TISAX: Information security
1.5.1: Assessment of policies and requirements

How to fill the requirement

Internal audit procedure - report publishing and maintenance
Theme: Risk management and leadership
Policy: Cyber security management
Linked requirements: 12

This task also fulfils the following other security requirements:

ID.GV-3: Legal and regulatory requirements (NIST)
7.5: Requirements for documented information (ISO27k1 Full)
9.2: Internal audit (ISO27k1 Full)
CC1.5: Accountability for responsibilities (SOC 2)
Article 5: Governance and organisation (DORA)
1. Task description

The organization has established a procedure for conducting internal audits. The procedure shall describe at least:

  • how often audits are carried out
  • who may carry out the audits, and the audit criteria and scope
  • how the audit itself is carried out
  • how audit results are documented and to whom they are reported
Executing and documenting internal audits
Theme: Risk management and leadership
Policy: Cyber security management
Linked requirements: 24

This task also fulfils the following other security requirements:

18.2.1: Independent review of information security (ISO27 Full)
12.7: Information systems audit considerations (ISO27 Full)
12.7.1: Information systems audit controls (ISO27 Full)
ID.GV-3: Legal and regulatory requirements (NIST)
HAL-07: Monitoring and supervision (Julkri)
1. Task description

The organization conducts internal audits in accordance with its internal audit procedure. The aim is to check:

  • whether the information security management system meets the organization's own information security requirements
  • whether it meets the other security requirements, standards or regulations the organization has committed to comply with
  • whether it is effectively implemented and maintained

Documented information on the execution and results of audits must be kept.

Maintaining chosen theme-specific policy documents
Theme: Risk management and leadership
Policy: Cyber security management
Linked requirements: 8

This task also fulfils the following other security requirements:

5.1: Policies for information security (ISO27k1 Full)
5.1.1: Policies for information security (ISO27 Full)
7.5: Requirements for documented information (ISO27k1 Full)
CC5.3: Establishment of policies (SOC 2)
6.1: General information security practices (Tietoturvasuunnitelma, information security plan)
1. Task description

Theme-specific policy documents make it easier to communicate and review the tasks, instructions and other documentation that belong to a given area, and to connect any higher-level principles to the more detailed implementation described in the management system.

The organization must define which theme-specific policy documents are maintained and, if necessary, reviewed as a whole at defined intervals. Examples of topics for which a dedicated policy document may be worth maintaining include:

  • access control
  • physical security
  • management of assets to be protected
  • backup
  • encryption practices
  • data classification
  • technical vulnerability management
  • secure development
Treatment process and documentation of identified non-conformities
Theme: Risk management and leadership
Policy: Risk management
Linked requirements: 11

This task also fulfils the following other security requirements:

10.2: Non-conformity and corrective action (ISO27k1 Full)
23: Incident and non-conformity management process (Sec overview)
CC4.2: Evaluation and communication of internal control deficiencies (SOC 2)
21.4: Non-conformities and corrective actions (NIS2)
P8.1: Periodic monitoring of privacy compliance (SOC 2)
1. Task description

From the point of view of the information security management system, non-conformities are situations in which:

  • the management system does not meet the organization's security requirements
  • the procedures, tasks or guidelines defined in the management system are not followed in the organization's day-to-day operations

In systematic security work, every detected non-conformity must be documented. To treat a non-conformity, the organization must identify and implement corrective actions that remove it and, where it is likely to recur, address its cause as well.

Monitoring compliance with security guidelines
Theme: Personnel security
Policy: Security guidelines
Linked requirements: 12

This task also fulfils the following other security requirements:

T11: Security training and awareness (Katakri)
29. Processing under the authority of the controller or processor (GDPR)
18.2.2: Compliance with security policies and standards (ISO27 Full)
HAL-12: Guidelines (Julkri)
HAL-13: Training (Julkri)
1. Task description

Compliance with security guidelines can be monitored either technically (for example from system configuration and log data) or directly, by asking or testing employees.

Regular internal monitoring of the implementation of the information security management system
Theme: Risk management and leadership
Policy: Risk management
Linked requirements: 19

This task also fulfils the following other security requirements:

18.2.2: Compliance with security policies and standards (ISO27 Full)
8.1: Operational planning and control (ISO27k1 Full)
CC4.2: Evaluation and communication of internal control deficiencies (SOC 2)
5.36: Compliance with policies, rules and standards for information security (ISO27k1 Full)
4.4: Information security management system (ISO27k1 Full)
1. Task description

The ISMS should monitor the implementation of the tasks and guidelines recorded therein.

The task owner should regularly review the implementation status of the ISMS as a whole.

Regular monitoring of the vulnerability management process
Theme: Development and cloud
Policy: Technical vulnerability management
Linked requirements: 13

This task also fulfils the following other security requirements:

12.6.1: Management of technical vulnerabilities (ISO27 Full)
ID.RA-1: Asset vulnerabilities (NIST)
PR.IP-12: Vulnerability management plan (NIST)
TEK-19: Management of software vulnerabilities (Julkri)
8.8: Management of technical vulnerabilities (ISO27k1 Full)
1. Task description

The technical vulnerability management process is regularly monitored and evaluated to ensure its effectiveness and efficiency.
