
Other tasks from the same security theme

Defining cyber security responsibilities and tasks in employment contracts


The employment contracts specify the responsibilities of the employee and the organization for cyber security.

Contracts should include e.g.:

  • the employee's legal responsibilities and rights, such as those related to copyright or data protection law
  • the employee's responsibility for following the instructions, e.g. related to the use of hardware and data and the classification of information
  • the employee's or temporary employee's responsibility for processing information received from other companies or other parties
  • measures if the employee or temporary worker violates the safety requirements of the organization
  • continuing obligations after termination of employment
7.3: Termination and change of employment
ISO 27001
7.1.2: Terms and conditions of employment
7.3.1: Termination or change of employment responsibilities
ISO 27001
PR.DS-5: Data leak protection
NIST CSF
PR.IP-11: Cybersecurity in human resources
NIST CSF

Maintaining confidentiality agreements


All employees who handle confidential information should sign a confidentiality or non-disclosure agreement before handling confidential information.

The confidentiality agreement should include, among other things:

  • a clear definition of confidential information
  • the expected duration of the agreement
  • the required actions when the agreement is terminated
  • the responsibilities and actions of the signatories to avoid unauthorized disclosure of information
  • ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information
  • the permitted use of confidential information and the signatory's rights to use the information
  • the right to audit and monitor activities that involve confidential information

The requirements and needs for confidentiality agreements are reviewed and updated at regular intervals.

7.3: Termination and change of employment
ISO 27001
7.1.2: Terms and conditions of employment
7.3.1: Termination or change of employment responsibilities
ISO 27001
13.2.4: Confidentiality or non-disclosure agreements
ISO 27001
T10: Non-disclosure and confidentiality agreements

Personnel compliance with information security policies


Signing a contract before getting access to the organization's information and systems


The organization must ensure that the new employee signs an employment contract before he or she has access to any of the organization's records or data systems.

The employment contract should reflect the employee's responsibilities for information security and other roles relevant to the organization's information security.


Reviewing confidentiality agreements


Confidentiality and non-disclosure requirements are reviewed at regular intervals and whenever changes affecting these requirements occur.

7.1.2: Terms and conditions of employment
13.2.4: Confidentiality or non-disclosure agreements
ISO 27001
6.2: Terms and conditions of employment
ISO 27001
6.6: Confidentiality or non-disclosure agreements
ISO 27001

Disciplinary process for security breaches


Our organization has defined the actions to be taken in the event of a breach of confidentiality. These may include e.g. the following steps:

  • investigating what data was breached and how harmful this was
  • investigating the intentionality of the act
  • investigating what consequence was set out in the confidentiality agreement
  • deciding whether and how to proceed (e.g. legal actions)
  • deciding whether outside assistance is needed
7.2.3: Disciplinary process
ISO 27001
PR.IP-11: Cybersecurity in human resources
NIST CSF
5.28: Collection of evidence
ISO 27001
6.4: Disciplinary process
ISO 27001
7.3: Awareness
ISO 27001

Formal adoption of security policies


The employees of our organization accept the general information security policy formed by the management with their signatures. The policy may refer to a number of more specific security guidelines.

5.1.1: Policies for information security
ISO 27001
7.2.2: Information security awareness, education and training
ISO 27001
5.1: Policies for information security
ISO 27001

Ensuring necessary aspects in personnel's non-disclosure or confidentiality agreements


The organization's confidentiality or non-disclosure agreements remain in force after the employment contract or order ends.

The organization has also defined a procedure for handling violations of personnel obligations.
