ISMS description and maintenance

Critical
High
Normal
Low

The organization must operate, maintain, and continuously develop a security management system.

The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.

Connected other frameworks and requirements:
5.1.1: Policies for information security
ISO 27001
PR.AT-5: Physical and cybersecurity personnel
NIST CSF
5.1: Policies for information security
ISO 27001
4.3 : Scope of the ISMS
ISO 27001
4.4: Information security management system
ISO 27001

Information security policy -report publishing, informing and maintenance

Critical
High
Normal
Low

The organization has an information security policy developed and approved by top management. The policy shall include at least the following:

  • the basis for setting the organization’s security objectives
  • commitment to meeting information security requirements
  • commitment to continuous improvement of the information security management system

In addition, the task owner shall ensure that:

  • the is appropriate for the organization's business idea
  • the policy is communicated to the entire organization
  • the policy is available to stakeholders as appropriate
Connected other frameworks and requirements:
T01: Turvallisuusperiaatteet
5.1.2: Review of the policies for information security
ISO 27001
5: Information security policies
ISO 27001
5.1: Management direction for information security
ISO 27001
5.1.1: Policies for information security
ISO 27001

Maintaining chosen theme-specific policy documents

Critical
High
Normal
Low

Theme-specific policy documents can help the communication and reviewing of tasks, guidelines and other documentation related to different security themes, as well as connecting possible higher-level principles to the management system contents that describe the more detailed security implementation.

Organization must define which theme-specific policy documents are maintained and, if necessary, reviewed at chosen intervals. Examples of themes for which own policy documents may be maintained include e.g.:

  • access management
  • physical security
  • asset management
  • backups
  • encryption
  • data classification
  • technical vulnerability management
  • secure development
Connected other frameworks and requirements:
5.1.1: Policies for information security
ISO 27001
5.1: Policies for information security
ISO 27001
7.5: Requirements for documented information
ISO 27001

Formal adoption of security policies

Critical
High
Normal
Low

The employees of our organization accept the general information security policy formed by the management with their signatures. The policy may refer to a number of more specific security guidelines.

Connected other frameworks and requirements:
5.1.1: Policies for information security
ISO 27001
7.2.2: Information security awareness, education and training
ISO 27001
5.1: Policies for information security
ISO 27001
No items found.