Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Defining cyber security responsibilities and tasks in employment contracts

Critical
High
Normal
Low

The employment contracts specify the responsibilities of the employee and the organization for cyber security.

Contracts should include e.g.:

  • the employee's legal responsibilities and rights, such as those related to copyright or data protection law
  • the employee's responsibility for following the instructions, e.g. related to the use of hardware and data and the classification of information
  • the employee's or temporary employee's responsibility for processing information received from other companies or other parties
  • measures if the employee or temporary worker violates the safety requirements of the organization
  • continuing obligations after termination of employment
Connected other frameworks and requirements:
7.3: Termination and change of employment
ISO 27001
7.1.2: Terms and conditions of employment
7.3.1: Termination or change of employment responsibilities
ISO 27001
PR.DS-5: Data leak protection
NIST CSF
PR.IP-11: Cybersecurity in human resources
NIST CSF

Maintaining confidentiality agreements

Critical
High
Normal
Low

Kaikkien luottamuksellisia tietoja käsittelevien työntekijöiden olisi allekirjoitettava salassapito- tai vaitiolositoumus ennen luottamuksellisen tiedon käsittelyä.

Salassapitositoumuksen tulisi sisältää mm.:

  • luottamuksellisen tiedon selkeä määrittely
  • sitoumuksen oletettu kesto
  • edellytetyt toimenpiteet, kun sitoumus puretaan
  • allekirjoittaneiden vastuut ja toimenpiteet, jotta vältetään luvaton tiedon paljastaminen
  • tiedon, liikesalaisuuksien ja aineettoman omaisuuden omistajuus ja miten tämä liittyy luottamuksellisen tiedon suojaamiseen
  • luottamuksellisen tiedon sallittu käyttö ja allekirjoittaneen oikeudet käyttää tietoa
  • oikeus tarkastaa ja valvoa toimintoja, joihin liittyy luottamuksellista tietoa

Salassapitosopimuksien edellytyksiä ja tarpeita tarkistellaan ja päivitetään säännöllisin väliajoin.

Connected other frameworks and requirements:
7.3: Termination and change of employment
ISO 27001
7.1.2: Terms and conditions of employment
7.3.1: Termination or change of employment responsibilities
ISO 27001
13.2.4: Confidentiality or non-disclosure agreements
ISO 27001
T10: Salassapito- ja vaitiolositoumukset

Informing about cyber security responsibilities that continue after employment relationship has ended

Critical
High
Normal
Low

The employment contract should distinguish between cyber security responsibilities and obligations that remain in force after the termination of the employment relationship. The employee should also be reminded of these at the end of the employment relationship to ensure compliance.

Connected other frameworks and requirements:
7.3: Termination and change of employment
ISO 27001
7.3.1: Termination or change of employment responsibilities
ISO 27001
PR.DS-5: Data leak protection
NIST CSF
6.5: Responsibilities after termination or change of employment
ISO 27001

Arranging training and guidance during orientation (or before granting access rights)

Critical
High
Normal
Low

Before granting access rights to data systems with confidential information employees have:

  • received appropriate guidance on their security responsibilities (including reporting responsibilities and responsibility for their own devices)
  • received appropriate guidance on their security roles related to their own role (including digital security rules related to their role and information systems and their acceptable use)
  • received information from cyber security contacts who can be asked for more information
Connected other frameworks and requirements:
7.3: Termination and change of employment
ISO 27001
7.3.1: Termination or change of employment responsibilities
ISO 27001
9.2.2: User access provisioning
ISO 27001
2 luku, 4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
PR.IP-11: Cybersecurity in human resources
NIST CSF

Training personnel with a changed role

Critical
High
Normal
Low

Training arranged before granting access rights applies not only to new employees but also to those who move to new tasks or roles, especially when the data systems used by the person and the security requirements related to the job role change significantly with the change of job role. The training is arranged before the new job role becomes active.

Connected other frameworks and requirements:
7.3: Termination and change of employment
ISO 27001
7.3.1: Termination or change of employment responsibilities
ISO 27001
PR.IP-11: Cybersecurity in human resources
NIST CSF
6.5: Responsibilities after termination or change of employment
ISO 27001
No items found.