Kyberturvallisuuslaki (Finnish Cybersecurity Act, NIS2)
Section 10 (10 §): Management responsibility

How to fill the requirement

Tasks that fulfil this requirement (each listed with its theme, policy and the number of other requirements it also fulfils):
Defining and documenting security objectives
Theme: Risk management and leadership
Policy: Cyber security management
Other requirements fulfilled: 19

This task also fulfils the following other security requirements:

  • 5.1.1: Policies for information security (ISO27 Full)
  • ID.BE-3: Organizational mission, objectives, and activities (NIST)
  • ID.GV-1: Cybersecurity policy (NIST)
  • HAL-01: Principles (Julkri)
  • 5.1: Leadership and commitment (ISO27k1 Full)

1. Task description

The organization's top management sets the security objectives. The security objectives must meet the following requirements:

  • they shall take into account applicable data security and data protection requirements and the results of risk assessment and treatment
  • they are clearly communicated to key security and data protection personnel, staff and other relevant stakeholders
  • they are updated as necessary (e.g. when the risk landscape changes or periodically when the objectives are met)
  • they are documented and (if possible) measurable

When the security objectives are documented, the top-level improvements and tasks needed to achieve them, the required resources, the responsible persons, the due dates and the methods for evaluating the results are also defined.

Information security policy report: publishing, communication and maintenance
Theme: Risk management and leadership
Policy: Cyber security management
Other requirements fulfilled: 31

This task also fulfils the following other security requirements:

  • T01: Security principles (Katakri)
  • 8.1: Operational planning and control (ISO27k1 Full)
  • 5.1.2: Review of the policies for information security (ISO27 Full)
  • 5: Information security policies (ISO27 Full)
  • 5.1: Management direction for information security (ISO27 Full)

1. Task description

The organization has an information security policy developed and approved by top management. The policy shall include at least the following:

  • the basis for setting the organization’s security objectives
  • commitment to meeting information security requirements
  • commitment to continuous improvement of the information security management system

In addition, the task owner shall ensure that:

  • the policy is appropriate to the organization's business purpose
  • the policy is communicated to the entire organization
  • the policy is available to stakeholders as appropriate

Determination and adequacy of the cyber security budget
Theme: Risk management and leadership
Policy: Cyber security management
Other requirements fulfilled: 4

This task also fulfils the following other security requirements:

  • 5: Sufficient digital security budget (Sec overview)
  • 20.1: Top management commitment (NIS2)
  • Article 5: Governance and organisation (DORA)
  • 10 §: Management responsibility (KyberTL)

1. Task description

The organization has clearly defined a budget dedicated to the maintenance and development of digital security. The budget is sufficient to achieve the goals set for digital security.

When budgeting for digital security, three key areas in particular must be considered: personnel costs, technology solutions and operational costs.

Implementation and documentation of management reviews
Theme: Risk management and leadership
Policy: Cyber security management
Other requirements fulfilled: 16

This task also fulfils the following other security requirements:

  • 18.1.1: Identification of applicable legislation and contractual requirements (ISO27 Full)
  • ID.GV-3: Legal and regulatory requirements (NIST)
  • 9.3: Management review (ISO27k1 Full)
  • 12: Monitoring the state of digital security (Sec overview)
  • 13: Reporting the overall state of digital security (Sec overview)

1. Task description

Top management shall review the organization's information security management system at planned intervals to ensure that it remains appropriate, relevant and effective.

The management review shall address and comment on at least the following:

  • Status of improvements (or other actions) initiated as a result of previous management reviews
  • Future changes relevant to the security management system
  • Performance of the ISMS (problem areas, metrics, audit results and fulfilment of the security objectives set by management)
  • Stakeholder feedback on data security
  • Operation of the risk assessment and treatment process

Documented information on the execution and results of reviews must be maintained.

General security competence and awareness of personnel
Theme: Risk management and leadership
Policy: Cyber security management
Other requirements fulfilled: 20

This task also fulfils the following other security requirements:

  • 32. Security of processing (GDPR)
  • 29. Processing under the authority of the controller or processor (GDPR)
  • 7.2.2: Information security awareness, education and training (ISO27 Full)
  • 7.2.1: Management responsibilities (ISO27 Full)
  • PR.AT-1: Awareness (NIST)

1. Task description

All personnel working under the organization's direction must be aware of:

  • how they can contribute to the effectiveness of the information security management system, and the benefits of improving the level of information security
  • the consequences of non-compliance with the requirements of the information security management system
  • which personnel roles affect the level of security

In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.

Regular internal monitoring of the implementation of the information security management system
Theme: Risk management and leadership
Policy: Risk management
Other requirements fulfilled: 19

This task also fulfils the following other security requirements:

  • 18.2.2: Compliance with security policies and standards (ISO27 Full)
  • 8.1: Operational planning and control (ISO27k1 Full)
  • CC4.2: Evaluation and communication of internal control deficiencies (SOC 2)
  • 5.36: Compliance with policies, rules and standards for information security (ISO27k1 Full)
  • 4.4: Information security management system (ISO27k1 Full)

1. Task description

The organization should monitor, through the ISMS, the implementation of the tasks and guidelines recorded in it.

The task owner should regularly review the implementation status of the ISMS as a whole.
