Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Learn more about the connected frameworks

No items found.

Other tasks from the same security theme

Creation and maintenance of the information security plan report

Critical
High
Normal
Low

Organisaation on luotava ja ylläpidettävä tietoturvasuunnitelmaa.

Asiakastietolain 27 §:n mukaisesti palvelunantajan on laadittava tietoturvaan ja tietosuojaan sekä tietojärjestelmien käyttöön liittyvä tietoturvasuunnitelma.

Tämän määräyksen(MÄÄRÄYS 3/2021) mukaista tietoturvasuunnitelmaa ei tule sisällyttää tai yhdistää julkaistaviin tai julkisesti saatavilla oleviin omavalvontasuunnitelmiin. Tietoturvasuunnitelmaa ja siinä viitattuja liitedokumentteja tulee käsitellä ja säilyttää ottaen huomioon tarvittava suojaaminen sivullisilta ja tarvittaessa niihin tulee merkitä salassa pidettävä -tieto

No items found.

Defining the frameworks that serve as the basis of the management system

Critical
High
Normal
Low

The organization must define the frameworks that are used as the basis of the management system. Requirements frameworks should address:

Internal reporting goals:

  • Reports that support decision-making for management
  • Reporting accuracy and details not related to financial reports

Requirement fulfillment goals:

  • Fulfillment of laws and regulations
  • Setting sub-goals so that the security, availability, processing integrity, confidentiality and privacy criteria support adequate reporting, the organization's operation and compliance with the requirements
No items found.

ISMS description and maintenance

Critical
High
Normal
Low

The organization must operate, maintain, and continuously develop a security management system.

The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.

5.1.1: Policies for information security
ISO 27001
PR.AT-5: Physical and cybersecurity personnel
NIST CSF
5.1: Policies for information security
ISO 27001
4.3 : Scope of the ISMS
ISO 27001
4.4: Information security management system
ISO 27001

Internal audit procedure -report publishing and maintenance

Critical
High
Normal
Low

The organization has established a procedure for conducting internal audits. The procedure shall describe at least:

  • how often audits are carried out
  • who may carry out the audits (including audit criteria)
  • how the actual audit is carried out
  • how audit results are documented and to whom the results are reported
ID.GV-3: Legal and regulatory requirements
NIST CSF
7.5: Requirements for documented information
ISO 27001
9.2: Internal audit
ISO 27001

Identification, documentation and management of other information security requirements

Critical
High
Normal
Low

Compliance with required laws, regulations, standards, and contractual obligations can be as challenging as dealing with an ever-changing threat environment and new forms of cyber-attacks.

The organization shall document the information security requirements and the organisation's operating model for meeting them.

It is important to note that a large part of the requirements (e.g. laws, standards) are evolving entities. It is recommended to define a review interval for the documentation to describe the frequency at which changes in the requirements should at least be checked.

18.1.1: Identification of applicable legislation and contractual requirements
ISO 27001
ID.GV-3: Legal and regulatory requirements
NIST CSF
5.31: Legal, statutory, regulatory and contractual requirements
ISO 27001

Creating and maintaining a statement of applicability

Critical
High
Normal
Low

The Statement of Applicability (SoA) is a key document that defines how an organization implements much of its cyber security.

The statement describes which of the controls recommended by ISO 27001 are implemented in the organization, how they are implemented, and the current state of the controls. In addition, possible reasons for not using certain controls are described.

6.1: Information security risk management
ISO 27001
7.5: Requirements for documented information
ISO 27001

Executing and documenting internal audits

Critical
High
Normal
Low

The organization conducts internal audits in accordance with its internal audit procedure. The aim is to check:

  • whether the information security management system complies with the organisation's cyber security requirements
  • whether the information security management system complies with other operational security requirements or standards complied with
  • whether the information security management system is implemented effectively

Documented information on the execution and results of audits must be kept.

18.2.1: Independent review of information security
ISO 27001
12.7: Information systems audit considerations
ISO 27001
12.7.1: Information systems audit controls
ISO 27001
ID.GV-3: Legal and regulatory requirements
NIST CSF
5.35: Independent review of information security
ISO 27001

Defining and documenting security objectives

Critical
High
Normal
Low

Organization's top management sets security objectives. Security objectives meet the following requirements:

  • they shall take into account applicable data security and data protection requirements and the results of risk assessment and treatment
  • they are clearly communicated to key security and data protection personnel, staff and other relevant stakeholders
  • they are updated as necessary (e.g. when the risk landscape changes or periodically when the objectives are met)
  • they are documented and (if possible) measurable

In connection with the documentation of security objectives, the necessary top-level improvements and tasks, needed resources, responsible persons, due dates and methods for evaluating the results in order to achieve the objectives are also defined.

5.1.1: Policies for information security
ISO 27001
ID.BE-3: Organizational mission, objectives and activities
NIST CSF
ID.GV-1: Cybersecurity policy
NIST CSF
5.1: Leadership and commitment
ISO 27001
6.2: Information security objectives
ISO 27001

Information security policy -report publishing, informing and maintenance

Critical
High
Normal
Low

The organization has an information security policy developed and approved by top management. The policy shall include at least the following:

  • the basis for setting the organization’s security objectives
  • commitment to meeting information security requirements
  • commitment to continuous improvement of the information security management system

In addition, the task owner shall ensure that:

  • the is appropriate for the organization's business idea
  • the policy is communicated to the entire organization
  • the policy is available to stakeholders as appropriate
T01: Turvallisuusperiaatteet
5.1.2: Review of the policies for information security
ISO 27001
5: Information security policies
ISO 27001
5.1: Management direction for information security
ISO 27001
5.1.1: Policies for information security
ISO 27001

Establishing and maintaining a cyber security program

Critical
High
Normal
Low

The organization must establish and maintain a cyber security program. The program must have the support of the top management.

The program must be established:

  • According to the cyber security program strategy
  • The support of the top management is active and supports the development and maintenance of the program

    • p> li>
    • The program is responsible for a role that has the authority to fulfill it
10.2 (MIL1): Establish and Maintain Cybersecurity Program
C2M2

Strategy for cyber security program

Critical
High
Normal
Low

The organization must create and maintain a strategy for the cyber security program. The cyber security program defines the goals for the organization's cyber security measures.

10.1 (MIL1): Establish Cybersecurity Program Strategy
C2M2

A strategy for cyber security architecture

Critical
High
Normal
Low

The organization must have a strategy for developing and maintaining a cyber security architecture.

The strategy must match the organization's cyber security program and the organization's architecture.

The architecture must include:

  • Security measures for computer networks
  • Protection of information assets
  • Application security
  • Implementation of data protection and privacy
9.1 (MIL1): Establish and Maintain Cybersecurity Architecture Strategy and Program
C2M2
9.2 (MIL1): Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2
9.3 (MIL1): Implement IT and OT Asset Security as an Element of the Cybersecurity Architecture
C2M2
9.4 (MIL1): Implement Software Security as an Element of the Cybersecurity Architecture
C2M2
9.5 (MIL1): Implement Data Security as an Element of the Cybersecurity Architecture
C2M2

Recognizing the technology needed to accomplish the cybersecurity goals

Critical
High
Normal
Low

The organization must:

  • identify the connections between technology and the running of business operations
  • Build the necessary infrastructure to maintain the necessary technology so that their availability and operational reliability can be guaranteed

The organization must define what technology is needed in order to achieve the information security objectives? And, what technology must be acquired / developed in order to achieve the information security goals?

No items found.

Consideration of external goals when setting information security objectives

Critical
High
Normal
Low

When setting the organization's information security objectives, external objectives must be taken into account. This means, for example:

  • Externally set requirement frameworks, such as laws and regulations or requirements set by other external stakeholders
  • The reporting takes into account a sufficient amount of detail in the reports to demonstrate the fulfillment of the external requirements
No items found.

Defining the units of your organization

Critical
High
Normal
Low

The organization must define its operations and, in particular, the units relevant to the implementation of information security.

The owners defined for the units can be assigned responsibilities for the unit-specific implementation of various tasks.

No items found.

Data collection and processing

Critical
High
Normal
Low

The organization's information systems collect data from internal and external sources and process essential data into information. Information supports internal control components

Information must be:

  • Up-to-date
  • Accurate
  • Complete
  • Secured
  • Secured
No items found.

Supervision carried out by the board of the organization

Critical
High
Normal
Low

A board separate from the management supervises the development and implementation of internal information security measures.

The board's duties include in particular:

  • Responsibility for the more detailed implementation and monitoring of operations
  • Using experts in the field of information security and evaluates the need for additional expertise in the board
  • Works independently and is objective in assessments and decision-making
  • Adds expertise when necessary, for example with consultants
No items found.

Preparation for information campaign against the organization

Critical
High
Normal
Low

The organization has formed a plan in case of a smear or influence campaign against it.

No items found.

Adequacy of digital security resourcing

Critical
High
Normal
Low

The organization has dedicated sufficient resources and expertise to the development of digital security as part of the implementation of the organization's strategy.

In addition, a responsible person has been named for digital security, and this theme receives enough attention in the responsible person's job description and time management.

No items found.

Internal communication about the organization's risk situation

Critical
High
Normal
Low

The organization has an operating model for regular communication to the entire organization about the risk situation in information security and about new significant risks affecting the organization.

Information can be implemented, for example, as a collaboration between the information security core team and communication professionals.

No items found.

Determination and adequacy of the cyber security budget

Critical
High
Normal
Low

The organization has clearly defined a budget dedicated to the maintenance and development of digital security. The budget is sufficient to achieve the goals set for digital security.

When budgeting for digital security, three key areas must be considered in particular - personnel costs, technology solutions and operational costs.

No items found.

Maintaining chosen theme-specific policy documents

Critical
High
Normal
Low

Theme-specific policy documents can help the communication and viewing of tasks, instructions and other documentation related to different areas, as well as connecting possible upper-level principles to these contents of the management system, which describe a more detailed implementation.

The organization must define which theme-specific policy documents are maintained and, if necessary, reviewed as a whole at desired intervals. Examples of topics for which you may want to maintain your own policy document include:

  • access control
  • physical security
  • management of assets to be protected
  • backup
  • encryption practices
  • data classification
  • technical vulnerability management
  • secure development
5.1.1: Policies for information security
ISO 27001
5.1: Policies for information security
ISO 27001
7.5: Requirements for documented information
ISO 27001

Varautumista ohjaavan lainsäädännön tunnistaminen ja dokumentointi

Critical
High
Normal
Low

The organization has identified the national and EU legislation governing ICT preparedness related to its operations and services, as well as other norms related to ICT preparedness.

Legislation and norms determine the minimum level for implementing ICT preparedness. In addition to this, the organization must take into account the needs arising from the special features of its own operations. Understanding the internal and external dependencies of operations is a basic requirement for cost-effective management of preparedness.

No items found.

Luettelo turvaluokiteltuja asiakirjoja käsittelevistä henkilöistä valtionhallinnossa

Critical
High
Normal
Low

Valtionhallinnon viranomaisen on pidettävä luetteloa henkilöistä, joilla on oikeus käsitellä turvallisuusluokan I, II tai III asiakirjoja. Luettelossa on mainittava henkilön tehtävä, johon turvallisuusluokitellun tiedon käsittelytarve perustuu.

No items found.

Tietoturvallisuuteen liittyvän dokumentaation ajantasaisuus

Critical
High
Normal
Low

Tietoturvallisuuteen liittyvä dokumentaatio on ajantasaista.

  • Organisaatiolla on prosessi, jonka avulla seurataan dokumentaation kattavuutta ja ajantasaisuutta
  • Dokumentaation puutteisiin reagoidaan
No items found.

Muiden tietoturvavaatimusten seuranta

Critical
High
Normal
Low

Organisaation tietoturvallisuusvaatimukset muodostuvat esimerkiksi lainsäädännössä ja sopimuksissa määritellyistä vähimmäisvaatimuksista sekä muista tunnistetuista tai itse tavoitelluiksi valituista vaatimuksista.

Organisaation on seurattava tietoturvallisuusvaatimusten muutoksia ja tehtävä tarvittavat toimenpiteet niihin reagoimiseksi.

No items found.

Tieto-omaisuuden välisten riippuvuuksien tunnistaminen ja dokumentointi

Critical
High
Normal
Low

Organisaatio on tunnistanut ja dokumentoinut tieto-omaisuuden väliset riippuvuudet.

Digiturvamallissa riippuvuuksia eri elementtien välille syntyy paljolti automaattisesti, mutta toimintatapaa voidaan tarkentaa organisaation omien valintojen mukaan.

No items found.

Kasautumisvaikutuksen huomiointi suojattavien kohteiden luokittelussa

Critical
High
Normal
Low

Tietojärjestelmän tai muun useita tietoaineistoja sisältävän kohteen luokitus määräytyy ensi sijassa korkeimman luokituksen aineiston mukaan. Tietojärjestelmien luokitusta arvioitaessa tulee huomioida myös kasautumisvaikutus riskilähtöisesti.

Suuresta määrästä tietyn luottamuksellisuuden tason tietoa koostuvissa tietojärjestelmissä asiakokonaisuus voi nousta luokitukseltaan yksittäistä tietoa korkeammalle tasolle. Määrä ei ole kuitenkaan ainoa tekijä, vaan joskus esimerkiksi kahden eri tietolähteen yhdistäminen voi johtaa tietovarannon luokituksen nousemiseen.

Tyypillisesti kasautumisessa on kysymys IV-luokan tiedosta (esimerkiksi suuri määrä turvallisuusluokan IV tietoa voi muodostaa yhdistettynä turvallisuusluokan III tietovarannon), mutta kasautumisvaikutus tulee huomioida myös turvallisuusluokittelemattoman salassa pidettävän tiedon suojaamisessa.



No items found.

Security roles, responsibilities, and objectives derived from the organization's goals

Critical
High
Normal
Low

The organization has set priorities for its operations and goals. Based on these priorities, you need to be able to define security roles, responsibilities, and goals.

ID.BE-3: Organizational mission, objectives and activities
NIST CSF

Segregation of information security related duties

Critical
High
Normal
Low

Organisation should have processes for ensuring that conflicting responsibilities are segregated to reduce opportunities for misuse of the organization’s assets.

Care should be taken e.g. in relation to a single person being able to process data without detection. Often also separating the initiation of an event from its authorization is a good practice.

When direct segregation of duties is hard to achieve, the following principles can be utilized:

  • High-level segregation of information security responsibilities
  • Supporting segregation with good monitoring, audit trails and management supervision
6.1.2: Segregation of duties
ISO 27001
ID.RA-3: Threat identification
NIST CSF
PR.AC-4: Access permissions and authorizations
NIST CSF
PR.DS-5: Data leak protection
NIST CSF
5.3: Segregation of duties
ISO 27001

Archiving and retaining outdated security documentation

Critical
High
Normal
Low

Organization has defined what constitutes important security-related documentation and guidelines (e.g. report documents or all task / guideline content), which should be securely archived after they are replaced or become otherwise outdated.

This information should be saved for possible reviews of old policies or guidelines, which may be relevant e.g. in the case of a customer dispute or investigation by data protection authority.

When no specific legal or contractual requirement states the retention period, information should be saved for at least five years.

A.10.2: Retention period for administrative security policies and guidelines
ISO 27018

Continuous improvement and documentation

Critical
High
Normal
Low

The organization shall continuously strive to improve the performance of the information security management system. Ways to improve are being actively sought - not just through audits or clear non-conformities.

Task owner is responsible for documenting the improvements made to the management system and dividing them into tasks to be performed, monitoring task execution and assessing the reached effects.

PR.IP-7: Protection processes
NIST CSF
10.1: Continuous improvement
ISO 27001

Communication plan for information security management system

Critical
High
Normal
Low

The organization shall determine which issues related to the information security management system need to be communicated on a regular basis. The plan must include the answers, e.g. to the following points:

  • What issues are communicated? These can be e.g. new or changed security objectives
  • How and when to communicate?What channels are used and how often?
  • To whom is communicated? How often for security executives, how often for the entire organization or partners.
  • Who takes part? Who has the right to message and from whom, for example, messages should be approved.

Task owner will take care of the implementation of the plan and regular evaluation of its effectiveness.

RC.CO-2: Reputation
NIST CSF
5.1: Leadership and commitment
ISO 27001
7.4: Communication
ISO 27001

Implementation and documentation of management reviews

Critical
High
Normal
Low

Top management shall review the organization's information security management system at planned intervals to ensure that it remains appropriate, relevant and effective.

The management review shall address and comment on at least the following:

  • Status of improvements (or other actions) initiated as a result of previous management reviews
  • Future changes relevant to the security management system
  • Performance of the ISMS (problem areas, metering, audit results and fulfillment of management security objectives)
  • Stakeholder feedback on data security
  • Operation of the risk assessment and treatment process

Documented information on the execution and results of reviews must be maintained.

18.1.1: Identification of applicable legislation and contractual requirements
ISO 27001
ID.GV-3: Legal and regulatory requirements
NIST CSF
9.3: Management review
ISO 27001

Defining and documenting cyber security metrics

Critical
High
Normal
Low

The organisation regularly evaluates the level of cyber security and the effectiveness of the information security management system.

Organisation has defined:

  • monitored metrics to provide comparable results on the development of cyber security level
  • persons responsible for the metering
  • methods, timetable and responsible persons for metrics reviewing and evaluation
  • methods to document metric-related evaluations and results

Effective metrics should be usable for identifying weaknesses, targeting resources better and assessing organisation's success / failure related to cyber security.

7.2.1: Management responsibilities
ISO 27001
4 luku, 13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
9.1: Monitoring, measurement, analysis and evaluation
ISO 27001

General security competence and awareness of personnel

Critical
High
Normal
Low

Personnel under the direction of the entire organization must be aware:

  • how they can contribute to the effectiveness of the information security management system and the benefits of improving the level of information security
  • the consequences of non-compliance with the requirements of the information security management systemwhich roles in the personnel have effects to the level of security

In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.

32. Security of processing
GDPR
29. Processing under the authority of the controller or processor
GDPR
7.2.2: Information security awareness, education and training
ISO 27001
7.2.1: Management responsibilities
ISO 27001
PR.AT-1: Awareness
NIST CSF

Incident management resourcing and monitoring

Critical
High
Normal
Low

Management shall define responsibilities and establish procedures to ensure an effective and consistent response to security incidents.

Management must ensure e.g.:

  • interference management has clear responsibilities
  • there is a documented process for responding, handling and reporting incidents

The process must ensure e.g.:

  • staff have a clear contact point / tool and instructions for reporting incidents
  • the reported security breaches will be addressed by qualified personnel in a sufficiently comprehensive manner
24. Responsibility of the controller
GDPR
7.2.1: Management responsibilities
ISO 27001
16.1.1: Responsibilities and procedures
ISO 27001
5.24: Information security incident management planning and preparation
ISO 27001

Management commitment to cyber security management and management system

Critical
High
Normal
Low

The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:

  • defining the frameworks or other requirements that form the basis for work (e.g. customer promises, regulations or certificates)
  • determining the resources needed to manage security
  • communicating the importance of cyber security
  • ensuring that the work achieves the desired results
  • promoting the continuous improvement of cyber security

Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all information / activities of the organization.

24. Responsibility of the controller
GDPR
7.2.1: Management responsibilities
ISO 27001
7.2.2: Information security awareness, education and training
ISO 27001
5.1.1: Policies for information security
ISO 27001
ID.GV-1: Cybersecurity policy
NIST CSF

Amount, competence and adequacy of key cyber security personnel

Critical
High
Normal
Low

The organization shall have a sufficient number of trained, supervised and, where necessary, properly security cleared personnel who play key roles in information security, performing management tasks related to the information security management system.

The organization has defined:

  • what qualifications this staff should have
  • how qualifications are acquired and ensured (e.g. through appropriate training and training monitoring)
  • how qualifications can be demonstrated through documentation

The owner of the task regularly reviews the number and level of competence of the security personnel.

T03: Turvallisuustyön resurssit
32. Security of processing
GDPR
37. Designation of the data protection officer
GDPR
6.1.1: Information security roles and responsibilities
ISO 27001
ID.GV-2: Cybersecurity role coordination
NIST CSF

Defining security roles and responsibilities

Critical
High
Normal
Low

Top management must ensure clear responsibilities / authority on at least the following themes:

  • who is primarily responsible for ensuring that the information security management system complies with the information security requirements
  • who act as ISMS theme owners responsible for the main themes of the information security management system
  • who has the responsibility and authority to report to top management on the performance of the information security management system
  • who is authorized to carry out internal audits

The ISMS theme owners are presented on the desktop of the management system and in the Information security policy report.

In addition, top management shall ensure that all roles relevant to information security, as well as related responsibilities and authorities, are defined and communicated.

T02: Turvallisuustyön tehtävien ja vastuiden määrittäminen
24. Responsibility of the controller
GDPR
6.1.1: Information security roles and responsibilities
ISO 27001
ID.AM-6: Cybersecurity roles and responsibilities
NIST CSF
ID.GV-2: Cybersecurity role coordination
NIST CSF

Adequate security principles of the organisation in terms of classified information

Critical
High
Normal
Low

Top management of the organization is responsible for:

  • the organization having security principles approved by top management, which describe the connection of the organization's information security measures to the organization's operations
  • the security principles being comprehensive and appropriate in terms of protecting classified information
  • these security principles guiding information security measures
  • the organization having organized sufficient monitoring of compliance with obligations and instructions related to information management of security-classified information.
No items found.

Learning from testing operational resilience

Critical
High
Normal
Low

Organisation should have a process to analyse and learn from the operational resilience testing results, from actual cyber security incidents and from experiences of activating continuity plans. Relevant information and experiences should be exchanged with counterparts.

The lessons learned should be incorporated in to the cyber risk management process.

The organisation's top management should have a yearly report about the lessons from senior ICT staff along with recommendations for improvements.

No items found.

Monitoring and analysing effectiveness of digital operational resilience strategy

Critical
High
Normal
Low

The organisation must monitor the effectiveness of their digital operational resilience strategy. This should include at least:

  • Mapping of ICT risk evaluation over time
  • Analyse frequency, type, scale and evolution of incidents
  • Special focus should be in patterns of cyber attacks

This should increase the awareness of exposure to cyber attack related risk especially with important and critical functions and preparedness against cyber attacks.

No items found.

Considering the possibility of fraud in risk assessment

Critical
High
Normal
Low

The organization must consider the possibility of fraud related to information security when assessing risks.

It is at least worth noting:

  • Different types of fraud and their possible consequences (incorrect reporting, loss of information assets and corruption)
  • Effect of various incentives and pressures to commit fraud
  • Evaluation of attitudes and justifications, how a manager or other employee could justify their fraudulent activity
  • Evaluation of the possibilities of fraud in the use of information systems
No items found.

Priority classification of an organization's information assets

Critical
High
Normal
Low

An organization must classify its information assets, such as information systems, data, units, key personnel, and other assets to be protected (e.g., equipment), according to priorities. Prioritization can be done, for example, based on the requirements for confidentiality, integrity, and availability of the information being processed.

ID.AM-5: Resource prioritization
NIST CSF

Evaluating the efficiency of internal audits

Critical
High
Normal
Low

Task owner regularly evaluates the implementation of internal audits, especially from the following perspectives:

  • whether the auditors have been selected in such a way that the objectivity and impartiality of the audit process are realized
  • whether the audits were performed in such a way that the objectivity and impartiality of the audit process were realized

If necessary, task owner makes changes to the internal audit procedure.

No items found.

Data protection certifications

Critical
High
Normal
Low

The idea behind the certification mechanisms is to demonstrate that data processing follows good data processing practices and good practices in general. Example of a security certificate is for example: ISO27001.

18.2.2: Compliance with security policies and standards
ISO 27001