Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Staff guidance and training procedure in cyber security

Critical
High
Normal
Low

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

  • staff receive instructions describing the general guidelines of digital security related to their job role
  • staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
  • staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

  • employee's personal security responsibilities (e.g. for devices and processed data)
  • policies relevant for everyone (e.g. security incident reporting)
  • guidelines relevant for everyone (e.g. clean desk)
  • organization's security roles (who to contact with problems)
Connected other frameworks and requirements:
T11: Turvallisuuskoulutus ja -tietoisuus
2 luku, 4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
29. Processing under the authority of the controller or processor
GDPR
32. Security of processing
GDPR
7.2.1: Management responsibilities
ISO 27001

ISMS description and maintenance

Critical
High
Normal
Low

The organization must operate, maintain, and continuously develop a security management system.

The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.

Connected other frameworks and requirements:
5.1.1: Policies for information security
ISO 27001
PR.AT-5: Physical and cybersecurity personnel
NIST CSF
5.1: Policies for information security
ISO 27001
4.3 : Scope of the ISMS
ISO 27001
4.4: Information security management system
ISO 27001

Internal audit procedure -report publishing and maintenance

Critical
High
Normal
Low

The organization has established a procedure for conducting internal audits. The procedure shall describe at least:

  • how often audits are carried out
  • who may carry out the audits (including audit criteria)
  • how the actual audit is carried out
  • how audit results are documented and to whom the results are reported
Connected other frameworks and requirements:
ID.GV-3: Legal and regulatory requirements
NIST CSF
7.5: Requirements for documented information
ISO 27001
9.2: Internal audit
ISO 27001

Creating and maintaining a statement of applicability

Critical
High
Normal
Low

The Statement of Applicability (SoA) is a key document that defines how an organization implements much of its cyber security.

The statement describes which of the controls recommended by ISO 27001 are implemented in the organization, how they are implemented, and the current state of the controls. In addition, possible reasons for not using certain controls are described.

Connected other frameworks and requirements:
6.1: Information security risk management
ISO 27001
7.5: Requirements for documented information
ISO 27001

Risk management procedure -report publishing and maintenance

Critical
High
Normal
Low

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

  • Risk identification methods
  • Methods for risk analysis
  • Criteria for risk evaluation (impact and likelihood)
  • Risk priorisation, treatment options and defining control tasks
  • Risk acceptance criteria
  • Process implementation cycle, resourcing and responsibilities

The task owner regularly checks that the procedure is clear and produces consistent results.

Connected other frameworks and requirements:
T04: Turvallisuusriskien hallinta
5.1.1: Policies for information security
ISO 27001
ID.GV-4: Processes
NIST CSF
ID.RA-5: Risk evaluation
NIST CSF
ID.RA-6: Risk responses
NIST CSF

Information security policy -report publishing, informing and maintenance

Critical
High
Normal
Low

The organization has an information security policy developed and approved by top management. The policy shall include at least the following:

  • the basis for setting the organization’s security objectives
  • commitment to meeting information security requirements
  • commitment to continuous improvement of the information security management system

In addition, the task owner shall ensure that:

  • the is appropriate for the organization's business idea
  • the policy is communicated to the entire organization
  • the policy is available to stakeholders as appropriate
Connected other frameworks and requirements:
T01: Turvallisuusperiaatteet
5.1.2: Review of the policies for information security
ISO 27001
5: Information security policies
ISO 27001
5.1: Management direction for information security
ISO 27001
5.1.1: Policies for information security
ISO 27001

Maintaining chosen theme-specific policy documents

Critical
High
Normal
Low

Theme-specific policy documents can help the communication and viewing of tasks, instructions and other documentation related to different areas, as well as connecting possible upper-level principles to these contents of the management system, which describe a more detailed implementation.

The organization must define which theme-specific policy documents are maintained and, if necessary, reviewed as a whole at desired intervals. Examples of topics for which you may want to maintain your own policy document include:

  • access control
  • physical security
  • management of assets to be protected
  • backup
  • encryption practices
  • data classification
  • technical vulnerability management
  • secure development
Connected other frameworks and requirements:
5.1.1: Policies for information security
ISO 27001
5.1: Policies for information security
ISO 27001
7.5: Requirements for documented information
ISO 27001
No items found.