Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Risk management procedure -report publishing and maintenance

Critical
High
Normal
Low

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

  • Risk identification methods
  • Methods for risk analysis
  • Criteria for risk evaluation (impact and likelihood)
  • Risk priorisation, treatment options and defining control tasks
  • Risk acceptance criteria
  • Process implementation cycle, resourcing and responsibilities

The task owner regularly checks that the procedure is clear and produces consistent results.

Connected other frameworks and requirements:
T04: Turvallisuusriskien hallinta
5.1.1: Policies for information security
ISO 27001
ID.GV-4: Processes
NIST CSF
ID.RA-5: Risk evaluation
NIST CSF
ID.RA-6: Risk responses
NIST CSF

Identification and documentation of cyber security risks

Critical
High
Normal
Low

The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:

  • Description of the risk
  • Evaluated impact and likelihood of the risk
  • Tasks for managing the risk or other treatment options
  • Acceptability of the risk
Connected other frameworks and requirements:
T04: Turvallisuusriskien hallinta
4 luku, 13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
24. Responsibility of the controller
GDPR
5. Principles relating to processing of personal data
GDPR
ID.GV-4: Processes
NIST CSF

Data store listing and owner assignment

Critical
High
Normal
Low

Organisation must maintain a listing of controlled data stores and their owners. Owner is responsible for completing the documentation and other possible security actions directly related to the data store.

Data store documentation must include at least:

  • Connected responsibilities
  • Data processing purposes (covered in a separate task)
  • Data sets included in the data store (covered in a separate task)
  • Data disclosures (covered in a separate task)
  • When necessary, data stores connections to action processes
Connected other frameworks and requirements:
2 luku, 5 §: Tiedonhallintamalli ja muutosvaikutuksen arviointi
6. Lawfulness of processing
GDPR
5. Principles relating to processing of personal data
GDPR
8.1.1: Inventory of assets
ISO 27001
ID.GV-4: Processes
NIST CSF
No items found.