-1: Role in supply chain
NIST CSF
ID.SC-4: Audit suppliers and third-party partners
NIST CSF
5.19: Information security in supplier relationships
ISO 27001
7.2 (MIL1): Manage Third-Party Risk
C2M2

Minimum requirements for partner companies to gain access to different levels of information

Critical
High
Normal
Low

Minimum security requirements have been set for partner companies handling our confidential information and these have been included in supplier agreements. Requirements vary depending on how critical information the partner handles.

It makes sense for requirements to consist of rules and practices that are followed in your own organization. You can divide the requirement levels into low, medium and high risk suppliers.

15.1.1: Information security policy for supplier relationships
ISO 27001
15.1.3: Information and communication technology supply chain
ISO 27001
ID.BE-1: Role in supply chain
NIST CSF
5.21: Managing information security in the ICT supply chain
ISO 27001

Defined security arrangements for providing critical network equipment

Critical
High
Normal
Low

The security arrangements required for critical online services, such as security features, service levels, and management requirements, are carefully defined in advance. Online services include e.g. connections, networks and network security solutions (e.g. firewalls).

The security features of online services can be e.g. the following:

  • required security-related technologies such as authentication, encryption technology, and network connection management tools
  • the technical parameters required for a secure connection to network services
  • online service usage criteria that restrict access to the online service or applications as needed
13.1.2: Security of network services
ISO 27001
15.2.1: Monitoring and review of supplier services
ISO 27001
ID.BE-5: Resilience requirements
NIST CSF
DE.CM-1: The network monitoring
NIST CSF
5.22: Monitoring, review and change management of supplier services
ISO 27001

Tietoteknisten ympäristöjen toimivuuden varmistaminen

Critical
High
Normal
Low

Tietoteknisissä ympäristöissä ja niihin liittyvissä sopimuksissa on huomioitu toiminnan kannalta tärkeiden palveluiden saatavuus häiriötilanteissa.

Tärkeiden palvelujen tietotekniset ympäristöt varmennetaan esimerkiksi kahdentamalla siten, että yksittäisten komponenttien vikaantumiset eivät aiheuta toiminnan edellyttämää palvelutasoa pidempiä käyttökatkoja.

Tietotekniset ympäristöt voidaan varmentaa varavoimalla tai varavoimaliitännöillä siten, että sähkönjakelu voidaan käynnistää riittävän nopeasti ja ylläpitää sitä riittävän ajan suhteessa toiminnan vaatimuksiin.

No items found.

Required security objectives for cloud service subcontractors related to offered cloud services

Critical
High
Normal
Low

When the organisation chooses to use another cloud service provider’s services for the provision of its own offered cloud services, the organisation must make sure that the information security level of its customers is maintained or exceeded.

To ensure this the organisation must specify required security objectives to the subcontractors included in the supply chain. These objectives should require performing risk management to accomplish the objectives.

15.1.3: Information and communication technology supply chain
ISO 27017

Confirming information security roles and responsibilities related to utilized cloud services

Critical
High
Normal
Low

When an organisation is using a cloud-based data system, the organisation should understand and confirm the related information security roles and responsibilities as stated in the service agreement.

These can include responsibilities related e.g. to:

  • Malware protection
  • Cryptographic controls
  • Backup
  • Vulnerability and incident management
  • Compliance and security testing
  • Authentication, identity and access management
15: Supplier relationships
ISO 27017
15.1: Information security in supplier relationships
ISO 27017
15.1.2: Addressing security within supplier agreements
ISO 27017
15.1.3: Information and communication technology supply chain
ISO 27017
5.23: Information security for use of cloud services
ISO 27001

Multiple providers for critical network equipment

Critical
High
Normal
Low

For example, when the fault tolerance of a telecommunication network is critical, it can be further improved by procuring basic network services through several routes and through several service providers.

13.1.2: Security of network services
ISO 27001
ID.BE-4: Dependencies and critical functions
NIST CSF
ID.BE-5: Resilience requirements
NIST CSF
8.14: Redundancy of information processing facilities
ISO 27001
8.21: Security of network services
ISO 27001