Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Designation of an incident management team

Critical
High
Normal
Low

The organization shall ensure that clear persons are assigned to incident management responsibilities, e.g. handling the first response for incidents.

Incident management personnel need to be instructed and trained to understand the organization's priorities in dealing with security incidents.

Connected other frameworks and requirements:
16.1.3: Reporting information security weaknesses
ISO 27001
16.1.2: Reporting information security events
ISO 27001
ID.RA-3: Threat identification
NIST CSF
RS.CO-1: Personnel roles
NIST CSF
5.25: Assessment and decision on information security events
ISO 27001

Personnel guidelines for reporting security incidents

Critical
High
Normal
Low

A process for reporting incidents is maintained to help staff report incidents efficiently and consistently.

Things to report as an incident include e.g.:

  • unauthorized access to data / premises
  • action against security guidelines
  • suspected security issue (e.g. phishing, malware infection)
  • data system outage
  • accidental or intentional destruction / alteration of data
  • lost or stolen device
  • compromised password
  • lost physical identifier (e.g. keychain, smart card, smart sticker)
  • suspected security weakness (e.g. on utilized data system or other procedures)

The personnel guidelines emphasize the obligation to report security incidents as soon as possible in accordance with the agreed process. The instructions also describe other operations in the event of an incident (e.g. recording seen error messages and other details).

Connected other frameworks and requirements:
T06: Turvallisuuspoikkeamien hallinta
24. Responsibility of the controller
GDPR
16.1.3: Reporting information security weaknesses
ISO 27001
16.1.2: Reporting information security events
ISO 27001
ID.RA-3: Threat identification
NIST CSF

Segregation of information security related duties

Critical
High
Normal
Low

Organisation should have processes for ensuring that conflicting responsibilities are segregated to reduce opportunities for misuse of the organization’s assets.

Care should be taken e.g. in relation to a single person being able to process data without detection. Often also separating the initiation of an event from its authorization is a good practice.

When direct segregation of duties is hard to achieve, the following principles can be utilized:

  • High-level segregation of information security responsibilities
  • Supporting segregation with good monitoring, audit trails and management supervision
Connected other frameworks and requirements:
6.1.2: Segregation of duties
ISO 27001
ID.RA-3: Threat identification
NIST CSF
PR.AC-4: Access permissions and authorizations
NIST CSF
PR.DS-5: Data leak protection
NIST CSF
5.3: Segregation of duties
ISO 27001

Processes for reporting information security events related to offered cloud services

Critical
High
Normal
Low

When offering cloud services, the organisation needs to have planned processes or procedures for:

  • how the cloud service customer reports an information security event to the organisation
  • how the organisation reports information security events to cloud service customers
  • how the cloud service customer can track the status of a previously reported information security event
Connected other frameworks and requirements:
ID.RA-3: Threat identification
NIST CSF
DE.DP-4: Event detection
NIST CSF
RS.CO-3: Information sharing
NIST CSF
RC.CO-1: Public relations
NIST CSF
16: Information security incident management
ISO 27017
No items found.