The organization must operate, maintain, and continuously develop a security management system.
The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.
Organization's top management sets security objectives. Security objectives meet the following requirements:
In connection with the documentation of security objectives, the necessary top-level improvements and tasks, needed resources, responsible persons, due dates and methods for evaluating the results in order to achieve the objectives are also defined.
The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:
The task owner regularly checks that the procedure is clear and produces consistent results.
The organization has an information security policy developed and approved by top management. The policy shall include at least the following:
In addition, the task owner shall ensure that:
Theme-specific policy documents can help the communication and viewing of tasks, instructions and other documentation related to different areas, as well as connecting possible upper-level principles to these contents of the management system, which describe a more detailed implementation.
The organization must define which theme-specific policy documents are maintained and, if necessary, reviewed as a whole at desired intervals. Examples of topics for which you may want to maintain your own policy document include:
The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:
Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all information / activities of the organization.
The employees of our organization accept the general information security policy formed by the management with their signatures. The policy may refer to a number of more specific security guidelines.