Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

ISMS description and maintenance

Critical
High
Normal
Low

The organization must operate, maintain, and continuously develop a security management system.

The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.

Connected other frameworks and requirements:
5.1.1: Policies for information security
ISO 27001
PR.AT-5: Physical and cybersecurity personnel
NIST CSF
5.1: Policies for information security
ISO 27001
4.3 : Scope of the ISMS
ISO 27001
4.4: Information security management system
ISO 27001

Defining and documenting security objectives

Critical
High
Normal
Low

Organization's top management sets security objectives. Security objectives meet the following requirements:

  • they shall take into account applicable data security and data protection requirements and the results of risk assessment and treatment
  • they are clearly communicated to key security and data protection personnel, staff and other relevant stakeholders
  • they are updated as necessary (e.g. when the risk landscape changes or periodically when the objectives are met)
  • they are documented and (if possible) measurable

In connection with the documentation of security objectives, the necessary top-level improvements and tasks, needed resources, responsible persons, due dates and methods for evaluating the results in order to achieve the objectives are also defined.

Connected other frameworks and requirements:
5.1.1: Policies for information security
ISO 27001
ID.BE-3: Organizational mission, objectives and activities
NIST CSF
ID.GV-1: Cybersecurity policy
NIST CSF
5.1: Leadership and commitment
ISO 27001
6.2: Information security objectives
ISO 27001

Risk management procedure -report publishing and maintenance

Critical
High
Normal
Low

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

  • Risk identification methods
  • Methods for risk analysis
  • Criteria for risk evaluation (impact and likelihood)
  • Risk priorisation, treatment options and defining control tasks
  • Risk acceptance criteria
  • Process implementation cycle, resourcing and responsibilities

The task owner regularly checks that the procedure is clear and produces consistent results.

Connected other frameworks and requirements:
T04: Turvallisuusriskien hallinta
5.1.1: Policies for information security
ISO 27001
ID.GV-4: Processes
NIST CSF
ID.RA-5: Risk evaluation
NIST CSF
ID.RA-6: Risk responses
NIST CSF

Information security policy -report publishing, informing and maintenance

Critical
High
Normal
Low

The organization has an information security policy developed and approved by top management. The policy shall include at least the following:

  • the basis for setting the organization’s security objectives
  • commitment to meeting information security requirements
  • commitment to continuous improvement of the information security management system

In addition, the task owner shall ensure that:

  • the is appropriate for the organization's business idea
  • the policy is communicated to the entire organization
  • the policy is available to stakeholders as appropriate
Connected other frameworks and requirements:
T01: Turvallisuusperiaatteet
5.1.2: Review of the policies for information security
ISO 27001
5: Information security policies
ISO 27001
5.1: Management direction for information security
ISO 27001
5.1.1: Policies for information security
ISO 27001

Maintaining chosen theme-specific policy documents

Critical
High
Normal
Low

Theme-specific policy documents can help the communication and viewing of tasks, instructions and other documentation related to different areas, as well as connecting possible upper-level principles to these contents of the management system, which describe a more detailed implementation.

The organization must define which theme-specific policy documents are maintained and, if necessary, reviewed as a whole at desired intervals. Examples of topics for which you may want to maintain your own policy document include:

  • access control
  • physical security
  • management of assets to be protected
  • backup
  • encryption practices
  • data classification
  • technical vulnerability management
  • secure development
Connected other frameworks and requirements:
5.1: Policies for information security
ISO 27001
5.1.1: Policies for information security
ISO 27001
7.5: Requirements for documented information
ISO 27001

Management commitment to cyber security management and management system

Critical
High
Normal
Low

The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:

  • defining the frameworks or other requirements that form the basis for work (e.g. customer promises, regulations or certificates)
  • determining the resources needed to manage security
  • communicating the importance of cyber security
  • ensuring that the work achieves the desired results
  • promoting the continuous improvement of cyber security

Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all information / activities of the organization.

Connected other frameworks and requirements:
24. Responsibility of the controller
GDPR
7.2.1: Management responsibilities
ISO 27001
7.2.2: Information security awareness, education and training
ISO 27001
5.1.1: Policies for information security
ISO 27001
ID.GV-1: Cybersecurity policy
NIST CSF

Formal adoption of security policies

Critical
High
Normal
Low

The employees of our organization accept the general information security policy formed by the management with their signatures. The policy may refer to a number of more specific security guidelines.

Connected other frameworks and requirements:
7.2.2: Information security awareness, education and training
ISO 27001
5.1.1: Policies for information security
ISO 27001
5.1: Policies for information security
ISO 27001
No items found.