Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:
Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:
The organization must operate, maintain, and continuously develop a security management system.
The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.
The organization has established a procedure for conducting internal audits. The procedure shall describe at least:
The Statement of Applicability (SoA) is a key document that defines how an organization implements much of its cyber security.
The statement describes which of the controls recommended by ISO 27001 are implemented in the organization, how they are implemented, and the current state of the controls. In addition, possible reasons for not using certain controls are described.
The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:
The task owner regularly checks that the procedure is clear and produces consistent results.
The organization has an information security policy developed and approved by top management. The policy shall include at least the following:
In addition, the task owner shall ensure that:
Theme-specific policy documents can help the communication and reviewing of tasks, guidelines and other documentation related to different security themes, as well as connecting possible higher-level principles to the management system contents that describe the more detailed security implementation.
Organization must define which theme-specific policy documents are maintained and, if necessary, reviewed at chosen intervals. Examples of themes for which own policy documents may be maintained include e.g.: