Learn more about the connected frameworks

17.1.3: Verify, review and evaluate information security continuity
ISO 27001
5.29: Information security during disruption
ISO 27001
6.4 (MIL3): Address Cybersecurity in Continuity of Operations
C2M2
ID.SC-5: Response and recovery
NIST CSF
PR.IP-10: Response and recovery plan tests
NIST CSF
RC.IM-2: Recovery strategies
NIST CSF
RS.IM-2: Response strategies update
NIST CSF

Other tasks from the same security theme

Creating and documenting continuity plans

Sometimes an unexpected event, such as a fire, flood, or equipment failure, causes downtime. To be able to continue operations as quickly and smoothly as possible, continuity planning is carried out, i.e. the response to these exceptional situations is planned in advance.

Each continuity plan shall contain at least the following information:

  • Event for which the plan has been made
  • Goal for recovery time
  • Responsible persons and related stakeholders and contact information
  • Planned immediate actions
  • Planned recovery steps

T05: Continuity management
17.1.2: Implementing information security continuity
ISO 27001
ID.SC-5: Response and recovery
NIST CSF
PR.IP-9: Response and recovery plans
NIST CSF
RC.RP-1: Recovery plan
NIST CSF

Preparation of contingency plans based on risk assessments

The information management unit must carry out the relevant risk assessments regarding its processing of information assets, its use of information systems and the continuity of its operations. Based on the risk assessment, the information management unit must:

a) Prepare contingency plans and advance preparations for disruptions.

b) Take the other measures needed so that the processing of information assets, the use of information systems and the operations based on them can continue with as little disruption as possible, both in disruptions under normal conditions and in the emergency conditions referred to in the Emergency Powers Act (1552/2011).


Notifying the system provider of deviations from data system requirements

In accordance with section 41 of the Client Data Act, the organisation must notify the information system provider if a deviation from the essential requirements for information systems arises in a system. Deviations are described in chapter 10.4 of THL regulation 5/2021.

Significant deviations in information systems must be reported to Valvira, especially in situations where the deviation may pose a significant risk to client or patient safety or to information security. Corrective actions must be taken to remedy significant deviations.


Identifying critical functions and related assets

The organization has a clear process, according to which it identifies the most critical functions in terms of its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.

Items in the IT environment that are necessary for these activities (such as information systems, data reserves, operating processes, partners, units, hardware) are classified as critical.

Critical functions are considered with the highest priority, e.g. in continuity planning, and stricter safety requirements can be applied to them than to other objects in the environment.

1.1 (MIL1): Manage IT and OT Asset Inventory
C2M2

Ensuring and testing the resilience of data processing environment

The organization must identify the required level of availability for the services it offers, as well as for any related data systems and the rest of the data processing environment. The organization must plan its systems and operations so that this availability level can be met.

When planning a resilient data processing environment, the organization should consider the following factors:

  • use of resilient networks
  • use of two geographically separate data centers with mirrored databases
  • use of several parallel software components with automatic load sharing
  • use of duplicated key components in systems (e.g. CPU, hard drives, memory) or networks (e.g. firewalls, routers, switches)

For example, in important production systems, the resilience should also be tested regularly to ensure a smooth transition to backup solutions during incidents.

8.14: Redundancy of information processing facilities
ISO 27001

Identifying and testing the continuity capabilities required from ICT services

Continuity requirements for ICT services are derived from continuity plans that are created for core processes (e.g. related to the provision of organization's products and services) and the recovery time goals included in them.

The organization must identify which recovery times and recovery points the different ICT services must be able to achieve, taking into account the defined recovery goals of the related processes, and must ensure that they can actually be achieved.

The planning must take into account in particular:

  • responsibilities are defined for preparing for, managing and responding to disruptions in ICT services
  • in particular continuity plans related to ICT services have been created, approved and are regularly tested
  • continuity plans contain information on performance requirements, recovery time requirements and recovery actions for each important ICT service, as well as recovery point requirements and restoring actions for each important ICT service

5.30: ICT readiness for business continuity
ISO 27001

Consideration of service dependencies in resilience planning

The dependency of services on other services and on other actors has been taken into account in the design of the entire data processing environment and its resilience.


Continuity of critical tasks in special situations

The organisation has identified the work tasks that are critical to the continuity of its operations. To keep the critical tasks running, alternative operating procedures for special situations, together with staff availability and backup arrangements, have been planned and prepared.

Owners have been named for implementing the continuity plans, deputies have been assigned to them, and the other persons needed to implement each plan have been specified. In addition, their ability to perform these tasks in normal situations has been verified.


Staff awareness of continuity plans

The relevant persons know the continuity plans related to their own activities, and their detailed contents, in sufficient detail, and are able to act in accordance with them.


Consideration of service provider transfers in continuity plans

When procuring a service, it must be taken into account that the service may be difficult to bring back in-house and that a service locked in to a vendor may be difficult to transfer to another service provider. This requirement must be considered in particular when procuring cloud services.

Continuity plans address, as one aspect requiring particular care, the bringing of services back in-house and their transfer to another service provider.


Executing an incident response plan with stakeholders

In the event of an incident, the implementation of the response plan with stakeholders must be carried out as specified in the plan.

RS.CO-4: Coordination with stakeholders
NIST CSF

Communication in accordance with the incident response plan in the event of an incident

In the event of an incident, communication with internal and external stakeholders must follow the incident response plan.

RS.CO-3: Information sharing
NIST CSF
6.3 (MIL1): Respond to Cybersecurity Incidents
C2M2

Developing an incident response plan for critical information systems

The organization shall establish an incident response plan for security incidents affecting critical information systems. Response plans should also be tested by the necessary organizational elements. The plan should take into account at least:

  • The purpose of the information system and the precautions to be taken in the event of its disruption
  • Recovery plans, targets, and priorities for the order of recovery of assets
  • The role of implementing the response plans and the contact details of the persons assigned to the roles
  • Continuation of normal operations regardless of the state of the information systems
  • Distribution, approval and review of response plans

In addition, the plan should at least:

  • Establish a roadmap for developing disruption management capacity
  • Describe the structure and organization of incident management capability
  • Provide metrics to measure incident management capability

RS.RP: Response Planning
NIST CSF
RS.RP-1: Incident response plan
NIST CSF

Defining the organization's continuity strategy

The organization must maintain a top-level strategy for continuity planning. The strategy should include at least:

  • Guidelines for defining continuity planning recovery time objectives and the adverse events requiring continuity plans
  • Management commitment to continuity planning and improvement
  • Description of the organization's risk appetite

In order to develop a strategy, it may be necessary to make use of general good practices, such as ISO 22300.


Testing and reviewing continuity plans related to cyber security breaches

The organization must test and update its response to security breaches at scheduled intervals or after significant changes. For critical parts of the organization, operational plans should be tested at least annually. Test results should be documented and communicated so that the plan can be improved.

PR.IP-10: Response and recovery plan tests
NIST CSF
RS.IM-2: Response strategies update
NIST CSF
RC.IM-2: Recovery strategies
NIST CSF

Considering cyber security breaches in continuity planning

The organization must document in advance procedures for responding to security breaches to ensure the actions of related departments, customers, and other critical partners in the event of a security breach.

PR.IP-9: Response and recovery plans
NIST CSF
RS.MI-2: Incident mitigation
NIST CSF
RC.RP: Recovery Planning
NIST CSF
RC.RP-1: Recovery plan
NIST CSF

Addressing disasters in continuity planning

The organization has to include disaster recovery in its continuity planning. Relevant disasters for the planning are natural disasters (e.g. floods, earthquakes, hurricanes) and human-caused disasters (e.g. terror attack, chemical attack or incident, insider attack).

Disaster planning places greater emphasis than continuity planning on safely returning operations to normal levels; only after that does the focus move to resuming normal operations.

The continuity plans must be updated at least annually or after significant changes.

PR.IP-9: Response and recovery plans
NIST CSF

Regular testing and review of continuity plans

The organization should regularly and at least annually test and review information security continuity plans to ensure that they are valid and effective in adverse situations.

Stakeholders critical to each plan will be involved in the testing of continuity plans, as appropriate.

In addition, in the event of significant changes in operations, the adequacy of continuity plans and related management mechanisms should be reassessed.

17.1.3: Verify, review and evaluate information security continuity
ISO 27001
ID.SC-5: Response and recovery
NIST CSF
PR.IP-10: Response and recovery plan tests
NIST CSF
RS.IM-2: Response strategies update
NIST CSF
RC.IM-2: Recovery strategies
NIST CSF

Ensuring the reliability of data systems

To ensure the reliability of the systems, the following measures should be taken:

  • Duplication of the systems
  • Planned temporary solutions in case of problem situations
  • Spare parts available
  • Using special components
  • Active monitoring
  • Active maintenance activities

Maintenance, updating and possible renewal of information systems, devices and networks should be planned with the necessary component and software updates to be implemented before possible failures. When examining the criticality of components, the perspective of customer and patient safety should be taken into account.


Process for checking integrity of data after an incident

The organisation must have a process for performing the checks needed to ensure that data integrity is maintained when recovering from an ICT incident.

The check should also be performed when data is reconstructed from external stakeholders, to ensure that the data is consistent and correct between the systems.


Conducting digital operational resilience testing

The organisation must, as part of its cyber risk management framework, maintain and review a digital operational resilience testing programme. The programme must help the organisation assess its preparedness to:

  • handle ICT-related incidents
  • identify weaknesses, deficiencies and gaps in digital operational resilience
  • implement corrective measures

The testing programme:

  • should include a variety of assessments, tests and tools to ensure the correctness of the testing
  • should follow a risk-based approach that recognizes the evolving landscape of ICT-related risks
  • should be conducted by independent parties, external or internal, with sufficient resources and without conflicts of interest

The organisation should have processes to prioritise, classify and remedy the issues uncovered by the testing programme.

As part of the programme the organisation must ensure yearly testing of all ICT systems and applications that support critical or important functions.


Continuous improvement of continuity plans

The organisation regularly develops its continuity plans by analysing the results of plan testing, training, and the actual use of the plans in real situations.


Communicating recovery measures to stakeholders

Organizational recovery measures must be communicated as planned to critical individuals and management within the organization. Recovery measures must also be communicated to external stakeholders.

RC.CO-3: Recovery actions
NIST CSF

Communication to stakeholders on continuity plans

The organization shall have procedures in place to communicate effectively with stakeholders and other participants while continuity plans and survival procedures are in effect.

Communication plans related to continuity plans shall include:

  • Responsible persons, related stakeholders and other necessary contact information
  • Clear criteria for the situation where continuity communication will be implemented
  • A clear description of the staff implementing the continuity communication in each situation and the recipients to whom the communication will be sent
  • References to the templates and tools to be used

Requirements about information security continuity

The organization should define requirements for the continuity of information security management during a crisis or disaster.

Information security management can either assume that the requirements are the same in adverse situations as in normal operating conditions, or seek to determine separately the security requirements applicable to adverse situations.

17.1.1: Planning information security continuity
ISO 27001
5.29: Information security during disruption
ISO 27001