Staff guidance and training procedure in cyber security

Critical
High
Normal
Low

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

  • staff receive instructions describing the general guidelines of digital security related to their job role
  • staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
  • staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

  • employee's personal security responsibilities (e.g. for devices and processed data)
  • policies relevant for everyone (e.g. security incident reporting)
  • guidelines relevant for everyone (e.g. clean desk)
  • organization's security roles (who to contact with problems)
Connected other frameworks and requirements:
T11: Turvallisuuskoulutus ja -tietoisuus
2 luku, 4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
29. Processing under the authority of the controller or processor
GDPR
32. Security of processing
GDPR
7.2.1: Management responsibilities
ISO 27001

General security competence and awareness of personnel

Critical
High
Normal
Low

Personnel under the direction of the entire organization must be aware:

  • how they can contribute to the effectiveness of the information security management system and the benefits of improving the level of information security
  • the consequences of non-compliance with the requirements of the information security management systemwhich roles in the personnel have effects to the level of security

In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.

Connected other frameworks and requirements:
32. Security of processing
GDPR
29. Processing under the authority of the controller or processor
GDPR
7.2.2: Information security awareness, education and training
ISO 27001
7.2.1: Management responsibilities
ISO 27001
PR.AT-1: Awareness
NIST CSF

Management commitment to cyber security management and management system

Critical
High
Normal
Low

The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:

  • defining the frameworks or other requirements that form the basis for work (e.g. customer promises, regulations or certificates)
  • determining the resources needed to manage security
  • communicating the importance of cyber security
  • ensuring that the work achieves the desired results
  • promoting the continuous improvement of cyber security

Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all information / activities of the organization.

Connected other frameworks and requirements:
24. Responsibility of the controller
GDPR
7.2.1: Management responsibilities
ISO 27001
7.2.2: Information security awareness, education and training
ISO 27001
5.1.1: Policies for information security
ISO 27001
ID.GV-1: Cybersecurity policy
NIST CSF
No items found.