The organisation must maintain a list of the data systems in use and their owners. The owner is responsible for completing the related documentation and any other security actions directly related to the data system.
Data system documentation must include at least:
A process for reporting incidents is maintained to help staff report incidents efficiently and consistently.
Things to report as an incident include, for example:
The personnel guidelines emphasize the obligation to report security incidents as soon as possible in accordance with the agreed process. The instructions also describe other operations in the event of an incident (e.g. recording seen error messages and other details).
The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:
The data system owner defines the access roles for the system according to the tasks of its users. Actual access rights must be checked against the planned ones, and the rights reassessed at regular intervals.
When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.
Management shall define responsibilities and establish procedures to ensure an effective and consistent response to security incidents.
Management must ensure, for example:
The process must ensure, for example:
The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:
Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all information / activities of the organization.
The organization also assesses cyber security risks through its response to situations where security has been mildly or severely compromised. The documentation shall include at least the following:
Our organization has pre-defined procedures for addressing a detected security breach. The process may include, for example, the following:
Top management must ensure clear responsibilities / authority on at least the following themes:
The ISMS theme owners are presented on the desktop of the management system and in the Information security policy report.
In addition, top management shall ensure that all roles relevant to information security, as well as related responsibilities and authorities, are defined and communicated.