Content library
Kyberturvallisuuslaki (Cybersecurity Act, NIS2)
7 §: Risk management (Riskienhallinta)

How to fill the requirement

The tasks linked to this requirement are listed below, each with its theme, policy and the number of other requirements it also fulfils.
Task: Identification and documentation of cyber security risks
Theme: Risk management and leadership
Policy: Risk management
Other requirements: 35

This task also fulfils the following other security requirements:

  • T04: Security risk management (Katakri)
  • 13 §: Information security of information materials and information systems (TiHL)
  • 24. Responsibility of the controller (GDPR)
  • 5. Principles relating to processing of personal data (GDPR)
  • 8.3: Information security risk treatment (ISO27k1 Full)

1. Task description

The organization proactively seeks to list the various cyber security risks and to assess the likelihood and severity of each. The documentation shall include the following:

  • Description of the risk
  • Evaluated impact and likelihood of the risk
  • Tasks for managing the risk or other treatment options
  • Acceptability of the risk

Task: Evaluation process and documentation of significant security-related changes
Theme: Risk management and leadership
Policy: Risk management
Other requirements: 30

This task also fulfils the following other security requirements:

  • 6.3: Planning of changes (ISO27k1 Full)
  • 8.1: Operational planning and control (ISO27k1 Full)
  • 12.1.2: Change management (ISO27 Full)
  • 6.5: Installation, maintenance and updating of information systems (Self-monitoring)
  • PR.IP-3: Configuration change control processes (NIST)

1. Task description

In systematic cyber security work, the impact of significant changes must be assessed in advance and the changes must be executed in a controlled way. The consequences of unintentional changes must also be assessed, and efforts made to mitigate possible adverse effects.

Significant changes may include changes in the organization, the operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.

Task: Documentation of linked risks for identified security incidents
Theme: Risk management and leadership
Policy: Risk management
Other requirements: 9

This task also fulfils the following other security requirements:

  • T05: Continuity management (Katakri)
  • 24. Responsibility of the controller (GDPR)
  • 5. Principles relating to processing of personal data (GDPR)
  • 8.3: Information security risk treatment (ISO27k1 Full)
  • 21.2.a: Risk management and information system security (NIS2)

1. Task description

The organization assesses cyber security risks by responding to situations where security has been mildly or severely compromised. The documentation shall include at least the following:

  • Description of the incident
  • Risks associated with the incident
  • New tasks introduced as a result of the incident
  • Other measures taken due to the incident

Task: Assessment of residual risks
Theme: Risk management and leadership
Policy: Risk management
Other requirements: 5

This task also fulfils the following other security requirements:

  • 20: Assessment of residual risks (Sec overview)
  • 21.2.a: Risk management and information system security (NIS2)
  • 2.5: Risk management (TiHL: Information security)
  • 7 §: Risk management (KyberTL)
  • ID.GV-4: Governance and risk management processes address cybersecurity risks. (CyFun)

1. Task description

After risk treatment, the organization assesses the remaining level of residual risk for each risk.

For each residual risk, the risk owner makes a clear decision either to close the risk or to return it to the processing queue.