Our organization has defined procedures for maintaining staff's cyber security awareness. These may include, for example, the following:
Training should focus on the security aspects most relevant to each job role and should cover, often enough, the basics that concern all employees:
The organisation regularly evaluates the level of cyber security and the effectiveness of the information security management system.
The organisation has defined:
Effective metrics should be usable for identifying weaknesses, targeting resources better and assessing the organisation's success or failure in cyber security.
All personnel working under the organization's direction must be aware of:
In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.
Management shall define responsibilities and establish procedures to ensure an effective and consistent response to security incidents.
Management must ensure, for example, that:
The process must ensure, for example, that:
The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:
Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, deciding whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all of the organization's information and activities.