Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Staff guidance and training procedure in cyber security

Critical
High
Normal
Low

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

  • staff receive instructions describing the general guidelines of digital security related to their job role
  • staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
  • staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

  • employee's personal security responsibilities (e.g. for devices and processed data)
  • policies relevant for everyone (e.g. security incident reporting)
  • guidelines relevant for everyone (e.g. clean desk)
  • organization's security roles (who to contact with problems)
Connected other frameworks and requirements:
T11: Turvallisuuskoulutus ja -tietoisuus
2 luku, 4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
29. Processing under the authority of the controller or processor
GDPR
32. Security of processing
GDPR
7.2.1: Management responsibilities
ISO 27001

Personnel guidelines for safe processing of personal and confidential data

Critical
High
Normal
Low

The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is ready to advise the controller, personal data processing partners or their own staff on compliance with GDPR or other data protection requirements.

Connected other frameworks and requirements:
29. Processing under the authority of the controller or processor
GDPR
7.2.2: Information security awareness, education and training
ISO 27001
18.1.4: Privacy and protection of personally identifiable information
12.1.1: Documented operating procedures
ISO 27001
11.2.8: Unattended user equipment
ISO 27001

General security guidelines for staff

Critical
High
Normal
Low

Personnel must have security guidelines that deal with e.g. the following topics:

  • Using and updating mobile devices
  • Storing and backing up data
  • Privacy
  • Using email
  • Handling of printouts, papers and files
  • Reporting incidents
  • Scam prevention
Connected other frameworks and requirements:
T11: Turvallisuuskoulutus ja -tietoisuus
2 luku, 4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
29. Processing under the authority of the controller or processor
GDPR
9.4.4: Use of privileged utility programs
ISO 27001
11.2.7: Secure disposal or re-use of equipment
ISO 27001

Personnel guidelines for safe data system and authentication info usage

Critical
High
Normal
Low

The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.

In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.

Connected other frameworks and requirements:
32. Security of processing
GDPR
29. Processing under the authority of the controller or processor
GDPR
8.1.3: Acceptable use of assets
ISO 27001
12.1.1: Documented operating procedures
ISO 27001
9.1.1: Access control policy
ISO 27001

General security competence and awareness of personnel

Critical
High
Normal
Low

Personnel under the direction of the entire organization must be aware:

  • how they can contribute to the effectiveness of the information security management system and the benefits of improving the level of information security
  • the consequences of non-compliance with the requirements of the information security management systemwhich roles in the personnel have effects to the level of security

In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.

Connected other frameworks and requirements:
29. Processing under the authority of the controller or processor
GDPR
32. Security of processing
GDPR
7.2.1: Management responsibilities
ISO 27001
7.2.2: Information security awareness, education and training
ISO 27001
PR.AT-1: Awareness
NIST CSF

Monitoring compliance with security guidelines

Critical
High
Normal
Low

Following security guidelines can be monitored either technically or directly by asking / testing employees.

Connected other frameworks and requirements:
29. Processing under the authority of the controller or processor
GDPR
18.2.2: Compliance with security policies and standards
ISO 27001
T11: Turvallisuuskoulutus ja -tietoisuus
5.36: Compliance with policies, rules and standards for information security
ISO 27001
5.37: Documented operating procedures
ISO 27001
No items found.