Content library
Cyber security management
Creating and maintaining a statement of applicability

Other tasks from the same security theme

Task name
Priority
Status
Theme
Policy
Other requirements
Creation and maintenance of the information security plan report
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

3: Vastuut tietoturvan sekä asiakastietojen asianmukaisen käsittelyn varmistamisessa
Tietoturvasuunnitelma
See all related requirements and other information from tasks own page.
Go to >
Creation and maintenance of the information security plan report
1. Task description

Organisaation on luotava ja ylläpidettävä tietoturvasuunnitelmaa.

Asiakastietolain 27 §:n mukaisesti palvelunantajan on laadittava tietoturvaan ja tietosuojaan sekä tietojärjestelmien käyttöön liittyvä tietoturvasuunnitelma.

Tämän määräyksen(MÄÄRÄYS 3/2024) mukaista tietoturvasuunnitelmaa ei tule sisällyttää tai yhdistää julkaistaviin tai julkisesti saatavilla oleviin omavalvontasuunnitelmiin. Tietoturvasuunnitelmaa ja siinä viitattuja liitedokumentteja tulee käsitellä ja säilyttää ottaen huomioon tarvittava suojaaminen sivullisilta ja tarvittaessa niihin tulee merkitä salassa pidettävä -tieto

Defining the frameworks that serve as the basis of the management system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

CC3.1: Sufficient specifying of objectives
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Defining the frameworks that serve as the basis of the management system
1. Task description

The organization must define the frameworks that are used as the basis of the management system. Requirements frameworks should address:

Internal reporting goals:

  • Reports that support decision-making for management
  • Reporting accuracy and details not related to financial reports

Requirement fulfillment goals:

  • Fulfillment of laws and regulations
  • Setting sub-goals so that the security, availability, processing integrity, confidentiality and privacy criteria support adequate reporting, the organization's operation and compliance with the requirements
ISMS description and maintenance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
29
requirements

Examples of other requirements this task affects

5.1.1: Policies for information security
ISO27 Full
PR.AT-5: Physical and cybersecurity personnel
NIST
HAL-02: Tehtävät ja vastuut
Julkri
HAL-07: Seuranta ja valvonta
Julkri
HAL-09: Dokumentointi
Julkri
See all related requirements and other information from tasks own page.
Go to >
ISMS description and maintenance
1. Task description

The organization must operate, maintain, and continuously develop a security management system.

The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.

Internal audit procedure -report publishing and maintenance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
15
requirements

Examples of other requirements this task affects

ID.GV-3: Legal and regulatory requirements
NIST
7.5: Requirements for documented information
ISO27k1 Full
9.2: Internal audit
ISO27k1 Full
CC1.5: Accountability for responsibilities
SOC 2
Article 5: Governance and organisation
DORA
See all related requirements and other information from tasks own page.
Go to >
Internal audit procedure -report publishing and maintenance
1. Task description

The organization has established a procedure for conducting internal audits. The procedure shall describe at least:

  • how often audits are carried out
  • who may carry out the audits (including audit criteria)
  • how the actual audit is carried out
  • how audit results are documented and to whom the results are reported
  • results should be reported to a competent authority if it's law regulated
Identification, documentation and management of other information security requirements
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
16
requirements

Examples of other requirements this task affects

18.1.1: Identification of applicable legislation and contractual requirements
ISO27 Full
ID.GV-3: Legal and regulatory requirements
NIST
HAL-05: Vaatimukset
Julkri
5.31: Legal, statutory, regulatory and contractual requirements
ISO27k1 Full
2: Lainsäädäntö ja velvoitteet
Sec overview
See all related requirements and other information from tasks own page.
Go to >
Identification, documentation and management of other information security requirements
1. Task description

Compliance with required laws, regulations, standards, and contractual obligations can be as challenging as dealing with an ever-changing threat environment and new forms of cyber-attacks.

The organization shall document the information security requirements and the organisation's operating model for meeting them.

It is important to note that a large part of the requirements (e.g. laws, standards) are evolving entities. It is recommended to define a review interval for the documentation to describe the frequency at which changes in the requirements should at least be checked.

Creating and maintaining a statement of applicability
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
3
requirements

Examples of other requirements this task affects

6.1: Information security risk management
ISO27k1 Full
7.5: Requirements for documented information
ISO27k1 Full
1.2.1: Scope of Information Security management
TISAX
See all related requirements and other information from tasks own page.
Go to >
Creating and maintaining a statement of applicability
1. Task description

The Statement of Applicability (SoA) is a key document that defines how an organization implements much of its cyber security.

The statement describes which of the controls recommended by ISO 27001 are implemented in the organization, how they are implemented, and the current state of the controls. In addition, possible reasons for not using certain controls are described.

Executing and documenting internal audits
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
29
requirements

Examples of other requirements this task affects

12.7: Information systems audit considerations
ISO27 Full
12.7.1: Information systems audit controls
ISO27 Full
18.2.1: Independent review of information security
ISO27 Full
ID.GV-3: Legal and regulatory requirements
NIST
HAL-07: Seuranta ja valvonta
Julkri
See all related requirements and other information from tasks own page.
Go to >
Executing and documenting internal audits
1. Task description

The organization conducts internal audits in accordance with its internal audit procedure. The aim is to check:

  • whether the information security management system complies with the organisation's cyber security requirements
  • whether the information security management system complies with other operational security requirements or standards complied with
  • whether the information security management system is implemented effectively

Documented information on the execution and results of audits must be kept.

Defining and documenting security objectives
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
21
requirements

Examples of other requirements this task affects

5.1.1: Policies for information security
ISO27 Full
ID.BE-3: Organizational mission, objectives, and activities
NIST
ID.GV-1: Cybersecurity policy
NIST
HAL-01: Periaatteet
Julkri
5.1: Leadership and commitment
ISO27k1 Full
See all related requirements and other information from tasks own page.
Go to >
Defining and documenting security objectives
1. Task description

Organization's top management sets security objectives. Security objectives meet the following requirements:

  • they shall take into account applicable data security and data protection requirements and the results of risk assessment and treatment
  • they are clearly communicated to key security and data protection personnel, staff and other relevant stakeholders
  • they are updated as necessary (e.g. when the risk landscape changes or periodically when the objectives are met)
  • they are documented and (if possible) measurable

In connection with the documentation of security objectives, the necessary top-level improvements and tasks, needed resources, responsible persons, due dates and methods for evaluating the results in order to achieve the objectives are also defined.

Information security policy -report publishing, informing and maintenance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
37
requirements

Examples of other requirements this task affects

5: Information security policies
ISO27 Full
5.1: Management direction for information security
ISO27 Full
5.1.1: Policies for information security
ISO27 Full
5.1.2: Review of the policies for information security
ISO27 Full
T01: Turvallisuusperiaatteet
Katakri
See all related requirements and other information from tasks own page.
Go to >
Information security policy -report publishing, informing and maintenance
1. Task description

The organization has an information security policy developed and approved by top management. The policy shall include at least the following:

  • the basis for setting the organization’s security objectives
  • commitment to meeting information security requirements
  • commitment to continuous improvement of the information security management system

In addition, the task owner shall ensure that:

  • the is appropriate for the organization's business idea
  • the policy is communicated to the entire organization
  • the policy is available to stakeholders as appropriate
Establishing and maintaining a cyber security program
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
requirements

Examples of other requirements this task affects

PROGRAM-2: Establish and Maintain Cybersecurity Program
C2M2: MIL1
See all related requirements and other information from tasks own page.
Go to >
Establishing and maintaining a cyber security program
1. Task description

The organization must establish and maintain a cyber security program. The program must have the support of the top management.

The program must be established:

  • According to the cyber security program strategy
  • The support of the top management is active and supports the development and maintenance of the program

    • p> li>
    • The program is responsible for a role that has the authority to fulfill it
Strategy for cyber security program
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

PROGRAM-1: Establish Cybersecurity Program Strategy
C2M2: MIL1
See all related requirements and other information from tasks own page.
Go to >
Strategy for cyber security program
1. Task description

The organization must create and maintain a strategy for the cyber security program. The cyber security program defines the goals for the organization's cyber security measures.

A strategy for cyber security architecture
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
7
requirements

Examples of other requirements this task affects

ARCHITECTURE-1: Establish and Maintain Cybersecurity Architecture Strategy and Program
C2M2: MIL1
ARCHITECTURE-2: Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2: MIL1
ARCHITECTURE-3: Implement IT and OT Asset Security as an Element of the Cybersecurity Architecture
C2M2: MIL1
ARCHITECTURE-4: Implement Software Security as an Element of the Cybersecurity Architecture
C2M2: MIL1
ARCHITECTURE-5: Implement Data Security as an Element of the Cybersecurity Architecture
C2M2: MIL1
See all related requirements and other information from tasks own page.
Go to >
A strategy for cyber security architecture
1. Task description

The organization must have a strategy for developing and maintaining a cyber security architecture.

The strategy must match the organization's cyber security program and the organization's architecture.

The architecture must include:

  • Security measures for computer networks
  • Protection of information assets
  • Application security
  • Implementation of data protection and privacy
Recognizing the technology needed to accomplish the cybersecurity goals
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
2
requirements

Examples of other requirements this task affects

CC5.2: Control activities for achievement of objectives
SOC 2
3.3.1: Create a plan for analysing data from security monitoring
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Recognizing the technology needed to accomplish the cybersecurity goals
1. Task description

The organization must:

  • identify the connections between technology and the running of business operations
  • Build the necessary infrastructure to maintain the necessary technology so that their availability and operational reliability can be guaranteed

The organization must define what technology is needed in order to achieve the information security objectives? And, what technology must be acquired / developed in order to achieve the information security goals?

Consideration of external goals when setting information security objectives
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

CC3.1: Sufficient specifying of objectives
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Consideration of external goals when setting information security objectives
1. Task description

When setting the organization's information security objectives, external objectives must be taken into account. This means, for example:

  • Externally set requirement frameworks, such as laws and regulations or requirements set by other external stakeholders
  • The reporting takes into account a sufficient amount of detail in the reports to demonstrate the fulfillment of the external requirements
Defining the units of your organization
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

CC1.3: Established responsibilities
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Defining the units of your organization
1. Task description

The organization must define its operations and, in particular, the units relevant to the implementation of information security.

The owners defined for the units can be assigned responsibilities for the unit-specific implementation of various tasks.

Data collection and processing
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
2
requirements

Examples of other requirements this task affects

CC2.1: Quality information to support internal controls
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Data collection and processing
1. Task description

The organization's information systems collect data from internal and external sources and process essential data into information. Information supports internal control components

Information must be:

  • Up-to-date
  • Accurate
  • Complete
  • Secured
  • Secured
Supervision carried out by the board of the organization
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

CC1.2: Board of directors oversight
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Supervision carried out by the board of the organization
1. Task description

A board separate from the management supervises the development and implementation of internal information security measures.

The board's duties include in particular:

  • Responsibility for the more detailed implementation and monitoring of operations
  • Using experts in the field of information security and evaluates the need for additional expertise in the board
  • Works independently and is objective in assessments and decision-making
  • Adds expertise when necessary, for example with consultants
Preparation for information campaign against the organization
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

76: Varautuminen informaatiovaikuttamiseen
Sec overview
See all related requirements and other information from tasks own page.
Go to >
Preparation for information campaign against the organization
1. Task description

The organization has formed a plan in case of a smear or influence campaign against it.

Adequacy of digital security resourcing
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
5
requirements

Examples of other requirements this task affects

70: Riittävät resurssit digiturvan kehittämiseen
Sec overview
1.2.2: Information Security Responsibilities
TISAX
See all related requirements and other information from tasks own page.
Go to >
Adequacy of digital security resourcing
1. Task description

The organization has dedicated sufficient resources and expertise to the development of digital security as part of the implementation of the organization's strategy.

In addition, a responsible person has been named for digital security, and this theme receives enough attention in the responsible person's job description and time management.

Internal communication about the organization's risk situation
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
6
requirements

Examples of other requirements this task affects

16: Organisaationlaajuinen viestintä riskitilanteesta
Sec overview
DE.DP-4: Event detection information is communicated.
CyFun
RC.CO-2: Reputation is repaired after an incident.
CyFun
4.1.5: Determine which communication channels to use in the event of an incident
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Internal communication about the organization's risk situation
1. Task description

The organization has an operating model for regular communication to the entire organization about the risk situation in information security and about new significant risks affecting the organization.

Information can be implemented, for example, as a collaboration between the information security core team and communication professionals.

Determination and adequacy of the cyber security budget
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
4
requirements

Examples of other requirements this task affects

5: Riittävä digiturvallisuuden budjetti
Sec overview
20.1: Top management commitment
NIS2
Article 5: Governance and organisation
DORA
10 §: Johdon vastuu
KyberTL
See all related requirements and other information from tasks own page.
Go to >
Determination and adequacy of the cyber security budget
1. Task description

The organization has clearly defined a budget dedicated to the maintenance and development of digital security. The budget is sufficient to achieve the goals set for digital security.

When budgeting for digital security, three key areas must be considered in particular - personnel costs, technology solutions and operational costs.

Maintaining chosen theme-specific policy documents
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
8
requirements

Examples of other requirements this task affects

5.1.1: Policies for information security
ISO27 Full
5.1: Policies for information security
ISO27k1 Full
7.5: Requirements for documented information
ISO27k1 Full
CC5.3: Establishment of policies
SOC 2
6.1: Yleiset tietoturvakäytännöt
Tietoturvasuunnitelma
See all related requirements and other information from tasks own page.
Go to >
Maintaining chosen theme-specific policy documents
1. Task description

Theme-specific policy documents can help the communication and viewing of tasks, instructions and other documentation related to different areas, as well as connecting possible upper-level principles to these contents of the management system, which describe a more detailed implementation.

The organization must define which theme-specific policy documents are maintained and, if necessary, reviewed as a whole at desired intervals. Examples of topics for which you may want to maintain your own policy document include:

  • access control
  • physical security
  • management of assets to be protected
  • backup
  • encryption practices
  • data classification
  • technical vulnerability management
  • secure development
Varautumista ohjaavan lainsäädännön tunnistaminen ja dokumentointi
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

VAR-01: Varautumista ohjaava lainsäädäntö
Julkri
See all related requirements and other information from tasks own page.
Go to >
Varautumista ohjaavan lainsäädännön tunnistaminen ja dokumentointi
1. Task description

The organization has identified the national and EU legislation governing ICT preparedness related to its operations and services, as well as other norms related to ICT preparedness.

Legislation and norms determine the minimum level for implementing ICT preparedness. In addition to this, the organization must take into account the needs arising from the special features of its own operations. Understanding the internal and external dependencies of operations is a basic requirement for cost-effective management of preparedness.

Luettelo turvaluokiteltuja asiakirjoja käsittelevistä henkilöistä valtionhallinnossa
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

HAL-14.1: Käyttö- ja käsittelyoikeudet - ajantasainen luettelo - TL III
Julkri
See all related requirements and other information from tasks own page.
Go to >
Luettelo turvaluokiteltuja asiakirjoja käsittelevistä henkilöistä valtionhallinnossa
1. Task description

Valtionhallinnon viranomaisen on pidettävä luetteloa henkilöistä, joilla on oikeus käsitellä turvallisuusluokan I, II tai III asiakirjoja. Luettelossa on mainittava henkilön tehtävä, johon turvallisuusluokitellun tiedon käsittelytarve perustuu.

Tietoturvallisuuteen liittyvän dokumentaation ajantasaisuus
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

HAL-09.1: Dokumentointi - ajantasaisuus
Julkri
See all related requirements and other information from tasks own page.
Go to >
Tietoturvallisuuteen liittyvän dokumentaation ajantasaisuus
1. Task description

Tietoturvallisuuteen liittyvä dokumentaatio on ajantasaista.

  • Organisaatiolla on prosessi, jonka avulla seurataan dokumentaation kattavuutta ja ajantasaisuutta
  • Dokumentaation puutteisiin reagoidaan
Muiden tietoturvavaatimusten seuranta
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
2
requirements

Examples of other requirements this task affects

HAL-05: Vaatimukset
Julkri
HAL-05.1: Vaatimukset - seuranta
Julkri
See all related requirements and other information from tasks own page.
Go to >
Muiden tietoturvavaatimusten seuranta
1. Task description

Organisaation tietoturvallisuusvaatimukset muodostuvat esimerkiksi lainsäädännössä ja sopimuksissa määritellyistä vähimmäisvaatimuksista sekä muista tunnistetuista tai itse tavoitelluiksi valituista vaatimuksista.

Organisaation on seurattava tietoturvallisuusvaatimusten muutoksia ja tehtävä tarvittavat toimenpiteet niihin reagoimiseksi.

Identifying and documenting dependencies between assets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
4
requirements

Examples of other requirements this task affects

HAL-04.5: Suojattavat kohteet - riippuvuudet
Julkri
Article 8: Identification
DORA
1.1.5: Identify the organisation’s deliverables, information systems and supporting ICT functions
NSM ICT-SP
4.1.2: Perform a business impact analysis
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Identifying and documenting dependencies between assets
1. Task description

Organisation should identify and document dependencies between its assets.

In Cyberday dependencies between asset elements are created when creating and linking documentation. Procedure can be expanded according to organisation's own needs.

Kasautumisvaikutuksen huomiointi suojattavien kohteiden luokittelussa
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
2
requirements

Examples of other requirements this task affects

HAL-04.3: Suojattavat kohteet - kasautumisvaikutus
Julkri
2.4: Luokittelu ja turvallisuusluokittelu
TiHL: Tietoturva
See all related requirements and other information from tasks own page.
Go to >
Kasautumisvaikutuksen huomiointi suojattavien kohteiden luokittelussa
1. Task description

Tietojärjestelmän tai muun useita tietoaineistoja sisältävän kohteen luokitus määräytyy ensi sijassa korkeimman luokituksen aineiston mukaan. Tietojärjestelmien luokitusta arvioitaessa tulee huomioida myös kasautumisvaikutus riskilähtöisesti.

Suuresta määrästä tietyn luottamuksellisuuden tason tietoa koostuvissa tietojärjestelmissä asiakokonaisuus voi nousta luokitukseltaan yksittäistä tietoa korkeammalle tasolle. Määrä ei ole kuitenkaan ainoa tekijä, vaan joskus esimerkiksi kahden eri tietolähteen yhdistäminen voi johtaa tietovarannon luokituksen nousemiseen.

Tyypillisesti kasautumisessa on kysymys IV-luokan tiedosta (esimerkiksi suuri määrä turvallisuusluokan IV tietoa voi muodostaa yhdistettynä turvallisuusluokan III tietovarannon), mutta kasautumisvaikutus tulee huomioida myös turvallisuusluokittelemattoman salassa pidettävän tiedon suojaamisessa.



Security roles, responsibilities, and objectives derived from the organization's goals
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
5
requirements

Examples of other requirements this task affects

ID.BE-3: Organizational mission, objectives, and activities
NIST
69: Digiturvan huomiointi osana kokonaisuutta
Sec overview
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated.
CyFun
See all related requirements and other information from tasks own page.
Go to >
Security roles, responsibilities, and objectives derived from the organization's goals
1. Task description

The organization has set priorities for its operations and goals. Based on these priorities, you need to be able to define security roles, responsibilities, and goals.

Segregation of information security related duties
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
9
requirements

Examples of other requirements this task affects

6.1.2: Segregation of duties
ISO27 Full
ID.RA-3: Threat identification
NIST
PR.AC-4: Access permissions and authorizations
NIST
PR.DS-5: Data leak protection
NIST
HAL-02.1: Tehtävät ja vastuut - tehtävien eriyttäminen
Julkri
See all related requirements and other information from tasks own page.
Go to >
Segregation of information security related duties
1. Task description

Organisation should have processes for ensuring that conflicting responsibilities are segregated to reduce opportunities for misuse of the organization’s assets.

Care should be taken e.g. in relation to a single person being able to process data without detection. Often also separating the initiation of an event from its authorization is a good practice.

When direct segregation of duties is hard to achieve, the following principles can be utilized:

  • High-level segregation of information security responsibilities
  • Supporting segregation with good monitoring, audit trails and management supervision
Archiving and retaining outdated security documentation
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

A.10.2: Retention period for administrative security policies and guidelines
ISO 27018
See all related requirements and other information from tasks own page.
Go to >
Archiving and retaining outdated security documentation
1. Task description

Organization has defined what constitutes important security-related documentation and guidelines (e.g. report documents or all task / guideline content), which should be securely archived after they are replaced or become otherwise outdated.

This information should be saved for possible reviews of old policies or guidelines, which may be relevant e.g. in the case of a customer dispute or investigation by data protection authority.

When no specific legal or contractual requirement states the retention period, information should be saved for at least five years.

Continuous improvement and documentation
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
12
requirements

Examples of other requirements this task affects

PR.IP-7: Protection processes
NIST
10.1: Continuous improvement
ISO27k1 Full
21.4: Non-conformities and corrective actions
NIS2
CC4.2: Evaluation and communication of internal control deficiencies
SOC 2
1.5.2: External review of ISMS
TISAX
See all related requirements and other information from tasks own page.
Go to >
Continuous improvement and documentation
1. Task description

The organization shall continuously strive to improve the performance of the information security management system. Ways to improve are being actively sought - not just through audits or clear non-conformities.

Task owner is responsible for documenting the improvements made to the management system and dividing them into tasks to be performed, monitoring task execution and assessing the reached effects.

Communication plan for information security management system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
13
requirements

Examples of other requirements this task affects

RC.CO-2: Reputation
NIST
5.1: Leadership and commitment
ISO27k1 Full
7.4: Communication
ISO27k1 Full
20.1: Top management commitment
NIS2
CC2.2: Internal communication of information
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Communication plan for information security management system
1. Task description

The organization shall determine which issues related to the information security management system need to be communicated on a regular basis. The plan must include the answers, e.g. to the following points:

  • What issues are communicated? These can be e.g. new or changed security objectives
  • How and when to communicate?What channels are used and how often?
  • To whom is communicated? How often for security executives, how often for the entire organization or partners.
  • Who takes part? Who has the right to message and from whom, for example, messages should be approved.

Task owner will take care of the implementation of the plan and regular evaluation of its effectiveness.

Implementation and documentation of management reviews
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
20
requirements

Examples of other requirements this task affects

18.1.1: Identification of applicable legislation and contractual requirements
ISO27 Full
ID.GV-3: Legal and regulatory requirements
NIST
9.3: Management review
ISO27k1 Full
12: Digiturvan tilan seuraaminen
Sec overview
13: Digiturvan kokonaistilanteen raportointi
Sec overview
See all related requirements and other information from tasks own page.
Go to >
Implementation and documentation of management reviews
1. Task description

Top management shall review the organization's information security management system at planned intervals to ensure that it remains appropriate, relevant and effective.

The management review shall address and comment on at least the following:

  • Status of improvements (or other actions) initiated as a result of previous management reviews
  • Future changes relevant to the security management system
  • Performance of the ISMS (problem areas, metering, audit results and fulfillment of management security objectives)
  • Stakeholder feedback on data security
  • Operation of the risk assessment and treatment process

Documented information on the execution and results of reviews must be maintained.

Defining and documenting cyber security metrics
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
13
requirements

Examples of other requirements this task affects

7.2.1: Management responsibilities
ISO27 Full
13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
TiHL
HAL-07: Seuranta ja valvonta
Julkri
9.1: Monitoring, measurement, analysis and evaluation
ISO27k1 Full
11: Digiturvan mittarien määrittäminen
Sec overview
See all related requirements and other information from tasks own page.
Go to >
Defining and documenting cyber security metrics
1. Task description

The organisation regularly evaluates the level of cyber security and the effectiveness of the information security management system.

Organisation has defined:

  • monitored metrics to provide comparable results on the development of cyber security level
  • persons responsible for the metering
  • methods, timetable and responsible persons for metrics reviewing and evaluation
  • methods to document metric-related evaluations and results

Effective metrics should be usable for identifying weaknesses, targeting resources better and assessing organisation's success / failure related to cyber security.

General security competence and awareness of personnel
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
22
requirements

Examples of other requirements this task affects

29. Processing under the authority of the controller or processor
GDPR
32. Security of processing
GDPR
7.2.1: Management responsibilities
ISO27 Full
7.2.2: Information security awareness, education and training
ISO27 Full
PR.AT-1: Awareness
NIST
See all related requirements and other information from tasks own page.
Go to >
General security competence and awareness of personnel
1. Task description

Personnel under the direction of the entire organization must be aware:

  • how they can contribute to the effectiveness of the information security management system and the benefits of improving the level of information security
  • the consequences of non-compliance with the requirements of the information security management systemwhich roles in the personnel have effects to the level of security

In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.

Incident management resourcing and monitoring
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
12
requirements

Examples of other requirements this task affects

24. Responsibility of the controller
GDPR
7.2.1: Management responsibilities
ISO27 Full
16.1.1: Responsibilities and procedures
ISO27 Full
5.24: Information security incident management planning and preparation
ISO27k1 Full
Article 17: ICT-related incident management process
DORA
See all related requirements and other information from tasks own page.
Go to >
Incident management resourcing and monitoring
1. Task description

Management shall define responsibilities and establish procedures to ensure an effective and consistent response to security incidents.

Management must ensure e.g.:

  • interference management has clear responsibilities
  • there is a documented process for responding, handling and reporting incidents

The process must ensure e.g.:

  • staff have a clear contact point / tool and instructions for reporting incidents
  • the reported security breaches will be addressed by qualified personnel in a sufficiently comprehensive manner
Management commitment to cyber security management and management system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
26
requirements

Examples of other requirements this task affects

24. Responsibility of the controller
GDPR
5.1.1: Policies for information security
ISO27 Full
7.2.1: Management responsibilities
ISO27 Full
7.2.2: Information security awareness, education and training
ISO27 Full
ID.GV-1: Cybersecurity policy
NIST
See all related requirements and other information from tasks own page.
Go to >
Management commitment to cyber security management and management system
1. Task description

The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:

  • defining the frameworks or other requirements that form the basis for work (e.g. customer promises, regulations or certificates)
  • determining the resources needed to manage security
  • communicating the importance of cyber security
  • ensuring that the work achieves the desired results
  • promoting the continuous improvement of cyber security

Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all information / activities of the organization.

Amount, competence and adequacy of key cyber security personnel
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
23
requirements

Examples of other requirements this task affects

32. Security of processing
GDPR
37. Designation of the data protection officer
GDPR
6.1.1: Information security roles and responsibilities
ISO27 Full
T03: Turvallisuustyön resurssit
Katakri
ID.GV-2: Cybersecurity role coordination
NIST
See all related requirements and other information from tasks own page.
Go to >
Amount, competence and adequacy of key cyber security personnel
1. Task description

The organization shall have a sufficient number of trained, supervised and, where necessary, properly security cleared personnel who play key roles in information security, performing management tasks related to the information security management system.

The organization has defined:

  • what qualifications this staff should have
  • how qualifications are acquired and ensured (e.g. through appropriate training and training monitoring)
  • how qualifications can be demonstrated through documentation

The owner of the task regularly reviews the number and level of competence of the security personnel.

Defining security roles and responsibilities
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
33
requirements

Examples of other requirements this task affects

24. Responsibility of the controller
GDPR
6.1.1: Information security roles and responsibilities
ISO27 Full
T02: Turvallisuustyön tehtävien ja vastuiden määrittäminen
Katakri
ID.AM-6: Cybersecurity roles and responsibilities
NIST
ID.GV-2: Cybersecurity role coordination
NIST
See all related requirements and other information from tasks own page.
Go to >
Defining security roles and responsibilities
1. Task description

Top management must ensure clear responsibilities / authority on at least the following themes:

  • who is primarily responsible for ensuring that the information security management system complies with the information security requirements
  • who act as ISMS theme owners responsible for the main themes of the information security management system
  • who has the responsibility and authority to report to top management on the performance of the information security management system
  • who is authorized to carry out internal audits

The ISMS theme owners are presented on the desktop of the management system and in the Information security policy report.

In addition, top management shall ensure that all roles relevant to information security, as well as related responsibilities and authorities, are defined and communicated. It is also important to recognize the roles and responsibilities of external partners and providers.

Adequate security principles of the organisation in terms of classified information
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

T-01: JOHDON TUKI, OHJAUS JA VASTUU – TURVALLISUUSPERIAATTEET
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Adequate security principles of the organisation in terms of classified information
1. Task description

Top management of the organization is responsible for:

  • the organization having security principles approved by top management, which describe the connection of the organization's information security measures to the organization's operations
  • the security principles being comprehensive and appropriate in terms of protecting classified information
  • these security principles guiding information security measures
  • the organization having organized sufficient monitoring of compliance with obligations and instructions related to information management of security-classified information.
Learning from testing operational resilience
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
3
requirements

Examples of other requirements this task affects

Article 13: Learning and evolving
DORA
RC.IM-1: Recovery plans incorporate lessons learned.
CyFun
See all related requirements and other information from tasks own page.
Go to >
Learning from testing operational resilience
1. Task description

Organisation should have a process to analyse and learn from the operational resilience testing results, from actual cyber security incidents and from experiences of activating continuity plans. Relevant information and experiences should be exchanged with counterparts.

The lessons learned should be incorporated in to the cyber risk management process.

The organisation's top management should have a yearly report about the lessons from senior ICT staff along with recommendations for improvements.

Monitoring and analysing effectiveness of digital operational resilience strategy
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

Article 13: Learning and evolving
DORA
See all related requirements and other information from tasks own page.
Go to >
Monitoring and analysing effectiveness of digital operational resilience strategy
1. Task description

The organisation must monitor the effectiveness of their digital operational resilience strategy. This should include at least:

  • Mapping of ICT risk evaluation over time
  • Analyse frequency, type, scale and evolution of incidents
  • Special focus should be in patterns of cyber attacks

This should increase the awareness of exposure to cyber attack related risk especially with important and critical functions and preparedness against cyber attacks.

Description of cyber security structure
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

1.2.2: Information Security Responsibilities
TISAX
See all related requirements and other information from tasks own page.
Go to >
Description of cyber security structure
1. Task description

Organisation should define and document an information security structure within the organisation. This should include the consideration of other relevant security roles.

Recognizing and listing sensitive work fields and jobs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

2.1.1: Competence of employees
TISAX
See all related requirements and other information from tasks own page.
Go to >
Recognizing and listing sensitive work fields and jobs
1. Task description

The organization must determine what work fields and specific jobs are considered sensitive (e.g. based on data handled and access the employee has).

Sensitive work fields depend on the nature of organizations operations, but can include e.g. information security, IT and system administration, finance, HR, legal, R&D, customer support, analytics, management and many others.

Implementing a crisis response strategy
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
5
requirements

Examples of other requirements this task affects

RC.CO-2: Reputation is repaired after an incident.
CyFun
4.3.2: Determine whether the incident is under control and take the necessary reactive measures
NSM ICT-SP
4.3.5: Co-ordinate and communicate with internal and external stakeholders while managing the incident
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Implementing a crisis response strategy
1. Task description

The organization develops and implements a crisis response strategy to protect the organization from the negative consequences and reputational damage of a crisis. This strategy should include predefined actions to manage public view, control the narrative, and mitigate the impact of the crisis on the organization.

Identify the organisation's strategy and priorities
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

1.1.1: Identify the organisation’s strategy and priorities
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Identify the organisation's strategy and priorities
1. Task description

Identify and document the organisation's strategy and priorities, which may have an impact on information system security.

It is important to note that this documentation should be reviewed when the organization's strategy and priorities change.

Strategic directions of risk response options
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Strategic directions of risk response options
1. Task description

Organization defines the strategic approaches for responding to risks based on the risk types, and the organizational risk tolerance and exposure. These strategies can include for example:

  • Define criteria for accepting or avoiding cybersecurity risks for different data classifications
  • Determine the need for cybersecurity insurance based on the organizational risk tolerance and exposure
  • Document conditions under which shared responsibility models (e.g., outsourcing cybersecurity, third-party transactions, or public cloud services) are acceptable for the organization
Documentation of organization's dependencies on external resources
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Documentation of organization's dependencies on external resources
1. Task description

Dependencies on external services might affect the organization's risk management and critical capabilities. The organization needs to identify and maintain a list of the organization’s external dependencies, including facilities, cloud providers, and any third-party services.

The documentation should also include:

  • The relationships between the dependencies and key organizational assets and business functions
  • The dependencies that pose potential failure points for critical services

Ensure that relevant personnel are informed about these dependencies and their associated risks.

Assessment of conformity (Belgium)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Assessment of conformity (Belgium)
1. Task description

Conformity of the organization is ensured by passing a mandatory regular conformity assessment. To carry out this assessment, the organization can choose from three options:

  • A CyberFundamentals (CyFun®) certification (level essential) or verification (level important or basic) with the relevant scope of application, granted by a conformity assessment body (CAB) approved by the CCB after accreditation from BELAC
  • An ISO/IEC 27001 certification with the relevant scope of application, issued by a CAB accredited by an accreditation body that has signed the mutual recognition agreement (MLA) governing the ISO 27001 standard within the framework of the European co-operation for Accreditation (EA) or the International Accreditation Forum (IAF)
  • An inspection by the CCB inspection service (or by a sectoral inspection service).

The conformity assessment statement that the organization receives after the conformity assessment of their chosen framework, allows them to benefit from a presumption of conformity. Until proven otherwise, they are presumed to have respected their obligations.

Appointment, tasks and position of a Cyber security manager
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
2
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Appointment, tasks and position of a Cyber security manager
1. Task description

The entity's cyber security management is ensured and is the responsibility of the entity's manager. The head of each entity determines the responsible person who implements and supervises the implementation of cyber security measures in the relevant entity. The Cabinet of Ministers determines the requirements for the cyber security manager.

The cyber security manager has the following duties:

  • Organize security measures for the institution's information and communication technology infrastructure.
  • Not less than once a year to conduct a security check of information and communication technologies and, according to its results, to organize the elimination of the detected deficiencies.
  • At least once a year attend a cyber security training organized by the cyber incident prevention institution.
  • Not less than once a year, to ensure that the employees of the institution are briefed on the subject's current cyber risks and cyber security.
Providing the security managers information to a competent authority
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
3
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Providing the security managers information to a competent authority
1. Task description

The organization shall notify a competent authority immediately, but no later than within five working days, of the appointment of a cyber security manager. The notice shall state the name, surname, personal identification number, position, e-mail address and telephone number of the cyber security manager. The organization shall report any changes to a competent immediately, but no later than within five working days.

Cyber Security Information System usage (Lithuania)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
3
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Cyber Security Information System usage (Lithuania)
1. Task description

The national cyber security authorities maintain a Cyber Security Information System for managing data related to cyber security entities, incidents, and risk management measures. The organization based on the requirements specified in the Cyber Security Information System regulations must register to this system and has a right to become a user of the data it provides.

The key requirements include:

  • Register as a user of the system and implement mutual information sharing agreements, also maintaining up-to-date information
  • Notify the National Cyber Security Center of the mutual agreements or terminations within 20 working days
  • Report cyber incidents, near-miss events, and threats to the Cyber Security Information System
  • Ensure compliance with national cyber security laws and avoid operational risks

Benefits of the Cyber Security Information system usage for the organization:

  • Access and use the Cyber Security Information System data related to the organization’s managed network and systems
  • Collaborate with the National Cyber Security Center and institutions during extreme cyber incidents
  • Gain real-time insights to improve incident management and preparedness
  • Strengthen organizational risk management through tools, services and information the system provides
Usage of the Secure Network (Lithuania)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Usage of the Secure Network (Lithuania)
1. Task description

Governmental and municipal organizations or other institutions handling state information or meeting the criteria must use the Ministry of National Defense overseen Secure State Data Transmission Network for electronic communications and connect to public networks only through it except for government-defined exceptions.

Conditions for the usage of the Secure Network:

  • Only organizations included in the government-approved list of users are allowed to use the secure network.
  • Institutions must follow government-set plans and timelines for connecting to or disconnecting from the Secure Network
  • Includes data transmission, public network access, collective cyber security, and interaction with EU/NATO resources, provided free of charge, funded by the state
  • Offered at user-specific levels for a fee covering actual costs, verified annually by auditors
Usage of data centers (Lithuania)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Usage of data centers (Lithuania)
1. Task description

State and municipal organization or other institutions listed in the Secure Network list must store state information resources in state data centers or data centers within Lithuania, EU, EEA, or NATO member states. Storage costs of the state information resources are funded from the institutions' allocated state budget funds.

Technical cyber security measures (Lithuania)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Technical cyber security measures (Lithuania)
1. Task description

The National Cyber Security Center installs and manages technical cyber security measures for entities to monitor and address cyber threats and incidents. Important entities can request and essential entities must facilitate the implementation and management of these measures for their systems. The Ministry of National Defense defines the procedures and approves the installation plan, specifying the measures and any data processed. The installation, maintenance, and repair costs of these cyber security measures are covered by The National Cyber Security Center.

Cybersecurity auditing (Lithuania)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Cybersecurity auditing (Lithuania)
1. Task description

The organization performs cyber security audits according to the procedures of the National Cyber ​​Security Center.

  • Cyber security audits must be conducted at least once every three years
  • Audits must follow the methodology approved by the National Cyber Security Center
  • The auditor must be certified, trained and qualified as per National Cyber Security Center procedures
  • The auditor must meet the National Cyber Security Center's standards for independence, impartiality, and reputation. Auditors cannot assess networks or systems managed by their employer
Appointment of a Chief Information Security Officer (Lithuania)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
4
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Appointment of a Chief Information Security Officer (Lithuania)
1. Task description

The organization appoints a chief information security officer (CISO) that meets the defined requirements and is responsible for the implementation of the organization's risk management measures.

  • Ensure the individual is directly accountable to the head of the entity
  • Verify the candidate meets qualification standards: impeccable reputation, no recent penalties, and relevant experience or certification
  • Define their responsibilities for the cyber security risk management measures and compliance
  • Optionally this role can be combined with that of a Cyber Security Officer or outsourced
Appointment of a Cyber Security Officer (Lithuania)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
4
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Appointment of a Cyber Security Officer (Lithuania)
1. Task description

The organization appoints a Cyber Security Officer who is responsible for the compliance of specific networks and systems.

  • Ensure the candidate meets the same qualification standards as the Chief Information Security Officer
  • Allow for the Cyber Security Officer to oversee multiple systems if needed
  • Optionally outsource this role to a service provider or appoint the CISO to take care of the duties
Considering the possibility of fraud in risk assessment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

CC3.3: Potential of fraud is considered
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Considering the possibility of fraud in risk assessment
1. Task description

The organization must consider the possibility of fraud related to information security when assessing risks.

It is at least worth noting:

  • Different types of fraud and their possible consequences (incorrect reporting, loss of information assets and corruption)
  • Effect of various incentives and pressures to commit fraud
  • Evaluation of attitudes and justifications, how a manager or other employee could justify their fraudulent activity
  • Evaluation of the possibilities of fraud in the use of information systems
Priority classification of an organization's information assets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
7
requirements

Examples of other requirements this task affects

ID.AM-5: Resource prioritization
NIST
HAL-04.2: Suojattavat kohteet - luokittelu
Julkri
CC3.2: Identification of risks related to objectives
SOC 2
2.4: Luokittelu ja turvallisuusluokittelu
TiHL: Tietoturva
ID.AM-5: Resources are prioritized based on their classification, criticality, and business value.
CyFun
See all related requirements and other information from tasks own page.
Go to >
Priority classification of an organization's information assets
1. Task description

An organization must classify its information assets, such as information systems, data, units, key personnel, and other assets to be protected (e.g., equipment), according to priorities. Prioritization can be done, for example, based on the requirements for confidentiality, integrity, and availability of the information being processed.

Evaluating the efficiency of internal audits
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

Article 5: Governance and organisation
DORA
See all related requirements and other information from tasks own page.
Go to >
Evaluating the efficiency of internal audits
1. Task description

Task owner regularly evaluates the implementation of internal audits, especially from the following perspectives:

  • whether the auditors have been selected in such a way that the objectivity and impartiality of the audit process are realized
  • whether the audits were performed in such a way that the objectivity and impartiality of the audit process were realized

If necessary, task owner makes changes to the internal audit procedure.

Data protection certifications
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
4
requirements

Examples of other requirements this task affects

18.2.2: Compliance with security policies and standards
ISO27 Full
21.2.f: Assessing effectiveness of security measures
NIS2
9.1 §: Toimien vaikuttavuuden arviointi
KyberTL
9.2 §: Kyberturvallisuuden toimintaperiaatteet
KyberTL
See all related requirements and other information from tasks own page.
Go to >
Data protection certifications
1. Task description

The idea behind the certification mechanisms is to demonstrate that data processing follows good data processing practices and good practices in general. Example of a security certificate is for example: ISO27001.

Procedure for classification of projects
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

1.2.3: Information Security requirements in projects
TISAX
See all related requirements and other information from tasks own page.
Go to >
Procedure for classification of projects
1. Task description

Organisation should have a procedure to classify projects from the point-of-view of required information security level and other information security requirements for the project.

The criteria for the classification of projects should be documented.

Ensuring record integrity related to security requirements
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
1
requirements

Examples of other requirements this task affects

7.1.1: Compliance management
TISAX
See all related requirements and other information from tasks own page.
Go to >
Ensuring record integrity related to security requirements
1. Task description

Non-compliance with legal, regulatory, or contractual provisions can create risks to the information security of the organization.

To facilitate this, the integrity of records in accordance with the legal, regulatory, or contractual provisions and business requirements is considered.

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
Start your free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.