Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

General rules for the procurement of data systems

Critical
High
Normal
Low

Whenever new data systems are acquired, a pre-defined procurement process and rules are followed. The rules ensure that the supplier is able to guarantee an adequate level of security, taking into account the priority of the system.

Connected other frameworks and requirements:
4 luku, 13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
14.1.1: Information security requirements analysis and specification
ISO 27001
5.23: Information security for use of cloud services
ISO 27001
7.2 (MIL1): Manage Third-Party Risk
C2M2

Security rules for the development and acquisition of data systems

Critical
High
Normal
Low

Whenever new data systems are acquired or developed, pre-defined security rules are followed, taking into account the priority of the system. The rules ensure that adequate measures are taken to ensure the security of the data and data processing in the system.

Connected other frameworks and requirements:
I13: Ohjelmistoilla toteutettavat pääsynhallintatoteutukset
4 luku, 13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
14.1.1: Information security requirements analysis and specification
ISO 27001
14.1.2: Securing application services on public networks
ISO 27001
14.2.5: Secure system engineering principles
ISO 27001

Criteria for suppliers of high priority data systems

Critical
High
Normal
Low

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

Connected other frameworks and requirements:
15.1.1: Information security policy for supplier relationships
ISO 27001
14.1.1: Information security requirements analysis and specification
ISO 27001
15.2.1: Monitoring and review of supplier services
ISO 27001
ID.SC-1: Cyber supply chain
NIST CSF
ID.SC-4: Audit suppliers and third-party partners
NIST CSF

System portfolio management and proactive design of portfolio

Critical
High
Normal
Low

Determined system portfolio management means a clear picture of the organization's system as a whole, the benefits of different systems and future needs.

The aim of system portfolio management is to achieve e.g.:

  • efficiency benefits by understanding the whole and e.g. the possibilities of integrations
  • eliminate duplication
  • save on unnecessary licensing costs
  • control the number of suppliers
  • facilitate staff guidance
Connected other frameworks and requirements:
14.1.1: Information security requirements analysis and specification
ISO 27001

Data processing agreement analysis for most important system providers

Critical
High
Normal
Low

The processing agreement binds the actions of the data processor (such as the system vendor).

It can be important for us to ensure an important partner takes responsibility of e.g. access control (logging) and data recovery at the end of the contract according to our preferred policies.

Connected other frameworks and requirements:
28. Processor
GDPR
15.1.2: Addressing security within supplier agreements
ISO 27001
14.1.1: Information security requirements analysis and specification
ISO 27001
5.19: Information security in supplier relationships
ISO 27001
No items found.