Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Data system listing and owner assignment

Critical
High
Normal
Low

Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.

Data system documentation must include at least:

  • System purpose and linked responsibilities
  • System's data location (covered in a separate task)
  • System's maintenance and development responsibilities and linked partners (covered in a separate task)
  • When necessary system's access roles and authentication methods (covered in a separate task)
  • When necessary systems interfaces to other systems (covered in a separate task)
Connected other frameworks and requirements:
I06: Pääsyoikeuksien hallinnointi
4 luku, 13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
24. Responsibility of the controller
GDPR
5. Principles relating to processing of personal data
GDPR
32. Security of processing
GDPR

Personnel guidelines for reporting security incidents

Critical
High
Normal
Low

A process for reporting incidents is maintained to help staff report incidents efficiently and consistently.

Things to report as an incident include e.g.:

  • unauthorized access to data / premises
  • action against security guidelines
  • suspected security issue (e.g. phishing, malware infection)
  • data system outage
  • accidental or intentional destruction / alteration of data
  • lost or stolen device
  • compromised password
  • lost physical identifier (e.g. keychain, smart card, smart sticker)
  • suspected security weakness (e.g. on utilized data system or other procedures)

The personnel guidelines emphasize the obligation to report security incidents as soon as possible in accordance with the agreed process. The instructions also describe other operations in the event of an incident (e.g. recording seen error messages and other details).

Connected other frameworks and requirements:
T06: Turvallisuuspoikkeamien hallinta
24. Responsibility of the controller
GDPR
16.1.3: Reporting information security weaknesses
ISO 27001
16.1.2: Reporting information security events
ISO 27001
ID.RA-3: Threat identification
NIST CSF

Identification and documentation of cyber security risks

Critical
High
Normal
Low

The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:

  • Description of the risk
  • Evaluated impact and likelihood of the risk
  • Tasks for managing the risk or other treatment options
  • Acceptability of the risk
Connected other frameworks and requirements:
T04: Turvallisuusriskien hallinta
4 luku, 13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
24. Responsibility of the controller
GDPR
5. Principles relating to processing of personal data
GDPR
ID.GV-4: Processes
NIST CSF

Regular reviewing of data system access rights

Critical
High
Normal
Low

Data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.

When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.

Connected other frameworks and requirements:
I06: Pääsyoikeuksien hallinnointi
4 luku, 16 §: Tietojärjestelmien käyttöoikeuksien hallinta
24. Responsibility of the controller
GDPR
32. Security of processing
GDPR
5. Principles relating to processing of personal data
GDPR

Incident management resourcing and monitoring

Critical
High
Normal
Low

Management shall define responsibilities and establish procedures to ensure an effective and consistent response to security incidents.

Management must ensure e.g.:

  • interference management has clear responsibilities
  • there is a documented process for responding, handling and reporting incidents

The process must ensure e.g.:

  • staff have a clear contact point / tool and instructions for reporting incidents
  • the reported security breaches will be addressed by qualified personnel in a sufficiently comprehensive manner
Connected other frameworks and requirements:
24. Responsibility of the controller
GDPR
7.2.1: Management responsibilities
ISO 27001
16.1.1: Responsibilities and procedures
ISO 27001
5.24: Information security incident management planning and preparation
ISO 27001

Management commitment to cyber security management and management system

Critical
High
Normal
Low

The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:

  • defining the frameworks or other requirements that form the basis for work (e.g. customer promises, regulations or certificates)
  • determining the resources needed to manage security
  • communicating the importance of cyber security
  • ensuring that the work achieves the desired results
  • promoting the continuous improvement of cyber security

Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all information / activities of the organization.

Connected other frameworks and requirements:
24. Responsibility of the controller
GDPR
7.2.1: Management responsibilities
ISO 27001
7.2.2: Information security awareness, education and training
ISO 27001
5.1.1: Policies for information security
ISO 27001
ID.GV-1: Cybersecurity policy
NIST CSF

Documentation of linked risks for identified security incidents

Critical
High
Normal
Low

Organization assesses cyber security risks by responding to situations where security has been mildly or severely compromised. The documentation shall include at least the following:

  • Description of the incident
  • Risks associated with the incident
  • New tasks introduced as a result of the incident
  • Other measures taken due to the incident
Connected other frameworks and requirements:
T05: Jatkuvuuden hallinta
24. Responsibility of the controller
GDPR
5. Principles relating to processing of personal data
GDPR

Process for initiating data breach treatment

Critical
High
Normal
Low

Our organization has pre-defined procedures through which the detected security breach will be addressed. The process may include e.g. the following things:

  • who are part of a team that is ready to respond to breaches
  • how and along what channel the entire team is immediately notified of the breach
  • the team determines the severity (low, medium, high) of the breach based on predefined criteria
  • the breach management is continued with a larger group according to the severity level
Connected other frameworks and requirements:
24. Responsibility of the controller
GDPR
32. Security of processing
GDPR
16.1.5: Response to information security incidents
ISO 27001
16.1.7: Collection of evidence
5.26: Response to information security incidents
ISO 27001

Defining security roles and responsibilities

Critical
High
Normal
Low

Top management must ensure clear responsibilities / authority on at least the following themes:

  • who is primarily responsible for ensuring that the information security management system complies with the information security requirements
  • who act as ISMS theme owners responsible for the main themes of the information security management system
  • who has the responsibility and authority to report to top management on the performance of the information security management system
  • who is authorized to carry out internal audits

The ISMS theme owners are presented on the desktop of the management system and in the Information security policy report.

In addition, top management shall ensure that all roles relevant to information security, as well as related responsibilities and authorities, are defined and communicated. It is also important to recognize the roles and responsibilities of external partners and providers.

Connected other frameworks and requirements:
T02: Turvallisuustyön tehtävien ja vastuiden määrittäminen
24. Responsibility of the controller
GDPR
6.1.1: Information security roles and responsibilities
ISO 27001
ID.AM-6: Cybersecurity roles and responsibilities
NIST CSF
ID.GV-2: Cybersecurity role coordination
NIST CSF
No items found.